Security News
The challenge in remediating the threats posed by endpoints and devices lies in correlating SaaS app users, their roles, and their permissions with the compliance and integrity levels of their associated devices. This is not a simple feat. Automated SaaS Security Posture Management solutions, like Adaptive Shield, can now provide visibility that correlates the SaaS user and their associated devices with the device's hygiene score.
Three main challenges have arisen from this evolution: While SaaS apps include a host of native security settings, they need to be hardened by the organization's security team. Employees are granting third-party app access to core SaaS apps that pose potential threats to the company.
When it comes to keeping SaaS stacks secure, IT and security teams need to be able to streamline the detection and remediation of misconfigurations in order to best protect their SaaS stack from threats. While companies adopt more and more apps, their increase in SaaS security tools and staff has lagged behind, as found in the 2022 SaaS Security Survey Report.
SaaS applications have become synonymous with modern business environments, and CISOs and security teams struggle to find a happy medium between ensuring the security of their SaaS portfolio and empowering the organization's streamlined business workflows and productivity. In recent conversations with leading CISOs in the global market, including Frank Kim, fellow and former CSO at the SANS Institute; Sounil Yu, CSO at JupiterOne; Ray Espinoza, VP Cloud Security at Medallia; Leon Ravenna, CISO at KAR Global; Alex Manea, CISO at Georgian; and Tim Fitzgerald, CISO at Arm, we took a deep dive into the CISO perspective on SaaS challenges, security pitfalls, actionable tips for successful SaaS management, and how to avoid the dreaded "Death by 1000 apps."
SaaS sprawl grows with the number of applications an organization uses in its SaaS stack, and as information in the different applications is distributed, it becomes less and less centralized, resulting in data sprawl. The ubiquity of SaaS applications means that they encourage shadow SaaS. Neither new nor unusual, this activity allows employees to take advantage of available SaaS solutions that meet their own specific needs in a way they feel is not being met by the organization.
The 2022 SaaS Security Survey Report, in collaboration with CSA, examines the state of SaaS security as seen through the eyes of CISOs and security professionals in today's enterprises. The report gathers anonymous responses from 340 CSA members to examine not only the growing risks in SaaS security but also how different organizations are currently working to secure themselves.
Employees in the digital transformation age are now compelled to choose their best-of-breed applications, independently adopting and connecting SaaS applications, no/low code platforms like Workato and Zapier, and SaaS marketplace third-party apps in order to increase productivity, creating a convoluted web of ever-growing app-to-app integrations. These solutions provided value for their original purpose, but the SaaS-to-SaaS supply chain today thrives on application integration, non-human identities and app-to-app connectivity - leaving out the human element in order to streamline and automate work processes.
Torii announced a report revealing that 69% of tech executives believe shadow IT is a top concern related to SaaS - or cloud application - adoption. The majority of respondents have made exceptions to their SaaS security protocols, with 80% doing so because the applications were adopted outside IT's purview.
A new survey from the Cloud Security Alliance found that IT teams don't have a complete picture of SaaS in use by business units. Too many departments with access to SaaS security settings: 35%. Lack of visibility into changes in the SaaS security settings: 34%. Forty percent of respondents said that business departments, such as legal, marketing and sales, have access to security settings.
"Many recent breaches and data leaks have been tied back to misconfigurations. Whereas most research related to misconfigurations has focused strictly on the IaaS layers and entirely ignores the SaaS stack, SaaS security and misconfigurations are equally, if not more, important when it comes to an organization's overall security." "We wanted to gain a deeper understanding of the use of SaaS applications, how security assessments are conducted and the overall awareness of tools that can be used to secure SaaS applications," said Hillary Baron, lead author and research analyst, Cloud Security Alliance.