
Strengthening SaaS security: challenges and effective strategies

The increase in security incidents related to SaaS applications requires a revolution in threat prevention and detection strategies


Current security strategies for Software-as-a-Service (SaaS) applications are unsatisfactory, according to a report from Adaptive Shield. This is evidenced by the many recent security incidents related to SaaS applications. “We wanted to gain a deeper understanding of incidents in SaaS applications and how organizations are building their threat prevention and detection models to protect their SaaS ecosystem,” said Hillary Baron, lead author and senior technical director for research at the Cloud Security Alliance. Baron pointed out that only 58% of organizations estimate their current SaaS security solutions cover 50% or less of their SaaS applications, exposing an unacceptable gap that cannot be filled with manual audits and cloud access security brokers (CASB).

Increased investment in SaaS security and the changing role of security managers

Growing awareness of the need to improve SaaS security has led to a dramatic increase in investment in the industry. Baron revealed that 71% of respondents indicated that they have prioritized their investments in security tools for SaaS. Among these solutions, SaaS Security Posture Management (SSPM) is emerging as the preferred choice for securing the entire SaaS application stack. In parallel, a role shift is taking place for CISOs and security managers from an oversight to a governance role as ownership of SaaS applications spreads across departments of their organizations.

Relevance of threat prevention and SaaS security policies

Maor Bin, CEO of Adaptive Shield, highlighted the expanding attack surface in the SaaS ecosystem, emphasizing the importance of protecting SaaS data and prioritizing SaaS security, just as you would a cloud infrastructure with Cloud Security Posture Management. He added: "In last year's survey, 17% of respondents said they use SSPMs. This year, that figure has risen dramatically, with 80% currently using or planning to use an SSPM by the end of 2024". This growth is driven by the fact that 55% of organizations said they have recently experienced a SaaS security incident, resulting in ransomware, malware, data breaches and more. Threat prevention and detection in SaaS is central to a robust cybersecurity strategy that spans various aspects such as SaaS misconfigurations, identity and access governance, SaaS-to-SaaS access, device-to-SaaS risk management, and identity threat detection and response (ITDR).

The Importance of Human Capital and Device Hygiene in SaaS Security

Businesses are recognizing the importance of human capital in securing the SaaS ecosystem, but more needs to be done. While 68% of organizations are increasing their investment in hiring and training staff on SaaS security, only 51% have established effective communication and collaboration between security teams and app owners. Surprisingly, only 33% currently monitor less than half of their SaaS stack. In addition, more attention should be paid to device hygiene. The security of devices accessing the SaaS stack is critical to preventing unauthorized access and data breaches. Despite this, only 54% of organizations inspect device hygiene for SaaS privileged users, 47% inspect device hygiene for all SaaS users, and only 42% identify unmanaged devices accessing the SaaS stack.


06/07/2023 04:53

Marco Verro
