While SaaS security is finally getting the attention it deserves, there’s still a significant gap between intent and implementation. Ad hoc strategies and other practices still fall short of a security program. The move toward decentralization has generated confusion over responsibilities, and many organizations remain unaware of which SaaS applications are used, by whom, and what is risky, according to AppOmni.
“Despite greater awareness and effort, things are getting worse. Just as there are constant headlines about breaches, the number of SaaS exploits has reached 31%, up five percentage points from last year. The details behind those statistics are even worse—despite increased budgets and initiatives, organizations need to do a far better job securing SaaS deployments,” said Brendan O’Connor, CEO at AppOmni.
A downside to dispersed domains
SaaS apps are easy to adopt and have enabled departments to independently deploy solutions that meet their particular needs. However, the benefits of decentralized operations are accompanied by a blurring of responsibilities between the CISO, line-of-business heads, and the cybersecurity team.
Changes required for SaaS security often take a backseat to business goals, and business unit heads still need to acquire the knowledge to implement security controls.
Adoption without awareness
SaaS apps are being widely deployed without sufficient knowledge of related risks. When organizations implement SaaS apps, they see a surge in third-party integrations that deliver extended functionalities, automated workflows, unified data access, etc.
However, most organizations lack visibility into their full SaaS-to-SaaS connection footprint. For example, 49% of the respondents who frequently use Microsoft 365 believed they have fewer than 10 applications connected to the platform; AppOmni’s aggregated data indicates there are 1,000-plus connections on average. Ultimately, gaining visibility into the entire SaaS attack surface is the first step in the SaaS security journey, and continuous monitoring is just as important.
Policies without enforcement
Fully 90% of respondents have policies in place to ensure the use of only sanctioned apps, but 34% admit that those rules are not strictly enforced. This percentage actually spiked by 12 points since 2023.
The problem is that SaaS apps adopted by business units don’t undergo the same security vetting as those deployed by IT teams, and they broaden the potential attack surface. In this environment, organizations need to enforce baseline policies for all business-critical SaaS apps, and identify who has access to what data in those apps.