Software-as-a-Service platforms have always been focal points of cybersecurity risks. A recent investigation reveals that these dangers are still a top concern for 78% of technology leaders in the United States as more SaaS applications make their way into corporate environments.
Despite companies giving priority to data privacy and security, their ongoing dependence on SaaS and cloud services leaves them vulnerable, as outlined in The SaaS Disruption Report: Security & Data by Onymos and Enterprise Strategy Group.
Shiva Nathan, founder and CEO of Onymos, told TechRepublic that a significant risk of this dependency is that when organizations acquire a SaaS platform to speed up app development, they have to give the third-party SaaS provider access to their data in exchange.
Granting such access could result in cyber attacks and inadvertent data exposure. This is especially concerning now that businesses rely, on average, on more than 130 SaaS applications, compared with just 80 in 2020, Nathan elaborated.
“That marks a 62% surge,” he noted. “Each of these [SaaS applications] represents a new vulnerability for malicious actors, both state-sponsored and non-state actors, to exploit. And they are exploiting them. Software supply chain attacks are increasing, particularly targeting the healthcare sector, which had to shift to a remote care model during the COVID-19 pandemic.”
In order to facilitate that transition, healthcare institutions have traditionally depended on third-party suppliers, Nathan added. The report highlights other industries heavily reliant on SaaS applications, including:
- Government.
- Logistics and supply chain.
- Manufacturing.
- Retail.
- Banking and financial services.
- Education.
Gartner has predicted that by 2025, 45% of organizations globally will have encountered attacks on their software supply chains. The report reinforces this forecast, with nearly half (45%) of technology leaders reporting that they experienced a cyber incident through a third-party SaaS application in the past 12 months.
The Significance of Data Preservation
The study, derived from insights provided by 300 leaders in app development, IT, and security, also found that 91% of respondents stressed the vital importance of data retention for internally developed custom applications, underscoring its prominence among their app development priorities.
Nathan expressed surprise at this statistic, noting that these “technology leaders acknowledge the critical nature of data preservation but continue to heavily depend on SaaS. There is evidently a conflict within these organizations between speed-to-market and data ownership,” he remarked. “This tension has always been present, but it is intensifying.”
Technology Leaders’ Main Concerns
Nearly three-quarters (72%) of the surveyed leaders highlighted “security” as a primary focus, closely followed by 65% who pointed out “data confidentiality.”
These focus areas were also mirrored in the project assignments, responsibilities, and activities within organizations’ app and software development efforts, the report confirmed. Three of the top five priorities were:
- Ensuring data confidentiality (60% identified it as a top or primary priority).
- Developing secure applications (49% identified it as a top or primary priority).
- Maintaining complete control over data ownership (42% identified it as a top or primary priority).
The survey also disclosed that 65% of internally created applications are business-critical, and just 36% of tech leaders have all their applications hosted on-premise or on private cloud platforms.
Enhanced Focus on Security Posture for SaaS Applications
Given the elevated concerns regarding data security, organizations need to review their existing business strategies for utilizing SaaS and cloud services, as stated in the Onymos/ESG report.
“Currently, it is commonplace to hear technology leaders discussing their ‘security posture’ — however, having a ‘data posture’ is equally important,” Nathan emphasized. “This involves questioning what data is being shared with SaaS vendors for their service; is that data truly necessary for them; what exactly are they doing with it; and where is it being utilized.
“The emergence of AI products and services only heightens the need for answers to these queries,” he added.
The report offers several recommendations, including a substantial departure from prevailing SaaS and cloud practices by embracing principles rooted in “no-data” architecture, which prioritize data privacy and security.
“This architectural approach allows businesses to retain complete ownership and authority over their data, eliminating the need for data sharing or access grants to third-party SaaS and cloud vendors, thus reducing associated risks,” the report explained. “Businesses should also be permitted to possess and adapt the code connected with the SaaS solutions they use for their app and software development.”
This empowers enterprise engineering teams to scrutinize and evaluate the code as if they were the original creators, the Onymos/ESG report highlighted. “Through this method, organizations can have full assurance in the code’s legitimacy, dependability, and security,” the report asserted.
Furthermore, IT departments should prioritize and routinely conduct thorough security audits and penetration tests on third-party entities. “This assessment should cover the path of the organization’s data through various apps and SaaS solutions, enabling the identification and mitigation of unintended data access and sharing concerns,” the report recommended.
