A recent study found that 31% of organizations experienced a SaaS data breach in the previous 12 months, a 5% increase. The rise may be linked to insufficient visibility into the applications in use, including third-party connections to core SaaS platforms.
Nearly half of the companies using Microsoft 365 believe they have fewer than 10 applications connected to the platform; aggregated data in the report, however, shows an average of more than a thousand connections. A third admitted they did not know how many SaaS applications were deployed in their organization.
SaaS applications: A favored target for cybercriminals
The “State of SaaS Security 2024 Report” was produced by security platform AppOmni from a survey of 644 firms in the U.S., U.K., France, Germany, Japan and Australia conducted in February and March 2024; nearly half of the respondents have more than 2,500 employees.
The authors stated that business units or individual employees frequently bypass traditional IT procurement processes to adopt new third-party SaaS apps that integrate seamlessly with their core SaaS platforms.
Notably, a recent Onymos report unveiled that on average, enterprises now depend on more than 130 SaaS applications, compared to just 80 in 2020.
SaaS applications remain a prime target for cybercriminals because of the sensitive data they store, the many entry points created by broad adoption and integration with other services, and their dependence on cloud environments that are often misconfigured.
Gartner has predicted that 45% of organizations worldwide will have experienced attacks on their software supply chains by 2025.
Decentralised security governance alongside SaaS app deployment is creating potential gaps
Another factor is the gradual shift toward decentralized security governance, which blurs responsibilities and, as a result, creates risky gaps.
SaaS has largely replaced on-premises software, which could be protected with physical measures such as cameras and guards. Because SaaS is cloud-based, accessed from many devices and used by many types of users, its security and governance have become diffuse.
Only 15% of the survey participants stated that accountability for SaaS security is centralized within the organization’s cybersecurity team.
“The virtues of decentralized operations are met with blurred lines of responsibility between the CISO, business heads, and the cybersecurity team,” highlighted the report’s authors. “Changes necessary for comprehensive SaaS security often play second fiddle to business objectives, even as business unit leaders lack the expertise to deploy security controls.”
They further remarked, “And as there is substantial autonomy at the application owner level concerning security controls, implementing consistent cybersecurity measures to counter app-specific vulnerabilities becomes challenging.”
Scrutiny of SaaS apps falls below par — even those authorized by the company
Virtually all respondent organizations have a policy that SaaS apps must meet established security standards before going live. Nevertheless, 34% said that enforcement of these rules is lenient, a 12% increase from the 2023 survey.
Confusion over responsibilities between business leaders and IT teams, combined with the eagerness to realise efficiency gains quickly, often means apps go live without thorough security vetting.
Moreover, only 27% of respondents are confident in the security of their sanctioned apps. Fewer than a third are confident in the security of their company's or customers' data stored in enterprise SaaS apps, a 10% drop from the previous year.
The report’s authors opined, “SaaS apps profoundly differ in their handling of policies, occurrences, and controls to manage access and approvals. Consequently, the ad hoc management of policies on a per-application basis can lead to inconsistent enforcement.”
Guidelines for creating a safe SaaS environment
The AppOmni team outlined various steps to secure a SaaS environment:
- Survey the SaaS estate to identify the attack surface and ascertain access levels, prioritising apps that handle and process mission-critical information.
- Specify the functions and obligations of security professionals and business leaders, and draft standard operating procedures for processes such as adding new apps, configuring policy baselines, and managing user access.
- Enforce strict permissions and precise threat detection across the SaaS estate to reduce alert volume and enable systemic fixes.
- Introduce detection and approval policies for linked SaaS apps and OAuth connections, not just primary applications. Utilize the open-source SaaS Event Maturity Matrix to evaluate supported events for the connected apps.
- Formulate an incident response strategy emphasizing immediate action for SaaS threats and incidents, comprising assessment, investigation, mitigation, and disclosure.
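The first and fourth steps above, inventorying the SaaS estate with its access levels and putting approval policies on connected apps and OAuth connections, come down to reviewing what each connected app has actually been granted; it is also the check that exposes the gap noted earlier between the fewer-than-10 connections organizations believe they have and the thousand-plus the report measured. The script below is an added example, not AppOmni's code or anything from the report: it triages delegated OAuth grants from a constructed export whose field names are modeled on Microsoft Graph's oauth2PermissionGrants and servicePrincipal objects (the sample apps, IDs, user IDs and the scope lists are assumptions for illustration), flagging grants with broad scopes, tenant-wide admin consent, or an unverified publisher, and ranking them for review.

```python
"""Triage delegated OAuth grants from a constructed SaaS-platform export.

Added example (not from the report or AppOmni). The input shape is modeled on
Microsoft Graph's oauth2PermissionGrants and servicePrincipal objects; the
sample apps, IDs and scope baselines below are assumptions for illustration.
"""
from dataclasses import dataclass

# Scopes that give an app broad read/write over tenant data. Any grant
# containing one of these is treated as risky regardless of who consented.
HIGH_RISK_SCOPES = {
    "Mail.ReadWrite", "Mail.Send", "Files.ReadWrite.All", "Sites.ReadWrite.All",
    "Directory.ReadWrite.All", "User.ReadWrite.All", "full_access_as_app",
}
# Least-privilege baseline a typical sign-in integration needs (assumption).
BASELINE_SCOPES = {"openid", "profile", "email", "offline_access", "User.Read"}

# Constructed sample export: four connected apps and their delegated grants.
SERVICE_PRINCIPALS = [
    {"id": "sp-1", "appId": "a1", "displayName": "Calendar Sync Helper",
     "verifiedPublisher": {"verifiedPublisherId": None}},
    {"id": "sp-2", "appId": "a2", "displayName": "Doc Viewer",
     "verifiedPublisher": {"verifiedPublisherId": "pub-42"}},
    {"id": "sp-3", "appId": "a3", "displayName": "HR Connector",
     "verifiedPublisher": {"verifiedPublisherId": "pub-77"}},
    {"id": "sp-4", "appId": "a4", "displayName": "Directory Cleanup Bot",
     "verifiedPublisher": {"verifiedPublisherId": "pub-99"}},
]
GRANTS = [
    # Admin-consented for every user, broad mail access, unverified publisher.
    {"clientId": "sp-1", "consentType": "AllPrincipals", "principalId": None,
     "scope": "openid offline_access Mail.ReadWrite Mail.Send"},
    # One user consented; read-only files access beyond the baseline.
    {"clientId": "sp-2", "consentType": "Principal", "principalId": "u-7",
     "scope": "User.Read Files.Read.All"},
    # Sign-in only: nothing to flag.
    {"clientId": "sp-3", "consentType": "Principal", "principalId": "u-9",
     "scope": "openid profile email User.Read"},
    # Verified publisher, single user, but a directory-write scope.
    {"clientId": "sp-4", "consentType": "Principal", "principalId": "u-3",
     "scope": "User.Read Directory.ReadWrite.All"},
]


@dataclass
class Finding:
    app: str
    client_id: str
    severity: str
    reasons: list


SEVERITY_ORDER = {"high": 0, "medium": 1, "low": 2}


def triage_grants(service_principals, grants):
    """Return one Finding per grant that exceeds the baseline, highest severity first."""
    sp_by_id = {sp["id"]: sp for sp in service_principals}
    findings = []
    for g in grants:
        sp = sp_by_id.get(g["clientId"], {})
        scopes = set(g.get("scope", "").split())
        tenant_wide = g.get("consentType") == "AllPrincipals"
        risky = scopes & HIGH_RISK_SCOPES
        beyond = scopes - BASELINE_SCOPES - HIGH_RISK_SCOPES
        reasons = []
        if risky:
            reasons.append("high-risk scopes: " + ", ".join(sorted(risky)))
        if beyond:
            reasons.append("scopes beyond baseline: " + ", ".join(sorted(beyond)))
        if tenant_wide:
            reasons.append("tenant-wide (admin) consent")
        if not (sp.get("verifiedPublisher") or {}).get("verifiedPublisherId"):
            reasons.append("publisher not verified")
        if not reasons:
            continue  # within baseline: nothing to review
        if risky and tenant_wide:
            severity = "high"
        elif risky or tenant_wide:
            severity = "medium"
        else:
            severity = "low"
        findings.append(Finding(sp.get("displayName", "<unknown app>"),
                                g["clientId"], severity, reasons))
    return sorted(findings, key=lambda f: (SEVERITY_ORDER[f.severity], f.app))


def summarize(findings):
    """Count findings per severity, for a quick estate-wide view."""
    counts = {"high": 0, "medium": 0, "low": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts


if __name__ == "__main__":
    results = triage_grants(SERVICE_PRINCIPALS, GRANTS)
    for f in results:
        print(f"[{f.severity.upper()}] {f.app} ({f.client_id}): " + "; ".join(f.reasons))
    print(summarize(results))
```

Against the sample export the tenant-wide, unverified mail integration ranks first, the verified single-user app with a directory-write scope second, and the read-only file viewer last; the sign-in-only connector produces no finding. In practice the baseline and high-risk sets are the policy the report asks security and business owners to agree on, and the same logic applies to application (client-credential) grants, which have no consenting user at all and deserve the tenant-wide treatment.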
The CEO and co-founder of AppOmni, Brendan O’Connor, remarked in the report: “Relying solely on SaaS vendors as the main security providers for your SaaS estate is obsolete.
“Given that the SaaS estate serves as the operating system of business, the necessity of a well-organized security program, organizational consensus on responsibility and liability, and continual large-scale monitoring are indispensable.”
