 
Features 19.09.2024
SaaS Data Breaches Are Surging: How Should Security Teams Respond?
What do SaaS customers need to do to harness the benefits of the cloud without inviting excessive cyber risk?
 
Software-as-a-service (SaaS) has come to be viewed as a generally more secure alternative to internally hosted applications. After all, customers benefit from a dedicated software provider with a market-driven imperative to protect customer data. However, not all suppliers are created equal, and data and access security are still the customer’s responsibility. The truth is that nearly a third (31%) of global organisations suffered a breach of data in their SaaS applications last year, up five percentage points from the previous 12 months, according to a recent study by AppOmni.
So, what do SaaS customers need to do to harness the benefits of the cloud without inviting excessive cyber risk?
Gartner expected the market for SaaS solutions to grow 18% year-on-year (YoY) to reach $232.3bn in 2024 – around a third of the total spend on public cloud services worldwide. It’s not surprising. SaaS apps are convenient, especially in a hybrid working, mobile-centric world. And where skills and resources are tight, it also makes sense to hand over the hosting and back-end management of applications to a dedicated provider.
But there are challenges. The data stored in ERP, CRM and other critical business applications is absolutely mission-critical. Respondents to AppOmni’s poll claim loss of IP, reputational fallout and customer data compromise are their biggest concerns in 2024. Always keen to spot and exploit security gaps, threat actors increasingly focus on SaaS providers and their customers. Configuration errors by enterprise customers give them even more to aim at.
The report highlights several key security challenges with SaaS deployments.
Half (50%) of respondents claim that responsibility for securing SaaS rests entirely with the business owner, with just 15% stating that responsibility is centralised in the cybersecurity team. This may improve productivity, but it dilutes the accountability and control needed to secure deployments.
Business units and individual employees often bypass traditional IT procurement processes with third-party SaaS apps that integrate with core SaaS platforms. The report shares examples such as Salesforce integration with Slack. But this creates SaaS sprawl, which again makes security harder. You can’t protect what you can’t see. A third (34%) of respondents claim they don’t know how many SaaS apps are deployed in their organisation.
“From a technology perspective, we need visibility into new SaaS applications and services,” IANS Research faculty member, Wolfgang Goerlich, tells Assured Intelligence. “If we see them coming onboard and they follow our operating model, we’re good to proceed. If not, this visibility ensures we can correct the process and educate people on it. Each change is an opportunity to reinforce centralised governance.”
The vast majority (90%) of respondents claim their organisation has policies to allow only the use of sanctioned apps. But a third claim these policies aren’t strictly enforced. That share has risen by 12 percentage points since 2023. This challenge is compounded by the problem of unsanctioned apps which don’t go through the same security vetting as those deployed by the IT team.
Organisations understand the need to secure their SaaS environments during the procurement phase. Some 87% perform audits on installation, for example. But few maintain continuous SaaS security, and nearly one in 10 say they don’t even carry out audits because they rely on ‘trusted’ SaaS companies.
Organisations rely on various security controls to manage risk in their SaaS environments. These include SIEM (38%), endpoint protection (38%), CASB (28%), and API-based security (26%). Many (43%) also use SaaS security posture management (SSPM), although exactly what these tools contain may vary from vendor to vendor, the report claims. Others apparently rely on custom tools or even managed service providers.
Part of the challenge is that many organisations are still not 100% clear on the shared responsibility model that governs cybersecurity in the cloud. Although the perception is that SaaS vendors handle compliance, identity and access management (IAM), and app controls, the truth is more nuanced.
According to the report, the customer has an important part to play in all three areas:
“You can have a securely developed and operated SaaS product that comes with strong security features, but all of that is meaningless if a customer doesn’t effectively use those security features, fails to monitor activities within the applications, or simply misconfigures the product to allow unintended access or data exposures,” AppOmni co-founder and CTO, Brian Soby, tells Assured Intelligence.
SaaS adoption will only grow as more organisations eschew the CapEx burden presented by on-premises hosting of enterprise applications and seek to support more flexible and resilient working practices. As they do so, security must be front of mind, even as business units try to circumvent cybersecurity teams.
The report recommends the following three-point plan:
“It’s not enough to stop at Zero Trust Network Access (ZTNA) and Security Service Edge (SSE) without filling the gap with approaches like Zero Trust Posture Management (ZTPM) that address the security of the applications,” argues Soby.
“Most recently, the industry saw a vivid example of this gap with the breaches of Snowflake customers. They were entirely related to the customer configuration of their Snowflake instances. Had those customers included the security of their SaaS apps within their security architectures, those losses would have been avoided.”
Obsidian Security CISO, Alfredo Hickman, adds that simple steps, such as banning SaaS purchases on personal cards and using financial approval as a gate into third-party risk assessment, can help to kick start an effective SaaS security governance programme.
“SaaS governance is the closest thing we have to ‘shift left’ in SaaS security. Some of the top benefits of SaaS, such as speed and ease of deploying, accessing, and integrating with SaaS are many of the same things that cause security challenges down the road,” he tells Assured Intelligence.
“With SaaS, just about anyone with an email address and a credit card can purchase, configure, and deploy a SaaS app within your organisation, often unilaterally and with little to no insight or support from IT. Before you know it, an organisation can have many SaaS applications deployed and potentially many instances of the same application deployed throughout the enterprise, with all sorts of corporate data flowing within the applications and their many integrations. This is a major problem. However, this is a problem that effective governance programmes can address early.”
IANS Research’s Goerlich argues that organisations ultimately need to focus on doing the simple things well.
“One of the least flashy aspects of cybersecurity has become one of the most important. Leaders need shared operating models, clear roles, and responsibilities,” he explains. “These need to be established, agreed upon, communicated and upheld. This provides centralised governance so the organisation can quickly adopt SaaS apps while ensuring these apps integrate into a security architecture and control framework.”
Above all, security teams need better intelligence on how SaaS apps are used, Goerlich says.
“Our control often stops the moment a person launches the application. We need better access controls, analytics, data loss prevention, and more around what people do within the app environment,” he concludes. “Otherwise, we have recreated the ‘crunchy exterior, chewy interior’ security model – the only difference is, we’ve moved the chewy interior from the network layer to the application layer.”