For years, security professionals have recognized the need to enhance SaaS security. However, the exponential adoption of Software-as-a-Service (SaaS) applications over 2020 turned slow-burning embers into a raging fire.
Organizations manage anywhere from thirty-five to more than a hundred applications. From collaboration tools like Slack and Microsoft Teams to mission-critical applications like SAP and Salesforce, SaaS applications act as the foundation of the modern enterprise. 2020 created an urgent need for security solutions that mitigate SaaS misconfiguration risks.
Recognizing the importance of SaaS security, Gartner named a new category, SaaS Security Posture Management (SSPM), to distinguish solutions that have the capabilities to offer a continuous assessment of security risks arising from a SaaS application's deployment.
To understand how security teams are currently dealing with their SaaS security posture and what their main concerns are, Adaptive Shield, a leading SSPM solution, commissioned an independent survey of 300 InfoSecurity professionals from North America and Western Europe, in companies ranging from 500 to more than 10,000 employees.
The results of the 2021 SaaS Security Survey Report present a picture of widespread SaaS application security concerns as well as uncovers less-than-best practices organizations are turning to de facto, while trying to manage the overwhelming amount of SaaS security configurations.
Understanding the SaaS Security Management Landscape
SaaS applications provide easy-to-use, scalable solutions that offer a wide variety of native security controls. However, ultimately the configuration of all the settings, user permissions, and compliance falls on the security professionals to manage.
SaaS Misconfiguration Worries
85% of respondents in the 2021 SaaS Security Survey Report cited SaaS misconfigurations as one of the top three risks facing their organization. Interestingly, the other security risks that topped the list - account hijacking and data leakage - as well as many of the others on the list, can also stem directly from SaaS misconfigurations. For example, a misconfiguration in Jira led to data leakage for many Fortune 500 companies, including potential exposure for email addresses and IDs, employee roles, current projects and milestones, and more.
|Figure 1 taken from the 2021 SaaS Security Survey Report|
More Apps Mean Less Monitoring
Although this seems counterintuitive at first, upon further thought, 'more apps means less monitoring' makes sense for the organization handling the monitoring process manually. The respondents to the survey report that as organizations continue to onboard more applications, the organization is less successful in monitoring their apps. In fact, according to the respondents, only 12% of companies using 50-99 applications engage in weekly misconfiguration checks.
With each app having its own design, settings, user roles, and distinct permissions, and in a dynamic environment with a steady turnover of employees, automatic software updates, and complex cross-department needs, it makes sense that organizations can lose control the more apps they onboard.
|Figure 2 taken from the 2021 SaaS Security Survey Report|
Delegating Security Impacts Risk
With the scope of the ever-growing portfolio of SaaS app estate, 52% of respondents report regularly putting responsibility for checking and maintaining SaaS security into the hands of the SaaS owner. The responsible parties are often in areas like Sales, Marketing, or Product. Unfortunately, these stakeholders often have little to no security background or skills.
SSPM Is a 2021 Top Priority
An SSPM's key capabilities enable secure cloud configuration:
- Compliance assessment
- Operational monitoring
- Risk identification
- Policy enforcement
- Threat assessment
As CSPM and CASB tools aren't built to address the challenges of a SaaS environment, SSPM has risen to the top of the enterprise agenda and is the top pick in terms of priorities in 2021. 48% of respondents named SSPM tools as the #1 item on their priority list.
Security teams want full and continuous visibility into their SaaS application security posture, and SSPM solutions provide these functionalities.
Automating SaaS Security with Adaptive Shield
Automating maintenance of security settings and controls can enable security teams to take control of their SaaS applications.
SaaS Security Posture Management (SSPM), like Adaptive Shield, offers a powerful platform designed uniquely to enable security teams to proactively maintain continuous security across their interconnected, divergent SaaS application estate.
Managing SaaS app security adaptively means complete visibility and threats across the whole SaaS app estate, from video conferencing platforms and customer support tools to HR management systems, dashboards and workspaces, and much more. Adaptive Shield:
- Leverages built-in security settings/controls to discover all gaps and fix them automatically proactively.
- Continuously monitors global settings and user privileges to verify there are no breaches or drifts.
- Offers a comprehensive bank of SaaS app integrations with more SaaS apps added by the week.
- Enables swift remediation for SaaS security issues from beginning to end.
- Displays the health of the organization's SaaS security posture in one place for data-driven decision making.
- Takes minutes to deploy for zero business disruption
By automating monitoring and enforcement with Adaptive Shield, security teams no longer need to delegate responsibility to app owners, or have no visibility to the management of the security settings of the SaaS.
Get the full 2021 SaaS Security Survey Report here, or reach out to one of Adaptive Shield's security experts about your own unique SaaS environment.