The rapid adoption of SaaS solutions, accelerated by trends such as remote work, cloud computing, big data, and Generative AI (GenAI), has brought significant benefits to organizations. However, this transformation also introduces new attack surfaces and unique challenges for security teams, who must now consider how to secure the intricate web of SaaS usage across their organization.
Today, the SaaS security landscape is characterized by several key themes and issues:
- Credential Theft and Stuffing: This trend is fueled by dark web marketplaces where breached credentials are bought, sold, and traded, making it easy for attackers to carry out credential stuffing attacks.
- Shadow SaaS: The explosion of unauthorized SaaS apps has led to a rise in employees inadvertently exposing sensitive data. Trial or demo accounts are a main source of shadow SaaS.
- SaaS Sprawl: In 2023, the average number of SaaS apps used by a business reached 473, and our numbers indicate a further increase this year. Now consider that each app has its own security settings and considerations, and you have a recipe for a great deal of security overhead.
- Data Sprawl: Combine the challenges introduced by SaaS sprawl, shadow SaaS, and the adoption of GenAI, and you have sensitive data residing everywhere. Keeping track of it all is a full-time job on its own.
- SaaS Shared Responsibility Model: While SaaS vendors provide varying degrees of security controls, it's up to customers to configure them correctly. Misconfigurations expose sensitive data and create vulnerabilities. Organizations must take ownership of securing their SaaS environments by properly configuring and monitoring the settings and activity across their applications.
The first annual SaaS security report, "State of SaaS Security 2024," was conducted by SaaS security leader Reco. Drawing from our analysis of over 6,600 SaaS environments from over 50 enterprises across all verticals, this report provides an unprecedented, data-centric view into the SaaS security landscape in 2024 as CISOs prepare to set priorities for 2025.
Download the full State of SaaS Security 2024 Report
Key findings:
Generative AI Surge: Tool Adoption Is Increasing Year-Over-Year
Organizations are rapidly adopting Generative AI tools like copilots, with the average company now using 17 GenAI applications, up from 13 (+30.7%) in July. While beneficial, these tools introduce new security challenges, especially when integrated with critical resources like shared organization storage drives.
The key to mitigating risks posed by GenAI apps is setting clear policies on AI tool usage, carefully vetting AI vendors for security and compliance standards, implementing data protection measures like data anonymization, and establishing oversight committees to monitor AI use within the organization.
At Reco, we expect the adoption of AI to increase exponentially over the coming years. There is no better time than now to implement a security strategy to secure the use of AI in your organization.
Figure: GenAI adoption is surging year-over-year
The Continued Explosion of Unauthorized Apps
Organizations are utilizing an average of 490 SaaS applications per customer—a 3.7% increase from 2023. Alarmingly, on average only 229 of these apps are officially authorized, leaving 261 apps on average outside the purview of security teams.
While securing usage of approved SaaS apps is already difficult enough, it's nearly impossible to secure unauthorized usage. Security teams simply cannot secure what they're not aware of. Unauthorized apps expand an organization's attack surface, making it more susceptible to security breaches, data leaks, and compliance failures. This unchecked expansion of SaaS applications presents a critical challenge for organizations striving to maintain effective governance and data integrity.
To combat this, organizations must implement robust governance and app procurement frameworks, such as centralized SaaS management platforms and stringent approval processes, to effectively oversee this sprawl and mitigate associated security risks.
Figure: Usage of unauthorized apps continues to increase
Illuminating Shadow SaaS: 1 in 4 Apps Fly Under the Radar
Shadow SaaS accounts for 26% of all SaaS usage within organizations, with an average of 129 shadow SaaS apps per company. This significantly expands an organization's attack surface, as well as the risk of data breaches and non-compliance.
To mitigate these risks, organizations should balance innovation with governance by implementing employee education programs, conducting regular software usage audits, and deploying SaaS discovery solutions to enhance visibility.
Figure: Nearly 26% of connected SaaS apps are unauthorized
The MFA Gap: 1 in 10 Accounts Are Still Vulnerable
Despite progress, 9.5% of user accounts—including many administrative accounts—don't have Multi-Factor Authentication (MFA) enabled. This oversight is a significant security risk. Accounts without MFA are easy targets for attackers using phishing or credential stuffing techniques. The risk is especially high with administrative accounts; if compromised, attackers could gain full access to your systems and sensitive data.
Organizations must enforce MFA across all users without exception, prioritize securing over-privileged accounts, train users on why MFA matters, and consider advanced authentication methods like single sign-on (SSO) and biometrics to better protect access to sensitive data and critical apps.
Figure: A positive sign: nearly 90.5% of accounts have enabled MFA
Data Leak Dangers: Preventing Misconfigurations in Enterprise SaaS
Our analysis across 50+ environments and over 6,600 applications found critical misconfigurations in popular SaaS platforms. 91% of Salesforce instances had public file sharing enabled without password protection, increasing the risk of unauthorized access. Similarly, 78.7% of Snowflake instances had the PREVENT_UNLOAD_TO_INLINE_URL parameter set to false, exposing sensitive data to potential exfiltration. When paired with other misconfigurations, this opens organizations up to data breaches.
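The Snowflake finding above is a single account-level parameter, so it is straightforward to audit and correct. The following is an added example written for this post, not a query from the report or from Reco's tooling; it assumes a Snowflake session with a role permitted to run SHOW PARAMETERS and ALTER ACCOUNT (ACCOUNTADMIN or an equivalent delegated role). The SHOW output column names ("key", "value", "default", "level") are Snowflake's own.

```sql
-- Added example (not from the report): audit and remediate the Snowflake
-- PREVENT_UNLOAD_TO_INLINE_URL setting described in the finding above.

-- 1. Read the current account-level value of the parameter.
SHOW PARAMETERS LIKE 'PREVENT_UNLOAD_TO_INLINE_URL' IN ACCOUNT;

-- 2. Flag the weak setting: a row is returned only when the value is not 'true',
--    i.e. when COPY INTO an inline cloud-storage URL is still allowed.
SELECT "key", "value", "default", "level"
FROM TABLE(RESULT_SCAN(LAST_QUERY_ID()))
WHERE "value" <> 'true';

-- 3. Hardened setting: require unloads to go through named stages, which
--    are governed by explicit grants, instead of arbitrary inline URLs.
ALTER ACCOUNT SET PREVENT_UNLOAD_TO_INLINE_URL = TRUE;

-- 4. Re-run the check; the SELECT in step 2 should now return no rows.
SHOW PARAMETERS LIKE 'PREVENT_UNLOAD_TO_INLINE_URL' IN ACCOUNT;
SELECT "key", "value", "default", "level"
FROM TABLE(RESULT_SCAN(LAST_QUERY_ID()))
WHERE "value" <> 'true';
```

The two-step SHOW / RESULT_SCAN pattern is used because SHOW commands cannot be filtered with WHERE directly; scanning the last result set turns the check into something a scheduled task or CI job can run and alert on. Step 3 changes account-wide behaviour, so confirm that existing unload jobs already use named stages before applying it in production.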
Figure: Misconfigurations identified during onboarding that can lead to exposure
These findings illustrate the complexity that security teams must navigate as they secure SaaS usage across their organizations. As SaaS usage continues to grow, it's crucial for organizations to implement security strategies that address unauthorized app usage, identity management, and emerging technologies.
In this report, we also provide the insights and guidance needed to ensure the secure deployment and usage of SaaS apps across your organization. By better understanding these trends and challenges, organizations can leverage the full benefits of SaaS while staying secure.
Read the full State of SaaS Security 2024 Report now
About the Author: Andrea is the Head of Marketing at Reco, responsible for driving demand and growth in SaaS security. Andrea is a cybersecurity veteran, having supported various security companies across growth milestones from Seed round to acquisition. She is passionate about growing businesses and teams to drive profitable outcomes and better well-being for CISOs and security practitioners.
Andrea Bailiff-Gush — Head of Marketing at Reco