The cybersecurity community has been buzzing about JPMorgan Chase CISO Pat Opet's open letter to third-party suppliers since its release right before RSA. This candid assessment from the security leader of one of the world's largest financial institutions has struck a chord, particularly his observations about SaaS security.
Opet didn't mince words: "SaaS models are fundamentally reshaping how companies integrate services and data—a subtle yet profound shift eroding decades of carefully architected security boundaries."
This statement encapsulates a reality that security professionals have been grappling with: the traditional security perimeter has dissolved, replaced by a complex web of interconnected SaaS applications, each with its own configurations, access controls, and data sharing capabilities.
Let's break down the key issues highlighted in Opet's letter and explore practical solutions.
The New SaaS Security Challenges
OAuth Vulnerabilities: Single-Factor Authentication
While we've made significant progress in securing human access to applications through multi-factor authentication, app-to-app connections remain a blind spot. OAuth tokens—the primary mechanism for SaaS applications to connect to each other—lack the equivalent of 2FA.
Opet says, "In practice, these integration models collapse authentication (verifying identity) and authorization (granting permissions) into overly simplified interactions, effectively creating single-factor explicit trust between systems on the internet and private internal resources. This architectural regression undermines fundamental security principles that have proven durability."
Once a token is compromised, attackers can often move laterally across your SaaS ecosystem without triggering traditional security controls. These tokens are particularly valuable targets because they frequently have persistent access and broad permissions that exceed what individual users might have.
[Figure: Risky OAuth Connection - Boomerang and Gmail]
As a vivid example, consider popular Gmail add-ons like Boomerang (see above): they require full access to your email, calendar, and contacts to function. That's essentially handing over the keys to your inbox and schedule – a massive concentration of trust. In fact, Boomerang's own support pages admit it needs access to the full email data to send and schedule messages. That kind of broad OAuth scope might be convenient, but it's a honeypot for attackers.
Interconnected Systems: The Ripple Effect
The catastrophic CrowdStrike outage of July 2024 demonstrated how deeply interconnected our SaaS systems have become. A flawed update to a single security product rippled across industries worldwide, grounding flights, shutting down hospitals, and disrupting financial systems.
This incident highlighted that we're no longer just dependent on our direct SaaS providers—we're dependent on their entire supply chain as well. The challenge isn't just securing our applications. It's understanding the complex web of interdependencies between them and increasing resilience against supply chain issues.
Fourth-Party Risk: Sprawling Data
Third-party risk management has been a focus for years, but fourth-party risk—the risk introduced by your vendors' vendors—remains largely invisible. When your SaaS provider integrates with another service to deliver functionality, your data may flow to this fourth party without your knowledge or explicit consent.
These hidden data flows create the phenomenon of "Data Sprawl": data travels from your SaaS apps beyond security's purview of control. This causes significant compliance and security challenges, especially when sensitive data crosses geographic or regulatory boundaries. Most organizations have no visibility into these connections, let alone effective controls.
Privileged Access Without Consent
Opet calls out a particularly concerning trend: "software providers gaining privileged access to customer systems without explicit consent or transparency." This issue made headlines last December when the US Treasury discovered that a BeyondTrust backdoor admin account had been compromised by Chinese state-backed threat actors. Customer support accounts with full tenant access to customer environments are not uncommon in SaaS, as in the case of the SailPoint app.
Many organizations are unaware of the privileged access their SaaS providers maintain to their environments. Without visibility into these access paths, organizations cannot effectively manage the associated risks.
GenAI Risks: Data Leaks Through More Pathways
The explosive growth of generative AI introduces yet another layer of complexity to SaaS security. These agents often require broad access to function effectively, creating new attack surfaces and data exposure risks.
As an example, consider a Zoom AI companion that transcribes all your calls. This AI documents all your meetings, potentially including confidential business strategies, customer information, or internal discussions. While the transcription service offers productivity benefits, it also creates an entirely new repository of sensitive data that may be accessed by unauthorized users or nefarious actors. Does your organization have governance controls that verify which AI tools are processing your sensitive conversations, what permissions they've been granted, and how that data is being stored and shared?
This scenario multiplies across dozens of similar AI-enhanced tools, each collecting and processing different slices of your enterprise data, often without security's knowledge.
Then there are risky GenAI tools that fly under the radar. When DeepSeek was first introduced, we scanned our customer environments for signs of usage. Within 24 hours of the platform's release, our analysis revealed that a major financial institution—despite having explicit policies prohibiting such tools—had already accumulated over 500 employee registrations.
[Figure: AI Sprawl Security Challenges]
Identity Sprawl: Access Points Multiply
It's not enough to secure the app alone; security is a combination of the app and the identities that use it. Even if you configure Salesforce well, check all the boxes for best practices, and enable SSO, your SaaS identities can still put data at risk. I'll share an example: imagine a Salesforce admin creates a local account for a contractor with no MFA. Now you have a weak link that could easily be exploited for access into that tool.
It's not just human identities; it's also non-human identities: service accounts, API keys, OAuth connections, plugins, and machine identities. Unlike human users, these digital identities often bypass security measures, operating with elevated privileges, minimal oversight, and weak authentication. The risks are substantial: a forgotten service account can provide persistent access long after an employee leaves; an AI agent's credentials could be leveraged to access sensitive data across multiple systems; or an employee could install a plugin before leaving the company and keep direct access to your SaaS tools even after they're formally offboarded.
Compounding the problem, most organizations lack visibility into these identities. Security teams can't protect what they can't see, and the average enterprise now has more non-human than human identities accessing their SaaS ecosystem.
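The over-broad OAuth grants described in the Boomerang example above and the weak links in this section (a local account without MFA, a forgotten service account) can both be caught by auditing an inventory of grants and identities. This is an added example, not Reco's code or anything from the original post: the inventory records, field names and the 90-day staleness threshold are constructed assumptions; the Google scope URIs are the real Gmail, Calendar and Contacts scopes.

```python
from datetime import date

# Google OAuth scopes that grant full read/write access to the whole resource
FULL_ACCESS_SCOPES = {
    "https://mail.google.com/",                   # entire Gmail mailbox
    "https://www.googleapis.com/auth/calendar",   # read/write calendar
    "https://www.googleapis.com/auth/contacts",   # read/write contacts
}
STALE_DAYS = 90  # assumed threshold for "forgotten" service accounts

# Constructed sample inventory (not real data); field names are assumptions.
OAUTH_GRANTS = [
    {"app": "Boomerang", "user": "alice@example.com",
     "scopes": ["https://mail.google.com/",
                "https://www.googleapis.com/auth/calendar"]},
    {"app": "ReadOnlyDashboard", "user": "bob@example.com",
     "scopes": ["https://www.googleapis.com/auth/gmail.readonly"]},
]
IDENTITIES = [
    {"name": "contractor1", "kind": "human", "auth": "local",
     "mfa": False, "last_login": date(2025, 5, 1)},
    {"name": "alice", "kind": "human", "auth": "sso",
     "mfa": True, "last_login": date(2025, 5, 2)},
    {"name": "svc-export", "kind": "service", "auth": "api_key",
     "mfa": False, "last_login": date(2024, 11, 1)},
]

def risky_grants(grants, full_scopes=FULL_ACCESS_SCOPES):
    """Return (app, user, full-access scopes) for each over-broad grant."""
    out = []
    for g in grants:
        hits = sorted(set(g["scopes"]) & full_scopes)
        if hits:
            out.append((g["app"], g["user"], hits))
    return out

def risky_identities(identities, today=None, stale_days=STALE_DAYS):
    """Flag local accounts without MFA and service accounts idle too long."""
    today = today or date.today()
    findings = []
    for i in identities:
        if i["kind"] == "human" and i["auth"] == "local" and not i["mfa"]:
            findings.append((i["name"], "local account without MFA"))
        if i["kind"] == "service" and (today - i["last_login"]).days > stale_days:
            findings.append((i["name"], "service account idle > %d days" % stale_days))
    return findings

if __name__ == "__main__":
    for finding in risky_grants(OAUTH_GRANTS) + risky_identities(IDENTITIES):
        print(finding)
```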
[Figure: The Challenge of Identity Sprawl]
Opet leaves us with a call to action: "We must establish new security principles and implement robust controls that enable the swift adoption of cloud services while protecting customers from their providers' vulnerabilities. Traditional measures like network segmentation, tiering, and protocol termination were durable in legacy principles but may no longer be viable today in a SaaS integration model. Instead, we need sophisticated authorization methods, advanced detection capabilities, and proactive measures to prevent the abuse of interconnected systems."
He calls for a new paradigm of solutions to address the new, SaaS-driven landscape. At the end of the letter, he also calls upon vendors to prioritize "secure by default" designs over speed-to-market of new features.
Moving Forward: The Need for Dynamic SaaS Security
Opet's letter is a wakeup call, but it also leaves security leaders with a question: what now? Traditional security approaches are static, focusing on set-in-stone perimeters and flagging activity based on pre-programmed signatures.
But today's SaaS landscapes are dynamic, ever-evolving, and expanding across unstable boundaries. So how can we implement security that evolves with the times?
Dynamic SaaS Security, by Reco, can help. Here's how Reco addresses the challenges detailed in Opet's letter:
- OAuth token identification: Reco automatically tracks every OAuth-based link between your apps ("app-to-app discovery") and builds a Knowledge Graph of who's connected to what (see image below).
- Full SaaS mapping: Reco tracks all SaaS-to-SaaS connections and maps relationships between apps, users, and data so you can spot risky permissions before they're abused.
- Identifying fourth-party data sharing: Reco detects when your data and resources are being shared beyond the third-party boundary by continuously monitoring access patterns and data flows.
- Monitoring built-in admin accounts: Reco continuously monitors the activity of built-in admin accounts to detect unusual behavior, enabling security teams to take swift action in the event of a potential compromise.
- SaaS identity threat detection & response (ITDR): Reco monitors your SaaS environment for signs of compromise on the identity level. It flags suspicious authentication events, unusual access patterns, privilege escalation attempts, and token misuse.
- Identity and access governance: Reco scans your environment for identities (both human and non-human) with risky permissions, offering remediation steps to tighten controls.
- AI governance: Reco provides a governance solution that helps organizations:
- Discover all AI-enabled applications and agents in their environment
- Monitor data accessed and processed by AI systems
- Detect unusual or excessive permissions granted to AI tools
- Identify potential data leakage through AI channels
- Identify risky user permissions, like guest accounts with access to AI copilots
[Figure: Reco Alerts for Risky SaaS Usage]
[Figure: Reco Alerts for Risky Identity Behavior]
Learn more about Reco on our website at reco.ai or download the white paper: Secure AI Copilots and Agents to dive deeper into this topic.
About the Author: Ofer Klein is the Cofounder and CEO of Reco. Ofer is a former Israeli pilot and a serial entrepreneur with vast experience in building and growing GTM teams at SaaS companies in the US. He is passionate about leading solutions for the distributed workforce.