What is SaaS security?
Nearly every organization uses at least one software-as-a-service (SaaS) application, and many use hundreds. The SaaS market is forecast to see sustained double-digit growth through 2027 (Gartner). A key growth driver is AI functionality, which is being integrated into many SaaS applications. According to a Forbes article, companies will invest in AI-powered SaaS apps to boost productivity and automate tasks.
SaaS apps, which are hosted in the cloud, are exposed to specific risks. Their vulnerabilities include a broad and expanding external attack surface, open access from anywhere, integration with other applications, and the use of public cloud services with their own security issues.
One of the unique aspects of SaaS security is the division of responsibility between the application provider and the customer. While providers oversee the security of their platform, including its infrastructure, the customer is responsible for the security of corporate data uploaded to and stored in the SaaS application. This division can lead to misunderstandings and security gaps.
Another differentiator for SaaS vs. traditional apps is multi-tenancy, a system architecture where one software instance serves multiple customers (tenants). A primary focus of SaaS security is protecting each tenant’s sensitive data within this shared environment and complying with data privacy regulations.
The development of generative AI-based SaaS applications adds another concern to the security landscape. For instance, AI applications that impersonate trusted SaaS apps can be downloaded by mistake, opening the organization to attack. Also, generative AI tools often require extensive access to sensitive data within SaaS environments, raising the potential for breaches.
The popularity and rapid growth of SaaS apps, together with their cloud-hosted model, underscore the need for strong security. To protect these applications and their data against cyberthreats, the industry has developed practices and solutions emphasizing strong authentication and access controls, monitoring, encryption, data loss prevention, and user training.
Why SaaS security is important
Protecting SaaS applications and their data is essential for today’s enterprises. Most organizations use SaaS apps heavily, seeking to benefit from their predictable costs, low initial investment, scalability, and ease of implementation. Many of these apps are critical to the mission of the enterprise, escalating the need for security.
Unfortunately, SaaS apps have become prime targets for data breaches, mostly because they store sensitive customer and business data, including intellectual property. To make things worse, SaaS attackers are streamlining their tactics, techniques, and procedures (TTPs) to move rapidly from initial access to data exfiltration, thereby skipping several stages in the MITRE ATT&CK framework. Some are using AI to automate their attacks, uncover SaaS vulnerabilities and misconfigurations more easily, thwart traditional security measures, and design more-effective phishing campaigns.
Besides addressing the risks posed by uncontrolled SaaS usage, app proliferation, and evolving threats, there are specific reasons to bolster SaaS security:
- Prevent loss of sensitive data from internal and external threat actors, which can cause financial and reputational damage
- Strengthen regulatory compliance, particularly regarding data privacy and integrity, to avoid penalties
- Ensure customer confidence in the face of concerns about data breaches
- Facilitate remote working by managing access to SaaS apps from different locations and devices
- Improve business continuity by mitigating risks that could interfere with normal operations
Top SaaS security risks and challenges
Many SaaS vulnerabilities are related to their architecture and access mechanisms, and to user behavior.
- Cloud hosting: SaaS application data is stored in the public cloud, putting it at risk from security misconfigurations, loss of control and visibility, and confusion over the security responsibilities of the customer vs. those of the cloud service provider.
- Multi-tenancy: Because data from different customers resides on the same server, a multi-tenant SaaS architecture presents a risk of inadvertent or deliberate data access by another tenant.
- Reliance on the vendor: While SaaS customers are responsible for securing their data, they must rely on the vendor to protect the infrastructure, platform, and software.
- Misconfigurations: SaaS platforms may have serious misconfigurations, such as public file sharing enabled without password protection, which elevate the risks of unauthorized access and data breaches.
- Open access: SaaS apps can be accessed from any location or device, and the software may not enforce complex passwords or multi-factor authentication (MFA). These factors can make it more difficult to prevent unauthorized access than with a traditional app that is subject to centralized access management.
- Shadow SaaS: Easy availability of SaaS apps may encourage employees to download unsanctioned software without the IT department’s permission or awareness. As a result, security risks and vulnerabilities may go unnoticed. According to some estimates, one in four SaaS apps is unsanctioned.
- SaaS “sprawl”: Related to shadow IT is the tendency of organizations to use more SaaS apps than they require, expanding the attack surface and making oversight and management more difficult.
- Integrations: SaaS platforms often integrate with other applications via APIs. If these APIs are not securely designed, they can provide entry points for attackers looking to access sensitive data.
In addition to these vulnerabilities, SaaS apps face new risks, primarily due to the incorporation of AI capabilities in existing apps and the spread of generative AI-based tools like copilots. Here are some examples:
- AI-driven SaaS apps rely on user data as a primary resource for training algorithms, which can result in sensitive data being absorbed into the trained models.
- AI models often retain data for extended periods, raising the risk of breaches.
- Similar to shadow SaaS, “shadow AI” is the unsanctioned use of AI tools and applications, including AI-based SaaS apps.
SaaS security best practices
SaaS security is a relatively new area of focus for most organizations and hasn’t yet become an imperative for their IT teams—primarily due to lack of time and resources. But as SaaS usage continues to grow, concerns about vulnerabilities, threats, and incidents are driving the need for security best practices.
To optimize SaaS security, it’s advisable to:
- Investigate each SaaS vendor prior to implementing their app. Review their security and compliance practices, standards, integrations, and data retention policies.
- Discover and inventory all SaaS apps being used in the enterprise, including unsanctioned apps, if possible.
- Implement rigorous access controls based on zero trust to protect sensitive data stored in SaaS apps. Tools that can help include role-based access control (RBAC), single sign-on solutions, MFA, and granular permission settings.
- Use encryption for SaaS data at rest and in transit. Determine if encryption is the default setting for each app, or if it must be enabled by the customer.
- Train employees on SaaS security policies and safeguarding credentials, and keep them updated on threats and incidents. Explain how to identify phishing and social engineering attacks, and underscore the issues with shadow SaaS.
- Monitor user activity regarding SaaS apps to identify unusual behavior or unauthorized access.
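The monitoring practice above is easiest to understand with concrete detection logic. The following is an added example written for this page (it is not Red Canary's code or any SaaS vendor's API); it runs a handful of checks over constructed audit-log events: login without MFA, login from a country not previously seen for that user, two logins from different countries within a short window, a bulk download, and creation of a public share link. The event format, field names, thresholds, and the sample events are all assumptions; real SaaS audit logs differ per vendor.

```python
"""Added example: simple anomaly checks over SaaS audit-log events.

Illustrative code written for this page, not a vendor's API. The event
format is an assumption: one JSON object per line with ts, user, action,
country, mfa and (for downloads) bytes.
"""
from __future__ import annotations

import json
from collections import defaultdict
from datetime import datetime

# Constructed sample events (not real log data).
SAMPLE_LOG = """
{"ts": "2024-05-01T08:00:00Z", "user": "alice", "action": "login", "country": "US", "mfa": true}
{"ts": "2024-05-01T08:05:00Z", "user": "alice", "action": "download", "country": "US", "mfa": true, "bytes": 20480}
{"ts": "2024-05-01T08:30:00Z", "user": "bob", "action": "login", "country": "US", "mfa": false}
{"ts": "2024-05-01T09:00:00Z", "user": "alice", "action": "login", "country": "BR", "mfa": true}
{"ts": "2024-05-01T09:10:00Z", "user": "alice", "action": "download", "country": "BR", "mfa": true, "bytes": 734003200}
{"ts": "2024-05-01T09:20:00Z", "user": "carol", "action": "share_link_public", "country": "US", "mfa": true}
"""

BULK_DOWNLOAD_BYTES = 100 * 1024 * 1024  # assumed policy threshold: 100 MiB
TRAVEL_WINDOW_HOURS = 4                  # assumed: two countries inside this window is implausible


def parse_events(raw: str) -> list[dict]:
    """Parse newline-delimited JSON and sort by timestamp."""
    events = [json.loads(line) for line in raw.strip().splitlines() if line.strip()]
    for e in events:
        e["ts"] = datetime.fromisoformat(e["ts"].replace("Z", "+00:00"))
    return sorted(events, key=lambda e: e["ts"])


def _alert(event: dict, rule: str) -> dict:
    return {"user": event["user"], "rule": rule, "ts": event["ts"].isoformat()}


def detect_anomalies(events: list[dict], known_countries: dict | None = None) -> list[dict]:
    """Run the checks in timestamp order and return a list of alerts.

    known_countries seeds the per-user location baseline; in practice it
    would come from historical logs. Without a seed, the first country seen
    for a user is learned silently.
    """
    known: dict[str, set] = defaultdict(set)
    for user, countries in (known_countries or {}).items():
        known[user].update(countries)
    last_login: dict[str, dict] = {}
    alerts: list[dict] = []

    for e in events:
        user, action = e["user"], e["action"]
        if action == "login":
            if not e.get("mfa", False):
                alerts.append(_alert(e, "login_without_mfa"))
            if known[user] and e["country"] not in known[user]:
                alerts.append(_alert(e, "login_from_new_country"))
            prev = last_login.get(user)
            if prev and prev["country"] != e["country"]:
                gap = (e["ts"] - prev["ts"]).total_seconds()
                if gap < TRAVEL_WINDOW_HOURS * 3600:
                    alerts.append(_alert(e, "impossible_travel"))
            known[user].add(e["country"])
            last_login[user] = e
        elif action == "download" and e.get("bytes", 0) >= BULK_DOWNLOAD_BYTES:
            alerts.append(_alert(e, "bulk_download"))
        elif action == "share_link_public":
            # Public links bypass the tenant's access controls entirely.
            alerts.append(_alert(e, "public_share"))
    return alerts


def run_sample() -> list[dict]:
    """Apply the checks to the constructed sample log."""
    return detect_anomalies(parse_events(SAMPLE_LOG))


if __name__ == "__main__":
    for a in run_sample():
        print(f"{a['ts']}  {a['user']:<6} {a['rule']}")
```

On the sample data this raises five alerts: bob's login without MFA, alice's login from a new country followed by an impossible-travel hit and a bulk download, and carol's public share link. The checks are deliberately stateless beyond a single log pass; a production detector would persist the per-user baseline and tune the thresholds per application.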
What to look for in a SaaS security solution
Because there are many aspects of SaaS security, there are also a variety of products available to address them. Some integrate multiple capabilities, while others target specific issues such as access control or authentication.
When selecting a SaaS security product, it’s important to remember that traditional approaches may not be effective. Application hosting in the public cloud by a third party, combined with user access from any device or location, restricts visibility into the number and types of SaaS apps in the organization and how their data is being used.
To address these challenges, the industry has developed specific solutions for SaaS security. Following are some examples:
- SaaS security posture management (SSPM): tools that provide a centralized view of SaaS applications by analyzing their configurations, user permissions, integrations, and compliance risks.
- Security service edge (SSE): According to Gartner, SSE “secures access to the web, cloud services and private applications. Capabilities include access control, threat protection, data security, security monitoring, and acceptable-use control enforced by network-based and API-based integration.”
- Cloud access security brokers (CASBs): solutions that monitor and control user access to cloud applications, including SaaS. They act as intermediaries between users and cloud service providers to ensure that security policies are consistently applied across cloud environments.
- Identity threat detection and response (ITDR): solutions that monitor SaaS applications for suspicious logins or other anomalous behaviors.
When evaluating security platforms, look for capabilities that target SaaS-specific risks, such as misconfigurations, overprivileged accounts, and shadow SaaS. To address these challenges, choose a platform with advanced functionalities:
- Continuous monitoring and management of SaaS apps, typically provided through SSPM
- Comprehensive visibility into SaaS-to-SaaS integrations, user permissions, data protection settings, and human and machine identities
- Advanced threat detection and response
- Remediation capabilities, such as termination of inactive integrations
- Scalability to support all SaaS apps used by the organization
- Compatibility with your IT security stack
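To make the SSPM capabilities above concrete (configuration analysis, permission review, and flagging inactive integrations for removal), here is an added example written for this page; it is not Red Canary's code or any SSPM vendor's product. It evaluates a constructed snapshot of a SaaS tenant against a small policy: MFA enforcement, public link sharing without password protection (the misconfiguration named earlier on this page), admins without MFA, inactive admin accounts, and integrations that have not been used within the inactivity window. The snapshot schema, field names, the 90-day window, and the sample values are all assumptions.

```python
"""Added example: SSPM-style posture check of a SaaS tenant snapshot.

Illustrative code written for this page, not a vendor's product. The tenant
snapshot format (settings, users, integrations) is an assumed schema.
"""
from __future__ import annotations

from datetime import date

# Constructed tenant snapshot (not real configuration data).
SAMPLE_TENANT = {
    "settings": {
        "mfa_required": False,
        "public_link_sharing": True,
        "public_links_require_password": False,
    },
    "users": [
        {"name": "alice", "role": "admin", "mfa_enrolled": True, "last_active": "2024-04-28"},
        {"name": "bob", "role": "admin", "mfa_enrolled": False, "last_active": "2024-01-10"},
        {"name": "carol", "role": "member", "mfa_enrolled": True, "last_active": "2024-04-30"},
    ],
    "integrations": [
        {"name": "crm-sync", "scopes": ["files:read", "files:write"], "last_used": "2024-04-29"},
        {"name": "old-reporting-bot", "scopes": ["files:read", "users:read"], "last_used": "2023-11-02"},
    ],
}

INACTIVE_DAYS = 90  # assumed policy: unused for this long counts as inactive


def _days_since(iso_day: str, as_of: date) -> int:
    return (as_of - date.fromisoformat(iso_day)).days


def _finding(check: str, severity: str, subject: str, action: str) -> dict:
    return {"check": check, "severity": severity, "subject": subject, "action": action}


def assess_posture(tenant: dict, as_of: date) -> list[dict]:
    """Return a list of findings, each with a suggested remediation."""
    findings: list[dict] = []
    s = tenant["settings"]

    # Tenant-wide authentication and sharing settings.
    if not s.get("mfa_required", False):
        findings.append(_finding("mfa_not_enforced", "high", "tenant",
                                 "enable tenant-wide MFA enforcement"))
    if s.get("public_link_sharing") and not s.get("public_links_require_password"):
        findings.append(_finding("public_sharing_without_password", "high", "tenant",
                                 "require passwords on public links or disable public sharing"))

    # Privileged accounts: every admin should have MFA and be in active use.
    for u in tenant["users"]:
        if u["role"] != "admin":
            continue
        if not u.get("mfa_enrolled", False):
            findings.append(_finding("admin_without_mfa", "high", u["name"],
                                     "enroll the account in MFA or remove the admin role"))
        if _days_since(u["last_active"], as_of) > INACTIVE_DAYS:
            findings.append(_finding("inactive_admin", "medium", u["name"],
                                     "disable the account or downgrade its role"))

    # Integrations: unused grants keep their scopes and remain an entry point.
    for i in tenant["integrations"]:
        if _days_since(i["last_used"], as_of) > INACTIVE_DAYS:
            findings.append(_finding("inactive_integration", "medium", i["name"],
                                     "revoke the grant (scopes: %s)" % ", ".join(i["scopes"])))
    return findings


def run_sample() -> list[dict]:
    """Assess the constructed tenant as of 2024-05-01."""
    return assess_posture(SAMPLE_TENANT, date(2024, 5, 1))


if __name__ == "__main__":
    for f in run_sample():
        print(f"[{f['severity']:<6}] {f['check']:<32} {f['subject']:<18} -> {f['action']}")
```

Against the sample tenant this yields five findings: two tenant-wide settings issues, bob flagged both as an admin without MFA and as inactive (112 days), and the unused integration (181 days) recommended for revocation. The output maps directly onto the "remediation" capability listed above: each finding carries the action an operator or an automated workflow would take.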
Protect your SaaS
See how Red Canary’s 24×7 email, SaaS app, and identity threat detection and response helps you secure critical business data