Major enterprises are increasingly turning to Software-as-a-Service (SaaS) solutions to drive greater agility and cost efficiency throughout the business. However, the path to results has been paved with more than a few challenges, including systems integration, data migration, and most significantly, new security concerns.
Adaptive Shield’s SaaS Security Survey Report 2021 examines a variety of issues related to SaaS adoption, but primarily focuses on the different types of security and the role stratifications enterprises often overlook in SaaS management. Read on to learn about the security challenges many organizations face in their SaaS development, as well as the rewards these organizations can reap when SaaS is handled with care.
Optimizing Your SaaS Experience
- SaaS Security Survey Report Demographics
- SaaS Security Survey Report Findings
- The Biggest Challenges of Enterprise SaaS
- The Biggest Rewards of Enterprise SaaS
In May 2021, Adaptive Shield surveyed 300 InfoSecurity professionals from North America and Western Europe, focusing on companies with 500+ employees. Although there was some diversity in the roles of people surveyed, the majority of survey participants fell into one of the following job categories:
- Cloud Security Architects
- SaaS Security Architects
- Security Engineers
- Risk Assessment Vendors
- Forensics Experts
Some other important metrics to note from the study:
- Companies of all sizes, starting with at least 500 employees, were surveyed; however, smaller enterprises made up the majority of the surveyed population, with 41% of survey participants falling in the 500 to 1,000 employee count range.
- Over half of all participants surveyed were from the United States, with additional participants from Canada and the United Kingdom.
- The survey primarily targeted executives within these businesses, with most participants holding a manager position or higher.
- The five industries most heavily represented by these results are financial services, technology, e-commerce and retail, energy and utilities, and industrials.
Adaptive Shield’s survey mostly discusses a newer security solution that many companies are looking to adopt: SaaS security posture management (SSPM). Cloud security posture management (CSPM) and cloud access security broker (CASB) tools have been a key part of cybersecurity models for many years. But SSPM is working to fill a gap in security directly at the SaaS application level, rather than at the greater cloud and cloud-to-application layer levels.
In this study, Adaptive Shield identifies SaaS application misconfiguration as one of the biggest problems organizations face. Consequently, SSPM is a solution many companies are selecting to help them better monitor and detect problems with application configurations.
An SSPM tool’s main goals are to assess security risks, identify misconfigurations across SaaS applications, and provide deep visibility and detection for security hygiene maintenance. Although SSPM solves many of the major misconfigurations that organizations face, mismanaged SaaS applications and company roles continue to be a problem for cloud and application security.
According to the report, 85% of surveyed companies believe SaaS misconfiguration is one of the top three security threats to their organization. Interestingly though, only 27% of surveyed companies check their SaaS configurations on a weekly basis, while 73% check monthly or even less often.
A trend found within this study: the more SaaS applications your organization manages (50+), the less likely you are to monitor their security status on a weekly basis. Although the infrequency of SaaS application monitoring in major enterprises seems paradoxical, there are several reasons for the seeming cognitive dissonance:
Large Companies and Stratified Roles
Companies with highly stratified specialties and roles may not feel the need to dedicate security personnel to SaaS maintenance specifically. They instead turn to sales, marketing, and product owners who are familiar with the SaaS tool. However, these personnel are likely unfamiliar with important security maintenance requirements for these apps.
The Speed of SaaS Development and Adoption
SaaS apps have grown dramatically in variety and functionality, and many companies have bought into them at an equally rapid rate. As the number of apps to manage grows, unless a focused SaaS security automation tool is in place, it becomes increasingly challenging for internal teams to audit a large portfolio of SaaS tools on a regular basis.
The Growing Attack Surface
Beyond the growth of actual SaaS tools in companies, there’s also the sprawl of users and company tools across the globe. The attack surface of enterprise networks has grown with remote work, turning more users into vulnerable access points for attacks as they move further away from company data centers and traditional protocols.
When users who aren’t security professionals receive unrestricted access to SaaS applications and their management, organizations run a high risk of application misconfiguration, as well as potential phishing and unauthorized access. In larger organizations with thousands of employees, it becomes nearly impossible for the security team to actively monitor vulnerabilities across all users and devices each week.
When SaaS applications are managed well, they offer a variety of benefits to the organizations that use them:
- SaaS apps are typically easier for non-technical users to understand, which further democratizes IT across an organization.
- Unlike many traditional applications, SaaS apps are hosted on the cloud, which offers all of the benefits of cloud access to company users — like real-time collaboration, updates, and cloud security offerings.
- Third-party hosts typically manage SaaS application platforms. So even if your internal team lacks technical expertise, resources from the third-party company help your team use tools optimally.
- Most software-based and on-premises applications require a lump-sum purchase model. But with the cloud-based structure of SaaS, companies can subscribe to the tools, often in a pay-as-you-go model.
The rewards associated with SaaS are numerous, but the consequences can be even greater if your organization and third-party providers don’t take the necessary steps to protect SaaS tools.
Talk to your SaaS providers about the security options they provide, ensure that internal SaaS users learn to work with security best practices, and consider investing in tools like SaaS security posture management to provide extra protection and support for your SaaS applications.