Innovation has always been a catalyst for transformation, driving significant changes across industries. Amazon introduced a new way of buying everyday products and groceries, altering the brick-and-mortar model. Similarly, the shift from traditional software licenses to a SaaS model has transformed not only the tech industry but also how customers purchase tech. And when ChatGPT exploded with unprecedented customer adoption, we saw a tsunami of AI releases from other SaaS tools. Now, tech innovations are fueling changes in SaaS security.
Understanding SaaS Security
SaaS security is all about the architectures, processes, and strategies companies use to protect their data and information stored in cloud-based applications. These applications are delivered over the Internet as a service, often through a subscription model, although many SaaS apps offer a freemium version that users can access for free with certain limitations. Acquiring SaaS today is typically as simple as creating an account, which usually just requires a login and password.
What sets SaaS security apart from other security programs is the lack of control companies have over the infrastructure and connectivity of the applications. Unlike internal or privately hosted applications, companies don’t control the servers, authentication methods, network connections, or sometimes even the endpoints if unmanaged devices are used. Because you can’t control the variables, a multi-dimensional approach to SaaS security is needed to ensure comprehensive protection.
Businesses have come to rely upon SaaS applications to achieve business outcomes more efficiently and cost-effectively. However, as quickly as SaaS adoption has grown, the methods used to evaluate its risks have not kept pace. Today’s SaaS risk landscape significantly differs from just two years ago, emphasizing the urgent need for a more evolved approach to assessing the associated risks. Organizational security now hinges on understanding the new dynamics at play.
What’s driving the changes in SaaS security and what are the identity risks that can no longer be ignored? In this article, we explore four ways SaaS has transformed.
1. SaaS Procurement is Individualized
While the trend for many years has been tech consolidation, the opposite occurs in today’s fast-paced business environment. Employees select tools that cater to their unique workflows and preferences rather than relying solely on the primary platforms sanctioned by their organizations. Though this trend can be widespread across an enterprise, it is particularly evident in fields where niche tools can significantly enhance productivity and efficiency.
In the 2024 MartechComposability Survey by Chiefmartec and Martech Tribe, 83% of respondents admitted that they chose an alternate app for some of their use cases even though the feature was available in their primary (sanctioned) platform. Why? The answers ranged from better functionality to an enhanced user interface, easier governance and control, and less expensive vs. upgrading to a higher tier on the corporate-sanctioned application.
For example, your organization’s marketing automation platform likely underwent a traditional procurement process and a vendor security review. However, the marketing team wanted better data analytics capabilities, so they started a subscription to a new app, even though analytics are part of the marketing automation system.
While business-led IT maybe practical and justified, the ramifications introduce new security complexities. Not only was the specialty app (likely) acquired outside of IT without proper review, but these apps often have a smaller user base within the organization, sometimes used by only a single employee or a small team. As a result, the app tends to go unnoticed by anyone but those using it.
Whether they know it or not, organizations have a proliferation of identities across various SaaS platforms, also known as SaaS identity sprawl. Each new application an employee adopts typically requires a unique set of credentials, leading to an increase in the number of identities that need to be managed. As these individual tools accumulate, it becomes increasingly challenging for IT departments to maintain visibility and control over all the user accounts and associated data, not to mention the zombie account risk when the employee leaves.
2. SaaS Access is Harder to Control
The permanence of remote and hybrid work models has added complexity to how SaaS applications are accessed. With employees working from various locations, often using home networks or (gasp!) public Wi-Fi, the lack of control over the security and reliability of these connections is a genuine concern. And as we all know, malicious actors can easily exploit unsecured networks to access sensitive corporate data.
The Bring Your Own Device (BYOD) trend adds more complications, as personal devicesmay not have the same security measures as company-issued hardware, andemployees might not always follow best security practices.
While single sign-on (SSO) can streamline access and enhance security by providing a single point of authentication, SSO implementation can be challenging for several reasons:
· Many apps charge a premium for SSO integration. Adding SSO can significantly increase budget expenses, especially when your app ecosystem grows exponentially.
· SSO can only be enabled on known SaaS applications. Identity providers (IdPs) are blind to shadow SaaS or the apps employees acquire independently.
· Many organizations are struggling to keep upwith SSO implementation. The rapid pace at which new applications are being adopted, combined with a shortage of IT and security resources, means that security teams are often overwhelmed, potentially leaving gaps in the organization’s defenses.
This backlog and resource strain illustrate the need for scalable security solutions to keep pace with a continually changing SaaS landscape.
3. AI in SaaS Applications Has Introduced New Risks
SaaS capabilities have expanded by leaps and bounds, propelled significantly by the integration of artificial intelligence (AI). The AI era is now in full swing, transforming SaaS from a collection of useful tools into powerful platforms capable of advanced functionalities. What started as experimental and seemingly harmless innovations, such as AI-driven chatbots and automated customer service agents, have rapidly evolved into mainstream features that organizations across all sectors are adopting at an accelerating pace. Applications like Salesforce have incorporated AI-driven analytics andforecasting tools that provide deeper insights and more accurate predictions. Similarly, AI-powered features in productivity tools like Microsoft 365 and Google Workspace enhance user experience and efficiency. And Grammarly now includes AI copywriting capabilities.
What makes AI risks more concerning is that they’ve been silently growing. AI additions to sanctioned apps are rolled out directly to the users without IT thoroughly reevaluating the associated risks, including data privacy, intellectual property, and compliance issues. Additionally, AI releases frequently outpace the ability of IT and security teams to assess and manage these risks effectively, even when security teams are in the know.
This graphic provides a snapshot of the AI-powered SaaS tools used by different teams across an organization and the resulting risks:
A plethora of new AI tools are also flooding the market, many of which employees adopt independently. As a result, the fastest-growing risk in SaaS security is “shadow AI,” where unvetted and unsanctioned AI applications proliferate within an organization. Shadow AI introduces significant risksas without proper oversight, employees may inadvertently compromise sensitive data or violate compliance regulations.
According to a study by Oliver Wyman Forum, 55% of employees use AI tools, and 84% admit to publicly exposing their company’s data. As AI continues to reshape how businesses operate, organizations must implement robust evaluation and monitoring processes to manage these new capabilities responsibly and mitigate potential risks.
55% of employees use AI tools, and 84% admit to publicly exposing their company’s data. – Oliver Wyman Forum, 2022
4. Traditional SaaS Risk Approaches Have Gaps
Though SaaS and AI adoption is quickly growing, SaaS risk management is falling behind. Traditionally, managing these risks has been treated as part of a third-party risk management (TPRM) exercise, primarily focusing on evaluating the security practices, controls, and posture of the SaaS vendors. While assessing vendor security is important, it’s incomplete.
What’s missing in the vendor risk management approach is a detailed understanding of how SaaS is used within the organization, who uses it, and the context of its usage. Simply knowing that a vendor has robust security measures in place does not provide insight into how securely the application is being deployed and utilized by employees. For example, if an application is used in ways that expose sensitive data or if employees are bypassing security measures, the vendor’s security controls become less relevant.
Other SaaS security tools, like cloud access security brokers (CASB)also have gaps. While CASBs can detect most shadow SaaS, they don’t provide sufficient context about the risks. Furthermore, it’s very hard for security teams to operationalize the data, producing more data noise than actionable insights.
The Rise of SaaS Identity Risk Management
As enterprises capitalize on the advantages of SaaS applications, they must also confront the cybersecurity risks that arise from their widespread use. Traditional IT governance, once marked by tight control over software procurement and deployment, is now being challenged by the ease with which individual employees can adopt SaaS tools.
SaaS identity risk management (SIRM) is an emerging cybersecurity product category designed to address the unique challenges and risks of our shifting SaaS landscape and the rise of SaaS sprawl. Using identity as the central control point, SIRM provides a holistic approach to managing SaaS security and identity risks, identifying and mitigating the threats from unsecured or unsanctioned SaaS usage.
Download your free SIRM resource: The Ultimate Guide to SaaS Identity Risk Management
The bottom line is that what used to work is no longer effective. Combating today’s hidden SaaS dangers requires a more modern approach to evaluating the risks and overcoming the gaps. In an era of rapid innovation, identity is the one factor that remains constant. SIRM enables businesses to stay ahead of potential vulnerabilities and ensure their SaaS environments remain secure, even as SaaS procurement and AI change.
Want to discuss SaaS identity risk management further and discover what’s lurking in your digital environment? Meet with our team, get a free SaaS identity risk assessment, and uncover the gaps in your security controls. Book your assessment now.
GIPHY App Key not set. Please check settings