Security professionals recognise that securing the SaaS estate without a solution in place is not maintainable as SaaS apps become the system of record for most companies across all industries.
SaaS misconfigurations were reported among the top three risks that today’s organisations are aware of, with 85 per cent of companies calling out the threat.
Interestingly, many of the other threats that are mentioned as a risk to today’s security posture can also come as a result of misconfigurations, showing that indirectly, the threat level is even greater.
With SaaS misconfigurations considered a top threat, you would expect that the more SaaS apps a company has, the more regularly they would check them. In reality, the opposite is true.
The more apps a company has, the less they check security settings and permissions for misconfigurations.
Only 12 per cent of companies with 50-99 applications check them weekly.
The concern over SaaS apps and their configurations could be attributed to the constant changes in the SaaS apps themselves, from native software updates and adding new users to the systems (internal, third parties, and employee turnover) to defining roles and permissions, and more.
As a result, one might expect to see the frequency of checks increase with the reported concerns.
Frequency of checks remains low
A survey conducted by Global Survey for Adaptive Shield revealed that SaaS security posture management (SSPM) has risen to the top of the operational agenda and that it has become a top priority for CISOs and security professionals.
In 2020, Gartner named a new category of cloud security: SSPM.
Not covered by existing tools such as cloud security posture management (CSPM) or cloud access security broker (CASB), the most recent addition to the hype cycle can continually assess security risks from the SaaS app estate.
SaaS apps are often left unsecured or handed over to less-trained employees who manage marketing, product, or sales, and errors such as misconfigurations, inadequate authentication protocols, insufficient identity checks, credential access, and key management leave companies at risk.
Despite the majority of survey respondents (60 per cent) reporting a high concern with more than 25 per cent of their SaaS app configurations, their frequency of reported checks remains low.
One of the biggest challenges for security teams is the ability to configure the settings of all internal SaaS apps. Each app has different settings, a different user interface, its own terminology and its own distinct complexities.
Impossible task
Manually configuring settings for these disparate apps for hundreds to thousands of users is an impossible task.
52 per cent of companies report delegating responsibility for app security to the SaaS owner, who may be in departments such as sales, marketing, or product, and is unlikely to be trained in security and compliance.
“One of the biggest challenges for security teams is being able to manage the many disparate and complex settings and configure them correctly for all of their SaaS apps. Each app has unique settings, a distinct UI, and its own ‘language’,” the survey revealed.
Any human error by the SaaS owner, who is often not trained in security, can lead to an increase in SaaS security misconfigurations, a reported high concern of CISOs and security professionals.
Yet, in another paradox, one in four companies report that departments outside of security have access to the SaaS app security settings.
Unlike other cloud security solutions on the market, there are today no real tools in wide use that give security teams full and continuous visibility of SaaS security settings and configurations.
The survey results show that SSPM has become the “top priority” for 48 per cent of companies in 2021.
With the high risk posed by a lack of SSPM, and this technology being reported as the top priority for investment, it should come as little surprise that 63 per cent of companies are either using or planning to use SSPM.