
For organizations, SaaS is increasingly the preferred form factor for application adoption. For vendors deploying SaaS, the advantages to building competitive moats are meaningful, as network effects from consumption and the shared insights of user adoption guide more precise A/B testing and end-user organizational agility. With the move to SaaS, security teams must provide different assurances against risk. Here we cover the security tools designed to assess and initiate remediations for deficiencies in SaaS security posture.
The Take
The variety of operating approaches within SaaS makes organizational security challenging. While there have been improvements in governing and controlling initial user authentication, accounting for and securing the usage of sensitive data within SaaS applications is a distinct challenge that SaaS security posture management (SSPM) addresses. Yet challenges remain for SSPM vendors; SSPM controls are particularly dependent on integration with the SaaS environments they protect. Integrating with each SaaS vendor’s APIs, given the variety of different operating approaches, forces SSPM vendors to be reactive to SaaS. SSPM vendors must choose to integrate with the SaaS providers that enable suitable API integration and are common enough to justify the integration expense. Organizations still must account for, understand and protect the data they have, regardless of venue. A layered, resilient approach to security is needed even as integrations with SaaS vendors continue to evolve.
Context
According to a study conducted by 451 Research, a part of S&P Global Market Intelligence, 86% of all organizations said that they used or were planning to use SaaS in the next 12 months, compared with 61% using IaaS public cloud infrastructure and just 40% using colocation or third-party datacenters. While the barriers to developing, deploying and hosting applications have fallen with the advent of cloud, the barriers to SaaS application adoption are even lower. Mission-critical applications in collaboration, human resource management (HRM), supply chain, enterprise resource planning (ERP) and customer relationship management (CRM) are delivered as SaaS. Even conventional tooling for core IT infrastructure is deployed as SaaS; source code control, development CI/CD pipelines, ITSM systems and even databases are delivered as SaaS, abstracting away many hosting, deployment and operational challenges. The business models and valuations of SaaS companies prize the customer loyalty and stickiness of recurring revenue.
Definitions, originations and characterizations
SSPM guides security teams, SaaS program administrators, developers and users in better understanding risks when using SaaS. To an extent, SSPM tools also intervene to mitigate those risks. SaaS security risks are the combination of assets, threats, vulnerabilities and subsequent impacts when users or processes interact with these SaaS offerings.
SaaS vendors have narrowed the shared responsibility model with their customers. In general, the sole baseline IT integration task for SaaS is to specify which users will have access and how they will authenticate to and access that SaaS service. Subsequent SaaS roles and permissions are configurations defined within SaaS, rather than attributes associated elsewhere within other infrastructures or platforms. Roles and permissions may be populated from users defined in identity platforms such as Microsoft Corp.’s Entra ID, and they may leverage a single sign-on (SSO) service such as Okta Inc.’s to access a given SaaS application with a single set of credentials. For example, consider the general customer journey to adopt a SaaS-based CRM. Organizations select users or groups of users, such as sellers and marketers, from their own identity platforms. The marketing campaigns, accounts and purchase transactions are examples of SaaS-specific data types. Subsequent permissions, roles or workflows and audited events are configurations defined by users and enforced by the SaaS platform. SaaS security leans heavily on the SaaS provider to furnish controlling features and is dependent on how often SaaS vendors update their API sets. SSPMs are at the mercy of the SaaS vendors’ APIs.
Pure-play SSPM vendors unify the security risk posture for all SaaS adoption within an organization. Security administrators can integrate deeply into SaaS platforms and automate interventions that minimize risky user behaviors. For example, a Google Workspace item such as a Google Sheet may be easily shared with other users via a simple URL reference. SSPMs can understand how many Google Workspace items have been shared, how long they have been shared and whether that sharing is active or dormant. SSPMs can further reduce risks, either by overtly expiring dormant asset sharing or by prompting users to explicitly continue it. While data loss prevention is the ultimate end goal, organizations must actively account for their data. Data discovery and classification have been top initiatives and have fueled both the growth and consolidation in the adjacent DSPM segment. Specialist DSPM and broader data security suites are making plays themselves into SSPM.
While adjacent tools in IAM and security service edge (SSE) do not necessarily account for data within SaaS apps, they can control authentication and network access. For example, identity threat detection and response (ITDR) polices how users have accessed their SaaS applications. ITDR traces harm such as credential stuffing or exploits in faulty OAuth implementations to minimize account takeovers. SSE and preceding solutions such as the cloud access security broker (CASB) police all activities between users and the SaaS apps they access. CASB could be argued to be a predecessor of SSPM offerings. Now, SSE solutions are integrating greater data loss prevention (DLP) tools. Both IAM and SSE approaches are perimeter-like controls in that they do not necessarily assess or harden the SaaS application or the underlying data usage itself. SSE also limits “shadow SaaS” adoption that can incur additional risks.
Operational keys to success
While it may be overwhelming to consider all ingress and egress of data, it is also useful to employ phased approaches to progressively address risks, and to do so consistently whenever possible. For example, standardizing strong authentication and centralized identity and access management would allow greater organizational control and reduce risks across all users. An additional basic step is inventorying which SaaS applications are in use and identifying any shadow SaaS usage. Yet reconciling app user accounts that were initially provisioned with their own sets of identities to a central IAM system may be a significant challenge. This is especially true for multiple SaaS solutions coupled together. Consider the use case of a seller accessing a CRM system with centralized SSO yet also leveraging LinkedIn Sales Navigator with their own individual account to better understand contacts within a key target account. Security teams must reconcile the identities of the SSO user and their externally or separately authenticated accounts.
Data, policy and behavior discovery within SaaS applications remain critical. Certain object types are well known and easier for both security and SaaS program administrators to account for. Structured items with obvious personally identifying information are natural candidates. Semi-structured or unstructured content items may require more analysis; within an HRM, ERP or CRM system, items may have multiple dependencies to discover and classify accurately. Additional discovery about events, permissions and policies must be made. Given an account takeover or insider attack, understanding what any given user or process has accessed and has access to is imperative to understanding and containing the harm.
SSPM consolidates and translates data, policy and behavior discovery into existing security operations. Even if security teams mastered the ins and outs of any given SaaS provider, they would still need to rationalize alert or remediation priorities. Some applications may have very good reasons to make their data more public than other applications, even if it is the same classification of data.
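The two SSPM behaviors described above, detecting dormant link sharing (the Google Workspace example) and rationalizing remediation priority by classification while allowing applications that legitimately publish some data (this paragraph), are illustrated here in an added example. This is not code from the report or from any SSPM or SaaS vendor: the item records, the 90-day dormancy threshold, the severity weights and the per-application exception table are all constructed assumptions, and nothing here calls a real SaaS API.

```python
"""
Added example, not part of the 451 Research report: a minimal model of an
SSPM-style check over link-shared SaaS items. It flags sharing that has gone
dormant, prioritizes findings by data classification and link scope, and
skips items an application is expected to publish. All data is constructed.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class SharedItem:
    app: str                       # SaaS application the item lives in
    item_id: str
    owner: str
    classification: str            # "public", "internal" or "confidential"
    shared_on: date                # when the share link was created
    last_accessed: Optional[date]  # None: never opened through the link
    link_scope: str                # "anyone", "domain" or "specific"


# Assumed policy values (constructed for this example).
DORMANT_AFTER_DAYS = 90
SEVERITY = {"confidential": 3, "internal": 2, "public": 1}
# Apps that have a business reason to expose a classification more widely
# than other apps would; sharing at that classification raises no finding.
APP_PUBLIC_OK = {"marketing-site-cms": {"public"}}


def is_dormant(item: SharedItem, today: date) -> bool:
    """A share is dormant when nobody has used it for DORMANT_AFTER_DAYS.
    A link that was never opened counts from the day it was created."""
    last = item.last_accessed or item.shared_on
    return (today - last).days >= DORMANT_AFTER_DAYS


def assess(items, today: date):
    """Return prioritized findings: dormant shares get an 'expire_share'
    recommendation, active ones a 'prompt_owner' recommendation."""
    findings = []
    for it in items:
        if it.link_scope == "specific":
            continue  # named recipients only: not a link-sharing exposure
        if it.classification in APP_PUBLIC_OK.get(it.app, set()):
            continue  # sanctioned exposure for this application
        dormant = is_dormant(it, today)
        score = SEVERITY[it.classification] * (2 if it.link_scope == "anyone" else 1)
        findings.append({
            "app": it.app,
            "item_id": it.item_id,
            "owner": it.owner,
            "classification": it.classification,
            "dormant": dormant,
            "score": score,
            "action": "expire_share" if dormant else "prompt_owner",
        })
    # Highest score first; item_id as a stable tiebreaker.
    findings.sort(key=lambda f: (-f["score"], f["item_id"]))
    return findings


def summarize(findings):
    """Counts an administrator would want on a dashboard."""
    return {
        "dormant": sum(1 for f in findings if f["dormant"]),
        "active": sum(1 for f in findings if not f["dormant"]),
    }


# Constructed inventory, as an SSPM might assemble it from vendor APIs.
SAMPLE_ITEMS = [
    SharedItem("google-workspace", "sheet-001", "alice", "confidential",
               date(2024, 1, 10), date(2024, 2, 1), "anyone"),
    SharedItem("google-workspace", "doc-002", "bob", "internal",
               date(2024, 8, 1), date(2024, 8, 28), "domain"),
    SharedItem("marketing-site-cms", "page-003", "carol", "public",
               date(2024, 5, 5), date(2024, 8, 30), "anyone"),
    SharedItem("crm", "export-004", "dave", "confidential",
               date(2024, 7, 1), None, "specific"),
    SharedItem("google-workspace", "slides-005", "erin", "internal",
               date(2024, 3, 1), None, "anyone"),
]
SAMPLE_TODAY = date(2024, 9, 1)


def run_sample():
    return assess(SAMPLE_ITEMS, SAMPLE_TODAY)


if __name__ == "__main__":
    results = run_sample()
    for f in results:
        print(f"{f['score']:>2} {f['action']:<13} {f['app']}/{f['item_id']} "
              f"({f['classification']}, owner={f['owner']})")
    print(summarize(results))
```

The ordering is the point: the confidential sheet shared with anyone and untouched for months sorts above the internal deck, which sorts above the recently used domain-scoped document, so an administrator sees the expire recommendations before the prompt recommendations. The exception table is where an organization records that, say, the marketing CMS is allowed to publish public content, which is the per-application judgment the paragraph says SSPM must accommodate rather than flag uniformly.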
For larger or more complex organizations, other challenges remain, with no easy fixes. Organizations that have grown by consolidation may have multiple instances of different ERP, collaboration or even IAM users to consolidate. If a complex supply chain management or ERP system is in scope for SSPM, many third-party SaaS apps will have to be considered. Additional challenges come from integration with legacy or proprietary systems, regulatory or data sovereignty requirements.
Other security posture management categories (DSPM, CSPM, ASPM, etc.) have various levels of remediation, and SSPM is similar. In general, SSPM does not directly or permanently alter or intervene in SaaS platforms to remediate weaknesses in security posture. Rather, suggestions are made for SaaS program managers to initiate more permanent policy fixes directly within the SaaS tool itself. Other SSPMs can make loose remediations — disabling excessive sharing of neglected items, for example — but they would not necessarily delete or redact sensitive information.
For security teams, the greatest challenge is understanding both the organizational risks and rewards of any given SaaS application. Security teams can help promote or relegate any given SaaS app faster to boost agility, reduce risk and optimize SaaS spending. Overall, organizations need a clear understanding of their data. In a CXC-focused study conducted by 451 Research, a part of S&P Global Market Intelligence, managing the volume, variety and quality of customer data was the most significant inhibitor to growth for customer experience leaders who are economic buyers for CRM. Yet using more data for richer intelligent experiences, and strong data security, consent and governance, were their greatest initiatives. By understanding the specific concerns among lines of business about how data is used within SaaS, security teams can provide better support and proactive assurance.
Still early
For SSPM vendors, it is still early. In addition to the relative novelty of software delivered as a service, SaaS platforms themselves have undergone significant changes. Microsoft 365 has unified its substrate layers to expose REST APIs and client libraries that consistently access Microsoft 365 core services, Windows services, organizational mobility and identity platforms such as Entra ID.
Yet uncertainty remains, with cloud economics and the motivations for SaaS providers changing. An enabled product integration that drives platform consumption one day might become an indirect competitor the next. We will be publishing a subsequent report evaluating current trends and analyzing what may be next for SSPM.
This content may be AI-assisted and is composed, reviewed, edited and approved by S&P Global in accordance with our Terms of Service.