BlogNewsResourcesWebinarsGlossary

JPMorgan Just Made SaaS Security Impossible to Ignore

Apr 29, 2025


Ben Robertson
Principal Identity Architect

There’s a new urgency rippling through cybersecurity circles, and it’s not just about ransomware, data breaches, or zero-days. It’s about the sprawling, often invisible world of SaaS applications — and the gaps they’ve quietly introduced into even the most mature environments.

In an open letter to its suppliers, JPMorgan Chase issued a stark message: security must come first. They aren’t asking for faster patches after the fact. They aren’t asking for best-effort compliance. They are demanding that third-party SaaS vendors build security into their products from the start, even if it means slowing down development and delaying feature releases.

The Cybersecurity and Infrastructure Security Agency (CISA) has also reinforced this message with its Secure by Design initiative, calling for a complete shift in how technology products — including SaaS — are built, deployed, and secured. The old approach of shipping fast and securing later is no longer acceptable.

Security leaders are now prioritizing SaaS as a primary risk domain, not an afterthought.

SaaS security lingered in the background for years while organizations focused on endpoints, networks, and clouds. But as SaaS has become the default way business gets done, it’s also become how attackers get in.

In this article, we’ll look at what JPMorgan and CISA are telling us, what it means for security teams, and how you can make your SaaS security program intentional, accountable, and built into how your organization operates.

How We Got Here: SaaS Grew Up, Security Didn’t

SaaS almost overnight became the backbone of modern business. Starting a new SaaS subscription doesn’t require procurement cycles, infrastructure provisioning, or even IT involvement. A username, password, and a credit card are enough to get started with a new tool. Convenience became the default, but governance struggled to keep up.

While SaaS has redefined how teams collaborate, ship, and scale, most security programs remain anchored in assumptions from another era: that applications are centrally managed, that identities are neatly tied to directories, and that risk is confined to what can be scanned or segmented. None of those assumptions holds for SaaS, and the gap has only widened. JPMorgan is calling it out, and they’re right: SaaS security must be prioritized, and given current adoption trends it has to be a shared responsibility between the SaaS provider and the organization integrating the application into its environment.

Shared Responsibility in Practice: Meeting the New SaaS Security Expectations

JPMorgan’s letter wasn’t vague. It calls out specific, non-negotiable requirements for any supplier handling sensitive data: enforce multi-factor authentication, manage third-party integrations carefully, and implement continuous monitoring of security risks.

These aren’t new concepts. However, meeting those expectations in today’s SaaS environment is more complicated than it sounds, especially when traditional security tools weren’t built for this level of dynamic risk.

Here’s where the real-world gaps emerge and how Grip Security helps close them.

Authentication

Both JPMorgan Chase and CISA’s Secure by Design initiative make one expectation crystal clear: multi-factor authentication (MFA) and single sign-on (SSO) should be standard features, available at no extra cost, across all applications. Security can’t be treated as an upsell or an optional add-on; it must be built into SaaS offerings by default. In theory, these protections create a strong foundation against credential-based attacks. In practice, the way SaaS is adopted today makes enforcing them much harder.

Many SaaS applications — especially shadow SaaS adopted without IT oversight — aren’t integrated with corporate identity providers. Users sign up directly, sometimes using personal credentials, and configure their own security settings. Even when apps offer MFA, it’s often optional, and users, eager for convenience, leave it disabled. Worse, OAuth-connected applications sidestep the interactive login entirely: MFA is checked, at most, once at the moment of consent, and the refresh token the application receives then lets it keep obtaining new access tokens silently, with no further MFA prompt, for as long as the grant stands.

Improving Authentication with Grip

Grip doesn’t rely on integration. It maps risk through identity and usage, exposing gaps traditional tools leave behind. Instead of assuming that SaaS apps are neatly managed through SSO, Grip uncovers every app, identifies who is using it, and how it’s being accessed, including those outside traditional controls. Grip enforces security policy through identity. It flags accounts without MFA and reveals access paths like OAuth that often escape detection. By treating identity as the source of truth, Grip makes hidden risks visible and gives security teams complete coverage of authentication gaps across all SaaS usage.

OAuth Integrations

JPMorgan emphasizes the need for robust controls surrounding third-party integrations, especially OAuth grants, and for good reason. OAuth permissions can often be unclear, overly broad, and susceptible to abuse. A single user connecting to a poorly vetted plugin can inadvertently create a backdoor to sensitive corporate data without setting off any alarms. Recall the Midnight Blizzard intrusion Microsoft disclosed in January 2024: after password-spraying a legacy, non-production test tenant account that lacked MFA, the attackers used a legacy test OAuth application that still held elevated access to Microsoft’s corporate environment to reach corporate mailboxes. One over-permissive, forgotten OAuth grant undermined an otherwise mature security program.

In a modern SaaS environment, users authorize new apps every day, sometimes even every hour. These integrations request extensive permissions — access to email inboxes, cloud drives, and internal chat logs — yet most security teams are unaware of them. Furthermore, while the access tokens these integrations receive are short-lived, the refresh tokens behind them are long-lived and renewed silently, and because the resulting API calls run vendor-to-vendor in the cloud, neither is captured by traditional endpoint or network defenses.

Managing OAuth Scopes with Grip

OAuth grants are rarely audited, poorly scoped, and often invisible to traditional tools, even in well-managed environments. Grip actively detects OAuth grants in real time, evaluates the scope of access for each integration request, and highlights the riskiest connections before they can be exploited. Grip empowers security teams to revoke risky OAuth access immediately, eliminating hidden pathways attackers can use to move across environments.
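The triage the two sections above describe, as an added example that is not Grip’s code or part of the original post: it takes consent-grant records of the kind an identity provider exports (the records here are constructed), scores each grant by the breadth of its scopes, the presence of `offline_access` (the scope that yields a refresh token and therefore persistent access without an MFA re-prompt), publisher verification and dormancy, and returns a revoke-first list. The scope identifiers are real Microsoft Graph and Google API scope names; the weights, the dormancy window and the threshold are illustrative assumptions.

```python
"""Triage OAuth grants by the access they carry.

Added example, not Grip's code. Grant records are constructed here; in practice
they would come from an IdP export (e.g. Entra ID consent grants or a Google
Workspace token report). Scope weights, DORMANT_DAYS and the threshold are
illustrative assumptions; the scope identifiers are real Microsoft Graph and
Google API scope names.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date

# Weight = how much data a single grant with this scope exposes (assumed values).
BROAD_SCOPES = {
    "Mail.Read": 4,
    "Mail.ReadWrite": 5,
    "Files.Read.All": 4,
    "Files.ReadWrite.All": 5,
    "Directory.ReadWrite.All": 6,
    "https://www.googleapis.com/auth/gmail.readonly": 4,
    "https://www.googleapis.com/auth/gmail.modify": 5,
    "https://www.googleapis.com/auth/drive.readonly": 4,
    "https://www.googleapis.com/auth/drive": 5,
}
DORMANT_DAYS = 90          # assumed policy: unused this long counts against the grant
TODAY = date(2025, 4, 29)  # fixed "now" so the sample is reproducible


@dataclass(frozen=True)
class Grant:
    app_name: str
    client_id: str
    user: str
    scopes: tuple[str, ...]
    last_used: date | None      # None: never seen in sign-in or token logs
    verified_publisher: bool


def score_grant(g: Grant, today: date) -> tuple[int, list[str]]:
    """Return (risk score, human-readable reasons) for one grant."""
    score, reasons = 0, []
    for scope in g.scopes:
        if scope in BROAD_SCOPES:
            score += BROAD_SCOPES[scope]
            reasons.append(f"broad scope {scope}")
    if "offline_access" in g.scopes:
        # Refresh token issued: the app keeps minting access tokens with no MFA prompt.
        score += 3
        reasons.append("offline_access (refresh token, persistent access)")
    if not g.verified_publisher:
        score += 2
        reasons.append("unverified publisher")
    if g.last_used is None:
        score += 1
        reasons.append("never used since consent")
    elif (today - g.last_used).days > DORMANT_DAYS:
        score += 1
        reasons.append(f"dormant for more than {DORMANT_DAYS} days")
    return score, reasons


def riskiest(grants: list[Grant], today: date, threshold: int = 8) -> list[tuple[str, int, list[str]]]:
    """Grants at or above the threshold, highest score first: the revoke-first list."""
    ranked = []
    for g in grants:
        score, reasons = score_grant(g, today)
        if score >= threshold:
            ranked.append((g.app_name, score, reasons))
    ranked.sort(key=lambda r: r[1], reverse=True)
    return ranked


# Constructed sample: four consent grants as an IdP export might list them.
SAMPLE_GRANTS = [
    Grant("Calendar Sync Bot", "0a1b-calsync", "alice@example.com",
          ("openid", "profile", "User.Read"), date(2025, 4, 20), True),
    Grant("MailMerge Pro", "9f8e-mailmerge", "bob@example.com",
          ("User.Read", "Mail.ReadWrite", "offline_access"), None, False),
    Grant("Drive Backup", "7c6d-drivebackup", "carol@example.com",
          ("https://www.googleapis.com/auth/drive", "offline_access"), date(2024, 10, 1), True),
    Grant("Team Lunch Poll", "5e4f-lunchpoll", "dave@example.com",
          ("email", "profile"), date(2025, 4, 19), False),
]

if __name__ == "__main__":
    for app, score, reasons in riskiest(SAMPLE_GRANTS, TODAY):
        print(f"{score:2d}  {app}: {'; '.join(reasons)}")
```

On the sample, "MailMerge Pro" (mailbox write access, refresh token, unverified publisher, never used since consent) and "Drive Backup" (full Drive access, refresh token, dormant) land on the revoke-first list, while the identity-only "Calendar Sync Bot" scores zero. Scoring by scope is what distinguishes a harmless sign-in-with-provider grant from one that can read every mailbox, which a plain inventory of connected apps cannot do.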

Continuous Monitoring: Keeping Pace with SaaS Sprawl

The JPMorgan letter goes beyond static requirements and calls for continuous monitoring. This shift reflects an uncomfortable truth: point-in-time assessments, whether once a year or once a quarter, are ineffective in a SaaS environment where new apps and accounts appear daily.

Yet many organizations still rely on periodic audits or traffic logs to monitor SaaS usage. These methods miss the pace and scale of modern SaaS adoption, creating blind spots that attackers can exploit. Meanwhile, shadow SaaS, orphaned accounts, and risky integrations proliferate in the gaps between scheduled reviews.

Grip’s Solution

Grip closes the visibility and governance gaps SaaS introduces. It continuously monitors SaaS activity throughout the environment, identifying new applications, new accounts, and new access patterns as they emerge. Instead of waiting for quarterly surprises, security teams receive real-time, actionable visibility, and built-in automation to respond immediately.

Identity Lifecycle: Closing the Door Behind Departing Users

Finally, JPMorgan highlights one more foundational principle: access must be provisioned and deprovisioned cleanly. In SaaS, once again, that’s easier said than done.

Many SaaS apps aren’t tied into central HR systems or identity providers. When employees leave, their core accounts may be deactivated, but dozens of disconnected SaaS and shadow accounts often remain active: orphaned credentials quietly waiting to be abused.

Grip closes this door decisively. By mapping every SaaS account to a real user identity, Grip ensures SaaS access is shut down cleanly, including unmanaged and forgotten accounts. OAuth tokens, unused licenses, and shadow accounts are revoked along with primary access.
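The reconciliation the Authentication and Identity Lifecycle sections call for, as an added example that is not Grip’s code or part of the original post: it joins per-app account exports against the HR roster and flags orphaned accounts (owner terminated), unmapped corporate accounts (no roster match), unmanaged accounts (personal e-mail sign-ups that no directory can disable), and accounts that sit outside SSO with the app’s own MFA turned off. Both inputs are constructed; the corporate domain, the roster’s status values and the export field names are assumptions.

```python
"""Reconcile SaaS account exports against the HR roster.

Added example, not Grip's code. Both inputs are constructed: ROSTER mimics an
HR export (email, employment status) and ACCOUNTS mimics per-app user exports.
CORP_DOMAIN, the status values and the field names are assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass

CORP_DOMAIN = "example.com"   # assumed corporate e-mail domain
TERMINATED = "terminated"     # assumed HR status value for departed staff


@dataclass(frozen=True)
class Person:
    email: str
    status: str


@dataclass(frozen=True)
class SaasAccount:
    app: str
    login: str          # the identity the SaaS app knows the user by
    via_sso: bool       # account authenticates through the corporate IdP
    mfa_enabled: bool   # app-local MFA setting (only matters outside SSO)


def classify(acct: SaasAccount, roster: dict[str, Person]) -> list[str]:
    """Findings for one account; an empty list means it is mapped and governed."""
    findings = []
    login = acct.login.strip().lower()
    _, _, domain = login.rpartition("@")
    if domain != CORP_DOMAIN:
        # Personal sign-up: there is no directory identity to tie it to or to disable.
        findings.append("unmanaged: non-corporate identity")
    else:
        person = roster.get(login)
        if person is None:
            findings.append("unmapped: corporate address not in HR roster")
        elif person.status == TERMINATED:
            findings.append("orphaned: owner terminated")
    if not acct.via_sso and not acct.mfa_enabled:
        # Outside SSO the IdP's MFA policy never applies; only the app's own setting counts.
        findings.append("no MFA and not behind SSO")
    return findings


def audit(accounts: list[SaasAccount], roster: list[Person]) -> dict[str, list[str]]:
    """Map 'app:login' to findings for every account that needs action."""
    by_email = {p.email.strip().lower(): p for p in roster}
    report = {}
    for acct in accounts:
        findings = classify(acct, by_email)
        if findings:
            report[f"{acct.app}:{acct.login.strip().lower()}"] = findings
    return report


# Constructed sample data.
ROSTER = [
    Person("alice@example.com", "active"),
    Person("bob@example.com", TERMINATED),
]
ACCOUNTS = [
    SaasAccount("Slack", "alice@example.com", via_sso=True, mfa_enabled=False),
    SaasAccount("Notion", "Bob@Example.com", via_sso=False, mfa_enabled=False),
    SaasAccount("Figma", "carol.designs@gmail.com", via_sso=False, mfa_enabled=False),
    SaasAccount("Trello", "dave@example.com", via_sso=False, mfa_enabled=True),
]

if __name__ == "__main__":
    for key, findings in audit(ACCOUNTS, ROSTER).items():
        print(key, "->", "; ".join(findings))
```

Alice’s Slack account produces no findings because SSO puts it under the IdP’s MFA policy regardless of the app-local setting; Bob’s Notion account is the classic orphan (HR says terminated, the app still says active, and nothing prompts for MFA); Carol’s Figma login is a personal-address sign-up that offboarding can never reach unless it is discovered first. Logins are normalized to lower case before matching, since mixed-case addresses in app exports are a common reason reconciliations miss accounts.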

Shared Responsibility, Made Real

JPMorgan’s letter sets a higher standard for SaaS vendors and every organization that relies on SaaS to operate. Meeting this standard requires more than just policies; it requires a new operational discipline.

Grip Security brings that discipline into reach.

Through full discovery, continuous monitoring, identity-based governance, and real-time control, Grip transforms SaaS security from a scattershot effort into an intentional, accountable process. When SaaS is embedded in how every team works, security has to be part of that workflow from the start. Grip makes that possible, without slowing the business down.

Ready to rethink your SaaS security strategy? Book time with our team and see how Grip can help you stay ahead of the bad actors.
