In 2019, a breach of a global financial services company resulted in the theft of 100 million credit applications, a $80 million regulatory fine, and an additional $190 million in subsequent customer lawsuits. The root cause? A misconfigured AWS cloud account. This scenario, while alarming, is far from unique. As organizations increasingly rely on cloud accounts and SaaS applications to drive business operations, many fail to prioritize security from the outset, assuming these applications are inherently secure.
The problem often starts with visibility—or the lack thereof. When business units adopt SaaS tools or start accounts without involving IT, these applications operate outside the organization’s security perimeter. This trend, known as shadow IT, creates blind spots that threat actors can exploit. A 2023 report found that 11% of cyber breaches were due to the unauthorized use of shadow IT, and Gartner predicts that in three years, the majority of SaaS will be acquired outside of IT’s visibility. In other words, shadow IT isn’t going away—it's growing.
As demonstrated by the financial services breach example, the stakes are high, and organizations must take a proactive approach to SaaS security. In the following sections, we’ll explore common pitfalls, share takeaways from SaaS identity incidents, and provide actionable strategies to help you build a robust SaaS security foundation before it’s too late.
Common Pitfalls in SaaS Security
Regardless of industry or size, every organization has shadow SaaS challenges, which can be easily exploited if left unaddressed—it’s what we call “SaaS risk creep:” vulnerabilities that increase over time from overlooked or unmanaged SaaS risks.
Based on Grip Security’s extensive experience with global clients, 80-90% of SaaS tools in use within an organization are often unknown to IT departments. Further, both unsanctioned and sanctioned SaaS can pose unforeseen risks to the organization if not properly secured. Understanding the common pitfalls in SaaS security is crucial to mitigating these risks effectively.
80-90% of SaaS tools in use within an organization are often unknown to IT departments
Lack of Visibility and Control
One of the primary challenges to securing SaaS environments is the limited visibility IT teams have over the applications being used. Shadow SaaS is the fastest-growing SaaS risk—more tools are acquired outside of IT than through traditional procurement channels. These are tools that have never been vetted by IT or security teams. As such, IT and security teams cannot enforce security protocols, monitor user activity, or ensure compliance with regulatory standards unless they have proper visibility into the tools employees independently adopt.
Complexity of SaaS Ecosystem
The SaaS ecosystem within an organization is inherently complex, continually evolving as new applications are introduced and others are dropped. The rapid pace at which SaaS tools are swapped out for something better adds another layer of complexity, making it challenging for IT to maintain a clear, up-to-date picture of the entire SaaS landscape. According to multiple sources, SaaS churn rates average about 42% annually. This fluidity necessitates ongoing monitoring and dynamic security strategies to manage risks effectively throughout the SaaS lifecycle, including detecting new apps and ensuring outdated ones are offboarded.
Assuming SaaS is Siloed
Another common pitfall is the assumption that SaaS applications operate in isolation. In reality, today’s SaaS environment is highly interconnected, with users frequently granting permissions, integrating apps via APIs, and linking different platforms together via OAuth scopes. This interconnectedness creates pathways for data to flow from one application to another, often without adequate security measures. For example, an organization may have robust protections around App A, but if users connect App A with a less secure App B—whether through misconfigurations, API integrations, or user-granted permissions—the data from the well-protected application could be exposed to vulnerabilities in the weaker application. The interconnected nature of SaaS apps also means that a security lapse in one application can lead to other serious security incidents, such as a breach in one app that can quickly cascade into others.
Maintaining Data Security Standards
Each SaaS application operates uniquely within the organizational structure, integrating with various systems and processes. Employees may access these apps in multiple ways, including using local or social credentials. However, some applications may need more robust authentication measures like SSO or multi-factor authentication (MFA) to meet compliance standards, especially in highly regulated industries. For example, PCI-DSS 4.0 will soon require more robust authentication controls like MFA. Similarly, NYDFS Cybersecurity Regulation and HIPAA require MFA for tools used to access sensitive data. Knowing what you have is critical to knowing how to secure it. As such, the first task is understanding SaaS usage.
Trying to Boil the SaaS Risk Ocean
It’s not uncommon for organizations to have hundreds—or even thousands—of SaaS applications in use. The problem is that IT and security teams not only have limited visibility into their entire SaaS ecosystem, but they also lack effective methods to prioritize the riskiest applications. Since not all SaaS tools carry the same level of risk—some manage sensitive information, while others serve less critical functions—attempting to address all SaaS risks simultaneously is impractical. Instead, organizations need a robust system to score and prioritize SaaS identity risks based on the severity and impact each application has on the organization, enabling more strategic and systematic risk mitigation.
Lessons Learned the Hard Way
Securing SaaS environments is complex; unfortunately, many organizations learn the hard way through costly breaches. Below are examples of how a lack of proper SaaS security measures has led to significant consequences.
Case Study 1: Unprotected and Forgotten Test Account
The Midnight Blizzard cyberattack on Microsoft, attributed to Russia's Foreign Intelligence Service (SVR), was a wake-up call for the tech industry. What began as a breach of a seemingly insignificant test account quickly escalated into a full-scale operation, allowing attackers to infiltrate and extract sensitive information from the emails of Microsoft's top executives. Threat actors launched a password spray attack targeting a legacy test account that lacked multi-factor authentication (MFA). To avoid detection, they cleverly utilized residential proxy networks to obscure their activities and carefully throttled their login attempts to bypass account lockout mechanisms. This initial breach allowed them to exploit an outdated OAuth application with privileged access to Microsoft’s corporate systems. Leveraging this foothold, the attackers expanded their reach by creating new OAuth applications, broadening their access to email accounts, and extending their control within the compromised environment.
This incident is a stark reminder that even the most advanced and security-conscious organizations are vulnerable to cyber threats. It also underscores the critical importance of security policy enforcement: securing accounts that access sensitive data and systems, maintaining awareness across all aspects of IT infrastructure, and deprovisioning accounts when they are no longer needed, as overlooked accounts can easily become the entry points for significant breaches.
Case Study 2: Inadequate Offboarding Processes
31% of former employees still have access to their former employer’s software accounts, and this story painfully reminds us of the consequences when accounts aren’t properly offboarded and credentials revoked. A former large tech company employee, dismissed for performance issues, sought revenge by retaining his credentials, logging in 13 times, and deleting 180 test servers. The incident cost the organization nearly $700,000 to remedy the situation, and the former employee was sentenced to 2 years and eight months in prison.
Case Study 3: Lack of MFA to Secure VPN Access
One of the worst breaches in Australian history began when a third-party employee of the health insurance provider Medibank saved his login credentials to his personal internet browser and synced them to his personal computer. This became the backdoor bad actors were waiting for, who hacked his personal computer and then infiltrated Medibank’s systems, accessed sensitive patient data, and inserted ransomware into Medibank’s network. The incident highlights several SaaS security failures: using local credentials to log in to Medibank’s web portal and lacking MFA to access the corporate network. All told, 9.7 million patient records were stolen, and Medibank could face fines of up to $21 trillion. An expensive lesson to learn, indeed.
Each case study demonstrates how failing to secure SaaS environments can lead to severe repercussions. Whether due to misconfigured access controls, inadequate offboarding processes, or using local credentials to access sensitive data, these breaches underscore the necessity of a comprehensive approach to SaaS security that includes visibility, control, and proper identity risk management.
Proactive SaaS Security – Start with the Problem, Not the Solution
SaaS environments aren’t static, and your approach to secure them shouldn’t be either. SaaS has fundamentally changed how users procure technology, and business units are developing technical expertise to procure their own IT. Security service edge (SSE) platforms, including Secure Web Gateway (SWG) and Cloud Access Security Broker (CASB), are the default solutions many companies use for SaaS security. However, they were never designed to secure a world where SaaS continuously evolves and new applications are constantly added.
Though many companies use SSEs, they readily admit that they do not have a complete inventory of all the SaaS used in the company. The data may exist; however, SSE was developed for a world where SaaS use was static and centrally managed, which no longer exists. Using the primary data sources of network traffic and API integrations means that SSE products need constant tuning and can never secure the latest SaaS tools being adopted in the business—in other words, they don’t keep pace with the speed of business.
The problem is that SaaS is just as much about hygiene and a holistic risk management process as it is an incident response problem triggered by some key metric exceeding a threshold. Additionally, SaaS security must be addressed today, not after a two-year architectural and operational overhaul.
The Future of SaaS Identity Risk Management
As SaaS evolves, so too must our strategies for managing its risks. Traditional, network-based approaches are no longer sufficient in today’s decentralized environment. Organizations need a more holistic strategy that addresses both vendor and SaaS identity risks, including:
Comprehensive Discovery Beyond Network Limitations
Organizations must adopt discovery methods that go beyond the limitations of network-based approaches. This means identifying all apps, regardless of the device, network path, or proxy used, to achieve a complete inventory of SaaS applications, including those outside IT’s control.
Identifying SaaS Identity Risks
It's essential to shift the focus from just vendor risks to a broader understanding of SaaS identity risks—knowing how each application is used and by whom. Adopting a risk-based evaluation that considers the full context is essential for accurately identifying and mitigating potential vulnerabilities. This approach ensures that you're not only considering the security posture of the SaaS vendors themselves but also how these applications interact with your organization’s users and data.
Prescriptive, Actionable Insights
Future SaaS risk management should offer actionable insights that guide security teams and involve end users and business app owners. Prescriptive actions should be clear and tailored to specific risks, enabling a proactive security approach.
Flexible Risk Mitigation Strategies
Flexibility is key. Instead of merely blocking risky apps, organizations should implement varied risk mitigation strategies, such as automated workflows based on risk thresholds, and integration with tools like Identity Governance and Administration (IGA), Identity Providers (IdP), and IT Service Management (ITSM) workflows. This enables dynamic responses to risks, ensuring that SaaS environments remain secure and adaptable.
Rethinking SaaS Security for the Modern Enterprise
The lessons from failed SaaS security projects make it clear that a reactive, fragmented approach to SaaS risk management is no longer viable. Instead, organizations must recognize that SaaS security is not about managing isolated risks but understanding and controlling a complex ecosystem where apps, users, and data are deeply interconnected. This interconnectedness means that vulnerabilities in one area can quickly cascade, creating broader security gaps.
Therefore, the true challenge—and opportunity—lies in moving beyond traditional thinking. It’s about developing a SaaS security strategy that sees the whole picture, identifying not just the obvious risks but also the hidden connections that can lead to significant consequences. By doing so, organizations can transform their approach from one of constant firefighting to one of proactive, strategic risk management, where the emphasis is on foresight, adaptability, enablement, and continuous improvement. This shift in perspective not only strengthens the organization’s security posture but also aligns with the realities of today’s SaaS environment, where the pace of change demands agility and comprehensive oversight.
Take the next step in modernizing your SaaS security. It starts by understanding the gaps in your security controls and identifying your SaaS risks. Grip offers a SaaS identity risk assessment to illuminate how employees access SaaS, the level of shadow SaaS that exists in your organization, and former employees who still have access to your SaaS accounts. The assessment is free; book yours now.