The current state of SaaS security is sometimes like a game of hot potato—everyone knows it’s critical, yet no one wants to hold onto the responsibility long enough to claim ownership. SaaS apps are multiplying at a rate that IT and security teams can barely keep pace with. Meanwhile, identity and access management (IAM) teams focus on identity governance of known applications, not the hundreds (or thousands) of shadow SaaS applications organizations use.
The irony is glaring: SaaS is now an essential business enabler, yet securing it is treated like an afterthought. Businesses expect IT departments to manage every app, but in reality, IT teams are overwhelmed. Shadow IT, driven by individual teams and departments who choose convenience over compliance, only adds to the chaos. And shadow AI is throwing another wrench into the mix—how do you govern access and usage of AI-powered SaaS tools when you don’t even know which ones your teams are using?
All this raises the question: who really “owns” SaaS identity risk management? Some argue it’s a CISO problem—after all, the buck usually stops with them when data leaks or an incident occurs. Others push it onto identity teams, assuming they should own everything related to SaaS access and securing identities. Some view it as an extension of vendor risk management because most third parties are SaaS-related. Meanwhile, GRC professionals want to implement policies and ensure regulatory compliance but struggle to enforce the rules when they lack visibility into the SaaS landscape.
And that’s precisely the problem. SaaS security is as clear as mud for many enterprises. Not only is internal ownership unclear, but many organizations think they have a grip on SaaS security because they have a CASB or another tool scanning for app usage. But these tools are reactive, focused on monitoring known applications, while the real threat is the unknown—the shadow SaaS lurking outside formal IT channels. Responsibility for identifying and securing them simply slips through the cracks.
So, where do we go from here?
Securing SaaS: A Multidimensional Problem
Securing SaaS isn't a straightforward task; it’s a multifaceted issue that demands more attention than it often receives. Many organizations still prioritize security spending on public cloud models like IaaS and PaaS or on-premises environments, often overlooking SaaS security. As a result, SaaS applications—despite supporting mission-critical activities such as CRM, finance, team collaboration, HR management, and ERP—are frequently managed with inconsistent, piecemeal controls that vary from one company to another.
The traditional approach to assessing SaaS security relies heavily on outdated frameworks, often modeled after on-premises setups. These assessments focus on irrelevant metrics, like patch schedules or vendor involvement in operational processes—areas that, under the shared responsibility model, are typically the domain of the SaaS provider itself. By treating all SaaS applications under a single lens, organizations miss the unique risk profiles and use cases each application presents, ultimately adding unnecessary pressure on security teams.
Furthermore, the emphasis is often misplaced. Organizations are quick to scrutinize SaaS providers for potential vulnerabilities, but in reality, most security incidents stem from misconfigurations or misuse by the organizations themselves, not the providers. The same holds true for IaaS and PaaS services—it's human error and mismanagement on the client side that pose the greatest risks.
To mitigate these risks, SaaS vendors offer various built-in controls, but they are far from standardized. Some controls are add-ons (read: additional cost) and specific to each provider, meaning organizations must adapt to a fragmented control environment. Take identity management as an example: while it’s a crucial piece, its implementation varies—some apps integrate with enterprise identity providers, though often at a significantly increased cost. Similarly, blocking IP addresses might work for one app but can impede business operations or conflict with other security measures in another. Multifactor authentication (MFA) is another essential layer, but inconsistent adoption and implementation hurdles make it a less reliable safeguard across the board.
Incomplete Solutions Produce Incomplete Results
Despite the variety of tools available to manage SaaS security, many solutions fall short of addressing the full scope of the problem. They often focus on isolated aspects, leaving significant gaps that organizations struggle to fill.
Security service edge (SSE) solutions aim to extend visibility across diverse SaaS apps, focusing primarily on access management and data protection. They can enforce access rules using federated identities and device information, but challenges arise when identities are managed locally within SaaS apps, making it difficult to regulate unauthorized or unmanaged devices. The complexity grows when considering SaaS configuration and integration, areas where many security teams lack the necessary expertise. Each application demands different controls and configurations, increasing the likelihood of inconsistencies.
SaaS security posture management (SSPM) tools attempt to bridge these gaps by offering visibility into configurations and some app interconnections, helping to standardize and rectify discrepancies across providers. While these capabilities are increasingly incorporated into SSE products, stand-alone SSPM tools often provide broader, more detailed coverage. However, this also highlights the fragmented nature of SaaS security controls, further complicating the landscape for organizations trying to secure their SaaS environments effectively, especially given the rise of shadow SaaS and shadow AI (which SSPMs struggle to detect). SSPMs integrate with a small number of major, sanctioned apps, and they do not provide coverage for the vast majority of the apps used by employees.
Modernizing SaaS Security: The Path Forward
According to Gartner research, “to establish SaaS security, security and risk management leaders must work to establish a multilevel and multidisciplinary approach.” The report also states that, “SaaS is an ever-increasing part of most organizations’ application ecosystems, yet its security is often overlooked, misunderstood or just assumed to be ‘good enough.’”
The report offers the following recommendations:
- “Initiate a SaaS discovery and risk assessment process using existing tools. Consider not just the criticality of the data in the application, but also who the users are, how many users it has, the risks associated with SaaS-to-SaaS communication, and the security of the provider itself.
- Establish a formal process for assigning both responsibility and accountability for SaaS applications, as well as a governance and approval process.
- Focus your efforts first on selecting appropriate SaaS providers and then on implementing controls to secure them effectively, whether native to the provider or via a third party. Do not expect visibility into how the SaaS provider is operating.
- Prioritize and implement multi-layered controls, from your own governance and processes to technical controls for SaaS applications. Ensure that the effort and expenditure are aligned with the application’s criticality; one size does not fit all.”
Gaining a clear understanding of SaaS in use and the business purpose
Organizations today face significant challenges with shadow SaaS—applications that bypass IT oversight, leading to security gaps and compliance issues. Modernizing SaaS security starts with proactive discovery tools that uncover all SaaS applications, including shadow SaaS, and map them to their respective business functions. It's not enough to simply identify these risks; organizations must also align SaaS usage with business owners and objectives, eliminate redundant applications, and establish clear policies on which apps IT should manage. This approach ensures that security and operational efficiency work in tandem.
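The discovery and risk-assessment process described in the Gartner recommendations above (data criticality, who and how many the users are, SaaS-to-SaaS communication, sanctioned or not) can be started with data most organizations already hold: the IdP's list of federated apps, web proxy or secure web gateway logs, and the OAuth consent grants exported from a sanctioned suite. The script below is an added example, not code from the original post or from Grip's platform. It reconciles a constructed proxy log and a constructed set of OAuth grants against a constructed list of IdP-federated apps, flags anything observed outside the IdP as shadow SaaS, and ranks it with an illustrative score. The domain-to-app catalog, the criticality tiers, the score weights and all sample identities are assumptions for illustration.

```python
"""
Added example (not from the original post): minimal shadow-SaaS discovery and
risk triage from data an organization already has.
All inputs below are constructed samples; the catalog, criticality tiers and
score weights are assumptions for illustration.
"""
from dataclasses import dataclass, field

# Apps federated through the enterprise IdP (the identity team's "known" set).
# Anything observed outside this set is shadow SaaS from their point of view.
SANCTIONED = {"salesforce", "workday", "google-workspace"}

# Destination host -> app name. A real deployment sources this from a SaaS catalog.
DOMAIN_TO_APP = {
    "login.salesforce.com": "salesforce",
    "wd5.myworkday.com": "workday",
    "app.notion.so": "notion",
    "api.openai.com": "openai",
    "chat.openai.com": "openai",
    "app.grammarly.com": "grammarly",
}

# Data criticality per app (assumed). Apps not yet classified default to "unknown",
# which is deliberately weighted like "medium" so unclassified apps are not ignored.
CRITICALITY = {"salesforce": "high", "workday": "high", "notion": "medium",
               "openai": "medium", "grammarly": "low"}
CRIT_WEIGHT = {"high": 3, "medium": 2, "low": 1, "unknown": 2}

# OAuth scopes that grant read access to a whole mailbox or file store (assumed list).
BROAD_SCOPES = {"drive", "gmail.readonly", "mail.read"}

# Constructed proxy log: "<ISO timestamp> <user> <destination host>"
PROXY_LOG = """\
2024-09-05T09:01:10Z alice@example.com login.salesforce.com
2024-09-05T09:02:41Z bob@example.com app.notion.so
2024-09-05T09:03:05Z carol@example.com app.notion.so
2024-09-05T09:04:19Z alice@example.com chat.openai.com
2024-09-05T09:05:58Z dave@example.com api.openai.com
2024-09-05T09:06:02Z erin@example.com app.grammarly.com
2024-09-05T09:07:30Z bob@example.com wd5.myworkday.com
2024-09-05T09:08:00Z frank@example.com cdn.example-static.net
"""

# Constructed SaaS-to-SaaS consent grants: (consenting user, client app, resource app, scopes)
OAUTH_GRANTS = [
    ("bob@example.com", "notion", "google-workspace", ["drive.readonly"]),
    ("dave@example.com", "openai", "google-workspace", ["drive", "gmail.readonly"]),
]


@dataclass
class AppRecord:
    name: str
    users: set = field(default_factory=set)
    grants: list = field(default_factory=list)
    sanctioned: bool = False
    criticality: str = "unknown"
    score: int = 0


def parse_proxy_log(text):
    """Yield (user, host) pairs from proxy log lines; malformed lines are skipped."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        _timestamp, user, host = parts
        yield user, host


def score_app(rec):
    """Illustrative score: criticality x user breadth, plus one point per SaaS-to-SaaS
    grant (two if it carries a broad scope), doubled when the app sits outside the IdP,
    where central offboarding and MFA enforcement do not reach it."""
    breadth = 1 if len(rec.users) < 3 else 2
    score = CRIT_WEIGHT[rec.criticality] * breadth
    for grant in rec.grants:
        score += 2 if BROAD_SCOPES.intersection(grant["scopes"]) else 1
    if not rec.sanctioned:
        score *= 2
    return score


def discover_apps(log_text, grants, domain_map=DOMAIN_TO_APP):
    """Build the inventory: users observed per app, SaaS-to-SaaS grants, sanction status, score."""
    apps = {}
    for user, host in parse_proxy_log(log_text):
        app = domain_map.get(host)
        if app is None:
            continue  # not a catalogued SaaS host; in practice queue it for review
        apps.setdefault(app, AppRecord(name=app)).users.add(user)
    for user, client, resource, scopes in grants:
        rec = apps.setdefault(client, AppRecord(name=client))
        rec.grants.append({"user": user, "resource": resource, "scopes": scopes})
    for rec in apps.values():
        rec.sanctioned = rec.name in SANCTIONED
        rec.criticality = CRITICALITY.get(rec.name, "unknown")
        rec.score = score_app(rec)
    return apps


def shadow_saas(apps):
    """Apps seen in traffic or grants but not federated through the IdP, highest risk first."""
    return sorted((r for r in apps.values() if not r.sanctioned), key=lambda r: -r.score)


if __name__ == "__main__":
    inventory = discover_apps(PROXY_LOG, OAUTH_GRANTS)
    for rec in shadow_saas(inventory):
        print(f"{rec.name:10} users={len(rec.users)} grants={len(rec.grants)} "
              f"criticality={rec.criticality} score={rec.score}")
```

The output is the starting point for the ownership step that follows: each shadow app gets a business owner, a decision (federate through the IdP, tolerate with a documented owner, or retire as redundant), and a reassessment trigger such as a new OAuth grant or a jump in user count. Hosts that match no catalog entry are the part a real discovery effort spends most of its time on, so a production version would queue them for classification rather than silently skip them.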
Governing SaaS using a defined process and democratized ownership
The future of SaaS security also depends on establishing baseline standards, a clear governance framework, and criteria outlining when SaaS applications are reassessed. Organizations should implement structured processes and accountabilities by assigning explicit ownership and responsibility to risk management leaders within security teams. This approach transforms SaaS risk management into a collaborative effort among CISOs, IAM leaders, TPRM, GRC, and other key stakeholders, ensuring the right mix of governance, policies, and controls is in place and evolving with the organization’s needs and as SaaS usage, ownership, or integrations change.
Implementing technical controls to manage and secure SaaS
Fragmented SaaS security is a critical issue for many organizations. The solution lies in integrating IAM, TPRM, and SaaS risk management platforms to establish a unified SaaS identity system across the enterprise. This would create a cohesive approach to authentication, access control, user provisioning, asset inventory, and license management, ensuring consistent security policies are applied to all SaaS applications—including shadow SaaS—throughout their lifecycle. Shadow SaaS is often the overlooked piece, undermining other controls and jeopardizing regulatory compliance. Automation plays a crucial role in closing these gaps and maintaining security at scale.
Moving From a Reactive State to a Proactive SaaS Security Posture
The days of reactive SaaS security must come to an end. By leveraging advanced tools that provide holistic visibility, real-time monitoring, anomaly detection, and automated response capabilities, organizations can shift from putting out fires to anticipating and mitigating threats before they escalate. Proactive management allows organizations to stay ahead of emerging risks, adapt quickly, and maintain a secure SaaS environment that scales with business growth.
To learn more about Grip’s SaaS identity risk management capabilities and platform integrations, we invite you to book time with our team.
Sources cited: Gartner, Strategic Roadmap for SaaS Security, Charlie Winckless, Dennis Xu, Craig Lawson, 5 September 2024.
Gartner is a registered trademark of Gartner, Inc. and/or its affiliates and is used herein with permission. All rights reserved.