The enterprise SaaS layer is where attackers go to find weak and duplicate credentials, to gain access to systems, networks, and the organization's crown jewels. Business-led IT and shadow SaaS add to the complexities of securing a SaaS environment, amplifiying the need for a comprehensive SaaS security program.
Download PDFIn today's digital landscape, the enterprise SaaS layer has become a prime target for attackers seeking to exploit identities, weak and duplicate credentials, launch phishing and smishing campaigns, and disrupt numerous SaaS and cloud services. Additionally, the business-led IT movement has only accelerated SaaS identity sprawl causing more security issues and data breaches. Experts estimate that by the year 2030, 80% of enterprise SaaS services will be business-led SaaS, characterized by functional teams identifying and sourcing technology outside of an organization’s IT selection, procurement, or security oversight. Often called "shadow SaaS", this leaves security teams with the challenge of protecting sensitive data, business operations, and untamed identity sprawl within a technical environment they do not own, control, or even know exists.
The evolving risk landscape necessitates a strategic shift, focuing on identity security measures— the point at which SaaS services enter your environment.This guide delves into the complexities of SaaS security and offers a framework to safeguard SaaS applications— including those beyond the direct oversight of IT departments. Here, we explore practical strategies to secure your SaaS infrastructure and ensure robust protection against the escalating threats in the SaaS ecosystem.
SaaS security encompasses a comprehensive framework of architectures, processes, and strategies that organizations deploy to safeguard their data and information handled within cloud-based applications accessible over the Internet. While SaaS models typically operate on a subscription basis, many providers also offer limited, freemium versions to users at no cost. Accessing these services simply requires setting up an account with login credentials.
The distinctive challenge of SaaS security lies in the minimal control organizations have over the underlying infrastructure. Unlike applications hosted internally or through private servers, SaaS does not allow companies to manage the servers, dictate the authentication processes, oversee the network connections, or sometimes even control the endpoints (as in the case of unmanaged devices). This necessitates a multi-dimensional approach to security, tailored to address the unique vulnerabilities of operating in a SaaS environment.
The rapid adoption of SaaS services across various sectors—from HR to IT, from operations to finance—has not only transformed the digital enterprise but also introduced a dual threat: identity attacks and the hijacking of critical SaaS tools. SaaS security is integral to enterprise security because it governs access to a vast array of critical systems, including production, security SaaS, IaaS systems, and repositories. The best practices in SaaS security are primarily identity-centric, focusing on minimizing risks associated with SaaS identities and thereby sealing security gaps. This includes:
Identity-Centric Security: As identities form the backbone of SaaS interactions, securing SaaS effectively revolves around safeguarding these identities. This approach entails managing identities meticulously to ensure safe interactions with current and future SaaS deployments. The primary goal of SaaS security solutions is to offer universal identity protection across the enterprise SaaS layer, starting with identifying all SaaS-related identities, including those in historic user accounts that may still pose a risk due to lingering access rights or exposed credentials.
Contextual Risk Analysis: A significant advantage of thorough SaaS discovery is the ability to perform retrospective risk assessments, tracing back over a decade of user-SaaS interactions. This historical insight enables organizations to eliminate longstanding vulnerabilities swiftly, informed by a comprehensive understanding of past and present user engagements with SaaS services, groups, tenants, and policies.
Closing Security Gaps: Once initial SaaS risks are mitigated, many organizations use their SaaS security framework to pinpoint and address gaps in access control, conduct user access reviews, and refine authentication methods, including IdP, OAuth, OIDC, and password protocols. These efforts are crucial as they help secure critical enterprise functions managed through SaaS—from HR and finance to engineering and DevOps.
The foundation of SaaS security lies in identity risk management. Neglecting identity security can lead to compounded risks where a single compromised identity could jeopardize multiple critical SaaS services. Similar to securing the cockpit door on a Boeing 737 where unauthorized access is unequivocally off-limits, protecting identities in SaaS is about ensuring that security measures are robust and non-negotiable. By universalizing security controls at the identity level, security teams can effectively secure access without having direct control over each SaaS service, allowing business-led IT to flourish while simultaneously enhancing identity protection.
The enterprise SaaS layer is complex and multifaceted and has a significant impact due to identity sprawl. These identities are often duplicated and vulnerable, stretching across hundreds of SaaS relationships. Moreover, this layer is a hotbed for identity attacks, with continuous threats from phishing, smishing, and vishing schemes. Breaches like the Microsoft Midnight Blizzard attack, Snowflake, Disney and Zapier are proof that identities are prime targets for attackers, underlining the critical importance of mitigating SaaS identity risks to maintain control over the digital enterprise and to shield it from relentless attacks.
The Impact of a SaaS Breach: Cyber-attacks and SaaS breaches have been well-documented, from the 0ktapus threat campaign of 2022 to the schemes that impacted Twilio, Plex, Dropbox, Signal, Uber, and Digital Ocean, among others. What is less well-documented is how to prevent these attacks in the first place. SaaS security teams must aim to increase the threat actor's cost by making the SaaS service layer inhospitable and costly, becoming an unattractive target.
Identity-Dependent SaaS Breaches: Understand identities and SaaS connections, acceptable and justified use, and analyze authentication methods to gain visibility to the global identity fabric in contact with SaaS services.
Mitigate Identity Risks and Attack Paths: Neutralize threats by eliminating opportunities for attackers to acquire credentials or gain unauthorized access. Even though many business-led SaaS applications fall outside traditional IT and security oversight, it is possible to secure identities through robust policies applied to both existing and new SaaS integrations. By implementing strong authentication standards and credential management, security teams can safeguard identities while accommodating the use of unsanctioned SaaS.
Offboarding Unnecessary Risks: Finally, to further diminish attacker opportunities, eliminate unnecessary SaaS identity risks. This includes destroying credentials and transitioning to secure, on-demand SaaS access. With millions of credential attacks occurring monthly, focusing on the removal of overly permissive access and dangling credentials from former employees, contractors, and shadow accounts is imperative.
By annihilating credentials, security teams can thwart attacker attempts to compromise the enterprise SaaS layer — turning each identity into a moving target with double-blind credentials on continuous rotation.
SaaS adoption by enterprises of all sizes and industries is a natural corollary of their ongoing migration to the cloud. Many trends have led to an unprecedented reliance on SaaS that, paired with targeted attacks against identities and credentials, punctuates the serious threats to unguarded SaaS services. This has consequently generated demand for meaningful SaaS security outcomes that vendors have yet to meet—let alone offer concerted best practices for CISOs to safeguard identities across the SaaS service layer.
Time and again, CISOs express the same concerns: identity, visibility, complexity, and cost.
For more than a decade, identities and credentials have remained the top target for cybercriminals and threat actors. With the rise of SaaS services and the advancement of business-led IT strategy, the global identity fabric has expanded and grown mostly out of sight. Identities and credentials are targets, and the targets are growing.
While many organizations have adopted business-led IT strategies and encourage bring-your-own-app (BYOA) to enable user choice, visibility across the enterprise SaaS layer has become more challenging. Simply knowing which SaaS services are being used and how SaaS is being accessed can seem out of reach for most security leaders. Consequently, security leaders are often unaware of identity sprawl as the natural outcome of SaaS sprawl, where nearly 3-out-of-4 credentials are duplicates, with over 100 duplicate passwords per user, on average.
Most organizations today operate in a complex environment that includes multiple operating systems, diverse, multi-faceted SaaS services, along with security tools, dashboards, and portals. Operating these technologies requires various skills and disciplines to deploy fragmented protections with multiple “owners” across IT and security teams — if the controls exist. Additionally, many organizations must deal with challenges like ad-hoc integrations, API maintenance, and skills spread across silos.
The cost to secure identities and SaaS connections has become a $23 billion industry (Gartner, 2022). Most organizations have redundant identity providers, single sign-on (SSO), MFA, and directories.
Additionally, many SaaS services charge for SSO-enabled versions of their app (SSO tax). While many of these costs go unnoticed when first introduced, they became more costly and complex with the rise of business-led SaaS and modern work.
SaaS is a pivotal element of digital transformation, which involves integrating digital technologies into all areas of a business to enhance agility, accelerate market responsiveness, and reduce operational costs. This transformation impacts nearly every facet of IT, from network infrastructure to the daily applications used by employees. Unlike past technology transformations, much of today's change is driven by business units rather than IT or security teams, presenting unique challenges.
As SaaS applications proliferate, security teams often struggle to keep pace with the rapid expansion of services that power digital enterprises. This situation underscores the necessity for IT and security leaders to embrace a governance and risk management approach that aligns with the realities of modern workplaces.
SaaS security is unique due to the rapid adoption of new services, decentralized decision-making processes, and the expanding scope of SaaS in managing critical business functions and technologies. The acronym "DISCO" encapsulates the essential components of an effective SaaS security strategy: Discover, Insight, Secure Access, Continuous Evaluation, and Orchestration. By adhering to these principles, security teams can achieve significant milestones toward the ultimate goal of providing on-demand identity protection wherever and whenever SaaS is utilized. Let's explore each in more detail.
Capture, graph, and identify SaaS use and identity risk throughout the enterprise SaaS layer — business-led and IT-delivered SaaS services and apps — uncovering use history, authentication methods, weak credentials, duplicate passwords, and rogue or abandoned SaaS services. Through identity-based discovery, security teams gather a true picture of SaaS usage as it happens.
Prioritize SaaS identity risks based on context, accounting for key facets of SaaS capabilities and current mitigations against compromise. This may produce a lower risk score if controls like SSO are enabled or use justification is documented. Conversely, risk scores increase when users consume SaaS with critical control functions, like code repositories, production system control, or SaaS-delivered security tools. The result is the inherent risk of the SaaS factored with the presence of risk mitigations (or lack thereof). Insight signifies the need for relevant, actionable SaaS risks to prioritize what matters most beyond “sanctioned or unsanctioned” status.
Universalize identity security with strong credentials on continuous rotation turning SaaS identities into moving targets for attackers. Users get easy login and adaptive safeguards for all SaaS types, and security teams can respond to secure identities in the wake of SaaS compromise, phishing campaigns, or risky SaaS services or functions entering the environment. By securing identities first, security programs have the ability to remain adaptive and flexible to SaaS changes because the identity is secured regardless of the SaaS in use.
Change happens. Newly discovered SaaS comes into the environment, decommissioned SaaS needs user offboarding, former employees leave the organization, and identities change roles and job functions. These are just some of the changes that happen every day. Multiple sources cite that 6 out of 10 SaaS apps will “churn” every two years. With change being continuous, security must be as well. Continuously monitor and detect changes to the SaaS environment, including how identities access and use SaaS services.
Finally, make use of existing controls, technologies, people, and programs by orchestrating security for the distributed identity fabric. Automate SaaS security and leverage playbooks, including onboarding, offboarding, sanctioning, and applied protections like SSO. Respond to SaaS risk insights, leveraging integrations for policy enforcement, governance, risk, and compliance.
By following these general practices to discover, analyze, and act on SaaS identity risks, security teams can enable secure protection for identities relevant to their organization, adaptive to change and integrated with their existing controls.
SaaS security plays a crucial role in risk management; however, without modern technologies, this model can also introduce potential risks, particularly because legacy technologies weren't designed to detect shadow SaaS or keep pace with the rapid adoption of SaaS in use today. Such scenarios can lead to cybersecurity gaps and unsafe practices, such as the use of weak passwords or shared credentials. Since SaaS tools are cloud-based and internet-accessible, you can’t control access to the enterprise perimeter in the same way. This SaaS security checklist is designed to help you build a proactive SaaS security strategy and put the necessary controls in place to manage the growing risks from independent SaaS and AI tool adoption.
Because employees are acquiring SaaS apps independently, monitoring needs to cover every device and app they use, regardless of whether they’re connected via VPN or ZTNA. According to Grip research, organizations can have as much as 85% of SaaS apps in use outside of IT visibility. Traditional security tools struggle with SaaS discovery because they rely on network traffic analysis or endpoint agents, which are limited by device or access type. Newer SaaS security platforms, however, offer continuous discovery, effectively tracking apps across all devices and networks without those restrictions.
After discovering a SaaS app, assessing its risk is the next step. Users need to inform IT/security about the app's business purpose and the type of data it will handle. Automating this with a survey streamlines the process, especially given the sheer volume of SaaS apps in an organization. Without automation, managing this at scale would be impossible. Once the risk level is identified, IT/security can enforce the necessary policies. The success of this process hinges on thorough and continuous SaaS detection.
Most companies use an IdP or an SSO solution and have a policy that when a SaaS app supports one of those two, the employee should be using them to access the app. Using IdP to create accounts gives IT/security teams centralized visibility and control. However, many employees still resort to traditional logins and passwords despite the policy. Enforcing the proper IAM methods is important for centralizing SaaS risk management. Traditional SaaS security tools often fall short in tracking this, while modern platforms offer the necessary insights. Additionally, not all SaaS apps support IdP or SSO integration, making IAM enforcement challenging (if not impossible) with older security solutions.
Multi-factor authentication (MFA) strengthens SaaS security by requiring more than just a username and password for access. Since most SaaS apps offer at least two-factor authentication, it should be mandatory. The challenge for security teams is identifying apps that don’t support MFA and then preventing their use. Modern SaaS security platforms can automate this process, flagging apps without MFA and reporting them efficiently.
Single Sign On (SSO) boosts employee productivity by reducing the number of usernames and passwords that could be compromised, while also providing an audit trail for SaaS app access—essential for compliance and security certifications. However, adding apps to SSO isn't automatic and can be costly due to licensing fees; insight is needed into which SaaS apps are most widely used and pose the highest risk. Traditional SaaS security tools don’t offer this level of visibility, but modern platforms do.
Sharing SaaS accounts among multiple users poses significant risks. When an employee leaves, the password should be changed, but this often gets overlooked due to the inconvenience. In some cases, account sharing may be necessary for business reasons, but a process must be in place to secure accounts when personnel changes occur. SaaS security platforms can monitor account sharing and even automate password resets for all users if needed.
The simplicity of creating SaaS accounts means employees often have more accounts than they realize. Many may have signed up for a free trial or abandoned an app after finding a better alternative. Each of these dormant accounts becomes a potential security risk, possibly storing sensitive company data. Modern SaaS security platforms can regularly discover and secure these unused accounts, reducing the chances of them becoming attack vectors.
When a SaaS app doesn’t support a company’s IdP or SSO, the only option is a username and password. The problem is that many employees reuse passwords across apps and rarely change them. While password managers are an option, employees often ignore password strength and update guidelines. A more effective solution is to eliminate the need for usernames and passwords altogether by using a SaaS security platform. This extends IdP or SSO policies to all SaaS apps, ensuring a consistent and secure risk management approach.
Remember, there are no silver bullets when it comes to SaaS security. While many of the steps are well known, the key lies in consistent execution. Detecting SaaS applications is the crucial first step, followed by automating processes to minimize human error. Modern SaaS security platforms, built specifically for the SaaS ecosystem, provide the tools needed to help organizations meet their security goals effectively
The increasing complexity of digital environments necessitates a robust approach from security and risk management teams, especially as traditional tools struggle to address modern challenges like identity and SaaS hijacking. Originating from network-based architectures, traditional security measures often fall short in the face of business-critical operations performed outside the corporate network. Gartner highlights that new security controls are essential to adapt to these evolving demands.
“Increasingly, business-critical operations are performed via SaaS services, existing entirely outside the corporate network, making traditional controls ineffective. New controls are needed to address these new realities.”
- Gartner, 2022
Security leaders repeatedly express the same concerns about their overall cloud security exposure and risk, and in 2023, visibility, risk, and access control remain the top challenges. The most common platforms used for SaaS security today include:
Cloud Security Posture Management (CSPM): CSPM solutions automate the monitoring, identification, alerting, and remediation of compliance risks and configuration missteps in cloud environments. A key function is its proactive process for ensuring enterprise-wide asset visibility and configuration assessment to maintain a desired security state.
Cloud Infrastructure Entitlement Management (CIEM): CIEM tools are crucial for managing account entitlements in cloud infrastructure services. They focus on identifying dormant or unnecessary entitlements, enabling remediation and promoting a least privilege security stance. Continuous monitoring of permissions and activities of both human and machine identities is a vital function.
Cloud Workload Protection Platform (CWPP): CWPPs secure application targets within modern cloud environments, including physical servers, virtual machines, containers, microservices, and serverless workloads. They are pivotal in translating on-premise application controls to the cloud, emphasizing system integrity, application control, behavioral monitoring, and sometimes anti-malware features.
Cloud-Native Application Protection Platform (CNAPP): CNAPPs offer an integrated approach to consolidate essential cloud security functions such as configuration and posture management, alongside workload protection capabilities. They enhance the effectiveness and collaboration between developers and security professionals, embedding security deeper into the cloud application lifecycle.
SaaS Security Control Plane (SSCP): SSCPs provide an identity-based framework crucial for discovering SaaS services and analyzing user-SaaS relationships. Grip's SaaS Security Control Plane, the industry's first SSCP, focuses on identifying risky access controls, mitigating credential exposures, and offering unified visibility and control over SaaS services, including shadow SaaS. Automating offboarding processes for SaaS services and users is another critical function, supporting a comprehensive enterprise security strategy alongside CSPM, CIEM, IAM, and CASB.
SaaS Security Posture Management (SSPM): SSPM is integral to continuously assessing security risks for SaaS applications, enhancing security configurations and managing authorization processes efficiently. Grip’s SSPM solution, as part of a broader security strategy, excels in providing detailed insights on configuration statuses and potential risks It also offers benchmarking against security and industry frameworks, ensuring that SaaS permissions are consistently optimized for security and compliance.
SaaS-Delivered IAM (IDaaS): Also known as IAM as a Service, this platform facilitates secure and efficient identity management and governance, delivered as a service rather than through on-premises or IaaS-hosted solutions. Key functionalities include single sign-on access via SAML or OAuth and enhanced options for privileged access management and customer identity access management.
By understanding the unique capabilities of these diverse SaaS security platforms, organizations can more effectively tailor their security strategies to meet the challenges of a complex digital landscape.
Grip stands at the forefront of SaaS security solutions, offering an unrivaled identity-first platform that combines advanced technologies to safeguard digital environments effectively. At the core of this platform is the SaaS Security Control Plane (SSCP), which proactively identifies, prioritizes, and mitigates risks across the SaaS landscape. Complementing this is Grip's SSPM, which focuses on detecting and rectifying misconfigurations in business-critical applications, ensuring configurations are always aligned with best security practices. The Grip browser extension, powered by the SSCP, enhances user security directly within the browser in real time. This tool is pivotal for ensuring that identity and access controls are enforced consistently and securely, even as users navigate various SaaS applications and adopt new tools on their own. Grip's goal is to provide organizations with comprehensive SaaS security and effeciency, including:
Streamlined SaaS Security Management: Grip simplifies complex security landscapes by providing robust, unified visibility and control over SaaS applications. Its continuous monitoring capabilities allow for immediate detection of misuse and proactive responses to emerging threats. This integrated approach ensures that organizations can maintain high security standards effortlessly, mitigating risks before they can impact the business.
Efficient and Effective Security Responses: In the event of security breaches or exposures, Grip quickly equips organizations with the necessary tools to assess and mitigate any impact. The platform's efficient response capabilities are designed to secure compromised identities and provide detailed insights into potential vulnerabilities, enabling swift and decisive action.
Seamless Integration for Future-Proof Security: Grip's platform is built to seamlessly integrate with existing IT infrastructures, enhancing and extending security measures without the need for complex deployments or disruptions. Its forward-thinking approach ensures that organizations maximize the value of existing technologies and are well-prepared to handle current and future SaaS security challenges with confidence.
Discover how Grip can streamline and strengthen your SaaS security operations with a personalized demo. Book your demo today and take the first step towards comprehensive SaaS protection.
This article was originally published on February 13, 2023 and was updated on March 18, 2025 for accuracy and relevancy.
Request a consultation and receive more information about how you can gain visibility to shadow IT and control access to these apps.
Fill out the form and watch webinar's video.
