2022 Shadow SaaS-to-SaaS Integration Report

This report covers key trends and challenges organizations face when trying to gain visibility and control over the growing and fast-changing world of SaaS-to-SaaS third-party integrations – known as the SaaS mesh. This mesh grows via API tokens, OAuth third-party apps, SaaS marketplaces, and no/low code automated workflows that place sanctioned business-critical SaaS apps at risk of supply chain attacks.

Executive Summary

SaaS Mesh Risks

The democratization of IT has empowered business users across organizations to manage best-of-breed SaaS applications directly, without IT security review or governance. This has greatly reduced deployment time and enhanced business agility, productivity, and collaboration. However, the indiscriminate connection of SaaS applications also increases the risk of unvetted supply chain access to business-critical applications like Salesforce, Microsoft 365 and Google Workspace.

These high-risk connections are typically driven by end users that are encouraged to consent to OAuth apps by SaaS vendors, without understanding the security implications of their actions and how to revoke the access they granted. In addition, business owners often generate over-privileged API tokens that significantly increase the blast radius of any supply chain vendor breach. Lastly, citizen developers automate workflows by creating complex data flows that are hidden from security teams who lack visibility into no/low-code platforms.

‍Survey Methodology

The survey queried decision-makers with job titles relevant to cybersecurity such as CISOs, CIOs, and Directors/VPs of IT security distributed across organizations ranging in size from under 1000 employees to more than 20,000 employees. Respondents were recruited via email invitations containing an embedded link to the online survey. The email invitations were sent to a select group of YL Venture’s qualified database.

Valence Security was responsible for all survey design, data collection, and data analysis. These procedures were carried out in strict accordance with standard market research practices and existing US privacy laws.

Survey Terminology

Core SaaS application - Any business critical SaaS application (i.e. Microsoft 365 or Salesforce) that is typically deployed and managed by the IT team.

SaaS-to-SaaS connection - Any connection between two SaaS applications created via API, no/low-code workflow, etc. (i.e Salesforce connected to Hubspot via API)

Third-party integration - Any connection to a core SaaS application created by a third-party vendor (i.e. Calendly or Grammarly). These integrations may be configured (using OAuth) by an employee or business department without IT oversight or security review.

No/low-code platform - Platforms like Workato, Zapier, Mulesoft, and Microsoft Power Platform that connect to core SaaS applications and allow citizen developers to easily build logic and applications without dependence on software development teams.

Continuous Onboarding of New Third-party Integrations

As SaaS-to-SaaS third-party integrations are rapidly adopted by employees and business units, it becomes a challenge for security and compliance teams to ensure proper coverage of their third-party risk management (TPRM) programs since they lack visibility and context into which vendors have access to their applications and the scope and exposure of such access.

This is problematic since SaaS admins typically provision integrations with excessive privileges due to the difficulty of manually configuring API scope access with least-privilege. Without a security review process in place, over-privileged integrations facilitate the lateral movement of threats, placing your data at elevated risk of cross-SaaS compromise once an attacker gains access to your supply chain. 

What the Survey Says…

Q. On average, how many new SaaS-to-SaaS connections and third-party integrations are connected on a monthly basis to your core SaaS applications?

A. 76% of CISOs believe they have under 20 new integrations added every month.

Q. Do you currently have a process to review and vet new vendors that receive access tokens to your SaaS applications?

‍A.65% of CISOs have a process in place, but only 27% have a process that applies to all vendors, including those adopted by employees and business units.

Ungoverned Citizen Developers Automating With No/low-code

No/low-code workflow misconfigurations by citizen developers are relatively common, and can lead to exposed sensitive data and PII. Most organizations do not have the appropriate equivalent of AppSec and DevSecOps for such automation workflows in platforms like Workato, Zapier, Microsoft Power Platform, etc.

For CISOs who either believe their organizations don’t use these workflows, don’t know, or don’t have processes in place to monitor them, they are leaving a significant part of their SaaS attack surface unmanaged and exposed.

What the Survey Says…

Q. How do you monitor applications developed by citizen developers on no/low-code platforms like Workato, Zapier, and Microsoft Power Platform?

A. 35% of CISOs said that they do not use these tools in their environment.

On the State of SaaS-to-SaaS Integration Security

Existing security solutions such as managed devices, endpoint security, IdP, CASB and ZTNA focus on securing human-to-app connections. But in the new world of the SaaS mesh, they are inadequate, leaving non-human app-to-app access ungoverned and unsecured. Again, this increases the risk of supply chain attacks and the lateral movement of threats.

What the Survey Says…

Q. How big of a priority is SaaS security in your organization in 2022/2023?

A. Only 9% of respondents in the survey said that SaaS security is a low priority, With 91% indicating that it is a medium or major priority. 

Q. What solutions do you have in place to secure your core SaaS applications? (Choose all that apply)

‍A.Of those who have a traditional security solution, most had either a CASB or an IdP – Neither of which secure non-human identities.

Q. Do you feel that your existing solutions provide the appropriate visibility and protection from the risks of SaaS-to-SaaS connections and third-party integrations?

‍A.The fact that 85% of CISO respondents were unhappy with their current solutions suggests the need for more solutions specifically designed to protect the SaaS mesh.