SaaS Security Enters the Spotlight
Over the past two years, attackers have changed both their targets and their tactics as they search for the most lucrative paths into organizations and their critical assets. As companies migrate from network-based infrastructure to the cloud, those assets are increasingly shared and stored outside the well-secured organizational perimeter, spread across many SaaS applications that are far less consistently secured. This shift has benefited business collaboration and productivity, but it has also introduced a new set of security risks that grows with every new SaaS application, SaaS-to-SaaS integration, external data share, unmanaged identity and SaaS misconfiguration.
Recent SaaS breaches involving Okta, GitHub, Microsoft 365 and Google Workspace, among others, have grown ever more complex, involving SaaS supply chain attacks and the exploitation of SaaS misconfigurations, ungoverned data sharing privileges and over-privileged identities - all leading to account takeovers and data loss that can span multiple companies, data repositories and SaaS services.
Security practitioners and vendors must now evolve along with the SaaS environment and the attackers targeting it, leaving behind legacy SaaS security solutions that provide only partial visibility and lack the business context behind SaaS adoption and usage. They must embrace SaaS sprawl while keeping pace with attackers who are becoming more sophisticated and more determined.
As the CEO and Co-founder of Valence Security, a cybersecurity company striving to help security and business leaders improve their SaaS security posture, I believe that 2023 will be the year that SaaS security truly enters the spotlight. These are our top predictions for the coming year:
Security teams will shift their focus from proprietary apps to third-party SaaS apps.
The frequency and complexity of the SaaS attacks seen over the past two years show that attackers have shifted their focus to third-party SaaS applications: their sprawl, interconnectivity and flood of ungoverned data sharing and user permissions make up an expansive yet only marginally secured attack surface. The 2022 Shadow SaaS-to-SaaS Integration Report by Valence Threat Labs, for instance, found that the average organization has 917 SaaS-to-SaaS third-party integrations - four to five times the number estimated by CISOs. SaaS will increasingly be seen as the weak link in organizations' security posture, because security teams and their vendors have invested heavily in securing IaaS, production, proprietary applications and code while leaving SaaS comparatively untouched. As the scope and cost of breaches grow, they will increasingly recognize that SaaS environments must be hardened.
SaaS security will evolve beyond visibility to include automated remediation.
Traditional SaaS security solutions have focused primarily on providing visibility into SaaS adoption and use, with only light risk mitigation capabilities, even though overworked and under-resourced security teams need tools that not only uncover risks but help them actually remediate them. In 2023, solutions that provide automated remediation will be seen as critical tools in the security team's arsenal rather than the nice-to-haves they have been considered over the previous few years. Security teams no longer want merely to know about their problems; they want to measure continuous, scalable risk reduction.
SaaS security will increasingly be seen as a collaborative effort.
The democratization of IT has been a boon for the booming SaaS market. As users adopt SaaS applications on their own, security teams struggle to keep up. Going beyond visibility and alerts, remediating SaaS risks and misconfigurations will increasingly require business context, because security professionals want to let users reap the benefits of SaaS while keeping it secure. To do so, in 2023 SaaS security will be treated as a collaborative effort that extends beyond the security team's direct responsibility and engages business users through collaborative, decentralized workflows, giving security teams the business insight they need to balance security with productivity.
Zero-trust will need to be rethought for the SaaS mesh.
Enforcing zero trust for SaaS is very different from enforcing it on-prem, because application adoption, use and management are decentralized. It requires not just the "policy of no" typical of on-prem enforcement but a deep understanding of each application and of how multiple integrated SaaS apps, together with the sprawl of ungoverned data sharing, user identities and other permissions, work together to enhance business productivity while also creating a massive risk surface. In 2023, security teams will increasingly realize that the vast mesh of SaaS-to-SaaS integrations, human and non-human identities and their privileges, and external data sharing permissions must be mapped, monitored and remediated using zero-trust principles in ways that still allow that mesh to grow at the pace of business.
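As an added illustration of what "mapping and remediating the mesh with zero-trust principles" looks like in practice, here is a small Python script that scores an inventory of third-party SaaS-to-SaaS OAuth grants against least-privilege rules and turns each score into a revoke / reduce / monitor decision. This is example code written for this page, not Valence Security's product or any vendor's API; the grant records, scope names, dormancy threshold and scoring weights are all constructed assumptions, and in a real deployment the inventory would be pulled from each platform's admin API and the scope names would follow that vendor's conventions.

```python
"""Score third-party SaaS-to-SaaS OAuth grants against least-privilege rules.

Added example, not Valence Security code. Grant records, scope names,
thresholds and weights below are constructed for illustration; a real
inventory comes from each SaaS platform's admin/token-report API.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date

# Constructed policy: scopes that grant write or org-wide access count as
# high-privilege. Real scope strings differ per vendor (assumed names here).
HIGH_RISK_SCOPES = {
    "drive",                  # full read/write to all files
    "mail.readwrite",         # read and send mail
    "files.readwrite.all",
    "directory.readwrite.all",
    "admin",
}
DORMANT_DAYS = 90             # assumed threshold for "dormant" integrations


@dataclass
class Grant:
    app: str
    owner: str                # who is accountable; "" means nobody on record
    identity_type: str        # "user" (human) or "service_account" (non-human)
    consent: str              # "user" (self-service) or "admin" (reviewed)
    scopes: list[str]
    last_used: date | None
    verified_publisher: bool = True


@dataclass
class Finding:
    app: str
    score: int
    reasons: list[str] = field(default_factory=list)


def assess_grant(g: Grant, today: date) -> Finding:
    """Apply each least-privilege rule and accumulate a risk score."""
    f = Finding(app=g.app, score=0)
    high = sorted(s for s in g.scopes if s.lower() in HIGH_RISK_SCOPES)
    if high:                                  # over-privileged integration
        f.score += 3 * len(high)
        f.reasons.append(f"high-privilege scopes: {', '.join(high)}")
    if g.consent == "user":                   # never reviewed by security
        f.score += 2
        f.reasons.append("self-service user consent, not reviewed")
    if g.last_used is None or (today - g.last_used).days > DORMANT_DAYS:
        f.score += 2                          # dormant but still trusted
        f.reasons.append(f"dormant: no use in {DORMANT_DAYS} days")
    if g.identity_type == "service_account" and not g.owner:
        f.score += 2                          # ungoverned non-human identity
        f.reasons.append("non-human identity with no accountable owner")
    if not g.verified_publisher:
        f.score += 1
        f.reasons.append("unverified publisher")
    return f


def prioritise(grants: list[Grant], today: date) -> list[Finding]:
    """Highest-risk grants first; ties broken by app name for stable output."""
    return sorted((assess_grant(g, today) for g in grants),
                  key=lambda f: (-f.score, f.app))


def recommended_action(f: Finding) -> str:
    """Zero-trust style decision: remove what is dormant and over-privileged,
    narrow what is active but over-scoped, otherwise keep monitoring."""
    if f.score >= 7:
        return "revoke"
    if f.score >= 3:
        return "reduce scopes / assign owner"
    return "monitor"


# Constructed sample inventory (three integrations, one of each kind).
TODAY = date(2023, 1, 15)
SAMPLE_GRANTS = [
    Grant("Calendar Sync Bot", "alice@example.com", "user", "user",
          ["calendar.readonly"], date(2023, 1, 10)),
    Grant("Legacy Backup Tool", "", "service_account", "admin",
          ["drive", "mail.readwrite"], date(2022, 6, 1)),
    Grant("Slide Generator", "bob@example.com", "user", "user",
          ["drive"], date(2023, 1, 12), verified_publisher=False),
]

if __name__ == "__main__":
    for finding in prioritise(SAMPLE_GRANTS, TODAY):
        print(f"{finding.app}: score={finding.score} -> "
              f"{recommended_action(finding)}; " + "; ".join(finding.reasons))
```

Running it ranks the dormant, ownerless, over-scoped backup tool for revocation, the user-consented Drive app for scope reduction, and leaves the read-only calendar bot under monitoring. The point is the shape of the workflow rather than the specific weights: each rule maps to one of the risk sources named above (over-privileged scopes, ungoverned consent, dormant access, non-human identities without owners), and the output is an actionable decision per integration rather than a visibility-only alert.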