When Convenience Costs: CISOs Struggle With SaaS Security Oversight


SaaS deployments sometimes exemplify a common CISO lament: they have accountability without responsibility.

Software-as-a-service (SaaS) is easy to deploy. So easy that the decision, and the deployment, is sometimes undertaken by the business-unit user with little reference to, or oversight from, the security team, which is then left with precious little visibility into the SaaS platforms.

A survey (PDF) of 644 SaaS-using organizations undertaken by AppOmni reveals that in 50% of organizations, responsibility for securing SaaS rests entirely on the business owner or stakeholder. For 34%, it is co-owned by business and the cybersecurity team, and for only 15% of organizations is the cybersecurity of SaaS implementations wholly owned by the cybersecurity team.

This lack of consistent central control inevitably leads to a lack of clarity. Thirty-four percent of organizations don’t know how many SaaS applications have been deployed in their organization. Forty-nine percent of Microsoft 365 users thought they had fewer than 10 applications connected to the platform – yet AppOmni’s own telemetry reveals the true number is more likely close to 1,000 connected apps.

The attraction of SaaS to attackers is clear: it’s often a classic one-to-many opportunity if the SaaS provider’s systems can be breached. In 2019, the Capital One hacker obtained PII from more than 100 million credit applications. The LastPass breach in 2022 exposed millions of customer passwords and encrypted data.

It’s not always one-to-many: the Snowflake-related breaches that made headlines in 2024 most likely stemmed from a variant of a many-to-many attack against a single SaaS provider. Mandiant suggested that a single threat actor used many stolen credentials (collected from many infostealers) to gain access to individual customer accounts, and then used the information acquired to attack the individual customers.

SaaS providers generally have strong security in place, often stronger than that of their users. That perception may lead customers to over-rely on the provider’s security rather than on their own SaaS security. For example, as many as 8% of the respondents don’t conduct audits because they “rely on trusted SaaS companies”.

However, a common factor in many SaaS breaches is the attackers’ use of legitimate user credentials to gain access (so much so that AppOmni discussed this at BlackHat 2024 in early August: see Stolen Credentials Have Turned SaaS Apps Into Attackers’ Playgrounds).


AppOmni believes that part of the problem may be an organizational lack of understanding of, and potential confusion over, the SaaS principle of ‘shared responsibility’.

The model itself is clear: access control is the responsibility of the SaaS customer. Mandiant’s research suggests many customers do not engage with this responsibility. Legitimate user credentials were acquired from multiple infostealers over a long period of time. It is likely that many of the Snowflake-related breaches could have been prevented by better access control, including MFA and rotating user credentials.
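As an added illustration (this is not code from the article or from AppOmni), here is the kind of check a security team would run once it owns the access-control side of shared responsibility: a small Python audit over a user export that flags accounts without MFA, accounts whose credentials fall outside a rotation window, and dormant accounts that still hold valid credentials. The record layout, the policy thresholds, the audit date and the sample accounts are all assumptions constructed for the example; real provider exports differ.

```python
"""Audit a SaaS user export for the access-control gaps the article describes:
missing MFA, unrotated credentials, and dormant accounts.

Record layout, thresholds and sample data are assumptions for this example.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple


@dataclass
class SaasAccount:
    username: str
    mfa_enabled: bool
    credential_last_rotated: date      # when the password/API key last changed
    last_login: Optional[date]         # None if the account has never signed in


# Constructed sample export (not real data). "svc-etl" mimics a service
# account created for an integration and then forgotten.
SAMPLE_EXPORT: List[SaasAccount] = [
    SaasAccount("alice",   True,  date(2024, 6, 1),   date(2024, 8, 1)),
    SaasAccount("bob",     False, date(2023, 1, 15),  date(2024, 7, 30)),
    SaasAccount("svc-etl", False, date(2022, 11, 2),  None),
    SaasAccount("carol",   True,  date(2024, 1, 10),  date(2024, 8, 5)),
]

# Assumed audit date so the example is reproducible offline.
AUDIT_DATE = date(2024, 8, 15)

Finding = Tuple[str, str, str]   # (username, category, detail)


def audit_accounts(accounts: List[SaasAccount], today: date,
                   max_credential_age_days: int = 90,
                   dormant_days: int = 180) -> List[Finding]:
    """Return one finding per policy violation found in the export.

    Categories: "mfa_disabled", "stale_credential", "dormant".
    The thresholds are example policy values, not provider defaults.
    """
    findings: List[Finding] = []
    for acct in accounts:
        if not acct.mfa_enabled:
            findings.append((acct.username, "mfa_disabled",
                             "no second factor enrolled"))
        age = (today - acct.credential_last_rotated).days
        if age > max_credential_age_days:
            findings.append((acct.username, "stale_credential",
                             f"rotated {age} days ago"))
        if acct.last_login is None:
            findings.append((acct.username, "dormant", "never signed in"))
        elif (today - acct.last_login).days > dormant_days:
            idle = (today - acct.last_login).days
            findings.append((acct.username, "dormant",
                             f"last sign-in {idle} days ago"))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per category for a one-line management view."""
    counts: Dict[str, int] = {}
    for _, category, _ in findings:
        counts[category] = counts.get(category, 0) + 1
    return counts


def audit_sample() -> List[Finding]:
    """Run the audit over the constructed export with the assumed date."""
    return audit_accounts(SAMPLE_EXPORT, AUDIT_DATE)


if __name__ == "__main__":
    results = audit_sample()
    for username, category, detail in results:
        print(f"{username:10s} {category:17s} {detail}")
    print("summary:", summarize(results))
```

In the sample run, "alice" passes every check, while the never-used service account accumulates all three findings; that pattern (a forgotten integration account with no MFA and an old credential) is exactly what a stolen-credential attack needs, and it only shows up if someone in the organization actually owns the audit.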

The problem is not whether this responsibility belongs to the customer or the provider (although there is an argument suggesting that providers should take it upon themselves); it is where within the customer’s organization this responsibility should reside. The unit that best understands and is most suited to managing passwords and MFA is clearly the security team. But remember that only 15% of SaaS users give the security team sole responsibility for SaaS security, and 50% of companies give them none.

AppOmni’s CEO, Brendan O’Connor, comments, “Our report last year highlighted the clear disconnect between security self-assessments and actual SaaS risks. Now, we find that despite greater awareness and effort, things are getting worse. Just as there are constant headlines about breaches, the number of SaaS exploits has reached 31%, up five percentage points from last year. The details behind those statistics are even worse – despite increased budgets and initiatives, organizations need to do a far better job of securing SaaS deployments.”

It seems clear that the most important single takeaway from this year’s report is that the security of SaaS applications within companies should be elevated to a critical position. Regardless of the ease of SaaS deployment and the business efficiency that SaaS apps provide, SaaS should not be implemented without CISO and security team involvement and ongoing responsibility for security.

Related: SaaS Application Security Firm AppOmni Raises $40 Million

Related: AppOmni Launches Solution to Protect SaaS Applications for Remote Workers

Related: Zluri Raises $20 Million for SaaS Management Platform

Related: SaaS Application Security Firm Savvy Exits Stealth Mode With $30 Million in Funding
