Learn How SaaS is Redefining What Cybersecurity Means

SaaS use in organizations is growing rapidly, and it is largely ungoverned, meaning that companies are likely failing to comply with their own security, risk and data compliance policies. The other problem is that much of the SaaS usage in organizations is unauthorized, meaning that end users are simply finding a SaaS application online and starting to use it, often for free at first.

If you talk to most CISOs, they readily acknowledge this is occurring, and current solutions, such as cloud access security brokers (CASBs), provide data but do not provide clearly prioritized, actionable remediation steps to mitigate SaaS security risk comprehensively.

The reality is that cybersecurity is failing to keep up with the growth of SaaS, and CISOs must adopt a governance and risk mindset that aligns with how modern work is done. SaaS security is unique because of the velocity of new SaaS being adopted and the decentralized purchasing decision process. These two things combined break the traditional cybersecurity frameworks.

Security issues related to SaaS are an increasingly troublesome area of risk for organizations, and this is likely to continue. Spending on SaaS services is the largest of all cloud services according to Gartner, accounting for around 37% of the entire market, much larger than the infrastructure as a service (IaaS) and platform as a service (PaaS) markets. On average as of 2020, large enterprises use 288 SaaS applications, and small businesses use more than 100.

SaaS Security Pillars: Discovery, Prioritization, Orchestration

Traditional frameworks assume that the company controls the endpoint, the network access or the authentication method. With SaaS, the company may control none of them. SaaS security is different, and it requires a framework that can address its unique challenges.

The Cloud Security Alliance (CSA) recently published SaaS Governance Best Practices for Cloud Customers, which is designed specifically for SaaS security. The CSA document builds on the Cybersecurity Framework created by the National Institute of Standards and Technology (NIST) and details the specific actions to take. Based on these recommendations and my experience, this article looks at three areas of protecting organizations from SaaS risks: discovery, prioritization and orchestration.

Discovery forms the foundation of SaaS security, especially in the age of business-led IT, where acquiring technology is decentralized and not governed centrally by IT. Though simple in concept, most companies lack the ability to discover user-sourced SaaS applications and can only find a fraction of the apps being used. In my experience, most companies are unaware of the vast majority of the apps in use in their organization, which creates a tremendous amount of unmanaged risk.

Many rely on CASBs to discover unsanctioned SaaS, but for the hundreds of SaaS applications that are not governed by other systems, a CASB can only identify the sites people visited—not whether an account has been created. In my experience, most SaaS applications are not managed and are invisible to IT.

Assessing SaaS risk can be overwhelming because the result is often a list of several hundred apps, all of which need to be evaluated from a vendor and data risk perspective. Assuming this can be done in a reasonable time frame, the remediation activity should then be prioritized based on the level of risk. SaaS risk is dynamic and depends on factors such as the number of users, the type of data stored and even adoption growth. However, many companies take a static view of risk, which I believe prevents security teams from prioritizing their work based on the true risk a SaaS app may pose to the company.

Once a company understands the risk it faces, it still faces

Orchestrating your SaaS security across your security layers is the final and most difficult step because it requires automation to scale. Since the traditional control points are less effective for SaaS, an identity-focused approach works best, especially when an app is no longer used and needs to be retired.

Without the first two pillars, this one is nearly impossible. For example, if IT does not know about a free SaaS application in which an employee created an account with a username and password, any sensitive data loaded into or used in the application remains exposed and accessible to the employee even after they have left the company.

How To Modernize Your SaaS Security

SaaS is how modern work is done, and the challenge in SaaS security is achieving the desired outcomes across the hundreds of apps being used by potentially thousands of employees. There is no single product that can solve every problem. What is clear is that SaaS security is a big enough problem, with unique enough requirements, to warrant a dedicated architectural layer. The key elements of this SaaS security architectural layer are:

• Continuous SaaS discovery to find new apps that users are adopting.

• Ongoing SaaS risk assessments that are based on enterprise-specific factors and not just vendor risk attributes.

• Identity-centric focus so that access can be secured on-net and off-net for managed and unmanaged endpoints.

• Automated orchestration of SaaS security controls to enforce policies, remediate violations and ensure data security.

Having worked with hundreds of companies to help them discover and secure their SaaS applications, it is clear to me that the industry needs a new approach, and the best practices guide published by the CSA is an acknowledgment that we need one that specifically addresses SaaS security.

This article originally ran in Forbes, an American business magazine that features articles on finance, industry, investing, and marketing topics.

*** This is a Security Bloggers Network syndicated blog from Grip Security Blog authored by Grip Security Blog. Read the original post at: