Prioritizing Security in SaaS Solutions: Understanding the Importance and Methods
In an article, Alex Thompson, the chief security officer (CSO) at Goldman Sachs, emphasizes the importance of securing software as a service (SaaS) applications in the current digital environment.
As businesses adopt remote work, the usage of SaaS applications becomes essential for promoting collaboration, improving efficiency, and fostering innovation among a dispersed workforce. However, while these applications enhance a company's productivity, they also present new risks.
“The rapid advancements in technology create opportunities for vulnerabilities if companies are not careful in the manner they develop and implement these capabilities for employee access,” Thompson points out.
Given that your organization is likely using SaaS applications, it's likely that you've introduced security risks. But fear not. Nearly every company today could benefit from enhancing its SaaS security capabilities with updated solutions.
Here's why you should prioritize SaaS security in 2025.
SaaS Ecosystems Are Continually Evolving
Businesses rely on numerous SaaS applications to support operations. These range from service management systems to enterprise resource planning to email and communication platforms, and the average enterprise depends on approximately 490 SaaS applications—a number that is steadily increasing.
Furthermore, SaaS applications are consistently being updated with new features. This allows businesses to adopt the latest technologies, but it also results in constant change and the potential for misalignment.
Suggestions:
• Focus on discovering SaaS applications: Keep a dynamic inventory of all SaaS applications in use across the enterprise.
• Keep an eye out for unauthorized SaaS applications: Utilize tools to detect unauthorized SaaS applications.
• Implement automated security updates and configuration reviews: Monitor changes in SaaS applications and flag vulnerabilities introduced by updates.
You Need to Keep Track of Who's Who and What's Going On
Onboarding with SaaS is as simple as providing someone with a username and password. However, this leads to the creation of numerous identities, making it challenging to keep track of who's who and what they're doing. While many apps maintain their own activity logs, sifting through them for hundreds of apps is practically impossible—until something goes wrong. And by that time, it's usually too late to prevent a breach.
Suggestions:
• Implement centralized identity and access management (IAM) tools: Deploy platforms that centralize user provisioning, authentication, and access control.
• Adopt zero-trust principles: Assume no user or device is trustworthy by default.
• Monitor user activity using centralized logs: Aggregate logs from all SaaS applications into a centralized logging or security information and event management (SIEM) tool.
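The value of aggregating SaaS logs only appears once events from different apps share one schema and are examined together. The following added example (not from the article or any vendor it mentions) normalizes constructed audit events from two hypothetical apps, "docshare" and "chathub", into a common record and runs two checks over the merged stream: logins without MFA, and one identity signing in from two countries within a short window, which no single app's log can reveal on its own.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed audit events from two hypothetical SaaS apps ("docshare" and
# "chathub") with different native schemas; neither is a real vendor format.
RAW_EVENTS = [
    ('docshare', '{"ts":"2025-03-01T09:00:00Z","actor":{"email":"ana@example.com"},'
                 '"action":"login","ip_country":"DE","mfa":true}'),
    ('docshare', '{"ts":"2025-03-01T09:04:00Z","actor":{"email":"bob@example.com"},'
                 '"action":"login","ip_country":"US","mfa":false}'),
    ('chathub', '{"time":1740819900,"user":"Ana@example.com","event":"signin",'
                '"geo":"BR","auth":"password"}'),
    ('chathub', '{"time":1740820200,"user":"bob@example.com","event":"signin",'
                '"geo":"US","auth":"password+otp"}'),
]

def normalize(app, raw):
    """Map one vendor-specific event onto the shared schema used by the SIEM."""
    e = json.loads(raw)
    if app == 'docshare':
        return {'app': app, 'user': e['actor']['email'].lower(),
                'ts': datetime.fromisoformat(e['ts'].replace('Z', '+00:00')),
                'action': 'login' if e['action'] == 'login' else e['action'],
                'country': e['ip_country'], 'mfa': bool(e['mfa'])}
    if app == 'chathub':
        return {'app': app, 'user': e['user'].lower(),
                'ts': datetime.fromtimestamp(e['time'], tz=timezone.utc),
                'action': 'login' if e['event'] == 'signin' else e['event'],
                'country': e['geo'], 'mfa': '+otp' in e['auth']}
    raise ValueError(f'no normalizer for app {app!r}')

def detect(events, window=timedelta(minutes=30)):
    """Two cross-app checks: logins without MFA, and one identity logging in
    from two countries within `window` (only visible once logs are merged)."""
    findings, last = [], {}   # last: user -> (ts, country, app) of prior login
    for ev in sorted(events, key=lambda x: x['ts']):
        if ev['action'] != 'login':
            continue
        if not ev['mfa']:
            findings.append(('no_mfa', ev['user'], ev['app']))
        prev = last.get(ev['user'])
        if prev and prev[1] != ev['country'] and ev['ts'] - prev[0] <= window:
            findings.append(('country_change', ev['user'],
                             f'{prev[2]}:{prev[1]}->{ev["app"]}:{ev["country"]}'))
        last[ev['user']] = (ev['ts'], ev['country'], ev['app'])
    return findings

def run():
    return detect([normalize(app, raw) for app, raw in RAW_EVENTS])
```

Lower-casing the user field is what ties "Ana@example.com" in one app to "ana@example.com" in another; without a shared identity key the country-change check cannot fire.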
Your Applications Connect to Other Applications
When we store data in third-party apps, we trust those third parties to safeguard our information. A common practice among vendors is relying on other vendors to ensure security, which creates an interconnected network of applications that is nearly impossible to track. These app-to-app integrations increase the value of SaaS but also come with a downside: a flaw in one app could serve as a backdoor into another app.
Suggestions:
• Limit app permissions: Equip applications with only the data and functions required for their intended purpose.
• Implement real-time monitoring and alerts: Utilize tools to track unusual behavior.
• Monitor app-to-app integrations: Provision tools that offer visibility into app-to-app integrations and their actions.
You Need to Identify and Manage Shadow Applications
Our research reveals that shadow SaaS applications—unsanctioned apps used without IT or security's knowledge—account for 26% of all SaaS usage within organizations. With an average of 129 shadow SaaS apps per company, these apps bypass established security controls and significantly increase the risk of data exposure.
Suggestions:
• Employ SaaS discovery tools: Utilize solutions that identify all SaaS applications and rank their level of risk.
• Restrict data sharing to approved apps: Implement policies that restrict API integrations or data sharing with unknown applications.
• Incorporate shadow IT into compliance audits: Integrate shadow app detection into regular compliance workflows.
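The discovery and shadow-SaaS suggestions above (keep an inventory, detect unsanctioned apps, rank them by risk) boil down to comparing what the network actually talks to against the approved list. This added example, not from the article or any product it mentions, does that over constructed web-proxy log lines with hypothetical domains (docshare.example, chathub.example, pastebox.example, notesify.example), ranking each unsanctioned domain by how much data users have posted to it and how many users touch it.

```python
import re
from collections import defaultdict

# Constructed inventory of sanctioned SaaS domains (hypothetical names).
APPROVED = {'docshare.example': 'DocShare', 'chathub.example': 'ChatHub'}

# Constructed web-proxy log lines: "<ts> <user> <method> <url> <bytes_out>".
PROXY_LOG = """\
2025-03-01T09:00:01Z ana@example.com GET https://docshare.example/files 512
2025-03-01T09:02:10Z bob@example.com POST https://pastebox.example/api/upload 240000
2025-03-01T09:03:44Z ana@example.com POST https://pastebox.example/api/upload 98000
2025-03-01T09:05:00Z cat@example.com GET https://chathub.example/rooms 1200
2025-03-01T09:07:30Z bob@example.com GET https://notesify.example/app 4400
2025-03-01T09:08:12Z bob@example.com POST https://api.pastebox.example/v1/paste 51200
"""

LINE = re.compile(r'^(\S+) (\S+) (\S+) https?://([^/\s]+)\S* (\d+)$')

def registrable(host):
    """Collapse subdomains to the last two labels so api.x.example and
    x.example count as one app. Simplification: a real tool should use
    the Public Suffix List to handle suffixes like co.uk."""
    return '.'.join(host.lower().split('.')[-2:])

def discover_shadow_saas(log_text, approved):
    """Return unsanctioned domains as (domain, users, uploads, bytes_out),
    ranked with outbound data volume first and user reach second."""
    stats = defaultdict(lambda: {'users': set(), 'uploads': 0, 'bytes_out': 0})
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # skip unparseable lines instead of failing the whole run
        _ts, user, method, host, nbytes = m.groups()
        domain = registrable(host)
        if domain in approved:
            continue
        s = stats[domain]
        s['users'].add(user)
        if method == 'POST':          # data leaving the enterprise for this app
            s['uploads'] += 1
            s['bytes_out'] += int(nbytes)
    ranked = sorted(stats.items(),
                    key=lambda kv: (kv[1]['bytes_out'], len(kv[1]['users'])),
                    reverse=True)
    return [(d, len(s['users']), s['uploads'], s['bytes_out']) for d, s in ranked]
```

Feeding the top of this list into the compliance workflow (the third suggestion above) gives auditors the unsanctioned apps that are actually receiving enterprise data, rather than every domain ever resolved.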
The Majority of Ransomware Attacks Begin with SaaS Applications
Alongside SaaS security, Thompson highlighted increasing ransomware threats as a significant focus in their cybersecurity strategy. Ransomware attacks usually start with a phishing scheme: Users are duped into clicking malicious links, which then lead them to sites where they're asked to input their login credentials, which attackers subsequently take and use to access the enterprise network.
According to one recent report, 61% of ransomware attacks originate from SaaS applications. Organizations that wish to strengthen defenses against ransomware should prioritize SaaS security.
Suggestions:
• Strengthen email security: Implement solutions to detect and block phishing emails before they reach users.
• Establish and enforce cybersecurity best practices: Implement multifactor authentication (MFA), IAM security, and least privilege access policies.
• Provide frequent security awareness training: Conduct phishing simulations and educate employees to recognize and report suspicious emails.
Despite Your Best Efforts, Vendors Will Still Have Vulnerabilities
In most breach cases, the intruder exploited a SaaS provider environment that was not protected with MFA. This initial access was then used to infiltrate other organizations using that application.
Suggestions:
• Limit application permissions: Employ applications with only the data and functions required for their intended purpose.
• Continuously monitor for threats: Provide tools to detect and respond to anomalous application behavior.
• Implement zero-trust architecture: Continually verify access based on identity, device, and location.
Modern businesses are finding visibility gaps in their SaaS security when they rely on traditional methods such as Cloud Access Security Brokers (CASB), which enforce policies externally, like a firewall. Consequently, a fresh wave of SaaS security solutions is emerging. These tools can identify and catalog all applications, pinpoint configuration errors, and recognize and react to indications of intrusion.
The popularity of SaaS security is on the rise. The recent CrowdStrike announcement has sparked a significant discussion about SaaS security in the realm of cybersecurity, and we've noticed a rising sense of urgency from Chief Information Security Officers (CISOs) looking to strengthen their SaaS security to cover essential vulnerabilities, similar to OPet from JPMorgan Chase.
In the context of enhancing SaaS security, it's crucial to keep track of both authorized and unauthorized SaaS applications. Implementing tools to detect unauthorized applications can help mitigate potential risks.
Moreover, as businesses utilize numerous SaaS applications, centralized identity and access management tools become essential for managing multiple user identities and their activities across various platforms.