The News: SaaS security provider Valence Security announced the release of its 2023 State of SaaS Security report, which features five key types of SaaS breaches, how they happen, and real-world examples. The report also includes 14 SaaS security recommendations, based on the lessons Valence Security has learned from its customers, and three predictions about the near-term future of SaaS security and the most impactful trends on the SaaS security market.
Read the press release on Valence’s website.
Valence Releases Its 2023 State of SaaS Security Report
Analyst Take: As the SaaS market continues to increase its footprint across SMB, mid-market, and enterprise companies, the cybersecurity threats to organizations are rising in lockstep, according to the 2023 Valence State of SaaS Security report. The security vendor-authored report contains the company’s perspective on SaaS security, details the top threats to organizations using SaaS applications, and offers security recommendations and predictions for this increasingly vulnerable market.
SaaS Security Practices, Rather Than the Apps Themselves, Create Security Holes
SaaS platforms have become increasingly popular, as they can be deployed with far less effort, and far more quickly, than traditional on-premises software. Further, because these platforms can be accessed from any internet connection across a multitude of devices, many organizations, from SMBs through large enterprises, have adopted security practices that inadvertently create security holes.
For example, workers often complain that being required to enter usernames and passwords each time they want to access the software creates excess friction, largely because they forget these credentials and need to reset them. To speed up access, SaaS apps have turned to authentication tokens, which let a returning user skip re-entering usernames, passwords, and two-factor authentication. According to Valence's commentary on the report, while these tokens grant easy access for users, they are trivial to steal. A stolen token lets an attacker log in without having to satisfy the authentication policies at all.
Indeed, it is not the SaaS applications themselves that are the security risk, but the relatively lax login procedures that create holes malevolent actors can use as an entryway to SaaS applications. Stolen authentication tokens, often from dormant accounts, can be used to access these applications easily, resulting in the potential for data theft and loss. As such, these security practices need to be re-evaluated and tightened to ensure that bad actors are not provided with red-carpet access to valuable company systems and data.
“Uncontrolled” File Sharing Is Creating Additional Risks
Another activity that is generating security risks is what Valence calls the increasing amount of “uncontrolled file sharing,” which Valence defines as users sharing files with personal accounts, thereby bypassing any corporate security controls. Valence says that on average there are 54 shared resources (e.g., files, folders, SharePoint sites) per employee and 193,000 shared resources per company, most of which are idle and unused, creating unmonitored pathways that hackers can use to infiltrate SaaS platforms and software.
Some of the other findings of the Valence report related to weak security practices include:
- Over half (51%) of an organization’s SaaS third-party integrations are inactive
- 90% of shared assets (files, folders, anyone-with-the-link permissions) remain unused for 90+ days
- 1 in 8 employee accounts are dormant (1 in 3 in some companies)
- 53% of CISOs do not have a process to ensure proper correlation between third-party risk management and integrations
Remedying and Closing SaaS Security Holes
Valence says that SaaS security practices will need to evolve beyond visibility to include automated remediation, and indicates that organizations need to take specific, proactive steps to address weak security practices. Some of its recommended best practices include:
- Avoid SaaS misconfigurations by investigating how to leverage native security controls embedded into each SaaS application and configuring them according to industry best practices based on standards from NIST, CIS, and CSA
- Extend threat detection to ensure maximum coverage and analysis of SaaS application events, activities, and admin logs, to detect anomalous and malicious activities
- For identities and permissions, closely manage accounts with high privilege and admin access and apply least privilege principles to ensure each user has the minimum required permissions
- Ensure SaaS account deactivation is included in identity lifecycle processes; investigate idle accounts and deactivate them if the employee has left the organization
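The findings above (inactive integrations, shares unused for 90+ days, dormant accounts) and the recommendations on least privilege and account deactivation all reduce to the same audit: compare each account, share, and integration's last activity against a staleness threshold and sort the results into remediation buckets. The following Python script is an added example, not Valence's code or data and not an API of any SaaS vendor; the record fields (last_login, anyone_with_link, scopes) are assumptions about what a SaaS admin export would contain, and the inventory is constructed for illustration.

```python
"""Added example: a SaaS hygiene audit over a constructed inventory.

Not Valence's code or data. It applies the report's thresholds (unused for
90+ days, inactive integrations, dormant accounts) to records of the kind a
SaaS admin API or CSV export would provide. Field names are assumptions.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional

STALE_DAYS = 90  # report threshold: idle or unused for 90+ days


@dataclass(frozen=True)
class Account:
    email: str
    last_login: Optional[date]  # None = never logged in
    employed: bool              # False once HR marks the person as departed
    is_admin: bool = False      # high-privilege accounts get flagged first


@dataclass(frozen=True)
class Share:
    path: str
    owner: str
    last_accessed: Optional[date]
    anyone_with_link: bool      # open link = no corporate control on access


@dataclass(frozen=True)
class Integration:
    app: str
    last_used: Optional[date]
    scopes: tuple


def days_idle(last: Optional[date], today: date) -> int:
    """Days since last activity; never-used objects count as idle forever."""
    return 10**6 if last is None else (today - last).days


def dormant_accounts(accounts, today):
    return [a for a in accounts if days_idle(a.last_login, today) >= STALE_DAYS]


def deactivation_plan(accounts, today):
    """Lifecycle rule from the report: dormant + departed -> deactivate;
    dormant + still employed -> investigate before touching it."""
    plan = {"deactivate": [], "investigate": []}
    for a in dormant_accounts(accounts, today):
        plan["deactivate" if not a.employed else "investigate"].append(a.email)
    return plan


def stale_shares(shares, today):
    return [s for s in shares if days_idle(s.last_accessed, today) >= STALE_DAYS]


def inactive_integrations(integrations, today):
    return [i.app for i in integrations if days_idle(i.last_used, today) >= STALE_DAYS]


def pct(part: int, whole: int) -> float:
    return round(100 * part / whole, 1) if whole else 0.0


def audit(accounts, shares, integrations, today):
    """Summarise the inventory the way the report's statistics are framed."""
    plan = deactivation_plan(accounts, today)
    dormant = dormant_accounts(accounts, today)
    return {
        "dormant_account_pct": pct(len(dormant), len(accounts)),
        "stale_share_pct": pct(len(stale_shares(shares, today)), len(shares)),
        "inactive_integration_pct": pct(len(inactive_integrations(integrations, today)),
                                        len(integrations)),
        "dormant_privileged": [a.email for a in dormant if a.is_admin],
        "deactivate": plan["deactivate"],
        "investigate": plan["investigate"],
        # stale AND open to anyone with the link: the unmonitored pathway case
        "open_stale_shares": [s.path for s in stale_shares(shares, today)
                              if s.anyone_with_link],
        "inactive_integrations": inactive_integrations(integrations, today),
    }


# Constructed sample inventory (not real data); TODAY is fixed for determinism.
TODAY = date(2023, 8, 1)
ACCOUNTS = [
    Account("alice@example.com", date(2023, 7, 30), True, is_admin=True),
    Account("bob@example.com", date(2023, 3, 1), False),          # departed, 153 days idle
    Account("carol@example.com", date(2023, 4, 20), True),        # employed, 103 days idle
    Account("dave@example.com", None, True, is_admin=True),       # admin, never logged in
    Account("erin@example.com", date(2023, 7, 1), True),
    Account("frank@example.com", date(2023, 7, 25), True),
    Account("grace@example.com", date(2023, 6, 15), True),        # 47 days idle
    Account("heidi@example.com", date(2023, 7, 28), True),
]
SHARES = [
    Share("/Finance/Q2-board-deck.pptx", "alice@example.com", date(2023, 7, 29), False),
    Share("/HR/offer-template.docx", "bob@example.com", date(2023, 2, 10), True),
    Share("/Eng/design-notes", "carol@example.com", date(2023, 4, 1), False),
    Share("/Sales/pricing.xlsx", "erin@example.com", None, True),
    Share("/Marketing/assets", "grace@example.com", date(2023, 7, 20), True),
]
INTEGRATIONS = [
    Integration("calendar-sync", date(2023, 7, 31), ("calendar.read",)),
    Integration("old-crm-connector", date(2023, 1, 15), ("contacts.read", "files.write")),
    Integration("survey-tool", None, ("users.read",)),
    Integration("ci-bot", date(2023, 7, 28), ("repo.read",)),
]

if __name__ == "__main__":
    for key, value in audit(ACCOUNTS, SHARES, INTEGRATIONS, TODAY).items():
        print(f"{key}: {value}")
```

Running the script on the constructed inventory reports 37.5% dormant accounts, 60% stale shares and 50% inactive integrations, and separates the one departed user (deactivate) from the two still-employed dormant accounts (investigate), one of which is an admin. The same loop can be fed a real export once the field names are mapped; the point is that the report's numbers are the output of an audit any team can automate, and that the deactivation decision keys on HR status rather than on idleness alone.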
In the quest to improve convenience, eliminate effort, and save time, many organizations have implemented processes that, on their surface, still follow security protocols. But any process that makes it easier for legitimate users to access a system comes with tradeoffs that generally make it easier for bad actors to access resources as well. Ultimately, the strongest SaaS security practices do not come without some user friction, with which companies and their workers must learn to live.
Disclosure: The Futurum Group is a research and advisory firm that engages or has engaged in research, analysis, and advisory services with many technology companies, including those mentioned in this article. The author does not hold any equity positions with any company mentioned in this article.
Analysis and opinions expressed herein are specific to the analyst individually and data and other information that might have been provided for validation, not those of The Futurum Group as a whole.
Author Information
Keith has over 25 years of experience in research, marketing, and consulting-based fields.
He has authored in-depth reports and market forecast studies covering artificial intelligence, biometrics, data analytics, robotics, high performance computing, and quantum computing, with a specific focus on the use of these technologies within large enterprise organizations and SMBs. He has also established strong working relationships with the international technology vendor community and is a frequent speaker at industry conferences and events.
In his career as a financial and technology journalist he has written for national and trade publications, including BusinessWeek, CNBC.com, Investment Dealers’ Digest, The Red Herring, The Communications of the ACM, and Mobile Computing & Communications, among others.
He is a member of the Association of Independent Information Professionals (AIIP).
Keith holds dual Bachelor of Arts degrees in Magazine Journalism and Sociology from Syracuse University.