Heading into the rest of 2024, it’s clear that protecting SaaS data from breaches, corruption by new AI tools, and insider risk remains an important challenge for security pros.
On the data breach front, the numbers are stark: Wing Security recently found that 96.7% of organizations used at least one SaaS app that had a security incident in the past year, and four out of five organizations had at least one SaaS app, used by a single user, in which a security incident occurred.
What’s underneath these numbers? While SaaS appeals to the C-suite because the apps make workers more productive and save on-premises data center costs, the shared responsibility model puts the onus on the customer organization to secure the data, configurations, and APIs on which those apps run.
Therein lies the rub.
As more workers use Google Docs, Office 365, and hundreds of other productivity apps to get work done, an avalanche of data gets exposed beyond the corporate network, and IT and security teams are having a hard time keeping up.
Keep in mind that Wing Security found that the average employee uses 29 SaaS apps, and 85% of organizations have users outside their organization with access to their data, so the complexity of securing all those apps and data grows daily.
Frank Dickson, group vice president for security and trust at IDC, said that, in fairness to IT and security teams, they are not equipped with the tools to protect SaaS.
“Traditional tools are not designed to work well with SaaS,” said Dickson. “Adding to the complexity, while SaaS providers are wholly responsible for operation and protection of network layer technologies, SaaS customers have little or no visibility into these systems and must trust the SaaS provider for their protection. Compounding the issue, most SaaS application providers do not own or operate these systems on their own as they rely on third-party cloud infrastructure providers such as AWS, Microsoft Azure, or Google.”
The impact of AI
Adam Gavish, co-founder and CEO of DoControl, said that, adding to the complexity of managing SaaS data, employees are now experimenting with new AI tools that don’t always conform to security best practices.
“Everybody uses these SaaS apps to collaborate on AI models and as more people use AI apps the attack surface grows,” said Gavish. “I’m not talking about OpenAI and the ChatGPT users. Most AI companies are startups that don’t have an established security model.”
Gavish said as more data gets exposed and people in the organization come and go, the threat of insider risk grows. He said what companies need today is better telemetry into the context around SaaS data.
Companies need to answer the following questions:
- Who’s leaving the company and what SaaS data access did they have?
- How was that data used in daily business operations?
- How can the team analyze patterns so it can identify meaningful trends that can protect the business?
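One way to start answering those three questions from SaaS audit telemetry, shown here as an added example rather than code from DoControl or any vendor named on this page: join a leaver roster against SaaS audit events, record which apps and resources each departing user touched in the weeks before their last day, and flag the patterns a reviewer cares about (shares to external domains, bulk downloads or exports). The event schema, the corporate domain, the thresholds, and all sample data are constructed assumptions, not a real audit-log format.

```python
"""Offboarding-focused SaaS telemetry review (added example, hypothetical).

Cross-references a list of departing employees against SaaS audit events to
answer: what data did each leaver touch, how was it used, and does the pattern
(external shares, bulk downloads shortly before departure) warrant follow-up.
All data below is constructed for illustration; the event tuple layout is an
assumption, not any vendor's real audit-log schema.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta

INTERNAL_DOMAIN = "example.com"  # assumed corporate domain

# Constructed leaver roster: user -> last working day
LEAVERS = {
    "alice@example.com": date(2024, 3, 29),
    "bob@example.com": date(2024, 4, 12),
}

# Constructed SaaS audit events: (app, actor, action, resource, share_target, day)
EVENTS = [
    ("gdrive", "alice@example.com", "download", "Q1-forecast.xlsx", None, date(2024, 3, 26)),
    ("gdrive", "alice@example.com", "download", "customer-list.csv", None, date(2024, 3, 27)),
    ("gdrive", "alice@example.com", "share", "customer-list.csv", "alice.personal@gmail.com", date(2024, 3, 28)),
    ("salesforce", "alice@example.com", "export", "Opportunities", None, date(2024, 3, 28)),
    ("gdrive", "bob@example.com", "view", "onboarding-guide.pdf", None, date(2024, 4, 1)),
    ("gdrive", "bob@example.com", "share", "roadmap.docx", "carol@example.com", date(2024, 4, 2)),
    ("slack", "carol@example.com", "download", "design.png", None, date(2024, 4, 3)),
]

BULK_ACTIONS = {"download", "export"}
WINDOW_DAYS = 14      # assumed review window before the last working day
BULK_THRESHOLD = 3    # assumed: this many download/export events in the window is flagged


@dataclass
class LeaverReport:
    user: str
    last_day: date
    apps: set = field(default_factory=set)          # SaaS apps the leaver used in the window
    resources: set = field(default_factory=set)     # documents/objects touched in the window
    external_shares: list = field(default_factory=list)  # (app, resource, external target)
    bulk_count: int = 0                             # download/export events in the window

    def flags(self):
        """Patterns that should go to a human reviewer."""
        out = []
        if self.external_shares:
            out.append("external-share")
        if self.bulk_count >= BULK_THRESHOLD:
            out.append("bulk-download")
        return out


def is_external(target):
    """True when a share target is outside the assumed corporate domain."""
    return target is not None and not target.lower().endswith("@" + INTERNAL_DOMAIN)


def review_leavers(leavers, events, window_days=WINDOW_DAYS):
    """Build one LeaverReport per departing user from the audit events."""
    reports = {u: LeaverReport(u, d) for u, d in leavers.items()}
    for app, actor, action, resource, target, day in events:
        r = reports.get(actor)
        if r is None:
            continue  # actor is not on the leaver roster
        if not (r.last_day - timedelta(days=window_days) <= day <= r.last_day):
            continue  # outside the pre-departure review window
        r.apps.add(app)
        r.resources.add(resource)
        if action in BULK_ACTIONS:
            r.bulk_count += 1
        if action == "share" and is_external(target):
            r.external_shares.append((app, resource, target))
    return reports


def summarize(reports):
    """Map each leaver to the sorted list of flags raised for them."""
    return {u: sorted(r.flags()) for u, r in reports.items()}


if __name__ == "__main__":
    for user, flags in summarize(review_leavers(LEAVERS, EVENTS)).items():
        print(user, flags or "no flags")
```

The same join runs unchanged against a real export once the event tuples are produced from whatever audit API the SaaS app exposes; the thresholds and window are the parts to tune against a baseline of normal activity so that the "pattern" question in the list above is answered by data rather than by a fixed number.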
“It’s really easy for developers to use ChatGPT out of their home Wi-Fi and then take those results and bring them into their work environment and go forward, so organizations are concerned about protecting all this new data,” said Steve Boone, head of product growth at Checkmarx.
Chad Graham, manager of the cyber incident response team at Critical Start, pointed out that as the adoption of AI technologies accelerates, the risk of data corruption and manipulation by AI systems becomes a significant concern.
“AI algorithms, while powerful, can be susceptible to biases and malicious inputs,” said Graham. “Ensuring the integrity and accuracy of data used by AI systems is crucial to prevent erroneous outcomes and maintain trust in AI-driven processes. This can be achieved through stringent data validation protocols, continuous monitoring, and implementing safeguards that detect and mitigate anomalies in real-time.”
Start by understanding the attack surface
Checkmarx’s Boone advised that security teams focused on SaaS security should start by taking a step back and thinking through why SaaS apps are so vulnerable.
SaaS apps have wide adoption, they are online and can be accessed from many locations, and they hold centralized data stores, so a criminal who breaches one can mine hundreds or thousands of customers’ data sets. SaaS apps also rely heavily on APIs, and many organizations struggle to understand their API footprint.
The reality: “SaaS apps are uniquely vulnerable to supply chain attacks, malicious packages, cryptominers, malware, and spyware because they are internet-facing and always on,” said Boone.
In some ways, the concern around SaaS security is good news for CISOs who have struggled to get the attention of the C-suite. With a new data breach in the news almost every day, many involving internet-facing SaaS or file-transfer services, such as the MOVEit breach, CISOs may find a more receptive audience when they pitch their SaaS security strategies to top management.
(Editor's Note: This is the first in a series of articles to feature the 15 Top Cybersecurity Trends of 2024 & 2025)