Study shows securing SaaS applications growing in importance

Securing all types of SaaS applications ranks high among security pros, but the broad mandate can mean the need for better SaaS security platforms and tools.

SaaS security has become a clear priority for a majority of organizations, according to recent research from TechTarget's Enterprise Strategy Group. In the study, "Securing SaaS Ecosystems," 41% of respondents said enabling the safe use of SaaS applications is their organization's top cybersecurity priority, with another 32% indicating it's in the top three.

With so many important yet competing priorities to balance, this emphasis on SaaS security speaks volumes. Yet SaaS security can mean a variety of different things, ranging from identifying misconfigurations in sanctioned applications, to protecting data shared with unsanctioned applications, to controlling or preventing the use of specific applications.

An important area where there seems to be a disconnect is third-party connected SaaS applications and plugins -- applications that connect to another SaaS application to provide additional capabilities. These could be for large applications -- for example, a Zoom plugin for Google Workspace -- or smaller, standalone applications such as Grammarly or Mail Merge. Such apps might also be available in the marketplace of a core SaaS application -- for example, Salesforce or Microsoft 365.

While these plugins and connected apps provide users additional functionality and a better experience as they go about their day-to-day routine, they also introduce security risks.

Securing third-party applications and data

Just as with unsanctioned SaaS applications historically, it can be difficult for security teams to manage the breadth of this usage, protect the data potentially exposed by these connections and ensure enforcement of corporate policies. But while many organizations appear to believe they understand the scope of usage of these types of applications, their ability to secure them remains in question. Overall, 57% of organizations in the survey said they are very confident in their understanding of the number of third-party connected apps and plugins used by employees, and an additional 42% said they are somewhat confident.

Yet, when it comes to securing these third-party connected applications, respondents said the following:

  • Blocking access to unsanctioned and third-party connected apps and plugins was a significant SaaS security challenge for 38% of respondents.
  • Maintaining visibility across unsanctioned and third-party connected applications and plugins was a significant SaaS security challenge for 38% of respondents.
  • Excessive access granted to third-party applications was cited by 43% of respondents as one of the SaaS misconfigurations their organization is most worried about.

Unfortunately, these concerns appear to be well founded rather than hypothetical. According to the study, among organizations that had suffered an attack on a SaaS application in the last 12 months, 42% reported data leakage from third-party connected apps or plugins.

SaaS security platforms needed

These findings only reinforce the need for comprehensive SaaS security platforms that provide visibility and control across not only sanctioned and unsanctioned applications but third-party connected applications as well. Security teams don't have the time or resources to manually discover and assess these applications. Tools that provide context can help organizations reduce their attack surface and protect their sensitive data more efficiently. Such platforms can show what the connected app is, the permissions it has, which users have enabled it and the activity within the app, coupled with the ability to quickly and centrally deprovision access if the app is deemed high risk.

John Grady is a principal analyst at TechTarget's Enterprise Strategy Group who covers network security. Grady has more than 15 years of IT vendor and analyst experience.

Enterprise Strategy Group is a division of TechTarget. Its analysts have business relationships with technology vendors.
