The 2022 SaaS Security Survey Report, produced in collaboration with CSA, examines the state of SaaS security as seen through the eyes of CISOs and security professionals in today's enterprises. The report gathers anonymous responses from 340 CSA members to examine not only the growing risks in SaaS security but also how different organizations are currently working to secure themselves.
The majority (71%) of respondents were located in the Americas, another 17% in Asia, and 13% in EMEA. Of these participants, 49% influence the decision-making process while 39% run the process itself. The survey examined organizations from a variety of industries, such as telecommunications (25%), finance (22%), and government (9%).
While there were many lessons to be learned from this survey, we chose these seven.
1: SaaS Misconfigurations are Leading to Security Incidents
Since 2019, SaaS misconfigurations have become a top concern for organizations, with at least 43% of organizations reporting that they have dealt with one or more security incidents caused by a SaaS misconfiguration. However, since many other organizations state they are unaware whether they have experienced a security incident, the share of SaaS misconfiguration-related incidents could be as high as 63%. These numbers are striking when compared to the 17% of security incidents caused by IaaS misconfiguration.
Figure 1. Companies that experienced a security incident due to a SaaS misconfiguration
2: Lack of Visibility and too Many Departments with Access Reported as Leading Cause for SaaS Misconfigurations
What causes misconfigurations in your SaaS environment? While there are several factors to consider, the survey respondents narrow it down to two leading causes: having too many departments with access to SaaS security settings (35%), and a lack of visibility into changes made to SaaS security settings (34%). The two issues are related, and neither is surprising considering that SaaS adoption is a major concern for many organizations. The main reason for the lack of visibility is that many departments have access to security settings while few of them are trained in and focused on security.
Figure 2. The main causes of SaaS misconfigurations
3: Investment in Business-Critical SaaS Applications is Outpacing SaaS Security Tools and Staff
It is well known that businesses are adopting more apps: in this past year alone, 81% of respondents say that they have increased their investments in business-critical SaaS applications. By contrast, investment in SaaS security tools (73%) and SaaS security staff (55%) is lower. This places a significant burden on existing security personnel, who must still ensure SaaS security.
Figure 3. Companies' investment in SaaS apps, security tools, and staff
4: Manual detection and remediation of SaaS misconfigurations keeps organizations exposed
46% of organizations that manually monitor their SaaS security conduct checks only once a month or less, while 5% do not conduct checks at all. Security teams then need additional time to fix a problem once they have discovered it: approximately 1 in 4 organizations take one week or longer to resolve a misconfiguration when remediating manually. This long turnaround time leaves organizations exposed.
Figure 4. How often companies manually check for SaaS misconfigurations
Figure 5. How long it takes companies to manually fix SaaS misconfigurations
5: Use of an SSPM reduces timeline to detect and remediate SaaS misconfigurations
The flip side of the coin for finding #4 is that the organizations that have implemented an SSPM can more quickly and accurately detect and remediate their SaaS misconfigurations. The majority of these organizations (78%) utilize an SSPM to check their SaaS security configurations once a week or more. When it comes to resolving the misconfiguration, 81% of organizations using an SSPM are able to resolve it within a day to a week.
Figure 6. Frequency of SaaS security configuration checks
Figure 7. Length of time to fix SaaS misconfigurations
6: Third-party app access is a top concern
Third-party apps (also called low-code and no-code) can increase productivity and enable hybrid work. They are essential for scaling and building a company's work processes. However, many users quickly connect third-party apps without considering what permissions these apps are requesting. Once accepted, the permissions and subsequent access granted to these third-party apps could be harmless or as malicious as an executable file. Without visibility into the SaaS-to-SaaS supply chain that employees are connecting to their organization's business-critical apps, security teams are blind to many potential threats. As organizations continue to adopt SaaS applications, one of their top concerns is the lack of visibility, especially into third-party application access to the core SaaS stack (56%).
Figure 8. Companies' top concern when adopting SaaS apps
Planning Ahead and Implementing SSPM
Despite having been launched to the market in 2012, the category is still rapidly maturing. When respondents rated their familiarity with four cloud security solution categories, SSPM received an average rating of "somewhat familiar." Furthermore, 62% of respondents report that they are already using an SSPM or plan to implement one within the coming 24 months.
Figure 9. Companies currently using or planning to use SSPM
The 2022 SaaS Security Survey Report offers insights into how organizations are using and protecting their SaaS applications. There is no doubt that as companies continue to adopt more business-critical SaaS apps, the risk grows. To face this challenge head-on, companies should begin securing themselves through two best practices:
- First, enable security teams to gain full visibility into all SaaS app security settings, including third-party app access and user permissions. This in turn allows departments to keep their access without the risk of making improper changes that leave the organization vulnerable.
- Second, use automated tools, such as SSPMs, to continuously monitor and quickly remediate SaaS security misconfigurations. This allows security personnel to identify and correct problems in near real time, which shortens the window during which the organization is exposed, or prevents the issue from arising at all.
Both of these changes support the security team without preventing departments from continuing their work.
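To make the two best practices concrete, here is an added illustration (not code from the report, CSA, or any SSPM product) of the kind of continuous check an automated tool performs: it replays a constructed audit log of setting changes over a baseline, reports each drifted setting together with the department that changed it, and flags third-party app grants that hold broad scopes. All setting names, scope names, departments and app names are constructed for the example.

```python
# Constructed baseline of the expected security settings for a hypothetical SaaS tenant.
BASELINE = {
    "mfa_required": True,
    "external_sharing": "disabled",
    "session_timeout_min": 30,
}

# Constructed audit-log records: which department changed which setting to what value.
AUDIT_LOG = [
    {"setting": "external_sharing", "value": "anyone_with_link", "department": "marketing"},
    {"setting": "session_timeout_min", "value": 480, "department": "sales"},
]

# Constructed third-party app grants with OAuth-style scopes, and the scopes treated as broad.
APP_GRANTS = [
    {"app": "calendar-sync", "scopes": ["calendar.read"]},
    {"app": "bulk-exporter", "scopes": ["files.read_all", "admin.directory"]},
]
BROAD_SCOPES = {"files.read_all", "admin.directory", "mail.read_all"}


def replay_changes(baseline, audit_log):
    """Apply the audit log to the baseline: returns the live settings and who last changed each one."""
    settings = dict(baseline)
    last_changed_by = {}
    for rec in audit_log:
        settings[rec["setting"]] = rec["value"]
        last_changed_by[rec["setting"]] = rec["department"]
    return settings, last_changed_by


def find_drift(baseline, settings, last_changed_by):
    """One finding per setting that no longer matches the baseline, attributed to the changing department."""
    return [
        {"setting": key, "expected": expected, "actual": settings.get(key),
         "changed_by": last_changed_by.get(key, "unknown")}
        for key, expected in baseline.items() if settings.get(key) != expected
    ]


def risky_app_grants(grants, broad_scopes=BROAD_SCOPES):
    """Names of third-party apps holding at least one broad scope."""
    return [g["app"] for g in grants if broad_scopes & set(g["scopes"])]


def run_check():
    """Run both checks over the constructed tenant data and return the findings."""
    settings, owners = replay_changes(BASELINE, AUDIT_LOG)
    return {"drift": find_drift(BASELINE, settings, owners), "risky_apps": risky_app_grants(APP_GRANTS)}


if __name__ == "__main__":
    print(run_check())
```

In a real deployment the baseline, audit log and grant list would come from the SaaS vendor's admin and audit APIs, and the check would run on a schedule rather than once.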