Introducing Zero Trust Posture Management (ZTPM)— Extending Zero Trust Beyond Network Access

3 Surefire Ways to Make SaaS Security Relevant to Customers

How system integrators and service providers can better serve customers by raising awareness of key SaaS security risks.

Securing SaaS can’t be taken for granted, but most mid-market and even enterprise organizations aren’t giving SaaS security its proverbial seat at the table. As a trusted partner to your customers, this puts you in a powerful position to provide a deeper understanding of SaaS security — and the risks of neglecting its importance.

These three battle-tested methods will help shift your customers from SaaS security laggards to relying on your team for strategic direction as they build and mature their SaaS security programs.

1. Show the Real-World Business Impact of SaaS Incidents

Neglecting or underinvesting in SaaS security isn’t a role of the dice if an incident will occur. It’s a waiting game of when a data leak or breach will surface.

Your customers likely don’t realize the full impact of SaaS-related breaches. Consider emphasizing the recent identity-centric HAR breach, which successfully targeted a leading IdP’s customer support portal as the means to steal session cookies and tokens. Or illustrate that shortly before the HAR event, a major American hospital system’s breach led to exposure of 11 million patient records. Even Salesforce customers have experienced data leaks due to misconfigured sites. And the damages SaaS security incidents levy can linger for years, as the October 2023 $13.4 million fine for an Equifax breach from 2017 shows.

These examples amount to a small fraction of the SaaS security incidents continually making headlines and devastating bottom lines. While Equifax’s fine might seem excessive and unlikely your customers would face similar penalties, IBM’s Cost of a Data Breach 2023 report shows that the average data breach now comes to $4.45 million. Smaller organizations may consider themselves outliers for this study. But Big Blue discovered that the average cost amounts to $165 per compromised data record for breaches involving as few as 2,200 records. While CISOs across the board are tightening their belts, the ROI of avoiding a breach is clear.

With proper SaaS security posture, monitoring, and remediation, the overwhelming majority of these breaches are preventable. Gartner has reported that 99% of cloud-related breaches can be traced to misconfigurations and vulnerabilities made by end-users.

With 45% of North America-based organizations employing more than 100 SaaS apps, threat actors have numerous attack vectors to target. Even though CISOs who participated in our 2023 State of SaaS Security research ranked SaaS security as a top cybersecurity priority, 79% of them admitted to suffering from SaaS cybersecurity incidents in the past 12 months. Astonishingly, 71% of respondents rated their SaaS cybersecurity maturity as mid to high despite the prevalence of incidents.

When you make the SaaS security case in these terms, your customers and prospects will grasp that SaaS security perception and reality are worlds apart.

2. Define the Cybersecurity Requirements and Responsibilities for SaaS Application Owners

Your customers’ software vendor review procedures and rigor may vary wildly, and they may extend more leniency to enterprise SaaS solutions. But the cybersecurity requirements for safely onboarding and maintaining SaaS are considerable.

Your customers must consider and define:

  • Data security and access policies, including what employees and outside contractors will have access — and what levels of access
  • Achieving visibility into cloud systems and enforcing (and/or modifying) security policies
  • Methods for detecting and remediating malicious behavior in SaaS apps
  • SaaS app delivery methods, including SaaS platforms that offer portals for sharing data with external parties
  • 3rd party risks associated with SaaS apps, including SaaS supply chain vulnerabilities
  • Maintaining compliance for a growing list of regulatory and industry requirements for cloud systems, which extend to SaaS

A simple way to communicate these points comes courtesy of the SaaS shared responsibility model illustrated below. Every SaaS vendor creates their own variation of this model, and vendors strive to educate customers on the division of responsibilities. While SaaS companies normally bear the burden for the vast majority of security responsibilities, your customers are usually on the hook for the two areas where most incidents occur: application configuration and identity access management (IAM). All too often, these customer responsibilities are ignored or underserved by enterprise security.

Shared Responsibility Model
Figure 1: The shared responsibility model.

No two SaaS applications share the same security settings, and SaaS apps are updated frequently. This means application configurations change constantly, often without the security or IT team’s knowledge. On top of this, failing to monitor and enforce strict access controls results in users being granted excessive access rights.

Overlooking application configuration and access controls produces considerable vulnerabilities. A traditional cloud security method such as a CSPM, CASB, or MFA doesn’t monitor or remediate these critical risks. And the attack vectors multiply exponentially as employees enable SaaS-to-SaaS connections via OAuth tokens that don’t require re-authorization.

3. Start Incorporating SaaS Security Into Your Customers’ Roadmap

When organizations aren’t giving SaaS its due, you can capitalize on the opportunity by regularly and consistently integrating SaaS into your materials. If you haven’t already, begin by folding SaaS into your security assessments, roadmaps, and messaging.

Customers depend on your security landscape guidance for their education and prioritization of projects. Include SaaS security in these types of executive briefs, and keep tabs on the latest SaaS security incidents so you can delineate how they transpired, the impact, and a customer’s risk rating for a similar attack.

Rather than proposing SaaS security as a new undertaking, frame it as expanding the scope of existing security services. This approach is typically more palatable from both a resources and budgetary perspective. These expansion opportunities are most commonly:

  • IAM programs, where your customers will need granular data on which users, roles, and groups have access to what data throughout their SaaS estate
  • Cloud and app security programs, as visibility into all app and cloud resources must incorporate SaaS
  • Monitoring and response, a glaring blind spot for many organizations that don’t fold SaaS into their MDR solutions
  • Risk and compliance, as means to keep pace with the rapidly maturing SaaS compliance requirements, particularly if your customers conduct business in the EU, UK, or Australia
  • SaaS app delivery, where you can provide a value add for additional security services to app build and run projects (and differentiate your shop from competitors)

AppOmni offers SaaS security posture management (SSPM) software that provides comprehensive visibility while alleviating the burden on IT and security teams. By continually scanning APIs, security controls, and configuration settings, AppOmni’s SSPM solution equips your customers with the insights and intelligence needed to align security best practices with their business objectives.

If you’re interested in learning more about AppOmni’s INFINITY Partner Program, please contact our Partner team anytime.

Related Resources