Most Tech Leaders Worry About SaaS Security Threats

Software-as-a-Service applications have long been targets of cyberthreats. A new study finds that these threats remain top of mind for 78% of U.S. technology leaders as more SaaS apps find their way into the enterprise.

Although enterprises have been prioritizing data privacy and security, their continued reliance on SaaS and cloud offerings means they remain at risk, according to the The SaaS Disruption Report: Security & Data by Onymos and Enterprise Strategy Group.

Shiva Nathan, founder and CEO of Onymos, told TechRepublic that a significant risk to this reliance is that when companies purchase a SaaS system to expedite application development, they must grant data access to the third-party SaaS provider in return.

Granting this access could lead to cyberattacks and accidental data leakage. This could be particularly problematic today, as the average enterprise relies on over 130 SaaS applications compared with just 80 in 2020, Nathan explained.

“That’s a 62% increase,’’ he said. “Each of those [SaaS apps] is a new attack surface for state and non-state bad actors to exploit. And they are exploiting it. The number of software supply chain attacks is rising, especially against the healthcare industry, which had to pivot to a virtual care model during COVID-19.”

Health care entities have long relied on third-party vendors to make that transition happen, Nathan added. According to the report, other sectors that rely heavily on SaaS applications include:

• Government.
• Logistics and supply chain.
• Manufacturing.
• Retail.
• Banking and financial services.
• Education.

Gartner predicted that 45% of organizations globally will have experienced attacks on their software supply chains by 2025. The report reinforces this projection, with nearly half (45%) of tech leaders reporting that they experienced a cybersecurity incident through a third-party SaaS application in the past year.

The importance of data retention

The survey — which drew insights from 300 app development, IT, and security leaders — also revealed that 91% of survey respondents emphasized the critical importance of data retention for custom-built internal applications, reflecting its prominence in their application development priorities.

Nathan said this statistic was surprising to him because these “technology leaders recognize how crucial it is to retain their data but they are still so reliant on SaaS. There is clearly tension within these organizations between speed-to-production and data ownership,’’ he noted. “That tension has always existed, but it’s ratcheting up.”

IT leaders’ priorities

Nearly three-quarters (72%) of surveyed leaders highlighted “security” as a top priority, followed closely by 65% who cited “data privacy.”

These priorities are also reflected in project assignments, responsibilities, and tasks in organizations’ application and software development projects, the report said. Three of the top five priorities were:

• Ensuring data privacy (60% reported it was high or highest priority).
• Building secure applications (49% reported it was high or highest priority).
• Maintaining full control over data ownership (42% reported it was high or highest priority).

The survey also revealed that 65% of internally developed applications are business-critical, and only 36% of tech leaders run all of their applications on-premise or on private clouds.

SaaS apps require greater attention to your security posture

With concerns about data security at such high levels, organizations need to reassess their current business model for leveraging SaaS and cloud offerings, the Onymos/ESG report said.

“Today, it’s very common to hear technology leaders talk about their ‘security posture‘ — having a ‘data posture’ is just as important,’’ Nathan stressed. “This includes asking what data you are sharing with your SaaS vendors to receive their service; do they really need that data; what are they doing with it; and where is it going.

“The rise of AI products and services only makes answering these questions more important,’’ he said.

The report made some recommendations, including a significant change to the current SaaS and cloud common practices by adopting “no-data” architecture principles, which prioritize data privacy and security.

“This type of architecture allows enterprises to retain full ownership and control over their data, eliminating the need for sharing or granting access to third-party SaaS and cloud vendors and reducing the associated risk,’’ the report said. “Enterprises should also be allowed to own and modify the code associated with the SaaS solutions they use for their application and software development.”

This enables enterprise engineering teams to verify and test the code as if they created it themselves, the Onymos/ESG report said. “With this approach, organizations can have full confidence in the code’s validity, reliability, and security,” the report maintained.

Additionally, IT should prioritize and regularly conduct rigorous third-party security audits and penetration tests. “This testing should include understanding how the organization’s data flows through different applications and SaaS solutions so that unintended data access and sharing issues can be mitigated,’’ the report stated.