SSPM: A Better Way to Secure SaaS Applications
2024-10-3 16:9:11 Author: securityboulevard.com

Organizations worldwide used an average of 130 software-as-a-service (SaaS) applications in 2022 alone, according to Statista. That number continues to grow steadily, all thanks to 2020’s pandemic-induced acceleration of digital transformation.

Per one report by McKinsey, “the adoption of digital technologies, including SaaS, leaped five years forward in just eight weeks during the early months of the pandemic.” Another report by BetterCloud estimates that 85% of business apps will be SaaS-based by 2025.

One reason SaaS has become the preferred choice for organizations is its efficiency compared to traditional on-premise solutions. “SaaS platforms are easy to deploy and reduce the operational burden associated with hardware maintenance and software updates,” says Gal Nakash, cofounder and CPO at full lifecycle SaaS security solution company Reco.

However, as organizations embrace a more interconnected ecosystem of SaaS applications, the traditional security perimeter has become increasingly blurred. The shift towards SaaS adoption, says Nakash, has also introduced new security challenges that can expose companies to threats they didn’t anticipate.

So, how do business leaders stay secure even as they continue to use the hundreds of SaaS applications across their networks? Nakash offers a way out.


The SaaS Security Posture Management

To address the security challenges that come with using SaaS apps, Nakash emphasizes the importance of understanding SaaS security posture management (SSPM) and its shared responsibility model. Under this framework, cloud service providers secure the infrastructure, while users are responsible for managing data security and access controls. “Many companies assume that the cloud provider handles everything, which is a misconception,” he explains. This misunderstanding has been a significant factor contributing to security breaches.

SSPM is today a critical component of modern cybersecurity strategies. It involves continuously assessing and managing the security risks associated with SaaS applications. By providing visibility into misconfigurations, unauthorized access and other vulnerabilities, SSPM helps organizations protect their sensitive data and maintain compliance.

To effectively manage SaaS security, Nakash identifies three critical components:

Configuration Management: Configuration missteps are often the root cause of security vulnerabilities in SaaS applications. “Improper configurations can leave doors open for attackers,” Nakash says. A study by IBM shows that misconfigurations in cloud environments account for 19% of data breaches, emphasizing the need for diligent configuration management. Trend Micro also notes that 65-70% of all security issues in the cloud start with a misconfiguration.

Identity and Access Governance: Controlling who has access to what is vital. For Nakash, identity governance isn’t just about granting access; it’s also about continuous monitoring to ensure access levels are appropriate. A recent survey by Varonis revealed that “15% of companies found 1,000,000+ files open to every employee,” highlighting how lax identity governance can lead to major security incidents.

Event Monitoring: Event monitoring ensures real-time detection of anomalous behavior, which could indicate a potential breach. According to Nakash, “AI-driven event monitoring is a game-changer. It allows us to catch suspicious behavior before it becomes a full-blown breach.” Studies show that organizations using AI for event monitoring experience “up to 50% faster detection of security incidents.”

It’s a double-edged sword, as shown by a recent report from Barracuda and the Ponemon Institute, with 50% of IT pros expecting to see an increase in attacks because of AI. But with generative AI, adds Nakash, threat actors can cut down on the time used to gather data and coordinate attacks.

AI in SaaS Security

AI plays a crucial role in enhancing the capabilities of SSPM solutions. To different extents, SSPM solutions leverage AI-powered modules for app discovery and identity context creation. By analyzing user behavior and network activity, AI can detect anomalies, identify potential threats and provide valuable insights for security teams.

But Nakash also acknowledges the potential risks associated with AI-powered tools. The integration of GenAI can lead to data leaks, compliance issues and privacy violations if not implemented carefully. Businesses must be vigilant about the data that AI systems have access to and ensure that appropriate safeguards are in place to prevent unauthorized access and misuse.

“GenAI can be incredibly powerful, but it must be used with caution,” Nakash warns, and adds that “if not properly managed, it can expose sensitive data or generate misleading insights.” As one report by Forrester notes, 71% of organizations have concerns about the security risks associated with AI, especially since many organizations are unaware of the full scope of applications within their SaaS environments.

“Shadow IT is a major problem,” says Nakash, referencing the unauthorized use of SaaS applications by employees. Reco’s app discovery feature leverages AI to map all SaaS applications in use, providing a clearer picture of the security landscape.

The Future of SaaS Security

Nakash predicts that SaaS security will become an increasingly critical area of focus for businesses of all sizes. As organizations continue to adopt more SaaS applications, the need for comprehensive security solutions will only grow. Reco’s identity-centric approach, which provides visibility into the entire SaaS ecosystem, positions the company as a leader in this emerging field.

Following the best cybersecurity practices today remains key, and Nakash offers some advice to IT leaders:

Full Visibility: You can’t protect what you don’t know about. Gaining full visibility into your SaaS ecosystem is the first step.

Regular Audits: Conducting frequent audits to identify misconfigurations and unusual access patterns is crucial.

Zero-Trust: Implement a zero-trust framework. In SaaS environments, no user or system should be trusted by default.



Source: https://securityboulevard.com/2024/10/sspm-a-better-way-to-secure-saas-applications/