Highlights:

  • Even though many do not make SaaS security a top priority, 66% of the respondents said that the proliferation of SaaS apps had increased complexity and security risk in their organizations.
  • According to Sysman, IT and security teams often struggle to identify the resources at their disposal.

A new analysis from cybersecurity asset management firm Axonius Inc shows that SaaS security is lagging even though enterprises have been quick to adopt SaaS.

The study, which polled organizations in the United States and Europe, found that 74% of the respondents said that half of their applications were SaaS-based, up from 66% over a year. Yet SaaS security ranked lower, at four or less, on their list of current security priorities. Over a third of the people surveyed were worried about the rising expenses of using SaaS-based applications.

Even though many do not make SaaS security a top priority, 66% of the respondents said that the proliferation of SaaS apps had increased complexity and security risk in their organizations. Among those who do not give SaaS security a high priority, 28% cited a lack of time and resources, 23% cited pressure from the C-suite to concentrate on other concerns, and 15% cited a lack of staff as the reason they have not taken more action.

“The biggest concern with SaaS adoption right now is that most organizations are underestimating the number of SaaS applications that exist within their environment,” Dean Sysman, co-founder and chief executive officer of Axonius, said in a statement. “SaaS offers numerous benefits… but that also presents an enormous risk.”

According to Sysman, IT and security teams often struggle to identify the resources at their disposal. Because of the nature of SaaS applications, it is more difficult for IT departments to handle mundane tasks like managing infrastructure, fixing security holes, monitoring license and usage data, and determining the true cost of the service.

The study found that the consequences of insecure SaaS settings are already visible. For example, the March attack on Okta Inc triggered a chain reaction of similar attacks on other services. In April, OAuth user tokens were stolen from Heroku and Travis-CI through GitHub, illustrating how the vulnerability of one system can lead to the compromise of multiple services.

“The appetite for SaaS will only continue to grow, further exacerbating data sprawl and security implications,” noted Jerich Beason, Commercial Bank chief information security officer and an adviser to Axonius. “These risks are no longer hypothetical, and without full visibility into the SaaS application landscape, organizations will continue to find themselves vulnerable to data loss from shadow SaaS, non-compliance with federal and industry regulators, and financial strain from lack of insight into organizational spend.”