Software-as-a-Service is becoming increasingly popular among businesses for its efficiency and cost-effectiveness, but security in these environments is a concern that must be carefully planned.
Software-as-a-Service (SaaS) has become increasingly popular for many businesses, especially since the pandemic and the rise of hybrid working. SaaS applications allow communication and collaboration, help businesses manage internal operations more efficiently and allow them to rapidly innovate.
“They are one of the foundation stones of seamless hybrid working; the average medium-to-large UK organisation has over 40 SaaS apps deployed,” says Alex Mann, channel sales manager UK & North at CyberArk.
But while this is helping businesses to be more efficient, it does present threats, he adds. “The cybersecurity threat inherent to the usage of SaaS apps lies in how widely they are used, and what they are used for,” Alex says. “They are often business-critical, including revenue-generating customer-facing applications, ERP, CRM or financial management software. A 2023 CyberArk survey found that nearly half of UK organisations don’t secure access to these apps properly, which essentially means they are vulnerable to targeted attacks that have compromised identity security.
“One of the main reasons for this is almost certainly the old security bugbear of Shadow IT; it’s relatively easy for an individual to buy a subscription with a credit card without going through formal procurement processes or involving finance or IT. When IT security teams don’t approve, manage or even know about the extent of the SaaS landscape, the risk of exposure and data breaches can increase substantially.”
Becky Stables, manager at Catalyst BI, a business intelligence consulting agency that manages data clouds for organisations, adds: “As SaaS apps grow in popularity among organisations, cybercriminals have focused their efforts on exploiting the vulnerabilities of SaaS to obtain valuable business data.”
She says there are four common ways this is done:
- Data breaches: Cybercriminals try to breach SaaS applications to access sensitive business data, including customer information, financial data and intellectual property. This risks an organisation having its information exposed, causing serious financial loss and damage to the reputation of the business.
- Phishing emails: SaaS accounts can be accessed via stolen credentials. These account details can be obtained by cybercriminals who use phishing emails and messages to trick employees into revealing their logins. This allows cybercriminals to gain control of the account and potentially access sensitive data.
- Malware: SaaS applications can be targeted by malicious software that can attack multiple accounts in the SaaS environment, leading to data loss and system corruption. Meanwhile, ransomware can encrypt data and block access to the computer system until a payment is made.
- Third-party integrations: Many SaaS applications, like Spendflo and Nightfall DLP, allow for third-party service integration. However, if these integrations are not properly secured, they can serve as entry points for cybercriminals, which puts the security of the SaaS application at risk.
Keeping solutions secure
But while there are threats, there are also plenty of solutions for keeping SaaS solutions secure. Becky notes that multi-factor authentication (MFA) can be useful. “The main advantage of MFA is its ability to optimise your organisation’s security system,” she says. “Instead of a conventional username and password, MFA requires additional verification factors. This serves to significantly lower the likelihood of a cybersecurity attack. MFA factors can range from electronic keys and fobs to even your own fingerprint.”
Likewise, data encryption is important. It encodes an organisation’s important and confidential information so that it can only be accessed by a user with the correct logins, whether as ‘encryption at rest’, where stored data is kept encrypted so that information stays safe even when it is not actively being used, or ‘encryption in transit’, where data is encrypted while it is being transferred between two nodes.
Access control systems, which identify users through different types of login credentials such as usernames, passwords, PIN codes and biometric scans, are another common security solution. “When combined with MFA, SaaS requires multiple authentication methods to verify a user’s identity,” Becky says. “Discretionary access control allows owners of the data to set the policies for who is allowed access, while mandatory access control grants people access through an intensive information clearance.”
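To make the distinction concrete, here is an added example (not from the article or any vendor quoted in it) that models both access control styles side by side: a discretionary access list that only the resource owner may extend, a mandatory clearance check using the assumed “no read up” rule (a user’s clearance must be at least the resource’s classification), and an MFA gate on the more sensitive tiers. The level names, users and file name are constructed for illustration.

```python
from dataclasses import dataclass, field
from enum import IntEnum


class Level(IntEnum):
    """Assumed classification ladder; ordering is what MAC compares."""
    PUBLIC = 0
    INTERNAL = 1
    CONFIDENTIAL = 2
    RESTRICTED = 3


@dataclass
class User:
    name: str
    clearance: Level          # MAC attribute, set by the organisation
    mfa_verified: bool = False  # has this session completed a second factor?


@dataclass
class Resource:
    name: str
    owner: str
    classification: Level     # MAC label, never changed by the owner
    acl: set = field(default_factory=set)  # DAC: owner-maintained reader list


def dac_allows(user: User, res: Resource) -> bool:
    """Discretionary: the owner decides who else may read."""
    return user.name == res.owner or user.name in res.acl


def mac_allows(user: User, res: Resource) -> bool:
    """Mandatory: clearance must dominate the label ("no read up")."""
    return user.clearance >= res.classification


def can_read(user: User, res: Resource, mfa_from: Level = Level.CONFIDENTIAL) -> bool:
    """Both models must agree, and sensitive tiers additionally require MFA."""
    if not (dac_allows(user, res) and mac_allows(user, res)):
        return False
    if res.classification >= mfa_from and not user.mfa_verified:
        return False
    return True


def grant(actor: User, res: Resource, grantee: User) -> None:
    """DAC change: only the owner may extend the ACL; MAC is untouched."""
    if actor.name != res.owner:
        raise PermissionError(f"{actor.name} does not own {res.name}")
    res.acl.add(grantee.name)
```

Note that a grant by the owner is necessary but not sufficient: a reader the owner has listed is still refused if their clearance is too low or their session has not completed MFA.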
Markus Rex, managing director, SYNAXON Managed Services, adds that another approach that works well is ‘bring your own encryption key’. “By enabling customers to use their own encryption software and manage their own keys, this significantly enhances protection, and it’s something we’d recommend partners should look for in a SaaS offering,” he says.
Alex adds that treating all administrative access to SaaS applications, such as admin accounts used to set up single sign-on integrations, as privileged can help. “Credentials are often shared across teams and even third-party contractors and are rarely changed, making them easy targets for external attackers and malicious insiders,” he says. “Specifically, privileged credentials should be secured in a central vault, automatically rotated and all activity must be recorded and available for audit. Human, machine and application users with access to sensitive information for SaaS applications should also be considered privileged.”
Richard Foulkes, UK chief solutions consultant at Exclusive UK, agrees that it is important to have a good identity policy, making sure only the right people have access to what they need. “One Identity will manage the privilege of users to ensure if someone does get compromised the damage they can cause is minimal,” he says.
Meanwhile, for malicious insiders – people wanting to take or steal data that they can access anywhere – a DLP solution such as Netskope can help protect SaaS applications, he adds.
Zero trust
Neil Langridge from e92 adds that zero trust should be considered. “Not a product, but a framework is used based on ‘never trust, always verify’ where cybersecurity solutions are used to verify all devices and users when accessing corporate resources, including those SaaS apps outside the perimeter,” he says. “We’re seeing this shift from an enterprise-only option to an approach available to SMBs as cloud-delivered cybersecurity lowers the cost and complexity barriers to access more advanced tools.”
He adds that evolving the approach is essential. “Including it as part of the cybersecurity technology stack brings benefits such as continual updates, flexible deployment and a cloud-first architecture that’s designed for today’s multi-cloud world,” he says. “That will also drive a strategy for customers that needs to encompass data, devices and apps outside of their perimeter – including social media, spoof domains and stolen data on the dark web. Organisations no longer have a network perimeter to manage and secure, but a complex intertwined web of connections, and data can be held anywhere.”
Alison Nixon, director – security business unit, UK, TD SYNNEX, adds: “A robust cloud and data security posture management strategy would take a multi-layered approach that includes everything from next-gen firewalls and XDR for endpoints, through to advanced threat protection and intelligence and data loss prevention – and more in between.
“There needs to be a ‘zero trust’ mentality for SaaS security management and it needs to scale, be developer friendly, and make security easy to incorporate. There needs to be a continuous and rigorous SaaS security strategy that focuses on business outcomes such as reduction of friction and employee and customer productivity.
“Taking the right SaaS security posture will also bring gains in compliance and governance, whether it be NIST or any other framework.
“A platform approach and consolidating solutions is the way forward – but not to the point of putting all your eggs in one basket. Partners also need to recognise that container utilisation is continuing to grow. More code will be stored in the cloud and more compute instances will be needed – virtual and physical – and security will need to be baked into all of them from the outset.”
Purpose-made
Lance Williams, chief product officer at Distology, adds that the best solutions are purpose made, such as SaaS Security Posture Management (SSPM) technologies, like Adaptive Shield and Obsidian. “As ever, identity and access management (IAM) sits at the heart of the defences though and IAM solutions need to integrate with SSPM and vice versa to get the best results,” he says. “Key things to consider in the security of SaaS are user (people) and entity (i.e. machines) behaviour, device security, password management and multi-factor authentication.
“Your IAM solution secures from the front and your SSPM solution continually scans and assesses for vulnerabilities. Finally, it’d be remiss to overlook security awareness training and testing solutions – these play a key role alongside the security defence systems to educate people on what good looks like and how to avoid bad behaviour. If you can integrate SAT with your messaging security, as Ironscales do, then you’ve got a robust defence for your people.
“SaaS is more straightforward to impersonate than on-prem apps, as it’s cloud provisioned and so interaction with third-party login is the norm. Is it difficult to keep ahead of cybercriminals? Always. SaaS therefore suffers the same fate – educate your users, protect their identities, tighten up security on the SaaS and deploy a tool to continually assess your SaaS security posture.”
Winning arms race
But Markus adds that it is important to keep the threat in perspective. “While they may be juicy targets, one advantage that most SaaS service providers have is they are quite large and well-resourced,” he says. “They have extensive in-house skills and good awareness of current threats and how to counter them. That makes it less likely that any attack will penetrate their defences. Even so, we’d still advise that all other preventative measures are put in place to ensure data is as well-protected as possible.”
Dr Klaus Schenk, SVP Security and Threat Research at Verimatrix, adds that SaaS in the cloud is in better shape to win the cybersecurity arms race against hackers. “This is for several reasons,” he says. “The cloud model provides inherent security advantages based on centralisation, scale and agility.
“SaaS providers have dedicated cybersecurity teams composed of experts who rapidly analyse threats across their massive customer ecosystem. This bird’s-eye network effect spots trends early. Standardised architectures also allow coordinated defence evolutions across customer instances. Cloud automation enables fast reaction to new vulnerabilities.
“Of course, the adversaries continue evolving as well. Attacks grow more frequent, automated and destructive using AI and social engineering. Supply chains and third parties introduce new weak links. But SaaS providers counter by sharing intelligence and best practices globally. Their continuous learning, coupled with the cloud’s innate structural advantages, enables customers to focus on business goals rather than security one-upmanship. Together, SaaS and cloud reinforce each other’s strengths in a secure symbiosis that tilts the odds favourably against the barrage of cyber threats.”
Reseller role
To keep customers’ SaaS solutions secure, resellers have a vital role to play. “True SaaS security requires examining the full technology stack,” says Dr Klaus. “Resellers should start by identifying the foundational cloud provider. Industry leaders like AWS, Azure and Google Cloud supply robust native security services and global threat intelligence. Understanding available tools and practices establishes a baseline.
“Resellers should then probe SaaS vendors on how they utilise and complement the cloud’s capabilities. Specifically, whether they employ a cloud-native architecture optimised for security, follow rigorous frameworks like ISO 27001, integrate monitoring for rapid threat detection and conduct ongoing audits and penetration tests. Detailed incident response plans and independent certifications also demonstrate diligence. By aligning questions to the shared responsibility model between cloud and SaaS, resellers elicit meaningful conversations around security partnerships. Customers gain assurance that providers mutually reinforce strong, adaptable protection.”
Richard adds that resellers should start simple in their conversations with customers. “Get them thinking about how many SaaS applications they are currently using and what is the security strategy around them?” he says. “Often most end users will be at the early stage or just in denial! However, we know attackers are targeting them and will keep targeting them and there will always be someone who will accidentally share financial data or confidential information.
“Companies need to have a proper strategy as they will be using applications no matter what, but security cannot be assumed, and since it sits outside of the normal security network, it can be scary! However, it’s still their data and they need to protect it, whether it’s through managing identity or managing applications.”
Greg Jones, vice president of business development EMEA at Kaseya, adds that resellers need to have many conversations with customers covering various topics. “This includes data protection and privacy, authentication and access controls, compliance and auditing, employee training and awareness, security best practices, regulatory compliance, disaster preparedness and budget for security,” he says.
“This market is not slowing down any time soon and it presents a huge opportunity for managed service providers (MSPs) and managed security service providers. The threat landscape will keep evolving and MSPs must adopt a proactive and multi-layered approach to cybersecurity. This includes regular security assessments, threat intelligence sharing, continuous monitoring, incident response planning and employee training.
“Collaboration with cybersecurity experts and the use of advanced security technologies such as AI and machine learning (ML) can also help organisations stay ahead of cybercriminals. However, it’s essential to recognise that no system is entirely immune to cyber threats.”
Eduard Doroskevic, principal consultant at Adarma, adds that resellers need to understand the customer’s business. “Take the time to learn about your client,” he says. “That said, cybersecurity is relatively industry agnostic. A buyer and the supplier who engages in a business transaction form a contract. Given this relationship, cybersecurity often becomes a shared responsibility. As such, there needs to be a discussion as to how this responsibility is shared between the organisations to help both parties manage expectations.”
Future
Security for SaaS evolves quickly, as it must to counter the myriad threats to it. Eduard says that the market continues to adopt AI and ML to automate and enhance cybersecurity. “Though these technologies are in the early stages of their maturity, they hold great promise, but we need to be realistic about our expectations,” he says. “Can they add value? Absolutely! Can they solve all your cybersecurity problems? No.
“The market will certainly evolve and adapt to the new threats. We can expect great things from AI and ML implementations in cybersecurity, both good and bad. As we adopt these technologies for defensive purposes, we need to be aware that adversaries can and will employ the same technologies for offensive purposes. After all, the creativity of malicious actors is boundless.”
Becky agrees that AI will play a crucial role in the future of SaaS security. “Global AI software revenue is expected to reach £93.88 billion by 2025, and SaaS providers are beginning to take notice of this and to integrate AI and ML into their products,” she says. “These technologies can prevent cyberattacks by analysing patterns and detecting anomalies to mitigate potential threats.
“SaaS is more likely to adopt zero trust architecture in the future, which operates on the premise that trust given to users to access applications should not be assumed by default. This is regardless of whether individuals are within or outside the organisation. Instead, SaaS applications will undergo continuous authentication and verification before granting access to users.
“SaaS providers will invest substantially in improving security measures to better protect customer and employee data in organisations. These investments will involve advanced encryption techniques, real-time identification of threats, and the proactive assessment of vulnerabilities.”