Valence Security has released the 2024 State of SaaS Security Report. Among the primary themes we saw in the report—which combines an industry survey with data collected by Valence from hundreds of real enterprise SaaS applications—is a clear gap between security leaders’ confidence in their existing programs and processes to protect their SaaS application environment, and a contrasting reality that reflects the complexity and diversity of SaaS security risks. The report highlights concerning trends like rising SaaS breaches, misconfigured security controls, overexposed SaaS-hosted sensitive data, overprivileged third-party integrations including GenAI tools, and more.
A gap between security confidence and a rise in SaaS breaches
Security leaders are prioritizing SaaS security, with 96% identifying it as a high or top priority. Furthermore, 93% of respondents reported an increase in their organization's budget for SaaS security compared to previous years. Alongside focus and investment, confidence in current security programs remains high, with 84% expressing "extreme" or "very" high confidence.
Despite this, over half (58%) of organizations experienced a SaaS security incident within the past 18 months. Recent high-profile SaaS breaches, such as the Microsoft Midnight Blizzard attack and the Cloudflare breach, underscore the vulnerability of SaaS environments and the potential for widespread disruption. These incidents demonstrate the need for a reality check and a shift towards proactive, automated security measures to protect SaaS-hosted data, strengthen management of human and non-human identities, and reduce attack surfaces in SaaS.
The need for a dedicated SaaS security program
The report reveals a critical need for a dedicated SaaS security program. The sheer number and complexity of modern SaaS applications, combined with distributed management practices, creates a constantly evolving security landscape. Traditional security teams struggle to keep up with manual processes like security checklists or periodic audits.
Top challenges and recommendations
The report delves into the specific challenges that security leaders face when securing SaaS applications. These challenges can lead to misconfigurations, inconsistent security practices, and difficulty in maintaining control over SaaS deployments and third-party integrations.
It also includes recommendations for reducing SaaS security risks, from maintaining an inventory of SaaS applications and performing continuous monitoring, aligning configurations with industry best practices, to adhering to PoLP and cleaning up unused accounts, third-party integrations and inactive data shares.
.jpg)
