93% of security leaders have increased SaaS security budgets
58% of organizations were affected by a SaaS security incident in the last 18 months, according to Valence Security’s 2024 State of SaaS Security Report.
Likely as a result, 96% of security leaders have made SaaS security a top priority and 93% have increased SaaS security budgets in 2024. In addition, confidence in current SaaS security programs or processes is high, with 84% saying they are very or extremely confident.
“There’s no denying that the ease of SaaS subscriptions and SaaS integrations have helped organizations scale their businesses quickly and increase employee productivity,” says Yoni Shohet, CEO at Valence Security. “The goal of this report is to provide a unique and more comprehensive examination of SaaS security by combining survey findings from security leaders with analysis from our own tenants to expose the gaps between security investment and effectively addressing the complexities of SaaS environments.”
Historically, SaaS applications have been overlooked in security programs, which leads to increased misconfigurations and exposure of sensitive data. Recent high-profile breaches, such as the Microsoft Midnight Blizzard breach and the Cloudflare breach following the Okta attack campaign, highlight that malicious actors have identified SaaS as a new prime target.
Top SaaS security challenges
The survey revealed the top challenges respondents face in securing their SaaS applications. 50% identified distributed management of SaaS applications outside of IT/security teams as one of their top 3 challenges.
50% indicated that governing generative AI adoption is a top challenge, while 43% indicated the complexity of SaaS configurations as one of their top challenges.
Interestingly, when asked which tools their organizations are currently using to protect their SaaS applications, 52% of respondents said they are using a Cloud Access Security Broker (CASB), while 48% said they are using SaaS security posture management (SSPM) solutions.
While CASBs have been around for over a decade, the fact that SSPMs have a similar adoption rate highlights a significant shift in how organizations address SaaS security. This is likely due to the realization that CASBs are limited in addressing modern SaaS security risks.
Overprivileged third-party integrations
The tenant research revealed that 22% of external data shares utilize open links, so “anyone with the link” can access the data. 94% of these open link shares are inactive, meaning that people still have access to these files, folders, recordings, records, etc. when they no longer need it.
The tenant analysis revealed that 100% of organizations grant full access to sensitive data (emails, files, calendars, source code) to at least one third-party integration, and one third (33%) of integrations are granted access to sensitive permissions and data.
SaaS-to-SaaS integrations are increasingly targeted by attackers, since traditional access controls are less effective for these non-human identities and organizations typically don’t have the same monitoring capabilities for them as they have for human identities.
The rapid adoption of SaaS applications has transformed how businesses operate. However, this shift comes with a new set of security challenges, particularly around lifecycle management and offboarding. Incomplete or inefficient offboarding practices can leave behind “dormant” external shares, user accounts and unused integrations, creating significant opportunities for attackers to exploit.
“While a staggering 96% of security leaders prioritize SaaS security, Valence’s report shows the complexity of SaaS security,” says Chris Steffen, VP of Research – Information Security at EMA. “Security executives responded that their SaaS security challenges are hindering effective security and they’re looking for innovative solutions that address these complexities and empower organizations to navigate an evolving SaaS security threat landscape.”