Most tech leaders are concerned about SaaS security threats


Software-as-a-service applications have long been the target of cyberthreats. A new study reveals that these threats remain a priority for 78% of US technology leaders as more SaaS applications make their way into the enterprise.

While businesses have prioritized data privacy and security, their continued reliance on SaaS and cloud offerings means they remain at risk, according to The SaaS Disruption Report: Security & Data from Onymos and Enterprise Strategy Group.

Shiva Nathan, founder and CEO of Onymos, told TechRepublic that a significant risk of this dependency is that when companies purchase a SaaS system to speed up application development, they must grant data access to the third-party SaaS provider in return.

Granting this access could lead to cyberattacks and accidental data leaks. This could be especially problematic today, as the average enterprise relies on more than 130 SaaS applications compared to just 80 in 2020, Nathan explained.

“That's a 62% increase,” he said. “Each of those [SaaS apps] is a new attack surface that can be exploited by state and non-state malicious actors. And they are. The number of software supply chain attacks is increasing, especially against the healthcare industry, which had to shift to a virtual care model during COVID-19.”

Healthcare entities have long relied on third-party vendors to make that transition happen, Nathan added. According to the report, other sectors that rely heavily on SaaS applications include:

  • Government.
  • Logistics and supply chain.
  • Manufacturing.
  • Retail.
  • Banking and financial services.
  • Education.

Gartner predicted that 45% of organizations globally will have experienced attacks on their software supply chains by 2025. The report reinforces this projection, as nearly half (45%) of technology leaders reported that they experienced a cybersecurity incident through a third-party SaaS application in the past year.

The importance of data retention

The survey, which drew input from 300 application development, IT and security leaders, also revealed that 91% of respondents emphasized the critical importance of data retention for custom-built internal applications, reflecting its place among their application development priorities.

Nathan said he was surprised by this statistic because these “tech leaders recognize how crucial it is to retain their data, but they still rely heavily on SaaS. Clearly, there is a tension within these organizations between speed of production and ownership of data,” he noted. “That tension has always existed, but it is increasing.”

IT leaders' priorities

Nearly three-quarters (72%) of leaders surveyed highlighted “security” as a top priority, closely followed by 65% who cited “data privacy.”

These priorities are also reflected in the assignments, responsibilities and tasks of organizations’ software and application development projects, according to the report. Three of the top five priorities were:

  • Ensuring data privacy (60% responded that it was a high or top priority).
  • Building secure applications (49% said this was a high or highest priority).
  • Maintaining full control over data ownership (42% reported this was a high or highest priority).

The survey also revealed that 65% of internally developed applications are business-critical and only 36% of technology leaders run all their applications on-premises or in private clouds.

SaaS applications require increased attention to their security posture

With data security concerns at such high levels, organizations need to re-evaluate their current business model to take advantage of SaaS and cloud offerings, the Onymos/ESG report notes.

“Today, it’s very common to hear technology leaders talk about their ‘security posture’; having a ‘data posture’ is equally important,” Nathan emphasized. “This includes asking what data they are sharing with their SaaS providers to receive their service; whether they actually need that data; what they are doing with it; and where it goes.

“The rise of AI products and services only makes answering these questions more important,” he said.

The report made a number of recommendations, including a significant shift from current common SaaS and cloud practices by adopting “data-less” architecture principles that prioritize data privacy and security.

“This type of architecture allows companies to retain full ownership and control of their data, eliminating the need to share or grant access to third-party SaaS and cloud providers and reducing the associated risk,” the report states. “Companies should also be able to own and modify the code associated with the SaaS solutions they use to develop their applications and software.”

This allows enterprise engineering teams to verify and test code as if they had created it themselves, the Onymos/ESG report states. “With this approach, organizations can have full confidence in the validity, reliability, and security of the code,” the report says.

Additionally, IT should prioritize and periodically conduct rigorous third-party security audits and penetration testing. “These tests should include understanding how the organization’s data flows across different applications and SaaS solutions so that issues of unwanted data access and sharing can be mitigated,” the report states.
