Home
/
Blog
/
Uncategorized
/
SaaS Security is an Efficiency Problem
PUBlished on
July 9, 2020
updated on
November 5, 2025

SaaS Security is an Efficiency Problem

OBSIDIAN SECURITY

Organizations around the world have moved their critical business processes and sensitive data into SaaS applications. While SaaS adoption is delivering enormous business value, it has outpaced the ability of security teams to stay updated on new applications to monitor and secure them. Security teams, often understaffed and overworked, have to figure out how to safely enable the use of SaaS without slowing down the business.

Even experienced security teams that understand risks and threats grapple with operational challenges when it comes to actually doing it 24/7. Many of these challenges are unique to SaaS. For example, each application maintains authorization and entitlement management inside the platform. Entitlements are buried deep in application specific formats, creating visibility silos. Every application  implements its unique model of access, privileges and roles that determine what users can access and do in the applications.

Applications also vary a lot in terms of security configurations and controls they expose to customers. Office 365 and Salesforce offer a rich set of controls and hundreds of configurations, while Slack has just a few. Customers are responsible for configuring these applications appropriately and consistently according to security best practices, and ensuring that configurations don’t drift. This is easier said than done. Even a seemingly small misconfiguration can leave users and data exposed and unprotected. Security teams are often out of the loop when it comes to configuring and managing SaaS apps.

Take 1: “Roll Up Your Sleeves” Approach

Security teams often start tackling SaaS security manually. An administrator inspects and monitors users, privileges, activities, configurations, and application-generated alerts regularly for each of the apps that she is securing by following these steps:

  1. Log into a SaaS application’s admin console.
  2. Check if there are any alerts generated by the SaaS application that need investigating. Applications are at different levels of sophistication in what security risks and threats they can detect and alert on.  
  3. Navigate to the activity log and see if there is anything suspicious or inappropriate. Has someone shared a file or data store broadly? Was there a large number of unsuccessful login attempts from an unfamiliar location? Did an admin login without using MFA? This data is presented in different places and in different formats in each app.
  4. Navigate to where the data about users and privileges is located.  Check who has privileged access, and make sure that there are no unexpected privilege assignments (e.g., backdoor accounts and rogue privilege elevation). Navigation is app-specific. To see what a user has access to, you need to first understand each application’s privilege and access model.
  5. Check if there are stale admin or user accounts that haven’t been accessed recently and can be reclaimed.
  6. Examine security configurations to make sure that everything looks good and there has been no drift.

Even by following these steps, admins can miss threats that are only visible when they look at privileges and activity across applications. Does a user have a toxic cocktail of privileges across multiple SaaS apps? Has a user downloaded a large number of files from G Drive and reports from Salesforce?

An (over)simplified view of SaaS security operations.

A lean security team tasked with defending SaaS applications that may be managed by application admins with limited (or no) security expertise can be overwhelmed by the demands of SaaS security. So what is the beleaguered security team to do to protect SaaS efficiently? The key to efficiency is automation and the use of purpose-built tools that protect the time of scarcest resources.

Automating Cloud Security Operations

Security must find ways to eliminate manual work wherever it’s possible, and augment manual effort with automation elsewhere. Cloud detection and response (CDR) capabilities can help organizations automate the most labor-intensive and time-consuming areas of SaaS security. Let’s look at a few of these areas:

Visibility

The first step in achieving comprehensive security is having continuous visibility of access, privilege, and activity. Security teams need:

CDR provides consolidated and centralized visibility and data-driven analytics to detect, investigate, and mitigate threats in the cloud. CDR solutions automatically aggregate data about users, privileges, activity, and configurations through API integrations. The data is normalized and enriched with context about users, devices, and locations. Rather than needing to manually poll applications for the data they need, security operations and IR teams can look at the data that has been pulled for them in one place.

Detection

Even with access to high quality data, security teams often have limited bandwidth to hunt for threats. CDR solutions offer out-of-the-box alerts based on detecting unmitigated risks, data breaches, account compromise, and insider threats. CDRs analyze privileges and activity within and across applications and apply machine learning and user behavior analytics to flag signs of trouble. For example,

By ranking alerts according to impact, CDR gives lean teams a prioritized list of things to focus on. By providing rich consolidated activity data and all the analytics required to investigate potential issues in a single dashboard, CDR makes the lives of analysts, threat hunters, and incident responders on the team easier.

Response

When it comes to incident response and recovery, speed of data retrieval and analytics is key. Having ready access to data about users, privileges, and activity that IR teams need to analyze the situation makes a big difference in the outcome and impact. CDR gives investigators the data they need in a timely manner.

CDR solutions can also be configured to take remedial action for issues that require immediate attention. For example, security admins can tell the system to automatically lock compromised accounts, unshare files, and/or remove malicious mail forwarding rules and then send a notification to investigate further.

For organizations that use security orchestration, automation and response (SOAR) or IT service management to handle remediation, CDR tools provide downstream integration with these external tools.

Hardening

Posture management and security hardening is critical for reducing the attack surface and effectively blocking threats in SaaS applications. With the right kind of visibility, security teams can ensure that SaaS applications are configured according to best practices, detect and fix configuration drift, and remove stale accounts.

Conclusion

SaaS environments are inherently multi-cloud. The heterogeneity of identity and access, security controls, service maturity, and API access across SaaS apps makes the work of securing these applications particularly onerous. With some planning and preparation and using tools that are designed specifically for SaaS security such as Cloud Detection and Response, teams can improve their efficiency of SaaS security operations significantly. CDRs help to automate time-consuming repetitive tasks for visibility, monitoring, detection, response and security hardening, and allow threat hunters, SOC analysts, and IR teams to focus on security.

Interested in learning more? Read our whitepaper for actionable insights and strategies.

Frequently Asked Questions (FAQs)

What are the main challenges security teams face when securing SaaS applications?

Securing SaaS applications is challenging because each app handles authorization, entitlement management, and security configurations differently, leading to visibility silos and inconsistent security controls. Security teams must manually monitor user activity, privileges, and app configurations, which is time-consuming and error-prone, especially when teams are understaffed. Additionally, misconfigurations or privilege mismanagement can easily go unnoticed, leaving sensitive data exposed.

Why is manual SaaS security monitoring often insufficient for organizations?

Manual SaaS security monitoring is insufficient because it requires administrators to individually inspect multiple apps, each with its own unique data formats and security models. This fragmented approach increases the likelihood of missing threats that span across apps, such as privilege escalation or abnormal activity patterns, and does not scale as businesses adopt more SaaS solutions.

How can automation improve SaaS security operations?

Automation can streamline SaaS security operations by using tools like Cloud Detection and Response (CDR) to continuously monitor, detect, and respond to threats. CDR platforms aggregate and normalize user, privilege, and activity data from multiple SaaS apps, provide centralized visibility, generate prioritized alerts, and enable automated incident response, saving significant time for lean security teams.

What is the importance of visibility in SaaS security?

Continuous visibility into access, user activity, privilege assignments, and third-party app authorizations is critical for effective SaaS security. Without centralized visibility, security teams struggle to detect unusual behavior, misconfigurations, or compromised accounts across their SaaS environment. Automated tools provide consolidated dashboards and analytics, allowing teams to quickly identify and mitigate risks.

You May Also Like

Uncategorized

2020: The Year of SaaS
3
MIN
January 6, 2021

Uncategorized

SaaS Security is an Efficiency Problem
6
MIN
July 9, 2020

Uncategorized

Data Guardianship Core Principles: 1 of 3
6
MIN
October 8, 2019

Get Started

Start in minutes and secure your critical SaaS applications with continuous monitoring and data-driven insights.

get a demo