Welcome to Obsidian's SSPM Week. Every day this week, we will release new products and features designed to help security and governance teams measurably improve the SaaS security and compliance posture of their organizations. Our teams have been working to solve complex engineering challenges for our customers, and we can't wait to unveil the results over the course of this week.
SaaS applications are the lifeblood of businesses, and increasingly they are also where sensitive data is stored and processed. By some estimates, more than 32% of business-critical data now resides in SaaS. But the sprawl, the ease of deployment, and the distributed, interconnected nature of SaaS applications have left them poorly managed, exposing businesses to increased organizational risk and data breaches. While traditional SaaS security vendors address some fundamental issues related to the misconfiguration of core applications, the SaaS deployment landscape has evolved faster than traditional solutions have been able to keep up.
Since the earliest days of Obsidian, we’ve been contending with and developing solutions to the most notable challenges in the world of SaaS security. Today (and throughout this SSPM week), we wanted to focus specifically on three particular issues that teams today face before sharing the exciting ways we’re enabling our customers to solve them.
SaaS applications are designed to be interconnected, offering a seamless user experience with data synchronization across multiple services. While this interconnectivity empowers users, it also complicates SaaS environments, making it harder for security teams to minimize risk and protect sensitive data.
Every OAuth integration, API key, and low/no-code workflow is a potential attack vector. At Obsidian, we have observed that, on average, a medium to large-sized organization has over 900 OAuth integrations to Google Workspace, 750 to Microsoft, and 150 to Salesforce, and that over 70% of these integrations are inactive (more than 90 days with no activity) at the time the organization onboards with Obsidian. An inactive integration is not a harmless one: the scopes it was granted persist until the grant is revoked, so a compromised or abandoned third-party application may still be able to exercise them.
With numerous inactive integrations and a lack of standardization among SaaS platforms, CISOs are left questioning the state of their SaaS ecosystems, the data at risk, and how these third-party integrations impact their organization’s risk profile.
Knowing the posture of a handful of individual SaaS applications is not enough. CISOs need a holistic view of the entire SaaS mesh, including the data flows between applications. Unfortunately, most security vendors have either ignored SaaS or have tunnel vision when it comes to addressing these challenges.
Most modern organizations use hundreds of SaaS applications. But traditional approaches to SaaS security have prioritized protection for the largest SaaS applications, such as Salesforce, Microsoft 365, and Google Workspace, leaving niche, custom, or on-premises applications at risk. Partial coverage is just that: partial. Attackers are opportunistic and will look for any vulnerability they can exploit, so every unsecured application is a weak point through which they can gain unauthorized access and compromise sensitive data. It is like locking some doors in a building but leaving others open. Yet that is what most vendors offer today: partial coverage, and therefore partial security.
In a post-COVID era, where hybrid work is the norm, continued growth in SaaS adoption is creating vast stores of business-critical data inside SaaS apps like Salesforce, Microsoft 365, and Google Workspace. At the same time, US states are increasingly enacting GDPR-style privacy regulations that have implications for how sensitive data in SaaS is handled. For example, earlier this year the California Privacy Rights Act (CPRA) took effect, and Virginia, Connecticut, Colorado, and Utah will have laws on the books by the end of 2023, with more states proposing their own. Each of these laws has its own applicability thresholds, but any organization that stores or processes covered residents' personal data in SaaS or IaaS should expect to fall within the scope of at least some of them, regardless of where that data is hosted.
One of the vexing challenges facing security and GRC teams is that even when companies establish tight security controls within SaaS, it is very hard for them to know how and where those policies are actually being followed. Additionally, many businesses still monitor their controls manually. As a result, many teams are overwhelmed by the volume and constant drumbeat of potential violations they have to sift through and prioritize.
The hard reality is that GRC and compliance teams today lack basic tooling and often take several months to gather the evidence they need from SaaS to demonstrate and verify compliance with local and industry regulations. Manual approaches are error-prone and cost-prohibitive.
The consequences of violating regulatory standards are steep. Under HIPAA, civil penalties can reach $50,000 per violation, subject to an annual cap per provision, and knowingly obtaining or disclosing protected health information carries criminal penalties that include prison time. In the EU, the GDPR allows fines of up to €20 million or 4% of the firm's worldwide annual turnover from the preceding financial year, whichever is higher. Aside from the economic and penal implications, customers are increasingly privacy-conscious, and trust is paramount in today's information economy.
SaaS security needs to evolve to meet the realities and challenges of global SaaS adoption today. As organizations continue to increase their reliance on cloud technologies, moving away from on-premises data centers to hybrid and cloud-based workloads built on IaaS and SaaS, the IT compute layer has become increasingly decentralized. And just as IT went through a paradigm shift from being viewed as a blocker to being viewed as an enabler of key business initiatives (such as M&A, new vendor onboarding, or compliance programs), SaaS security urgently needs to follow suit.
For years now, our team has been at the forefront of enabling teams to deliver better SaaS security outcomes for their organizations. In this week—our inaugural product launch week—we’re excited to share the new ways in which we’re helping our customers address the three distinct challenges we’ve just identified: a complicated SaaS mesh, incomplete coverage, and strict compliance obligations.
So buckle in for a full week of new announcements this SSPM Week. Stay tuned!