The Evolving Landscape of SaaS Security and Its Implications

By Tina Reynolds

Today, organizations approach their cyber posture in an entirely different way. The move away from on-premises security models to Software as a Service (SaaS) apps has propelled this evolution. The old, well-understood lines that used to define security perimeters have vanished, and in their place is a matrix of powerful connected applications. Just like you, organizations are finding it hard to live without these platforms. Yet, at every turn, they face security hurdles that put their data integrity and operational continuity at risk.

This article focuses on the failure of traditional security paradigms. It explores how “data sprawl” and the growing challenge of third-party risk management are shifting the cybersecurity landscape. Insider knowledge, especially from JPMorgan, has huge implications and provides profound insights. Their claims emphasize the new security principles that we require in our cloud-first age.

The Dissolution of Traditional Security Perimeters

The old concept of the security perimeter has been completely upended in today’s perimeter-less, digital world. On-prem experiences are not adequate to prepare channel partners. Organizations don’t just connect one SaaS app, though. Each application has its own unique set of settings, permissions, and data-sharing options. This new paradigm poses serious challenges to ensuring security.

With each SaaS application managing its own authentication separately, the danger of “data sprawl” grows more severe. Data that flows out through these applications mostly avoids the protections of traditional security perimeters. The implications are clear: sensitive information can be exposed without adequate oversight.

“SaaS models are fundamentally reshaping how companies integrate services and data—a subtle yet profound shift eroding decades of carefully architected security boundaries.” – Pat Opet

This move makes it all the more difficult to ensure those using the data aren’t jeopardizing its integrity or violating confidentiality. Organizations now face the challenges of varied user access and areas of exposure due to misconfigurations. As a result, essential data can seep outside of the known security perimeters.

Customer Access and Potential Vulnerabilities

I think the other big issue is a pattern among SaaS products: they come with a customer support account. These accounts usually have complete tenant-level access to customer environments, which has left many wondering what the security risks of this kind of access are. One extreme case is the SailPoint application, where built-in admin accounts exist with very high permissions.

“Previously in March 2023, the U.S. Treasury found a BeyondTrust backdoor admin account.” This alarming finding exposed the real dangers of these accounts, given that this one was tied to Chinese state-sponsored threat actors. This breach highlights the need for hospitals and other third parties to pay close attention to who has access and to implement strict controls.

Given these vulnerabilities, organizations are advised to deploy strong monitoring solutions. One promising approach involves tools like Reco, which continuously track access patterns and data flows to detect when sensitive information is shared beyond designated boundaries. All of these risks associated with bad tokens can be easily prevented through proactive measures. Cybercriminals often exploit these vulnerabilities to move through linked SaaS environments undetected and bypass typical security warnings.
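The two checks this section describes, sensitive data shared beyond a designated boundary and tenant-level support-account activity, are shown below as an added example that is not from the original article or from any vendor's product. The event schema, field names, labels, ticket ids and domains are all assumptions, and the sample events are constructed.

```python
# Constructed audit events in a hypothetical normalized schema
# (not any SaaS vendor's real log format).
SAMPLE_EVENTS = [
    {"id": 1, "actor": "alice@corp.example", "actor_type": "user",
     "action": "file.share", "target": "bob@corp.example", "label": "confidential"},
    {"id": 2, "actor": "alice@corp.example", "actor_type": "user",
     "action": "file.share", "target": "carol@partner.example", "label": "confidential"},
    {"id": 3, "actor": "alice@corp.example", "actor_type": "user",
     "action": "file.share", "target": "dave@partner.example", "label": "public"},
    {"id": 4, "actor": "support@vendor.example", "actor_type": "vendor_support",
     "action": "admin.login", "scope": "tenant", "ticket": "CASE-1001"},
    {"id": 5, "actor": "support@vendor.example", "actor_type": "vendor_support",
     "action": "admin.export", "scope": "tenant", "ticket": None},
]

ALLOWED_DOMAINS = {"corp.example"}               # the designated sharing boundary (assumed)
SENSITIVE_LABELS = {"confidential", "restricted"}
OPEN_TICKETS = {"CASE-1001"}                     # support cases the customer has approved


def domain_of(address):
    """Return the lower-cased domain part of an e-mail style identifier."""
    return address.rsplit("@", 1)[-1].lower()


def review(events, allowed_domains, sensitive_labels, open_tickets):
    """Return (event id, rule name) for every event that breaks a rule."""
    findings = []
    for ev in events:
        if ev["action"] == "file.share":
            # Rule 1: sensitive data shared with a recipient outside the boundary.
            external = domain_of(ev["target"]) not in allowed_domains
            if external and ev.get("label") in sensitive_labels:
                findings.append((ev["id"], "sensitive-share-outside-boundary"))
        elif ev.get("actor_type") == "vendor_support" and ev.get("scope") == "tenant":
            # Rule 2: tenant-level support activity not tied to an approved case.
            if ev.get("ticket") not in open_tickets:
                findings.append((ev["id"], "support-access-without-ticket"))
    return findings


if __name__ == "__main__":
    for event_id, rule in review(SAMPLE_EVENTS, ALLOWED_DOMAINS,
                                 SENSITIVE_LABELS, OPEN_TICKETS):
        print(event_id, rule)
```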

“We must establish new security principles and implement robust controls that enable the swift adoption of cloud services while protecting customers from their providers’ vulnerabilities.” – Pat Opet

The Challenge of Third-Party and Fourth-Party Risks

Though third-party risk management has received a lot of focus over the last several years, most organizations still don’t see the fourth-party risk that’s hiding in plain sight. Fourth-party risk is a term for vulnerabilities introduced by vendors of vendors, which makes an already difficult landscape even harder to navigate.

Legacy security techniques such as network segmentation and protocol termination are simply insufficient at this point. In an era of collective impact or ecosystem integration models, we can’t just abandon our strategies. Organizations that embrace these tools frequently find themselves wrestling with challenges. They need to be crystal clear about the dozen or more connections and dependencies along their supply chains.

A recent Federal Reserve case study on one large financial institution showcases the dangers lurking in this evolving terrain. In fact, within 24 hours of the platform’s launch, the institution had more than 500 staff members register. This tool was a pretty clear violation of the institution’s policies. This event is a prime example of how quickly and unexpectedly entities can find themselves caught up in unauthorized technologies that create security vulnerabilities.

The fallout from the disastrous CrowdStrike outage in July 2024 also showed just how dangerous and vulnerable complex, interlinked SaaS systems can be. This incident caused a lot of harm, particularly sizeable operational disruption. It also exposed our over-dependence on a long supply chain of downstream, direct SaaS providers.

“In practice, these integration models collapse authentication (verifying identity) and authorization (granting permissions) into overly simplified interactions, effectively creating single-factor explicit trust between systems on the internet and private internal resources.” – Pat Opet

These types of architectural regressions undermine basic security tenets that have historically been foundational to organizational safety. The more SaaS offerings that companies deploy, the more they need to understand how their security frameworks should evolve. Adapting to these new realities is what makes them go from good to great.

Moving Forward: The Need for Adaptation and Vigilance

Agencies and companies alike need to focus on changing their approach to security. This is key to maximizing their value to better target emerging threats in an omnichannel environment. Defining new security tenets that address the SaaS applications’ inherent challenges is key to protecting critical data.

Ongoing oversight and careful attention will be critically important to ensuring data sprawl and invasion of privacy through unauthorized data access don’t become the new normal. Organizations must invest in technologies that provide comprehensive visibility into their SaaS ecosystems and facilitate rapid response to potential breaches.