Generally speaking, when most CISOs think about their cloud security, they’re keyed into their cloud infrastructure held at big providers like AWS, Azure, and GCP. Their typical focus is on securing virtual machines, storage and networks that run on cloud infrastructure. All of this is hugely important.

The problem, however, is that this view of cloud security misses what is arguably a larger attack surface that also needs to be protected: Software-as-a-Service (SaaS). Try to think of an enterprise today that is not heavily reliant on vendor-hosted SaaS applications. It doesn’t seem possible.

Think of your own organization’s basic business functions. Sharing files? It's likely you're using Microsoft SharePoint, Google Drive, Box or Dropbox. Using a Customer Relationship Management (CRM) system? Most companies today rely on Salesforce or other SaaS-based systems. Leveraging GitHub or GitLab for development repositories? Those are SaaS too.

Core aspects of IT operations management have also moved to SaaS, with many organizations using services from vendors like ServiceNow and Zendesk. What about your company's core identity server? Many organizations (and likely yours too) that relied on Microsoft Active Directory have migrated to Azure AD (now rebranded as Microsoft Entra ID).

The simple reality is that many of your enterprise business applications are now handled by SaaS providers, and SaaS adoption continues to accelerate as organizations shift enterprise applications to the cloud. The pain CISOs and SOC teams are starting to feel is that security for SaaS behaves differently and can be difficult to wrangle, leaving dangerous gaps.

Security teams today that ignore the unique risks of SaaS do so at their own peril.

Security Challenges in SaaS Environments

While SaaS providers securely manage the infrastructure, infrastructure is only one component of what it takes to be secure for an organization. Are SaaS providers responsible for your users' security? The simple answer is no.

We are already familiar with the shared responsibility model for cloud services, where securing cloud infrastructure is shared between the cloud provider and the companies using it. The provider is responsible for the security “of” the cloud, and the customers are responsible for security “in” the cloud. Think about how that applies to SaaS, where customers can only configure settings but don’t have any of the “in” security controls they would have on their own infrastructure.

Even if a SaaS provider’s platform is secure, a compromised user credential that grants access to that provider can lead to a compromise of the organization's data held on the system. As organizations increasingly rely on single sign-on (SSO) to access SaaS, both the likelihood of user compromise and its impact on overall security are significant. Additionally, each SaaS platform has different logs. Those logs vary in structure, type, content and even existence. Do you know what logs are available in your SaaS platform—or more importantly, which aren’t?

Whether the breach is at the SSO provider or only a single user is compromised, that user has single sign-on to multiple SaaS platforms. One compromised user can result in catastrophic data loss. Here's a more concrete example. At Mitiga we created a threat hunt for a major SaaS provider (Salesforce). Our hunt logic identifies operations that look like a bad actor trying to siphon data out of Salesforce. There are lots of ways to share data from Salesforce through exports, downloads and emails. An attacker with the right access can use those methods to potentially exfiltrate an organization's entire Salesforce database.

So which aspects of SaaS can lead to security challenges?  

  • Identity system compromises provide access to SaaS environments. With single sign-on, one breach can expose multiple applications.
  • Broad internal access presents insider risks. A user can go to the SaaS platform and pull out all the data they have access to.
  • Lack of visibility into user activity and access. Manual investigation across SaaS platforms is time-consuming and complex.
  • Inability to detect and respond to threats in real time. Malicious insiders can exfiltrate or destroy data before the activity is identified.
  • Lack of log uniformity. Different platforms offer different log availability and different log coverage.

Looking at these factors together, it’s easy to understand why SaaS is both a rich target for attackers, and a bit of a headache for security teams.

Bridging the SaaS Security Gap

The complexity of SaaS security requires two key things: automation and correlation. If there is something odd occurring in a SaaS platform, for example a user doing a bunch of exports, that action could be legitimate. It might be a user doing some routine cleanup. Then again it could be something malicious.

Determining which bucket an activity falls into requires visibility and context. It's important to understand what the user is doing overall, across identity providers and different systems. Is the user suddenly logging in from a new location? Context really matters when deciding whether an action is in fact a potential risk. Manually working out that context is not easy; that's where automation and correlation technology come into play, to help fill the knowledge gap.
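As an added example (not Mitiga's hunt logic or any code from this post), the correlation described here combined with the Salesforce export hunt mentioned earlier: a burst of exports on its own is a "medium" finding that may be routine cleanup, while the same burst following a login from a country the user has never used before is "high". The event schema, field names, thresholds and sample log are constructed assumptions, not the real Salesforce Event Monitoring or identity-provider log formats.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events in a simplified made-up schema; "src" says whether
# the event came from the identity provider ("idp") or the SaaS app ("saas").
EVENTS = [
    {"ts": "2025-05-01T08:00:00", "src": "idp", "user": "alice", "action": "login", "country": "US"},
    {"ts": "2025-05-01T08:10:00", "src": "saas", "user": "alice", "action": "export", "object": "Account"},
    {"ts": "2025-05-01T08:12:00", "src": "saas", "user": "alice", "action": "export", "object": "Contact"},
    {"ts": "2025-05-01T09:00:00", "src": "idp", "user": "bob", "action": "login", "country": "US"},
    {"ts": "2025-05-01T09:05:00", "src": "saas", "user": "bob", "action": "export", "object": "Account"},
    {"ts": "2025-05-01T09:06:00", "src": "saas", "user": "bob", "action": "export", "object": "Contact"},
    {"ts": "2025-05-01T09:07:00", "src": "saas", "user": "bob", "action": "export", "object": "Lead"},
    {"ts": "2025-05-02T03:15:00", "src": "idp", "user": "carol", "action": "login", "country": "BR"},
    {"ts": "2025-05-02T03:20:00", "src": "saas", "user": "carol", "action": "export", "object": "Account"},
    {"ts": "2025-05-02T03:21:00", "src": "saas", "user": "carol", "action": "export", "object": "Contact"},
    {"ts": "2025-05-02T03:23:00", "src": "saas", "user": "carol", "action": "export", "object": "Opportunity"},
]

# Constructed baseline: the countries each user has historically logged in from.
BASELINE = {"alice": {"US"}, "bob": {"US"}, "carol": {"US"}}

def correlate(events, baseline, threshold=3, window=timedelta(minutes=30)):
    """Flag users with >= threshold exports inside the window; severity is
    raised when the preceding IdP login came from a country outside the baseline."""
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):   # ISO timestamps sort lexically
        by_user[e["user"]].append(e)
    findings = {}
    for user, evs in by_user.items():
        last_login, recent = None, []
        for e in evs:
            t = datetime.fromisoformat(e["ts"])
            if e["src"] == "idp" and e["action"] == "login":
                last_login, recent = e, []            # new session: reset the export window
            elif e["src"] == "saas" and e["action"] == "export":
                recent = [x for x in recent if t - datetime.fromisoformat(x["ts"]) <= window]
                recent.append(e)
                if len(recent) >= threshold:
                    new_loc = last_login is not None and last_login["country"] not in baseline.get(user, set())
                    findings[user] = {
                        "exports": len(recent),
                        "objects": sorted({x["object"] for x in recent}),
                        "login_country": last_login["country"] if last_login else None,
                        "new_location": new_loc,
                        "severity": "high" if new_loc else "medium",  # medium may be routine cleanup
                    }
    return findings
```

Running `correlate(EVENTS, BASELINE)` yields nothing for alice (two exports), a medium finding for bob (three exports, familiar country) and a high finding for carol (three exports right after a first-ever login from BR).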

To overcome these SaaS security challenges, CISOs must focus on three things:

  1. Proactive assessments. Validate logging and visibility coverage across SaaS apps to identify blind spots.
  2. Real-time visibility. Centralized monitoring of identity, access and activity across SaaS environments.
  3. Contextual insights. It's essential to have the automated capability to connect related identity, infrastructure and application events across an organization's digital attack surface.

Providing clear contextual visibility saves precious investigation time when responding to threats and reduces data exposure risks. As organizations continue rapidly migrating business-critical systems to SaaS, CISOs and their security teams must prioritize protecting these new environments or jeopardize business resilience. The time for action is now.

LAST UPDATED: May 14, 2025
