By 2025, cloud-native platforms such as Software-as-a-Service (SaaS) are expected to dominate the implementation of new digital workloads, accounting for more than 95% of such initiatives. At the same time, the growing use of AI and Generative AI (GenAI) in software products, combined with the black-box nature of AI models and the unsanctioned use of AI tools ("Shadow AI"), has made ensuring the legality, fairness, and transparency of AI-driven decisions a formidable task, and adds a further layer of regulatory challenge.

Undoubtedly, ensuring compliance with stringent legal regulations like the General Data Protection Regulation (GDPR) and obtaining certifications such as ISO/IEC 27001 underscore a business's commitment to maintaining the safety and privacy of sensitive data. However, these regulations also present unique challenges for SaaS providers around data subject rights, data minimization, and accountability. Additionally, the cross-border nature of SaaS operations often complicates matters, requiring careful consideration of data transfer mechanisms. For instance, some jurisdictions impose data localization requirements that mandate certain types of data be stored within the country's borders, creating challenges for businesses operating globally.

Consequently, keeping pace with these emerging regulatory frameworks and evolving standards makes balancing security and compliance increasingly complex for enterprises. Sustaining security compliance is therefore not a static achievement but an ongoing, adaptive process.

What’s influencing the current state of SaaS security compliance?

As hosts to data ranging from less sensitive corporate information to highly critical intellectual property, employee records, and more, SaaS products have also become a pivotal entry point for some of the top concerns driving the security compliance imperative, especially as AI use within SaaS grows. Let us take a closer look.

Democratizing SaaS

SaaS applications may have revolutionized how organizations procure and deploy software, but each app uses its own settings and terminology to describe its security features. Consequently, no universal guidance document fits every scenario when configuring these settings. Product owners must navigate disparate security configurations, each requiring a tailored approach to compliance. This absence of standardized guidelines inevitably leads to inconsistencies in security posture across applications, leaving sensitive data exposed. For example, according to a recent report, roughly 10% of all breaches in the leaky Salesforce Community sites were caused by 'configuration confusion.'

Identity as a Safety Net

Threat actors continually focus on compromising authorized user accounts within SaaS applications. Once they gain access, these adversaries employ current Tactics, Techniques, and Procedures (TTPs) to move through the system and locate valuable data, so traditional network perimeters are no longer adequate to safeguard sensitive data. The attack on Microsoft in which malicious OAuth applications were used to reach corporate accounts is a telling example: the threat actors gained their initial foothold by password spraying targeted accounts that lacked MFA. Identity, specifically the management and security of user identities and access rights, has emerged as the new frontline defense, or de facto perimeter, for SaaS applications.
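The password-spray pattern described above (many accounts, one or two guesses each, then a quiet success against an account without MFA) is detectable from ordinary sign-in logs. The script below is an added example written for this article, not code from the article, from Microsoft, or from any vendor; the event format, the thresholds and the sign-in events themselves are constructed assumptions.

```python
"""Password-spray detection over SaaS sign-in events.

Added illustration for this article; not code from the article or from any
vendor. The event format (timestamp, user, source_ip, outcome, mfa_satisfied)
and the thresholds are assumptions, and the events are constructed samples.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: one source IP guesses once against many accounts
# (the low-and-slow spray profile) and finally succeeds against a
# legacy account that has no MFA enrolled. Carol's failures are benign:
# one user, two typos, then a successful MFA-backed sign-in.
SAMPLE_EVENTS = [
    ("2024-01-10T08:00:01Z", "alice@example.com", "203.0.113.7", "failure", False),
    ("2024-01-10T08:00:03Z", "bob@example.com", "203.0.113.7", "failure", False),
    ("2024-01-10T08:00:05Z", "dave@example.com", "203.0.113.7", "failure", False),
    ("2024-01-10T08:00:07Z", "erin@example.com", "203.0.113.7", "failure", False),
    ("2024-01-10T08:00:09Z", "frank@example.com", "203.0.113.7", "failure", False),
    ("2024-01-10T08:00:11Z", "grace@example.com", "203.0.113.7", "failure", False),
    ("2024-01-10T08:00:20Z", "legacy-test@example.com", "203.0.113.7", "success", False),
    ("2024-01-10T08:05:00Z", "carol@example.com", "198.51.100.4", "failure", False),
    ("2024-01-10T08:05:10Z", "carol@example.com", "198.51.100.4", "failure", False),
    ("2024-01-10T08:05:20Z", "carol@example.com", "198.51.100.4", "success", True),
]


def _parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def detect_password_spray(events, window=timedelta(minutes=10),
                          min_accounts=5, max_per_account=2):
    """Flag source IPs whose failed sign-ins hit at least `min_accounts`
    distinct accounts inside `window`, with no single account tried more
    than `max_per_account` times (many accounts, few guesses each).

    For each flagged IP, also list accounts it later signed into
    successfully without MFA: those are the likely compromises to
    triage first.
    """
    by_ip = defaultdict(list)
    for ts, user, ip, outcome, mfa in events:
        by_ip[ip].append((_parse(ts), user, outcome, mfa))

    findings = []
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e[0])
        failures = [(t, u) for t, u, o, _ in evs if o == "failure"]
        for i, (t0, _) in enumerate(failures):
            # Count failures per account within the window starting at t0.
            per_account = defaultdict(int)
            for t, u in failures[i:]:
                if t - t0 > window:
                    break
                per_account[u] += 1
            if (len(per_account) >= min_accounts
                    and max(per_account.values()) <= max_per_account):
                no_mfa_successes = sorted({
                    u for t, u, o, mfa in evs
                    if o == "success" and not mfa and t >= t0
                })
                findings.append({
                    "source_ip": ip,
                    "window_start": t0.isoformat(),
                    "accounts_targeted": len(per_account),
                    "successes_without_mfa": no_mfa_successes,
                })
                break  # one finding per IP is enough for triage
    return findings


if __name__ == "__main__":
    for finding in detect_password_spray(SAMPLE_EVENTS):
        print(finding)
```

Run as-is, the script reports a single finding for 203.0.113.7 covering six targeted accounts and one MFA-less success (legacy-test@example.com), while Carol's repeated failures from her own address stay below the distinct-account threshold. The per-account cap is what separates a spray from brute force against one account; tune both thresholds to the tenant's normal failure rate before alerting on them.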

Cross-border compliance & geo-specific tenants

To keep data segmented and adhere to differing local regulations, the coming years will see a significant rise in geo-specific tenants, and in the effort needed to secure them. Each geo-specific tenant requires its own setup and management tailored to the rules of that region, including security controls and data encryption configured to local standards such as GDPR in Europe or other regional privacy laws. Managing multiple tenants across regions only adds to the complexity of keeping security practices consistent. The 'Superglue' vulnerability reported in AWS Glue, which allowed a researcher to cross tenant boundaries, with a failure of data isolation among its causes, illustrates the risk: the security of one instance of a SaaS application does not guarantee the security of all tenants.

Misconfigurations or insecure APIs

Accounting for almost 63% of enterprise security incidents, default misconfigurations, for instance in a SaaS application's access control lists (ACLs), can let unauthorized users pull data from company records. Depending on the nature of the data leaked, a misconfiguration can turn into an onerous fine. Further, because APIs underpin the functionality and connectivity of SaaS and cloud platforms, any vulnerability in them can expose sensitive data to unauthorized users, much like the HubSpot data breach, in which insecure API keys reportedly exposed the sensitive data of over 1.6 million users.

Is it safe to say offensive security drives defensive security in the SaaS compliance landscape? Maybe. In the campaign against Cisco's Adaptive Security Appliance (ASA) firewalls, nation-state-backed actors exploited two zero-day vulnerabilities for as long as five months before the compromise was detected. Another example is the Snowflake incident, which exposed the confidential data of as many as 165 customers, reportedly because threat actors used stolen credentials against customer accounts that had no MFA enforced.

Security by design, not as an afterthought

By embedding security best practices at every phase of product development, be it architecture, design, or coding, businesses can proactively mitigate risks and ensure robust protection for their SaaS offerings.

Take CrowdStrike, for example: its root-cause analysis of the global outage affecting 8.5 million Windows systems revealed that testing during development and release of the Falcon sensor did not uncover a latent out-of-bounds read, which ultimately crashed the affected systems.

Given the nature and longevity of such incidents, the need to integrate security into the product engineering lifecycle cannot be overstated. Here is a bird's-eye view of a few best practices.

  • Early Threat Modeling: Identify potential security threats and vulnerabilities during the design phase to proactively implement countermeasures.
  • Secure Coding Practices: Adhere to secure coding guidelines and best practices such as data encryption, input validation, and authentication and authorization to minimize coding vulnerabilities.
  • Continuous Testing and Validation: Conduct security testing regularly, such as penetration testing and code reviews, to identify and address security weaknesses before release.
  • Secure Deployment and Configuration: Use configuration management tools to maintain consistent and secure deployment environments, minimizing configuration drift or potential misconfigurations.
  • Monitoring and Incident Response: Establish real-time monitoring mechanisms to detect anomalous activities and promptly respond to security incidents, minimizing potential impacts.
  • User Education and Awareness: Educate users about security best practices and ensure they understand their role in maintaining the security of their data and interactions with the SaaS product.
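The configuration-drift item above, together with the geo-specific tenant point earlier, comes down to one recurring check: does each tenant's live configuration still match the agreed baseline and the residency rules of its jurisdiction? The audit below is an added example written for this article, not code from the article or from any vendor's SSPM tooling; the baseline settings, the per-jurisdiction policy, the setting names and the tenant configurations are all constructed assumptions.

```python
"""Tenant configuration baseline audit.

Added illustration for this article; not code from the article or from any
vendor. The baseline settings, the per-jurisdiction policy and the tenant
configurations are constructed assumptions used to show the checks.
"""

# Controls every tenant must set explicitly, whatever its region.
BASELINE = {
    "mfa_required": True,
    "encryption_at_rest": True,
    "guest_access_enabled": False,   # a default-open ACL is the classic leak
    "public_link_sharing": False,
}

# Jurisdiction-specific rules: permitted data residency and session length.
REGION_POLICY = {
    "EU": {"allowed_data_regions": {"eu-west-1", "eu-central-1"}, "max_session_minutes": 60},
    "US": {"allowed_data_regions": {"us-east-1", "us-west-2"}, "max_session_minutes": 120},
    "IN": {"allowed_data_regions": {"ap-south-1"}, "max_session_minutes": 60},
}

# Constructed tenants: one compliant, one with guest access left on,
# one whose data sits outside its jurisdiction with MFA off and the
# session timeout never set (so the provider default applies).
SAMPLE_TENANTS = {
    "acme-eu": {"jurisdiction": "EU", "data_region": "eu-central-1",
                "mfa_required": True, "encryption_at_rest": True,
                "guest_access_enabled": False, "public_link_sharing": False,
                "session_minutes": 45},
    "acme-us": {"jurisdiction": "US", "data_region": "us-east-1",
                "mfa_required": True, "encryption_at_rest": True,
                "guest_access_enabled": True, "public_link_sharing": False,
                "session_minutes": 90},
    "acme-in": {"jurisdiction": "IN", "data_region": "us-east-1",
                "mfa_required": False, "encryption_at_rest": True,
                "guest_access_enabled": False, "public_link_sharing": False},
}


def audit_tenant(name, cfg, baseline=BASELINE, region_policy=REGION_POLICY):
    """Return a list of (tenant, setting, expected, actual) drift findings.

    A setting that is absent counts as drift: an unset control means the
    provider default is in force, and defaults are exactly what the
    baseline is meant to override.
    """
    findings = []
    for key, expected in baseline.items():
        actual = cfg.get(key)
        if actual != expected:
            findings.append((name, key, expected, actual))

    policy = region_policy.get(cfg.get("jurisdiction"))
    if policy is None:
        findings.append((name, "jurisdiction", "known jurisdiction", cfg.get("jurisdiction")))
        return findings
    region = cfg.get("data_region")
    if region not in policy["allowed_data_regions"]:
        findings.append((name, "data_region", sorted(policy["allowed_data_regions"]), region))
    session = cfg.get("session_minutes")
    if session is None or session > policy["max_session_minutes"]:
        findings.append((name, "session_minutes", f"<= {policy['max_session_minutes']}", session))
    return findings


def audit_all(tenants, baseline=BASELINE, region_policy=REGION_POLICY):
    """Audit every tenant; tenants with an empty list are compliant."""
    return {name: audit_tenant(name, cfg, baseline, region_policy)
            for name, cfg in tenants.items()}


if __name__ == "__main__":
    for tenant, drift in audit_all(SAMPLE_TENANTS).items():
        status = "OK" if not drift else f"{len(drift)} finding(s)"
        print(f"{tenant}: {status}")
        for _, setting, expected, actual in drift:
            print(f"  {setting}: expected {expected!r}, got {actual!r}")
```

Run against the constructed tenants, acme-eu passes, acme-us is flagged only for guest access, and acme-in collects three findings (MFA off, data outside its jurisdiction, session timeout never set). Treating a missing setting as a finding rather than as "fine" is the deliberate choice here: the default misconfigurations discussed earlier are precisely the values nobody set.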

Notably, with current advances in AI and in tooling such as SaaS Security Posture Management (SSPM), many of these best practices can now be automated, especially monitoring and compliance checks.

Product engineering with a security-first mindset not only strengthens the overall cybersecurity posture of SaaS offerings but also makes security a shared responsibility across all teams, from design through deployment to support. Partnering with SaaS providers who share this mindset yields compliant products that mitigate legal and regulatory risk and build customer trust, which is critical to the end outcome.

About the Authors

Neil Gomes:

Neil Gomes is a Partner with Wipro’s Hi-Tech Domain & Consulting practice, bringing over 24 years of expertise in driving consulting and digital transformation initiatives. He focuses primarily on clients in the Hi-Tech Industry. At Wipro, Neil leverages his deep experience to lead transformative projects that align technology strategies with business goals. He holds a Graduate degree in Technology Management from Carnegie Mellon University and is an APICS Certified Supply Chain Professional.

Deepanjan Banerjee:

Deepanjan Banerjee serves as the Global Account Executive for The Networking and Edge Providers Cluster at Wipro Limited, based in Raleigh, NC, USA. With nearly 30 years of industry experience, he specializes in guiding clients on their transformation and modernization journeys. At Wipro, Deepanjan leverages a robust framework of software engineering to deliver integrated propositions that meet client needs. He also champions a strong ecosystem of partnerships and alliances to drive success.