Professional Documents
Culture Documents
2022年SaaS安全调查报告
2022年SaaS安全调查报告
Survey Report
© 2022 Cloud Security Alliance – All Rights Reserved. You may download, store, display on your
computer, view, print, and link to the Cloud Security Alliance at https://cloudsecurityalliance.org
subject to the following: (a) the draft may be used solely for your personal, informational, non-
commercial use; (b) the draft may not be modified or altered in any way; (c) the draft may not be
redistributed; and (d) the trademark, copyright or other notices may not be removed. You may quote
portions of the draft as permitted by the Fair Use provisions of the United States Copyright Act,
provided that you attribute the portions to the Cloud Security Alliance.
Designers:
Claire Lehnert
Stephen Lumpe
Special Thanks:
Eliana Vuijsje and Caroline Rosenberg at Adaptive Shield
Adaptive Shield commissioned CSA to develop a survey and report to better understand the
industry’s knowledge, attitudes, and opinions regarding SaaS security and related misconfigurations.
Adaptive Shield financed the project and co-developed the questionnaire by participating with
CSA research analysts. The survey was conducted online by CSA from January to February 2022
and received 340 responses from IT and security professionals from various organization sizes and
locations. CSA’s research team performed the data analysis and interpretation for this report.
Key Finding 1
SaaS misconfigurations are leading to security incidents
Misconfigurations have been a top concern for organizations since at least 20191. Unfortunately,
at least 43% of organizations dealt with one or more security incidents because of a SaaS
misconfiguration. This number could be as high as 63% as a notable amount were unsure if their
organization had experienced a security incident due to a SaaS misconfiguration. This fact is
particularly striking when comparing similar data
20% Unsure on IaaS misconfigurations; 17% of organizations
experienced security incidents due to a
misconfiguration2.
Key Finding 2
The leading causes of SaaS misconfigurations are lack
of visibility and too many departments with access
The leading causes of the security incidents are two related issues: too many departments have
access to the SaaS security settings (35%) and a lack of visibility into changes in the SaaS security
settings (34%). This finding is not surprising for two reasons: 1. Lack of visibility into SaaS security
settings was rated a top concern when adopting SaaS applications. 2. On average, organizations have
multiple departments with access to security settings (see the section titled “Responsible for SaaS
app security settings” for more details).
Key Finding 3
Investment in business-critical SaaS applications
outpacing SaaS security tools and staff
Over the past year, 81% of organizations have increased their investment in business-critical SaaS
applications, but fewer organizations report increasing their investment in security tools (73%)
and staff (55%) for SaaS Security. This change means there is an increasing burden on the existing
security teams to monitor SaaS security. As seen in another key finding, the use of automation for
monitoring SaaS security can help to decrease this pressure, but only 26% of organizations utilize
this technology. Security teams are spending more time manually assessing security, detecting, and
remediating misconfigurations. Organizations must consider this when investing in business-critical
SaaS applications as the current investment pattern will be unsustainable long-term.
3%
Business-critical
17%
SaaS application
81%
4%
Security tools for
23%
the SaaS stack
73%
7%
Staff for SaaS
38%
Security
55%
Monthly 18%
Continuously 3% 6% Unsure
11%
Continuously
18%
13%
Daily
25%
21%
Weekly
35%
18%
Monthly
12%
15%
Quarterly
4%
10%
Yearly
4%
2%
Within minutes or
near-real-time 10%
11%
Within
6 hours 10%
23%
Within
1 day 53%
25%
Within
1 week 8%
15%
Within
1 month 14%
8%
Within
6 months 4%
1%
Longer than
6 months 0%
Unsure 14%
2%
150
100
50
0
200 400 600 800 1000
Number of SaaS Applications
IN CR EA SE
Lack of visibility into 3rd Part application access to the core SaaS stack
56%
54%
41%
38%
35%
32%
Security
59%
IT
50%
GRC team
19%
I don’t know
10%
Other
4%
12 © Copyright 2022,
2021, Cloud Security Alliance. All rights reserved.
Applications assessed for misconfigurations
Organizations monitor a wide range of SaaS applications for misconfigurations. The most highly
selected applications were IAM (52%), communication and collaboration platforms (49%), and File
sharing/storage (49%). With small differences between concerns, it is clear that organizations are
worried about their whole SaaS app stack.
Other
2%
Forty percent of organizations check their SaaS security configuration monthly or less frequently; 1 in
10 organizations reported that they only checked yearly. The most common response, however, was
weekly (23%).
17% Monthly
Governance &
Cybersecurity Risk 23% 2% Other
Security
Security Operations 21% 16% Engineers
Within minutes
or near-real-time 4% 12% Unsure
Longer than
Within 6 hours 11% 1% 6 months
43% Yes
Conclusion
The key ways organizations can improve their SaaS security.
1. Provide security teams with proper visibility into SaaS app security settings, including 3rd party
app access, and user permissions. This visibility allows multiple departments to maintain their
access without risking improper changes that leave the organization vulnerable.
2. Utilize automated tools to monitor and remediate SaaS security misconfigurations like SSPMs.
Automation allows security teams to fix these issues in near-real time, reducing the time the
organization is left vulnerable or preventing the problem from occurring altogether.
These changes provide support to their security team while not preventing other departments from
continuing their work and avoiding major security incidents.
y,
fe
og
de
es
ol
om
hn
g
in
s
s
s c
H
ce
ic
ud
ic , Te
st
&
vi
cl
ac ry
gi
on s
e
y,
er
(in
os live
tr on
ur
Lo
er
lS
is
e
ec ti
e
ia
t&
Le
hi
El ica
D
nc
ac
p
or
&
t&
, & un
na
M
g
pp
n
et m
en
er
in
Fi
tio
n,
t
Su
e
rn m
en
r
A
nm
&
io
tu
iv
ta
te co
t
e
&
nm
ct
ot
e
ss
ofi
io
ac
or
nc
ai
nc
s
In ele
ru
at
m
ne
sp
uf
ne
pr
rt
ra
er
na
nt
uc
to
T
te
an
si
on
su
an
ov
rli
Fi
Co
%
Au
Bu
Ed
En
Ai
M
In
Tr
25
%
4%
4%
8%
6%
9%
2%
2%
2%
2%
3%
1%
22
e
s
ge
al
le
at
tin
tic
ab
st
ke
r
lE
ur
eu
ve
ar
D
a
ac
Be
M
Re
er
m
&
&
um
1%
ar
g
d
in
Ph
o
ns
Fo
is
Co
&
rt
2%
ve
re
&
ca
Ad
il
th
ta
2%
Re
l
ea
H
2%
2%
the decision-making
process of introducing
new strategies?
39% I run the process
ct
y
m
ite
rit
ss
er
ch
er
cu
se
ne
st
io rt
Ar
Se
y
As
tr xpe
y
Te
rit
gi
y
rit
n
SO
En
cu
rit
io
sk
n
cu
E
cu
at
Se
CI
Ri
Pe ics
y
Se
at
rit
er
m
Se
y
or
er
s
ut
th
cu
r
d
2% ren
IT
fo
SO
ne
b
nd
aS
ou
ep
O
Cy
Se
In
%
Ve
Fo
Sa
CI
Cl
3%
D
16
%
%
%
8%
3%
3%
5%
7%
1%
14
16
12
y
ns
ct
rit
CI
ite
io
cu
t
2%
ch
ra
Se
Ar
pe
aS
y
rit
Sa
y
rit
cu
1%
cu
Se
Se
d
ou
3%
Cl
4%