31 Jan The Spiraling SaaS Stack: Real-Life Case Study of How a $10B Enterprise Regained Control to Keep SaaS Data Secure

SSPM is emerging as the industry’s mission-critical solution

– Hananel Livneh, Head of Product Marketing, Adaptive Shield

Tel Aviv, Israel – Jan. 31, 2024

The breakneck pace of SaaS application adoption is driving double-digit growth in the size of corporate SaaS stacks as enterprises embrace cloud services to improve collaboration, save costs, and enable the hybrid work model.

As SaaS stacks spiral, so does their attack surface on the thousands of application instances in use by employees of organizations. SaaS app owners today mostly sit outside IT, without the knowledge or training to maintain their security. With this democratization of SaaS ownership in organizations, security managers are struggling to get a full picture of apps and their security settings in their networks, including SaaS-to-SaaS 3rd party connected apps.

This article will explore how a $10B revenue media organization adopted an SSPM solution to gain security control of its SaaS stack and dramatically improve its security posture. A Forrester Consulting Total Economic Impact™ (TEI) study, commissioned by Adaptive Shield, found that investment delivered the enterprise 201 percent ROI in less than 6 months.

For the full TEI study, click here

The SaaS Data Security Challenge

The company interviewed for the SSPM study is a European-headquartered global media and information services company. As experts in image and reputation, data security is a prime concern in an organization that is entrusted with data by high-profile clients.

Three years ago, the company started experiencing incidents that were attributed to a lack of security control over SaaS applications.

The security issues coincided with the large and growing volume of business-critical SaaS applications. The organization was increasing its use of SaaS apps across the IT, HR, finance, sales, marketing, and product teams. To compound the challenge, the company was experiencing increased complexity of application adoption due to mergers and acquisitions and geographically distributed SaaS application tenants.

As the organization’s security and risk team had limited familiarity with each application, they could not ask application owners the right questions.  App owners were neither educated nor equipped enough to exercise security, and were happy to maintain their newfound independence as app managers owning the “keys to the kingdom.”

Despite the efforts of the security team, the company was struggling to get on top of the security challenges from the SaaS apps. The company had experienced six internal security breaches that year. The company security team was also investing a total of 2,400 hours a year in implementing compliance rules.

“We started seeing some small incidents resulting from SaaS misconfiguration, so we needed to do something about it… [It] was a wake-up call for us that we really need to look at all the configurations at scale,” the chief security officer of the company said in an interview with Forrester for the study.

The media firm decided it was time to look at an automated SaaS security monitoring solution and turned to SSPM.

Regaining Control of Data Security

The company began evaluating multiple vendors. In a proof-of-concept (POC) phase with Adaptive Shield, the organization’s security team instantly found issues in their SaaS configurations and fixed them based on the POC results.

In 2022, Adaptive Shield was selected and deployed to secure the organization’s SaaS stack.

Before the POC, the company’s SaaS security posture was measured at 40 percent. In the first six months, the organization experienced rapid improvement in the score which reached 70 percent at the end of the first year.

“When we look at the security score trends, we observed a significant increase over time,” the CSO said.

In the second year, security posture improved to 85 percent, and the company was on track to reach a 95 percent score after three years based on the study forecast.

The substantial improvement in the overall security posture score was attributed to SSPM capabilities to deliver visibility, remediation guidance, and ongoing monitoring, the study found. 

Improvement in misconfiguration management was a specific significant benefit the company achieved with SSPM.

Misconfigured SaaS settings are one of the leading causes of SaaS data breaches, stolen SaaS data, and SaaS ransomware. Security misconfigurations have caused 35 percent of all-time cyber incidents, according to an analysis by SOCRadaar Research.

SaaS applications can have hundreds of security settings to configure, in addition to the continuous need for updates. 

After the deployment of Adaptive Shield, the annual assessment was replaced by continuously monitoring the security posture of each application and communicating its configuration fixes through Adaptive Shield’s platform. The organization experienced significant efficiency gains in misconfiguration detection and allocated more resources to analyze and fix the issues.

Efficiency in the misconfiguration detection process was found in the study to improve by 70 percent using SSPM.

The study also found that the Adaptive Shield platform improved collaboration between security teams and app owners. Deploying Adaptive Shield helped bridge the SaaS app owners’ security knowledge gaps and foster collaboration between the teams.

Many qualitative benefits of SSPM were also found in the study. Transitioning from manual to automated processes allowed security teams to focus on security management rather than conduct interviews with app owners about their configurations. In general, it also helped the organization overcome challenges introduced by the democratization of security management and secure SaaS data.

The study concluded that Adaptive Shield enabled the security team to “gain complete control and increased visibility of the security posture of all business-critical applications.”

Return on Investment with SSPM 

In the case study of the media organization having difficulty managing SaaS security as its SaaS landscape was growing rapidly, the traditional security approach was failing at scale. Adopting an SSPM was found to improve security and efficiency dramatically while saving costs:

• Overall security posture improvement contributed $1.49M
• Improved efficiency in SaaS misconfiguration detection was worth $397K
• Improved efficiency in SaaS security compliance control was valued at $260K
• Improved collaboration between security teams and business app owners delivered another 32K in savings

 The total benefits over three years (at present value) totaled $2.1M. The total licensing and deployment costs over those three years, at present value, was $723,866. Payback was reached in less than six months, and the ROI over the three-year time frame was 201 percent.

With the frequency of SaaS attacks only growing and SaaS incidents continuously exposing organizations to data leaks, breaches, compliance failures, and other potential disruptions in business operations, SSPM is shown in the study as an efficient and effective technology today for organizations to truly secure SaaS data.

Find out how an SSPM can deliver impressive ROI and security benefits

Hananel Livneh is Head of Product Marketing at Adaptive Shield. He joined Adaptive Shield from Vdoo, an embedded cybersecurity company, where he was a Senior Product Analyst. Hananel completed an MBA with honors from the OUI, and has a BA from Hebrew University in Economics, Political Science and Philosophy (PPE). Oh, and he loves mountain climbing.

---