Blog
September 23, 2024

Why SaaS Apps Don’t Have a Perimeter

Uncover the hidden risks of sensitive data exposure in modern SaaS environments. Learn how the proliferation of SaaS tools has created new vulnerabilities and why traditional security measures fall short.

Download
Download

Key points:

  • The increasing use of SaaS applications has led to a distributed data environment, making it challenging to secure sensitive information.
  • Data breaches, regulatory compliance, and customer expectations have heightened the importance of data protection in SaaS.
  • Traditional security measures are insufficient to address the unique challenges of SaaS security. A solution focused on deep visibility and granular control over data is essential.

SaaS has revolutionised the workspace, and it shows no signs of slowing down. Only 10 years ago, I would have been writing this in a Word document that was saved locally on a network computer, before uploading it to the internet.

Today, I am writing the draft of this article on a Notion workspace, hosted entirely in the cloud. I can embed a Google Sheets document onto this page, which is synced with Hubspot and Airtable. I can then add automatic Slack notifications which will be delivered by Zapier to tell me when someone has opened the page. Data sprawled everywhere… all with a simple /command.

The world is so different. The way data flows between apps, people, and physical locations has never looked like this. Just think, I’m only one click away from sharing my entire CRM with anyone on the internet. In fact, anyone in my company can do this.

And I’m five clicks away from giving another company access to my entire Slack workspace, where you can find all my employees' phone numbers, every lead that’s signed up on our website, every customer action that’s been taken in our dashboard, and so much more.

But it isn't just me that is a matter of clicks away from giving away my sensitive information. I have a team creating Google docs, Airtables, Notion pages, Jira tickets, Slack Connect channels, and probably a bunch of other tools I don’t even know about, every hour of every day.

Every person in my company is a matter of clicks away from leaking sensitive data, simply in the natural course of doing their jobs. And our team is growing fast. How much worse will this problem become when we’re 5,000 people distributed all over the world with dozens of employees coming and going every day? Hundreds of contractors? Thousands more interconnected apps? It quickly becomes a privacy, security, and compliance nightmare.

The risks are becoming scarier by the day

Just five years ago, ‘cybersecurity’ was Googled 30% as often as it is today. Regulations like GDPR and CCPA didn’t even exist, and security breaches were 50% less frequent than they are today. Things are changing, rapidly.

  • The cost of a data breach has never been higher. Data breach costs rose to $4.35 million in 2022 - an increase of 13% since 2020. Nearly half of that cost comes from lost business due to the breach.
  • There’s a myriad of regulations & governments are increasingly enforcing them. Enforcement of new regulations like Europe’s GDPR, California’s CCPA, and Brazil’s LGPD is growing. All of these regulations are around a principle of data minimisation - “only collect and retain that personal data which is necessary.”
  • Customers have elevated expectations and awareness of data privacy issues. 83% of consumers in the US claim they will stop spending at a business for several months immediately after a security breach.

“Your data matters” is the ultimate promise that every company is having to make.

The promise is getting harder to fulfil

The type, volume and cadence of sensitive data generated by companies are growing exponentially. The ever-increasing adoption of SaaS tools means that sensitive data is now distributed across hundreds of platforms, all of which have their own data schema, APIs, and native security controls. What makes this extremely challenging is:

  1. Each company’s definition of ‘sensitive’ is unique. For some it’s their intellectual property, for others it’s PCI data, for others it’s any customer health records, and for others, it’s simply customer data.
  2. Each company’s environment is unique. They use different apps and they use them in different ways. Some store all their files in Google Drive, while others put some types of files in Box.
  3. Each company’s risk profile is unique. Their location, industry, size, stage, and other factors change what level of risk they’re willing to endure. For some, PHI data in Google Drive is a total no-go whereas, for others, Google Drive is essentially their customer database.

Out-of-the-box risk detections don’t work. The one-size-fits-all approach has its limitations in modern security. Antivirus, EDR, and similar black-box products are only exposing the top layer — “I blocked X, now you are safe”. While it’s a good start, it’s no longer sufficient and it often gets in the way. To operate effectively, mature security professionals need visibility into the deeper layers of not just technology, but the data itself.

The only way to solve the problem is at the data layer

IAM tools like Okta are going to help you control who can get into SaaS apps. SSPM tools like AppOmni are going to help you manage the next layer of surface security (if there are misconfigurations, if one of your vendors has had a data breach, how many third-party bots you have integrated, etc).

They can alert you to a binary incident / failed test, but who gives you continuous visibility and control over how employees are using sensitive data inside these apps? People can still upload, view, copy, share, and download sensitive data to any extent they wish. It’s a complete wild-west of sensitive data activity inside SaaS applications; companies have no visibility or control, and the world is starting to wake up to this new dimension of risk.

That’s why we built Metomic. We saw the opportunity to disrupt SSPM to bring the power of semantic data risks insight to the SaaS/infrastructure layer. This is a fundamentally missing concept from almost all security management tooling. Put simply: there is limited value in controlling access and surface-level configuration to SaaS apps when you have no visibility or control over what data is sitting where and who it’s accessible to.

Offering companies this deep visibility and granular control, Metomic gives them the knowledge they need to ensure their sensitive data is protected. 

Key points:

  • The increasing use of SaaS applications has led to a distributed data environment, making it challenging to secure sensitive information.
  • Data breaches, regulatory compliance, and customer expectations have heightened the importance of data protection in SaaS.
  • Traditional security measures are insufficient to address the unique challenges of SaaS security. A solution focused on deep visibility and granular control over data is essential.

SaaS has revolutionised the workspace, and it shows no signs of slowing down. Only 10 years ago, I would have been writing this in a Word document that was saved locally on a network computer, before uploading it to the internet.

Today, I am writing the draft of this article on a Notion workspace, hosted entirely in the cloud. I can embed a Google Sheets document onto this page, which is synced with Hubspot and Airtable. I can then add automatic Slack notifications which will be delivered by Zapier to tell me when someone has opened the page. Data sprawled everywhere… all with a simple /command.

The world is so different. The way data flows between apps, people, and physical locations has never looked like this. Just think, I’m only one click away from sharing my entire CRM with anyone on the internet. In fact, anyone in my company can do this.

And I’m five clicks away from giving another company access to my entire Slack workspace, where you can find all my employees' phone numbers, every lead that’s signed up on our website, every customer action that’s been taken in our dashboard, and so much more.

But it isn't just me that is a matter of clicks away from giving away my sensitive information. I have a team creating Google docs, Airtables, Notion pages, Jira tickets, Slack Connect channels, and probably a bunch of other tools I don’t even know about, every hour of every day.

Every person in my company is a matter of clicks away from leaking sensitive data, simply in the natural course of doing their jobs. And our team is growing fast. How much worse will this problem become when we’re 5,000 people distributed all over the world with dozens of employees coming and going every day? Hundreds of contractors? Thousands more interconnected apps? It quickly becomes a privacy, security, and compliance nightmare.

The risks are becoming scarier by the day

Just five years ago, ‘cybersecurity’ was Googled 30% as often as it is today. Regulations like GDPR and CCPA didn’t even exist, and security breaches were 50% less frequent than they are today. Things are changing, rapidly.

  • The cost of a data breach has never been higher. Data breach costs rose to $4.35 million in 2022 - an increase of 13% since 2020. Nearly half of that cost comes from lost business due to the breach.
  • There’s a myriad of regulations & governments are increasingly enforcing them. Enforcement of new regulations like Europe’s GDPR, California’s CCPA, and Brazil’s LGPD is growing. All of these regulations are around a principle of data minimisation - “only collect and retain that personal data which is necessary.”
  • Customers have elevated expectations and awareness of data privacy issues. 83% of consumers in the US claim they will stop spending at a business for several months immediately after a security breach.

“Your data matters” is the ultimate promise that every company is having to make.

The promise is getting harder to fulfil

The type, volume and cadence of sensitive data generated by companies are growing exponentially. The ever-increasing adoption of SaaS tools means that sensitive data is now distributed across hundreds of platforms, all of which have their own data schema, APIs, and native security controls. What makes this extremely challenging is:

  1. Each company’s definition of ‘sensitive’ is unique. For some it’s their intellectual property, for others it’s PCI data, for others it’s any customer health records, and for others, it’s simply customer data.
  2. Each company’s environment is unique. They use different apps and they use them in different ways. Some store all their files in Google Drive, while others put some types of files in Box.
  3. Each company’s risk profile is unique. Their location, industry, size, stage, and other factors change what level of risk they’re willing to endure. For some, PHI data in Google Drive is a total no-go whereas, for others, Google Drive is essentially their customer database.

Out-of-the-box risk detections don’t work. The one-size-fits-all approach has its limitations in modern security. Antivirus, EDR, and similar black-box products are only exposing the top layer — “I blocked X, now you are safe”. While it’s a good start, it’s no longer sufficient and it often gets in the way. To operate effectively, mature security professionals need visibility into the deeper layers of not just technology, but the data itself.

The only way to solve the problem is at the data layer

IAM tools like Okta are going to help you control who can get into SaaS apps. SSPM tools like AppOmni are going to help you manage the next layer of surface security (if there are misconfigurations, if one of your vendors has had a data breach, how many third-party bots you have integrated, etc).

They can alert you to a binary incident / failed test, but who gives you continuous visibility and control over how employees are using sensitive data inside these apps? People can still upload, view, copy, share, and download sensitive data to any extent they wish. It’s a complete wild-west of sensitive data activity inside SaaS applications; companies have no visibility or control, and the world is starting to wake up to this new dimension of risk.

That’s why we built Metomic. We saw the opportunity to disrupt SSPM to bring the power of semantic data risks insight to the SaaS/infrastructure layer. This is a fundamentally missing concept from almost all security management tooling. Put simply: there is limited value in controlling access and surface-level configuration to SaaS apps when you have no visibility or control over what data is sitting where and who it’s accessible to.

Offering companies this deep visibility and granular control, Metomic gives them the knowledge they need to ensure their sensitive data is protected. 

Key points:

  • The increasing use of SaaS applications has led to a distributed data environment, making it challenging to secure sensitive information.
  • Data breaches, regulatory compliance, and customer expectations have heightened the importance of data protection in SaaS.
  • Traditional security measures are insufficient to address the unique challenges of SaaS security. A solution focused on deep visibility and granular control over data is essential.

SaaS has revolutionised the workspace, and it shows no signs of slowing down. Only 10 years ago, I would have been writing this in a Word document that was saved locally on a network computer, before uploading it to the internet.

Today, I am writing the draft of this article on a Notion workspace, hosted entirely in the cloud. I can embed a Google Sheets document onto this page, which is synced with Hubspot and Airtable. I can then add automatic Slack notifications which will be delivered by Zapier to tell me when someone has opened the page. Data sprawled everywhere… all with a simple /command.

The world is so different. The way data flows between apps, people, and physical locations has never looked like this. Just think, I’m only one click away from sharing my entire CRM with anyone on the internet. In fact, anyone in my company can do this.

And I’m five clicks away from giving another company access to my entire Slack workspace, where you can find all my employees' phone numbers, every lead that’s signed up on our website, every customer action that’s been taken in our dashboard, and so much more.

But it isn't just me that is a matter of clicks away from giving away my sensitive information. I have a team creating Google docs, Airtables, Notion pages, Jira tickets, Slack Connect channels, and probably a bunch of other tools I don’t even know about, every hour of every day.

Every person in my company is a matter of clicks away from leaking sensitive data, simply in the natural course of doing their jobs. And our team is growing fast. How much worse will this problem become when we’re 5,000 people distributed all over the world with dozens of employees coming and going every day? Hundreds of contractors? Thousands more interconnected apps? It quickly becomes a privacy, security, and compliance nightmare.

The risks are becoming scarier by the day

Just five years ago, ‘cybersecurity’ was Googled 30% as often as it is today. Regulations like GDPR and CCPA didn’t even exist, and security breaches were 50% less frequent than they are today. Things are changing, rapidly.

  • The cost of a data breach has never been higher. Data breach costs rose to $4.35 million in 2022 - an increase of 13% since 2020. Nearly half of that cost comes from lost business due to the breach.
  • There’s a myriad of regulations & governments are increasingly enforcing them. Enforcement of new regulations like Europe’s GDPR, California’s CCPA, and Brazil’s LGPD is growing. All of these regulations are around a principle of data minimisation - “only collect and retain that personal data which is necessary.”
  • Customers have elevated expectations and awareness of data privacy issues. 83% of consumers in the US claim they will stop spending at a business for several months immediately after a security breach.

“Your data matters” is the ultimate promise that every company is having to make.

The promise is getting harder to fulfil

The type, volume and cadence of sensitive data generated by companies are growing exponentially. The ever-increasing adoption of SaaS tools means that sensitive data is now distributed across hundreds of platforms, all of which have their own data schema, APIs, and native security controls. What makes this extremely challenging is:

  1. Each company’s definition of ‘sensitive’ is unique. For some it’s their intellectual property, for others it’s PCI data, for others it’s any customer health records, and for others, it’s simply customer data.
  2. Each company’s environment is unique. They use different apps and they use them in different ways. Some store all their files in Google Drive, while others put some types of files in Box.
  3. Each company’s risk profile is unique. Their location, industry, size, stage, and other factors change what level of risk they’re willing to endure. For some, PHI data in Google Drive is a total no-go whereas, for others, Google Drive is essentially their customer database.

Out-of-the-box risk detections don’t work. The one-size-fits-all approach has its limitations in modern security. Antivirus, EDR, and similar black-box products are only exposing the top layer — “I blocked X, now you are safe”. While it’s a good start, it’s no longer sufficient and it often gets in the way. To operate effectively, mature security professionals need visibility into the deeper layers of not just technology, but the data itself.

The only way to solve the problem is at the data layer

IAM tools like Okta are going to help you control who can get into SaaS apps. SSPM tools like AppOmni are going to help you manage the next layer of surface security (if there are misconfigurations, if one of your vendors has had a data breach, how many third-party bots you have integrated, etc).

They can alert you to a binary incident / failed test, but who gives you continuous visibility and control over how employees are using sensitive data inside these apps? People can still upload, view, copy, share, and download sensitive data to any extent they wish. It’s a complete wild-west of sensitive data activity inside SaaS applications; companies have no visibility or control, and the world is starting to wake up to this new dimension of risk.

That’s why we built Metomic. We saw the opportunity to disrupt SSPM to bring the power of semantic data risks insight to the SaaS/infrastructure layer. This is a fundamentally missing concept from almost all security management tooling. Put simply: there is limited value in controlling access and surface-level configuration to SaaS apps when you have no visibility or control over what data is sitting where and who it’s accessible to.

Offering companies this deep visibility and granular control, Metomic gives them the knowledge they need to ensure their sensitive data is protected.