This article was originally published on the Forbes Technology Council.
‍
While 2024 will undoubtedly throw some curveballs, one sure bet is that modern work will continue to happen across cloud and SaaS applications. As CIOs, CISOs and other IT security leaders set their priorities for the coming year, it’s important to consider the challenges and opportunities in the realm of SaaS security and governance. Here are some key trends to watch for.
‍
AI dominated 2023, yet relatively few organizations are rolling their own large language models. In fact, 78% of organizations now rely on third-party AI tools like OpenAI and Glide, with over half of organizations solely using third-party AI providers.
‍
Introducing any software or service provider into an organization carries concerns of third-party risk and data privacy. However, with AI, these concerns are amplified due to the emerging vulnerabilities and AI threats that are yet to be fully understood. Without proper guardrails, sensitive data is at risk of being used to train public AI algorithms, regardless of whether the data is shared directly with an AI provider or with another SaaS provider that utilizes third-party AI services in their offerings.
‍
Looking ahead to 2024, securing the AI supply chain will become an integral part of organizations’ third-party risk management and security programs. To get there, they’ll first need to overcome the current “shadow AI” problem, as many are still struggling to get a handle on the unsanctioned AI being adopted across the organization.
‍
Eighty percent of all breaches use compromised identities. As organizations harden their network and endpoint attack surfaces, adversaries are increasingly resorting to social engineering tactics and stolen credentials, often exploiting the human element, as was observed in a recent Okta breach affecting 134 customers.
‍
AI-powered deepfake videos are approaching complete realism, making it alarmingly simple for attackers to deceive victims into falling for exploits and making defense significantly more difficult.
‍
Organizations will require next-generation identity security solutions to combat these threats, as well as robust identity governance and administration (IGA) capabilities to ensure identity and access best practices, such as broadly enforcing SSO and multifactor authentication across all cloud and SaaS logins.
‍
SaaS governance extends beyond monitoring employees’ cloud and SaaS logins. IT security leaders are grappling with an intricate mesh of SaaS applications, all interconnected by no-code/low-code integrations—most commonly, OAuth grants.
‍
OAuth simplifies the process for employees to grant third-party access to SaaS data, making work more seamless while paving the way for potential security risks. The reality is that most organizations not only lack insight into the actual SaaS technology their workforce is using, but they also lack visibility into the data being shared across these apps via OAuth grants. However, with the increase in OAuth-related exploits, security organizations will need to prioritize OAuth visibility, governance and risk management.
‍
In 2023, many CISOs faced severe budget constraints—a trend that's expected to persist into 2024 due to prevailing macroeconomic factors that heighten the call for capital efficiency. IT and security organizations will be increasingly expected to validate their investments, not only by demonstrating risk reduction and business continuity but also by illustrating cost savings.
‍
Reining in SaaS sprawl is one such strategy that can satisfy both requirements: It enables security organizations to consistently minimize their SaaS attack surface while simultaneously returning unnecessary SaaS expenditure back to the business.
‍
However 2024 shakes out, organizations must remain vigilant and adaptive in the face of the evolving SaaS security landscape. By addressing AI supply chain risks, enforcing identity security and governance, untangling the SaaS application mesh and working to contain SaaS sprawl continuously, CISOs and other IT security leaders can ensure they are best equipped to safeguard their critical SaaS assets and data, thereby bolstering both their security posture and business growth.