SaaS Security & SSPM

The third leg of the *PM stool. CSPM covers IaaS, KSPM covers Kubernetes, and SSPM covers SaaS - the place most of an enterprise's actual data already lives. A vendor-neutral practitioner's guide to the SaaS security problem, the four pillars (identity, configuration, data, threat detection), the OAuth app risk, shadow IT discovery, SSPM vs CASB, ITDR, and the specific work of securing M365, Google Workspace, Salesforce, Slack, GitHub, and the long tail.

Developer monitors showing multiple SaaS app interfaces side by side
Photo by Pixabay on Pexels

· · Vendor-neutral · View source on GitHub

The 30-second version: The average enterprise runs 200+ SaaS apps, and IT knows about roughly 40% of them. The rest is shadow IT. Each app holds identities, data, and OAuth grants - and most of them are configured to the vendor's defaults, which are written for adoption, not security. SSPM (SaaS Security Posture Management) is the configuration-posture management layer for SaaS - the third leg of the *PM stool alongside CSPM for IaaS and KSPM for Kubernetes.

A modern SaaS security program runs SSPM for posture, CASB for inline DLP and shadow-IT discovery, ITDR for identity-layer detection, and a recurring OAuth app review process that no tool does for you. The work tiers naturally: Microsoft 365, Google Workspace, the IdP, GitHub, and Salesforce are the Tier 0 systems whose compromise is an extinction event; everything else gets baselined as the program matures.

On this page

  1. The SaaS security problem
  2. The SaaS security model
  3. What SSPM is (and isn't)
  4. The four pillars of SaaS security
  5. The OAuth app problem
  6. Shadow IT discovery
  7. SSPM vs CASB
  8. SSPM platform landscape
  9. CASB platform landscape
  10. SaaS apps to prioritize
  11. M365 security
  12. Google Workspace security
  13. Salesforce security
  14. GitHub / GitLab security
  15. Slack & Teams security
  16. ITDR (Identity Threat Detection & Response)
  17. Compliance for SaaS
  18. Building a SaaS security program
  19. AWS / Azure / GCP comparison
  20. Maturity stages
  21. Common pitfalls
  22. Further reading
  23. FAQ

The SaaS security problem

Two numbers frame the entire discipline. The first: the average enterprise runs 200+ SaaS applications - somewhere between 130 and 400 depending on the study and the company size, and the trend is monotonically up. The second: IT inventories typically capture around 40% of them. The remainder is what the industry calls shadow IT - apps bought on a corporate card, signed up for with a work email, or onboarded through a free-tier link in someone's Slack DM.

That gap is not a hygiene problem; it is the structural reality of modern work. SaaS is too easy to adopt. Any employee with a credit card and 60 seconds can stand up a workspace, invite teammates, and pipe sensitive data through it before anyone in security knows it exists. The vendor's incentive is frictionless onboarding; the customer's discovery problem is the externality.

The data inside those apps is not a side concern. The customer list lives in Salesforce; the source code lives in GitHub; the payroll and PII live in Workday; the strategy decks live in Google Drive and SharePoint; the production secrets live in 1Password or Vault; the customer support tickets live in Zendesk; the deal flow lives in HubSpot. The corporate file server moved into SaaS years ago. Most enterprises have more sensitive data in SaaS than in their cloud IaaS estate, and yet the cloud security program is often heavily IaaS-weighted because that is where the discipline grew up.

The other complication: SaaS apps each have their own admin console, their own permission model, their own audit log shape, their own concept of "external user," and their own definition of "public link." A security engineer who is fluent in S3 bucket policies is still in week-one territory when they sit down in Salesforce's sharing model or Slack's Enterprise Grid org-vs-workspace controls. SaaS security is breadth work - many systems, shallow at first, deepening on the Tier 0 ones - where IaaS security is depth work in three near-identical cloud APIs.

The SaaS security model - what shifts vs IaaS

The shared responsibility model tilts dramatically as you move from IaaS to PaaS to SaaS. In IaaS you are responsible for the operating system, the network, the runtime, the application, the identities, the data, and the configuration. In SaaS, the vendor owns the operating system, the runtime, the application, the network, and the physical infrastructure. What is left to you is narrower but no less important:

Layer IaaS (yours) SaaS (yours)
Physical / network Provider Provider
OS / runtime / app You Provider
Identity & access You (IAM) You (SSO, MFA, SCIM, OAuth grants)
Tenant configuration You (resource configs) You (admin settings, sharing, retention)
Data classification & DLP You You
Logging & monitoring You (CloudTrail, Activity Log, Audit Logs) You - but log access varies wildly by app and license tier
Third-party app integrations N/A directly You (OAuth grants, marketplace apps)
Incident response Full forensic access Limited - depends on vendor cooperation and log retention

Two consequences follow. First, every column where the answer is "you" needs a process, an owner, and a control - and there is no IaaS-style API-uniformity to ride on. Second, the columns where the answer is "vendor" are not free. Your vendor's incident is now your incident. A breach at Okta, Snowflake, GitHub, Twilio, MOVEit, Cloudflare, Microsoft, or any major SaaS becomes a same-day investigation for every customer. The third-party risk management discipline that used to be a once-a-year questionnaire is now a continuous monitoring problem.

The other shift worth naming: log access is licensed. Microsoft 365 audit logs at the Purview Advanced tier vs the entry-level tier differ by months of retention and depth of fields. Salesforce Event Monitoring requires Shield. Slack Audit Logs require Enterprise Grid. The security team often finds out about these license gates during an incident, which is the worst time to discover them. Inventory the per-app log entitlements during program design, not during an investigation.

What SSPM is (and isn't)

SSPM - SaaS Security Posture Management - is the discipline of continuously assessing the security configuration of SaaS applications through their administrative APIs and emitting findings against a baseline. The model is direct lift-and-shift from CSPM: connect to the SaaS admin API, enumerate the tenant, evaluate against rules, surface drift.

What an SSPM tool reads and evaluates per connected app:

What SSPM is not:

The category overlaps with CSPM/CNAPP at the conceptual level (configuration posture, rule libraries, drift detection, framework mappings) but the underlying APIs are entirely different and the rules cannot be transferred. A CSPM that "also does SaaS" is, in practice, almost always thinner on the SaaS side than a dedicated SSPM - particularly for Salesforce permission-set rationalization, Slack workspace fragmentation, and the per-app deep checks that drive most of the value.

The four pillars of SaaS security

Every SaaS security program reduces to four interlocking pillars. They are not optional, and weakness in any one of them undermines the others.

Identity & access

SSO coverage of every SaaS app (not just the integrated ones - the long tail too), SCIM provisioning so leavers actually lose access, MFA enforced including for break-glass paths, dormant accounts pruned on a cadence, admin roles tiered with Privileged Access Management, OAuth grants reviewed regularly. The bedrock pillar - most SaaS breaches are identity breaches first and configuration breaches second.

Configuration posture

Admin role sprawl audited, public sharing limited and tracked, external collaboration policies enforced, weak password policies eliminated where local auth exists, risky vendor defaults overridden. Concrete examples: M365 anonymous SharePoint link sharing turned off, Salesforce guest-user object permissions audited, Slack workspace-app install restricted to admins, GitHub org default repo visibility set to private. The CSPM-shaped work of SSPM.

Data security

DLP applied to the SaaS that hold sensitive data (CRM, file storage, chat, email, code repos), public files surfaced and reviewed, sensitive data in chat / wiki / CRM identified and labelled, retention policies set per regulatory requirement, e-discovery and legal hold functional. The pillar where compliance and security overlap most directly.

Threat detection

Anomalous login detection (impossible travel, unusual geo, residential-proxy fingerprints), malicious OAuth app installation alerted, mass-download / mass-export events triggered, exfil via API surfaced. Lives in the ITDR / SIEM layer over the SaaS audit logs. The pillar most often discovered missing during an incident.

The pillars compound. Strong identity makes posture drift less catastrophic. Strong posture reduces the blast radius of identity compromise. Strong data controls reduce the consequence of either failing. Strong detection catches everything that the first three missed. Programs that skip one pillar pay for it in the others.

The OAuth app problem

Of all the structural risks unique to SaaS, OAuth app authorization is the one most under-managed by security teams in 2026. The mechanism: a user clicks a "Sign in with Google / Microsoft" button on a third-party app, the SaaS shows a consent screen requesting scopes ("read your email", "manage your repositories", "send email as you"), the user clicks "Allow", and the third-party app gets a refresh token that - depending on the platform - may never expire and may bypass conditional-access policies on subsequent uses.

The properties of that token:

The result is that OAuth consent has functionally replaced credential phishing as the higher-value attack path in many recent campaigns. The attacker does not need the user's password or MFA token - they need the user to click "Allow" on a convincing-looking consent screen. The 2022-2024 wave of OAuth-grant phishing campaigns (Storm-0558 keys, GitHub OAuth-token incidents from CircleCI and Heroku integrations, the Okta cross-tenant attacks, repeated abuse of compromised Mailchimp and HubSpot integrations) is the canonical example. Each demonstrates that a single compromised vendor with broad OAuth scopes can pivot into hundreds of customer tenants simultaneously.

The defensive posture every SaaS security program needs:

The vendors most active in this space - Push Security, Valence Security, Reco, Obsidian, AppOmni, Adaptive Shield, Spin.AI - all centre OAuth-app inventory and risk-scoring as a primary feature, not an afterthought. If you are evaluating SSPM and OAuth is a third-class feature, evaluate something else.

Shadow IT discovery

You cannot secure what you cannot enumerate. Shadow IT discovery in 2026 is a multi-source reconciliation problem; no single signal catches everything, and the best programs fuse four:

The reconciliation produces a single SaaS inventory keyed by app, with a per-app evidence trail of how the app was discovered, how many users use it, what the org spends on it, and whether it has SSO integration. The typical first-pass finding when an org runs this exercise: they have 2-3x more SaaS apps in use than the official catalogue claims, and at least a handful of Tier-0-data apps (typically a file-sync tool, a survey tool, or a marketing-automation tool) are running outside IT's awareness.

Discovery is the easy half. The hard half is what you do with the list: onboarding apps to SSO and SCIM, negotiating enterprise tenancy with vendors that started as employee sign-ups, deciding what to retire, what to consolidate, what to leave alone. That work is operational, not technical, and it is the difference between a SaaS inventory that gets used and one that sits in a dashboard.

SSPM vs CASB

The two categories are confused frequently. The simplest distinction: CASB sits in the data path; SSPM sits outside it. The longer version:

Dimension CASB SSPM
Deployment mode Inline proxy (forward / reverse) and / or API-based API-only (out-of-band)
Primary function Inline DLP, access control, shadow-IT block / coach, threat protection on file uploads Continuous configuration assessment, OAuth inventory, admin role audit, drift detection
Sees Traffic between users and SaaS, file content in flight Tenant configuration, settings, app integrations, user inventory
Misses Internal-to-SaaS reconfiguration drift, admin-only changes User behaviour in session, data flowing in / out
Best for Real-time DLP and access policy enforcement Posture management and configuration governance
Historical roots 2012-era category; matured into part of SSE / SASE 2019-era category; matured into a distinct discipline
Vendors Netskope, Zscaler ZIA, Microsoft Defender for Cloud Apps, Cisco Cloudlock, Skyhigh, Palo Alto Prisma SaaS Adaptive Shield, AppOmni, Obsidian, Wing, Reco, Valence, Grip, Suridata, Spin.AI

The categories overlap on API-mode posture features - most CASBs have an "API mode" that reads tenant configuration, and some SSPMs are starting to add lightweight DLP via the SaaS's native APIs. But the primary value propositions remain distinct. CASB is the inline-control layer; SSPM is the posture-management layer. Mature programs run both, and increasingly they run them from different vendors specifically because the depth of SSPM coverage in a CASB rarely matches a focused SSPM, and vice versa.

One emerging consolidation pattern: SSE platforms with bolted-on SSPM. Netskope, Zscaler, and Microsoft Defender for Cloud Apps each have SSPM-shaped features, and they are getting deeper. The trade-off is the same as any "platform with everything" play - a 70%-good integrated suite versus an 95%-good best-of-breed pair. Pick the trade-off knowingly.

SSPM platform landscape

The category has consolidated significantly in 2024-2025. The major dedicated vendors:

Native and platform-vendor offerings:

How to evaluate

CASB platform landscape

For completeness - the CASB category is mature and largely consolidated into the SSE platforms:

If you are starting from zero in 2026, the practical recommendation is: pick the SSE / SASE that your network team has already chosen, take its CASB module, and add a dedicated SSPM if the diversified-SaaS depth matters. Standalone CASB without an SSE wrapper has largely stopped being a viable category.

SaaS apps to prioritize

Not every SaaS deserves the same investment. A useful tiering applied to most enterprises:

Coverage flows top-down. A program that has not baselined Tier 0 has no business spending time on Tier 3. The Tier 0 systems also share a property: their compromise or their vendor's compromise is a same-day, all-hands event, which is why their per-app deep work - Salesforce permission sets, GitHub branch protection, M365 Conditional Access - pays off disproportionately.

Multiple monitors showing dashboards and security alerts in a SOC
Photo by panumas nikhomkhai on Pexels

Microsoft 365 security

M365 is, for most enterprises, the highest-stakes SaaS tenant in the estate. The control surface is broad; the licensing structure determines which controls you actually have access to. The work breaks down across several products:

Baseline references worth following: the CIS Microsoft 365 Foundations Benchmark and the CISA SCuBA (Secure Cloud Business Applications) baselines. SCuBA in particular ships open-source assessment scripts (ScubaGear) that produce evidence the auditors will accept.

Google Workspace security

Workspace's security model is more uniform than M365's - fewer products, more consolidated under the admin console - but the discipline is similar:

Reference baselines: CIS Google Workspace Foundations Benchmark and the CISA SCuBA Workspace baseline, which ships ScubaGoggles for assessment.

Salesforce security

Salesforce is the SaaS whose security model rewards specialization. The sharing model - org-wide defaults, role hierarchies, sharing rules, manual shares, account teams, opportunity teams, public groups, queues - is sufficiently nuanced that a generalist SSPM check is rarely sufficient. The Tier 0 work:

The Salesforce-focused security community is small but vocal; Salesforce Ben, Trailhead's security trails, and the annual Salesforce TrailblazerDX security tracks are reasonable starting points for the depth this app needs.

GitHub & GitLab security

The source-code system is the SaaS whose compromise is closest to "extinction event" for engineering organizations - your code, your CI / CD secrets, your deployment keys, often a path to your production cloud accounts via OIDC. The non-negotiables:

The same principles apply to GitLab (organization-level SSO, branch protection rules, dependency scanning, secret detection, push rules, audit events) and to Bitbucket. The brand names differ; the discipline is the same.

Slack & Teams security

Chat platforms are the corpus where the most sensitive ad-hoc conversations happen - incident bridges, deal negotiations, salary discussions, customer escalations. Their security controls are often underconfigured relative to the data they hold.

ITDR - Identity Threat Detection & Response

ITDR is the detection-and-response layer over the identity provider and the SaaS audit logs - the SOC-side counterpart to SSPM's preventive posture. Where SSPM tells you the configuration is wrong, ITDR tells you an identity is being abused.

The detections that matter

The data sources

The vendor landscape

The model that works in practice: SSPM for the preventive baseline, ITDR for the live detection, both feeding a SIEM that the Cloud SOC watches with IR playbooks per Tier 0 app.

Compliance for SaaS

SaaS-specific compliance work splits into two halves: what you owe your customers about your SaaS estate, and what you ensure your vendors deliver to you.

See the GRC page for the broader framework landscape and the Compliance Frameworks page for per-framework specifics.

Building a SaaS security program

The work, sequenced:

  1. Discovery. Reconcile SSO + finance + DNS / SSE + email parsing into a single SaaS inventory. Expect to find 2-3x more apps than IT believed it ran.
  2. Inventory enrichment. Per app - owner, data classification, user count, SSO status, SCIM status, MFA status, last access, BAA / SOC 2 status, spend.
  3. Tiering. Apply Tier 0 / 1 / 2 / 3 by data sensitivity and blast radius. Tier 0 gets per-app deep work; lower tiers get baselined.
  4. Baseline. Run an SSPM (or the equivalent native tooling per Tier 0 app) against CIS / SCuBA / framework-aligned baselines. Generate a backlog of findings.
  5. Remediation. Top of backlog: public-share remediation, dormant account removal, MFA enforcement, admin role rationalization, OAuth app review. Some of these are operational, not one-shot.
  6. OAuth app governance. Set admin-consent policies; build the review cadence; document the revocation playbook.
  7. Continuous monitoring. Wire SSPM findings to ticketing and to the security backlog. Drift becomes an alert, not a quarterly discovery.
  8. ITDR detection. Forward Tier 0 audit logs to the SIEM. Build / buy detections for the IdP, M365 / Workspace, Salesforce, GitHub, Slack.
  9. IR playbooks per Tier 0 app. What does "compromised M365 tenant" look like; who do you call; what evidence do you collect; how do you revoke tokens; how do you communicate. See the IR page.
  10. Lifecycle. Onboarding workflow for new SaaS (SSO required, SCIM required, security review required, OAuth scopes reviewed). Offboarding workflow when an app retires (SCIM deprovisioning, tenant data export, account closure).

This is a 12-18-month program for a typical enterprise, and it does not finish - SaaS sprawl is monotonic; the work is permanent. The teams that do it well treat SaaS security like vulnerability management: a continuous program with rotating per-app deep dives, not a project with an end date.

AWS, Azure, and GCP side-by-side

SaaS is, definitionally, not the hyperscalers' core business - but each cloud has identity, CASB, and SaaS-management capabilities that intersect with the SaaS-security discipline. The native overlap:

Capability AWS Azure / Microsoft 365 GCP / Workspace
Identity provider IAM Identity Center (workforce); not a general IdP Entra ID - major enterprise IdP Cloud Identity / Workspace identity
Identity governance IAM Access Analyzer, IAM Identity Center groups Entra ID Governance (Access Reviews, Entitlement Mgmt, PIM) Cloud Identity governance, Access Approval, Access Transparency
CASB / SaaS app control Not a native AWS category Microsoft Defender for Cloud Apps Workspace alert center + BeyondCorp Enterprise + Chronicle
Conditional access IAM Identity Center session policies (limited) Entra Conditional Access (most mature) Context-Aware Access
ITDR-shaped detections GuardDuty for cloud; identity coverage via partners Defender for Identity, Defender XDR identity content Chronicle SecOps identity rules; Workspace alert center
Native SSPM None - partner ecosystem Defender for Cloud Apps SSPM features (M365 + selected SaaS) Limited - partner ecosystem
SaaS audit log destination Push to S3 / EventBridge / Security Lake Sentinel, Log Analytics, Defender XDR Chronicle SecOps, BigQuery

The pattern: Microsoft is by far the deepest of the three on SaaS security as a native discipline, because M365 itself is a major SaaS estate and Defender for Cloud Apps is a real CASB / SSPM hybrid. AWS is the thinnest - there is no AWS-native CASB. GCP sits between, with Workspace controls and BeyondCorp filling much of the gap. For most enterprises, native tooling is a starting point and a dedicated SSPM + CASB combination provides the depth.

Maturity stages

A useful staging model for a SaaS security program:

Stage 1 - Aware

SaaS inventory partial and SSO-driven only. Shadow IT is acknowledged but not measured. Tier 0 apps have MFA; lower tiers are inconsistent. No SSPM; native posture dashboards (Secure Score, Workspace Security Center, Salesforce Health Check) checked occasionally. OAuth apps are not inventoried. IR for a SaaS incident would be improvised.

Stage 2 - Baselined

Full SaaS inventory with finance + SSO + DNS reconciliation. SSPM deployed against Tier 0 apps; CIS / SCuBA baselines established. OAuth app inventory exists and is reviewed quarterly. SSO + SCIM enforced for Tier 0 and most Tier 1 apps. M365 / Workspace audit logs forwarded to SIEM. Dormant-account remediation runs on a cadence.

Stage 3 - Continuous

SSPM drift alerts feed the security backlog. ITDR detections live for IdP + Tier 0 apps. OAuth app governance is policy: admin-consent required, scopes reviewed at install. Per-Tier-0-app IR playbooks tested. CASB inline for major SaaS; DLP catches sensitive-data exposures. SaaS onboarding workflow gate at procurement.

Stage 4 - Strategic

SaaS security is a product-roadmap input - data-residency requirements drive vendor selection, customer-required certifications shape the build vs buy on net-new SaaS. Quarterly purple-team exercises against M365, Workspace, Salesforce, and GitHub. SaaS-supply-chain risk monitoring continuous. The SaaS security team is its own function with engineering and operations sub-roles.

Most enterprises in 2026 are Stage 1 with pockets of Stage 2. Stage 3 is the realistic target for a mature security program with a year or two of dedicated SaaS-security investment.

Common pitfalls

Further reading

Frameworks & baselines

Vendor documentation

Industry research

Related CSOH pages

FAQ

What is SSPM and how is it different from CSPM?

SSPM (SaaS Security Posture Management) is the configuration-posture management discipline applied to SaaS applications - M365, Workspace, Salesforce, Slack, GitHub, and so on - read through their admin APIs. CSPM does the same job for IaaS / PaaS - AWS, Azure, GCP. The concept is identical: connect, enumerate, evaluate, alert on drift. The APIs and the rule sets are entirely different, and a CSPM that "also does SaaS" is almost always thinner than a focused SSPM, particularly on Salesforce and the long-tail SaaS depth.

Do I need SSPM if I already have a CASB?

Most mature programs run both. CASB is inline (DLP, access control, traffic-side enforcement); SSPM is out-of-band (configuration posture, OAuth inventory, admin-role audit). They overlap at the edges - most CASBs have an API mode that does some SSPM-ish checks - but the depth on individual SaaS apps in a focused SSPM almost always exceeds the depth in a CASB's API mode. The decision tree: if you only have budget for one, pick CASB first if the dominant risk is data exfil via uploads / downloads, pick SSPM first if the dominant risk is misconfiguration and OAuth sprawl.

How urgent is the OAuth app problem really?

Very. Recent campaigns - Storm-0558, Midnight Blizzard's M365 OAuth abuse, the GitHub OAuth incidents from compromised CircleCI and Heroku integrations, the Okta cross-tenant takeovers - all centred on OAuth-grant abuse, not credential phishing. OAuth tokens bypass MFA, often do not expire, survive password resets, and are typically invisible to the user. Every SaaS security program in 2026 needs an OAuth app inventory, an admin-consent policy, a revocation playbook, and detection rules for new grants with sensitive scopes. If the program does not have these, OAuth is the most likely future incident.

Is Microsoft Defender for Cloud Apps enough on its own?

For Microsoft-first shops whose non-MS SaaS estate is limited, frequently yes. For diversified estates with Salesforce, Slack, GitHub, Workday, ServiceNow, Snowflake, and others as core systems, Defender for Cloud Apps is best paired with a dedicated SSPM that goes deeper on those apps. The depth difference shows up in Salesforce permission-set rationalization, Slack workspace fragmentation, and GitHub org configuration - all places where a focused SSPM has hundreds of checks and Defender has dozens.

How do I get started if I have nothing in place?

Start with discovery and OAuth. Run a discovery exercise that reconciles SSO + finance + DNS / SSE + email parsing into a single SaaS inventory. In parallel, pull the OAuth app list for M365 and Workspace (you can do this in the admin console without buying anything) and review the high-impact grants. Together those two exercises produce immediate findings and immediate value. From there, buy an SSPM if the budget exists; if not, start with the CISA SCuBA baselines for M365 and Workspace and the CIS Benchmarks for the rest of the Tier 0 apps.

How does this relate to the *PM family - CSPM, KSPM, DSPM?

They are all configuration-posture management disciplines applied to different surfaces. CSPM handles cloud infrastructure (AWS / Azure / GCP). KSPM handles Kubernetes. SSPM handles SaaS. DSPM (Data Security Posture Management) handles data wherever it is. The *PM acronym proliferation reflects the same insight applied to different domains: configuration drift is the dominant attack surface in modern cloud systems, and continuous-assessment-against-baseline is the dominant control. The unified tooling story (CNAPP for IaaS + workloads; emerging unified SSPM + DSPM platforms; SSE + SSPM bundles) is the industry's attempt to collapse them back together.

Where does AI-app sprawl (ChatGPT, Copilot, Claude in the enterprise) fit?

It is the newest and fastest-growing slice of the SaaS-security problem. Every enterprise is now discovering AI tools in its environment - sanctioned and unsanctioned - and each one is a SaaS with identity, data, and OAuth implications. The discovery sources are the same (SSO, finance, DNS, email). The configuration questions are slightly different (does the tool train on your data, what's the retention, what's the data-residency posture, what tenant isolation does it provide). Several SSPM vendors - Reco and Push Security in particular - have made AI-app visibility a primary feature. See also the AI/ML Security page.

Where next