SaaS security and identity governance: where teams are still exposed


(@nhi-mgmt-group)

TL;DR: SaaS environments create identity and access blind spots through orphaned subscriptions, weak transparency, and uneven control over third-party access, according to Zluri's analysis. The security model fails when teams treat SaaS as vendor-managed infrastructure instead of a governed identity surface that needs continuous oversight.

NHIMG editorial — based on content published by Zluri: Miscellaneous Let’s talk about SaaS security and why you must be proactive

By the numbers:

Questions worth separating out

Q: How should security teams govern SaaS access across many business applications?

A: Security teams should govern SaaS access as a single identity surface rather than as separate app settings.

Q: Why do orphaned SaaS subscriptions create security risk?

A: Orphaned subscriptions create risk because they leave live access paths in place after the organisation has stopped using them.

Q: What do teams usually get wrong about third-party SaaS access?

A: Teams often focus on the app and ignore the identities behind the connection.

Practitioner guidance

  • Inventory every SaaS application and owner: Create and maintain a complete app register that includes business owner, technical owner, data type, authentication method, and offboarding path.
  • Map third-party access paths to concrete identities: Document every vendor integration, delegated permission, API token, and service account that can reach SaaS data.
  • Enforce continuous access review across the SaaS stack: Do not rely on periodic spreadsheets or one-time approval records.

What's in the full article

Zluri's full blog post covers the operational detail this post intentionally leaves for the source:

  • The article's full SaaS security checklist for evaluating provider controls before procurement
  • The specific examples of common SaaS threats, including credential-sharing, phishing, and weak password behaviours
  • The survey comparison between biometric authentication effectiveness and actual adoption rates
  • The vendor's suggested framing for internal teams managing data visibility, entry points, and cross-application security

👉 Read Zluri's analysis of proactive SaaS security and identity control →
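
The three practitioner guidance items above can be combined into one recurring check over the app register and the identities that reach each app. The Python below is an added example, not code from Zluri or NHIMG; the record layout, the `status` field and the 90-day idle threshold are assumptions, and the sample data is constructed.

```python
from datetime import date

# Fields the guidance says every app-register entry should carry.
REQUIRED = ("business_owner", "technical_owner", "data_type",
            "auth_method", "offboarding_path")

def review(register, identities, today, stale_days=90):
    """One review pass; returns sorted (app, finding) pairs. stale_days is an assumed threshold."""
    findings = set()
    apps = {entry["app"]: entry for entry in register}
    for name, entry in apps.items():
        for field in REQUIRED:
            if not entry.get(field):
                findings.add((name, f"register entry missing {field}"))
    for ident in identities:
        label = f'{ident["kind"]} {ident["name"]}'
        app = apps.get(ident["app"])
        if app is None:  # access path into an app nobody registered
            findings.add((ident["app"], f"{label} reaches an unregistered app"))
            continue
        if not ident.get("owner"):
            findings.add((app["app"], f"{label} has no accountable owner"))
        if app["status"] == "retired" and ident["active"]:
            findings.add((app["app"], f"{label} still active on a retired subscription"))
        idle = (today - ident["last_used"]).days
        if ident["active"] and idle > stale_days:
            findings.add((app["app"], f"{label} unused for {idle} days"))
    return sorted(findings)

# Constructed sample data: app, team and identity names are invented.
REGISTER = [
    {"app": "crm", "status": "active", "business_owner": "sales-ops", "technical_owner": "it-apps",
     "data_type": "customer PII", "auth_method": "SSO", "offboarding_path": "runbook CRM-OFF"},
    {"app": "survey-tool", "status": "retired", "business_owner": "marketing", "technical_owner": "",
     "data_type": "contact lists", "auth_method": "password", "offboarding_path": ""},
]
IDENTITIES = [
    {"app": "crm", "kind": "api_token", "name": "etl-sync", "owner": "data-eng",
     "active": True, "last_used": date(2024, 5, 28)},
    {"app": "survey-tool", "kind": "service_account", "name": "export-bot", "owner": "",
     "active": True, "last_used": date(2023, 11, 2)},
    {"app": "file-share", "kind": "delegated_permission", "name": "vendor-x-oauth", "owner": "legal",
     "active": True, "last_used": date(2024, 5, 30)},
]
TODAY = date(2024, 6, 1)

if __name__ == "__main__":
    for app, finding in review(REGISTER, IDENTITIES, TODAY):
        print(f"{app}: {finding}")
```

Running the same pass on a schedule, against exports from the identity provider and each SaaS admin console, is what turns the register into continuous review instead of a one-time record.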
