TL;DR: Zluri's overview of seven SaaS security best practices, illustrated with the Microsoft Midnight Blizzard OAuth compromise, shows how provider risk review, inventory, zero trust, VPN restrictions, access reviews, incident response, and automation fit together as a practical control stack. The underlying lesson is that SaaS sprawl and delegated access still outrun manual governance.
NHIMG editorial — based on content published by Zluri: 7 SaaS Security Best Practices You Must Follow
By the numbers:
- 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface.
- 79% of organisations have experienced secrets leaks, with 77% of these incidents resulting in tangible damage.
Questions worth separating out
Q: How should security teams govern OAuth-connected SaaS apps that retain broad access?
A: Treat every OAuth-connected app as a governed identity with a clear owner, approved scopes, and an expiry or review point.
Q: Why do SaaS access reviews often miss the most dangerous permissions?
A: Because access can drift between review cycles.
Q: What breaks when third-party SaaS visibility is incomplete?
A: Least privilege breaks first, because teams cannot limit what they cannot see.
Practitioner guidance
- Build a live SaaS and OAuth inventory: track each app's owner, approval source, granted scopes, and last validation date in one governed register so stale delegated access can be removed before it becomes a blind spot.
- Review privileged SaaS integrations on change events: trigger a review when an app owner changes, when OAuth scopes expand, when a vendor relationship changes, or when a service account is repurposed, rather than waiting for a scheduled certification cycle.
- Constrain SaaS access with conditional trust checks: combine MFA, device trust, and network controls with app-level scope limits so a verified user still cannot inherit more access than the business role requires.
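The register and change-event triggers described in the first two points above, as an added example that is not part of the NHIMG post or Zluri's product: a small Python snapshot diff that flags which OAuth-connected apps need an out-of-cycle review. The app names, owners, ticket references, scope strings, dates and the 90-day staleness threshold are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date

MAX_VALIDATION_AGE_DAYS = 90  # assumed policy value, not from the page

@dataclass(frozen=True)
class AppRecord:  # one row of the governed register for an OAuth-connected app or service account
    owner: str
    approval_source: str   # ticket or admin-consent record that approved the grant
    vendor: str
    scopes: frozenset      # OAuth scopes currently granted
    purpose: str           # what the app or service account is used for
    last_validated: date   # when a human last confirmed the grant is still needed

def review_triggers(prev, cur, today):
    """Reasons one app needs an out-of-cycle review: the change events listed above plus staleness."""
    reasons = []
    if cur.owner != prev.owner:
        reasons.append("owner changed")
    if cur.scopes - prev.scopes:
        reasons.append("scopes expanded: " + ", ".join(sorted(cur.scopes - prev.scopes)))
    if cur.vendor != prev.vendor:
        reasons.append("vendor relationship changed")
    if cur.purpose != prev.purpose:
        reasons.append("service account repurposed")
    if (today - cur.last_validated).days > MAX_VALIDATION_AGE_DAYS:
        reasons.append("last validation stale")
    return reasons

def diff_register(previous, current, today):
    """Compare two register snapshots keyed by app name; return {app: [reasons to review]}."""
    flagged = {}
    for app, cur in current.items():
        prev = previous.get(app)
        reasons = ["new app, never reviewed"] if prev is None else review_triggers(prev, cur, today)
        if reasons:
            flagged[app] = reasons
    for app in previous.keys() - current.keys():  # disappeared grants still need cleanup
        flagged[app] = ["app gone from tenant; revoke tokens and close the register entry"]
    return flagged

# Constructed sample snapshots: hypothetical apps, owners, tickets, scopes and dates.
TODAY = date(2024, 3, 15)
PREV = {"cal-sync": AppRecord("alice", "TICKET-1", "VendorA", frozenset({"Calendars.Read"}), "calendar sync", date(2024, 1, 10)),
        "mail-bot": AppRecord("bob", "TICKET-2", "VendorB", frozenset({"Mail.Read"}), "support triage", date(2024, 3, 1))}
CURR = {"cal-sync": AppRecord("alice", "TICKET-1", "VendorA", frozenset({"Calendars.Read", "Mail.ReadWrite"}), "calendar sync", date(2024, 1, 10)),
        "mail-bot": PREV["mail-bot"],
        "new-crm": AppRecord("carol", "no ticket found", "VendorC", frozenset({"User.Read"}), "crm export", date(2024, 3, 5))}
if __name__ == "__main__": print(diff_register(PREV, CURR, TODAY))
```

Feeding each new export of the tenant's app registrations as `current` against the last stored snapshot turns the scheduled certification into a continuous check, and the returned reasons double as the audit trail for why a review was opened.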
What's in the full article
Zluri's full article covers the operational detail this post intentionally leaves for the source:
- A step-by-step breakdown of how each of the seven SaaS security practices maps to day-to-day administration.
- Concrete examples of how Zluri's SaaS management, access management, and access review features are positioned together.
- The article's own incident-response checklist for SaaS breaches, including backup and recovery actions.
- Practical guidance on when to use vendor assessment, VPN restrictions, or access review in a SaaS programme.
Read Zluri's seven SaaS security best practices and the Microsoft OAuth case in the full article.