5 min read | May 1, 2025

SaaS Security: Why The Time to Act is Now

By now, many of you have likely read the recent letter from J.P. Morgan’s CISO, Patrick Opet. His message is clear and urgent: SaaS security is a challenge that must be addressed immediately - not next week, not next quarter. In his letter, Opet highlights several critical concerns, including the shared responsibility between SaaS vendors and organizations, the rise of OAuth-based integrations, and the broader implications of how SaaS models are reshaping security boundaries.

While Opet’s perspective is spot-on, there’s an essential point that needs to be emphasized: SaaS vendors alone cannot solve this problem. Organizations need to own their SaaS security strategy - leveraging the right tools, processes, and partners to protect their data and users.

SaaS applications are fundamentally designed to maximize collaboration and productivity - not enforce security. That’s not a flaw, it’s a business reality. Vendors focus on usability because that’s what drives adoption and revenue. This is why the SaaS security ecosystem exists - just as cloud security tools emerged to secure IaaS platforms.

This blog unpacks key insights from Patrick Opet’s letter and offers guidance on how security teams should approach SaaS security in 2025 - especially as threats evolve and traditional security perimeters become increasingly irrelevant.

Legacy Security Models Are No Longer Enough

As Opet states:

"Most critically, SaaS models are fundamentally reshaping how companies integrate services and data - a subtle yet profound shift eroding decades of carefully architected security boundaries. In the traditional model, security practices enforced strict segmentation between a firm’s trusted internal resources and untrusted external interactions using protocol termination, tiered access, and logical isolation."

Traditionally, segmentation between trusted internal networks and untrusted external parties was enforced through strict controls like protocol termination, tiered access, and logical isolation. But that segmentation breaks down in the SaaS world.

Example: Google Workspace. Sharing with external collaborators is essential for growth, but so is limiting risky behavior - like an offboarding employee sharing sensitive files to a personal email. Google can’t solve this on its own - it lacks access to contextual data from HRIS and IdP systems, such as Okta, that would identify these high-risk scenarios.

To properly manage this risk, you need a solution that combines user identity, file content, sharing permissions, and behavioral signals to detect and remediate threats in real time - while also engaging users through the tools they already use (e.g., Slack, Google Chat, Microsoft Teams).
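The kind of correlation described above, as an added illustration that is not DoControl's code or any product's logic: constructed Drive share events are scored against hypothetical HRIS status, a personal-mailbox domain list, the file's sensitivity label and the permission granted, and only compound risk (offboarding user plus confidential file plus personal recipient) crosses the remediation threshold. Weights, domains, users and files are all assumptions.

```python
from datetime import date

# Constructed sample data (hypothetical, not from the post).
PERSONAL_DOMAINS = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}

HRIS = {  # employee -> (status, termination date or None), as an HRIS would expose it
    "alice@corp.example": ("active", None),
    "bob@corp.example": ("offboarding", date(2025, 5, 9)),
}

SHARES = [  # constructed Google Drive sharing events
    {"actor": "alice@corp.example", "file": "Q2-board-deck.pdf", "label": "confidential",
     "recipient": "partner@vendor.example", "role": "reader"},
    {"actor": "bob@corp.example", "file": "customer-list.csv", "label": "confidential",
     "recipient": "bob.personal@gmail.com", "role": "writer"},
    {"actor": "bob@corp.example", "file": "lunch-menu.docx", "label": "public",
     "recipient": "friend@gmail.com", "role": "reader"},
]

def score_share(ev, today=date(2025, 5, 1)):
    """Combine identity (HRIS), content (label), permission and recipient signals."""
    reasons, score = [], 0
    domain = ev["recipient"].rsplit("@", 1)[-1].lower()
    if domain in PERSONAL_DOMAINS:
        score += 2; reasons.append("recipient is a personal mailbox")
    status, term = HRIS.get(ev["actor"], ("unknown", None))
    if status == "offboarding" and term and (term - today).days <= 14:
        score += 3; reasons.append("actor is offboarding within 14 days")
    if ev["label"] == "confidential":
        score += 3; reasons.append("file labelled confidential")
    if ev["role"] == "writer":
        score += 1; reasons.append("recipient can edit")
    return score, reasons

def triage(events, threshold=6):
    """Return findings at or above the threshold with the remediation to take."""
    findings = []
    for ev in events:
        score, reasons = score_share(ev)
        if score >= threshold:
            findings.append({"file": ev["file"], "actor": ev["actor"], "score": score,
                             "reasons": reasons,
                             "action": "revoke external share; message actor in Slack"})
    return findings
```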

OAuth Applications: The Hidden Risk Lurking in Plain Sight

Opet also highlights a growing risk:

"Modern integration patterns, however, dismantle these essential boundaries, relying heavily on modern identity protocols (e.g., OAuth) to create direct, often unchecked interactions between third-party services and firms’ sensitive internal resources. As a generic example, an AI-driven calendar optimization service integrating directly into corporate email systems through "read only roles" and "authentication tokens" can no doubt boost productivity when functioning correctly. Yet, if compromised, this direct integration grants attackers unprecedented access to confidential data and critical internal communications"

OAuth has revolutionized SaaS integration, enabling productivity-boosting tools like calendar schedulers or AI-based assistants. But it also created a massive attack surface. A compromised app with ‘write’ access to your environment can lead to data exfiltration, malware injection, or full account takeover. We've seen this play out recently with major breaches, like the one affecting Disney.

And again - SaaS vendors aren’t positioned to fully address this. For example, while Google can show you which apps are connected to Gmail, it doesn’t tell you:

  • Who installed the app
  • What permissions it has
  • How frequently it’s used
  • Whether it's spreading across other apps (e.g., Slack, Salesforce)
  • Or whether it can be remediated automatically

To manage OAuth risk effectively, organizations need a centralized solution that provides full context, actionable insights, and automation capabilities - all in a single, integrated view.
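An added example, not DoControl's code or a vendor API, of the context the bullet list above asks for: a constructed OAuth grant inventory spanning Google and Slack is grouped per app to show who installed it, whether any scope grants write access, how recently it was used and whether it has spread across platforms, and each app gets a remediation decision. The scope heuristic, app names, users and dates are assumptions.

```python
from datetime import date

# Constructed OAuth grant inventory (hypothetical apps and users, not from the post).
GRANTS = [
    {"app": "CalendarOptimizer AI", "platform": "google", "installer": "dana@corp.example",
     "scopes": ["https://www.googleapis.com/auth/gmail.readonly",
                "https://www.googleapis.com/auth/calendar"], "last_used": date(2025, 4, 29)},
    {"app": "CalendarOptimizer AI", "platform": "slack", "installer": "dana@corp.example",
     "scopes": ["channels:history", "chat:write"], "last_used": date(2025, 4, 30)},
    {"app": "OldSurveyTool", "platform": "google", "installer": "eli@corp.example",
     "scopes": ["https://www.googleapis.com/auth/drive"], "last_used": date(2024, 11, 2)},
]

# Assumed heuristic: a scope is read-only if it carries one of these markers.
READ_ONLY_MARKERS = (".readonly", ":read", ":history", "metadata")

def is_write_scope(scope):
    return not any(m in scope.lower() for m in READ_ONLY_MARKERS)

def assess(grants, today=date(2025, 5, 1), stale_days=90):
    """Group grants per app and decide on a remediation for each."""
    apps = {}
    for g in grants:
        a = apps.setdefault(g["app"], {"installers": set(), "platforms": set(),
                                       "write_scopes": [], "last_used": None})
        a["installers"].add(g["installer"])
        a["platforms"].add(g["platform"])
        a["write_scopes"] += [s for s in g["scopes"] if is_write_scope(s)]
        if a["last_used"] is None or g["last_used"] > a["last_used"]:
            a["last_used"] = g["last_used"]
    for a in apps.values():
        a["stale"] = (today - a["last_used"]).days > stale_days
        a["spread"] = len(a["platforms"]) > 1  # same app installed in more than one SaaS
        if a["write_scopes"] and a["stale"]:
            a["action"] = "auto-revoke"        # unused write access: remove without asking
        elif a["write_scopes"] and a["spread"]:
            a["action"] = "review"             # write access across apps: human review
        elif a["write_scopes"]:
            a["action"] = "notify installer"
        else:
            a["action"] = "allow"
    return apps
```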


SaaS Vendors Won’t Solve This for You

SaaS providers will always prioritize features that enhance user experience and revenue. Security is important - but it’s not their core business. And even if they do invest in it, they lack the cross-application visibility, contextual intelligence, and automation that dedicated SaaS security platforms provide.

DoControl: Enabling Secure SaaS Usage at Scale

At DoControl, our mission is to empower organizations to use SaaS freely - without compromising on security. We provide a unified platform that enables you to control every layer of your SaaS environment:

Start Small, Act Fast

Securing your SaaS ecosystem may seem like a major lift - but you don’t have to boil the ocean. Start with a free SaaS Risk Assessment to identify the biggest gaps in your environment. From there, we’ll help you create a tailored strategy to reduce exposure and proactively defend against SaaS-specific threats.

It only takes a few minutes to get started - but the impact can protect your organization for years to come.


Matt leads DoControl's revenue functions, overseeing Marketing, Sales, and Partnerships. His role is highly cross-functional, and he takes pride in ensuring that GTM teams have the infrastructure needed to effectively serve customers, prospects, and partners. A product expert at his core, Matt focuses on guiding his team to create a go-to-market strategy that aligns with market needs.

His strengths lie in building and executing GTM plans that drive revenue growth while, most importantly, addressing critical security challenges for DoControl's customers.
