
By now, many of you have likely read the recent letter from J.P. Morgan’s CISO, Patrick Opet. His message is clear and urgent: SaaS security is a challenge that must be addressed immediately - not next week, not next quarter. In his letter, Opet highlights several critical concerns, including the shared responsibility between SaaS vendors and organizations, the rise of OAuth-based integrations, and the broader implications of how SaaS models are reshaping security boundaries.
While Opet’s perspective is spot-on, there’s an essential point that needs to be emphasized: SaaS vendors alone cannot solve this problem. Organizations need to own their SaaS security strategy - leveraging the right tools, processes, and partners to protect their data and users.
SaaS applications are fundamentally designed to maximize collaboration and productivity - not enforce security. That’s not a flaw, it’s a business reality. Vendors focus on usability because that’s what drives adoption and revenue. This is why the SaaS security ecosystem exists - just as cloud security tools emerged to secure IaaS platforms.
This blog unpacks key insights from Patrick Opet’s letter and offers guidance on how security teams should approach SaaS security in 2025 - especially as threats evolve and traditional security perimeters become increasingly irrelevant.
Legacy Security Models Are No Longer Enough
As Opet states:
"Most critically, SaaS models are fundamentally reshaping how companies integrate services and data - a subtle yet profound shift eroding decades of carefully architected security boundaries. In the traditional model, security practices enforced strict segmentation between a firm’s trusted internal resources and untrusted external interactions using protocol termination, tiered access, and logical isolation."
Traditionally, segmentation between trusted internal networks and untrusted external parties was enforced through strict controls like protocol termination, tiered access, and logical isolation. But that segmentation breaks down in the SaaS world.
Take Google Workspace as an example. Sharing with external collaborators is essential for growth, but so is limiting risky behavior - like an offboarding employee sharing sensitive files to a personal email address. Google can’t solve this on its own - it lacks access to the contextual data held in HRIS and IdP systems, such as Okta, that would identify these high-risk scenarios.
To properly manage this risk, you need a solution that combines user identity, file content, sharing permissions, and behavioral signals to detect and remediate threats in real time - while also engaging users through the tools they already use (e.g., Slack, Google Chat, Microsoft Teams).
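The correlation described above, as an added example that is not DoControl's or Google's code: a small detector that scores each sharing event using the sharer's HRIS offboarding status, IdP lifecycle state, the file's sensitivity label, the recipient's domain and the permission granted, then picks a remediation. Every record, field name, domain and threshold below is constructed for the illustration and does not reflect a real Google Workspace, Okta or HRIS API schema.

```python
"""Flag risky external sharing by correlating SaaS audit events with
HRIS and IdP context. Added illustration, not DoControl's or Google's code:
every record, field name and threshold below is constructed for the example."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta

CORP_DOMAIN = "example.com"                                   # assumed corporate domain
PERSONAL_DOMAINS = {"gmail.com", "outlook.com", "yahoo.com"}  # consumer mail providers
OFFBOARDING_WINDOW = timedelta(days=14)   # events this close to the last day count as offboarding
ALERT_THRESHOLD = 4

# Constructed HRIS feed: scheduled last working day (None = no termination on record).
HRIS_LAST_DAY = {
    "alice@example.com": datetime(2025, 5, 30),
    "bob@example.com": None,
}

# Constructed IdP (Okta-style) lifecycle status.
IDP_STATUS = {
    "alice@example.com": "ACTIVE",
    "bob@example.com": "ACTIVE",
}

# Constructed Google Drive sharing audit events.
SHARE_EVENTS = [
    {"ts": "2025-05-20T09:12:00", "actor": "alice@example.com", "file": "Q2 Board Deck.pptx",
     "label": "confidential", "target": "alice.smith@gmail.com", "role": "writer"},
    {"ts": "2025-05-21T14:03:00", "actor": "bob@example.com", "file": "Lunch menu.docx",
     "label": "public", "target": "partner@vendor.io", "role": "reader"},
    {"ts": "2025-05-22T11:30:00", "actor": "alice@example.com", "file": "Roadmap.docx",
     "label": "internal", "target": "carol@example.com", "role": "reader"},
]


@dataclass
class Alert:
    actor: str
    file: str
    target: str
    score: int
    reasons: list = field(default_factory=list)


def domain_of(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower()


def is_offboarding(actor: str, when: datetime) -> bool:
    """True when the event falls inside the window before the actor's last day."""
    last_day = HRIS_LAST_DAY.get(actor)
    return last_day is not None and timedelta(0) <= last_day - when <= OFFBOARDING_WINDOW


def score_event(event: dict) -> Alert:
    """Combine identity, content label, sharing permission and HRIS/IdP signals."""
    when = datetime.fromisoformat(event["ts"])
    reasons, score = [], 0
    target_domain = domain_of(event["target"])
    if target_domain != CORP_DOMAIN:
        reasons.append("external recipient")
        score += 1
    if target_domain in PERSONAL_DOMAINS:
        reasons.append("personal mailbox")
        score += 2
    if is_offboarding(event["actor"], when):
        reasons.append("actor is offboarding (HRIS)")
        score += 3
    if IDP_STATUS.get(event["actor"], "UNKNOWN") != "ACTIVE":
        reasons.append("actor not active in IdP")
        score += 3
    if event["label"] == "confidential":
        reasons.append("confidential content")
        score += 2
    if event["role"] == "writer":
        reasons.append("write permission granted")
        score += 1
    return Alert(event["actor"], event["file"], event["target"], score, reasons)


def detect(events) -> list:
    """Return only events that cross the alert threshold, highest score first."""
    alerts = [score_event(e) for e in events]
    return sorted((a for a in alerts if a.score >= ALERT_THRESHOLD), key=lambda a: -a.score)


def remediation(alert: Alert) -> str:
    """Revoke shares to personal mailboxes outright; otherwise ask the owner in chat."""
    if "personal mailbox" in alert.reasons:
        return f"revoke share of '{alert.file}' with {alert.target}; notify {alert.actor}'s manager"
    return f"ask {alert.actor} via chat to confirm sharing '{alert.file}' with {alert.target}"


if __name__ == "__main__":
    for alert in detect(SHARE_EVENTS):
        print(alert.score, alert.actor, alert.file, alert.reasons)
        print("  ->", remediation(alert))
```

On the constructed data only the board deck shared to a personal mailbox during Alice's offboarding window crosses the threshold; Bob's public share to a vendor and Alice's internal share stay below it. The point is that no single signal (external domain, HRIS date, label) is conclusive on its own, which is why the scoring pulls from several systems.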
OAuth Applications: The Hidden Risk Lurking in Plain Sight
Opet also highlights a growing risk:
"Modern integration patterns, however, dismantle these essential boundaries, relying heavily on modern identity protocols (e.g., OAuth) to create direct, often unchecked interactions between third-party services and firms’ sensitive internal resources. As a generic example, an AI-driven calendar optimization service integrating directly into corporate email systems through "read only roles" and "authentication tokens" can no doubt boost productivity when functioning correctly. Yet, if compromised, this direct integration grants attackers unprecedented access to confidential data and critical internal communications."
OAuth has revolutionized SaaS integration, enabling productivity-boosting tools like calendar schedulers or AI-based assistants. But it also created a massive attack surface. A compromised app with ‘write’ access to your environment can lead to data exfiltration, malware injection, or full account takeover. We've seen this play out recently with major breaches, like the one affecting Disney.
And again - SaaS vendors aren’t positioned to fully address this. For example, while Google can show you which apps are connected to Gmail, it doesn’t tell you:
- Who installed the app
- What permissions it has
- How frequently it’s used
- Whether it's spreading across other apps (e.g., Slack, Salesforce)
- Whether it can be remediated automatically
To manage OAuth risk effectively, organizations need a centralized solution that provides full context, actionable insights, and automation capabilities - all in a single, integrated view.
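The cross-application view described in this section, as an added example that is not DoControl's, Google's or Slack's code: it normalises OAuth grant records from two platforms into one inventory per app (who installed it, where it has spread, which scopes can write), then applies a simple policy that a security team could automate. The grant records, field names, reference date and policy thresholds are constructed for the illustration; the scope strings are real Google and Slack scope names used only as sample data.

```python
"""Cross-application OAuth grant inventory with a simple risk policy.
Added illustration, not DoControl's, Google's or Slack's code: the grant
records and audit-log field names are constructed assumptions."""
from collections import defaultdict
from datetime import date

STALE_AFTER_DAYS = 90
REFERENCE_DATE = date(2025, 6, 1)     # "today" for the constructed data
# Conservative classification: a scope is read-only only if its name says so;
# anything else is treated as write-capable.
READ_ONLY_MARKERS = ("readonly", ":read", ".read")

# Constructed grant records normalised from per-platform token audit logs.
GRANTS = [
    {"platform": "google", "app": "CalOptimizer AI", "user": "alice@example.com",
     "scopes": ["https://www.googleapis.com/auth/calendar.readonly",
                "https://www.googleapis.com/auth/gmail.modify"], "last_used": "2025-05-20"},
    {"platform": "slack", "app": "CalOptimizer AI", "user": "alice@example.com",
     "scopes": ["chat:write", "files:read"], "last_used": "2025-05-18"},
    {"platform": "google", "app": "CalOptimizer AI", "user": "bob@example.com",
     "scopes": ["https://www.googleapis.com/auth/calendar.readonly"], "last_used": "2025-05-01"},
    {"platform": "google", "app": "PDF Viewer", "user": "carol@example.com",
     "scopes": ["https://www.googleapis.com/auth/drive.readonly"], "last_used": "2024-11-02"},
    {"platform": "google", "app": "Notes Sync", "user": "dave@example.com",
     "scopes": ["https://www.googleapis.com/auth/drive"], "last_used": "2025-05-25"},
]


def is_read_only(scope: str) -> bool:
    return any(marker in scope for marker in READ_ONLY_MARKERS)


def build_inventory(grants) -> dict:
    """Aggregate grants per app: who installed it, where it lives, what it can write."""
    inv = defaultdict(lambda: {"installers": set(), "platforms": set(),
                               "write_scopes": set(), "last_used": None, "grants": 0})
    for g in grants:
        app = inv[g["app"]]
        app["installers"].add(g["user"])
        app["platforms"].add(g["platform"])
        app["write_scopes"].update(s for s in g["scopes"] if not is_read_only(s))
        used = date.fromisoformat(g["last_used"])
        app["last_used"] = used if app["last_used"] is None else max(app["last_used"], used)
        app["grants"] += 1
    return dict(inv)


def decide(app_summary: dict, today: date = REFERENCE_DATE) -> str:
    """Map an app's aggregated context to an action the team can automate."""
    idle_days = (today - app_summary["last_used"]).days
    if idle_days > STALE_AFTER_DAYS:
        return "revoke-stale"            # unused grants are pure exposure
    if app_summary["write_scopes"] and len(app_summary["platforms"]) > 1:
        return "revoke-and-review"       # write access spreading across apps
    if app_summary["write_scopes"]:
        return "review"
    return "allow"


def policy_report(grants, today: date = REFERENCE_DATE) -> dict:
    """App name -> policy decision, computed from the cross-platform inventory."""
    return {name: decide(summary, today) for name, summary in build_inventory(grants).items()}


if __name__ == "__main__":
    for name, summary in build_inventory(GRANTS).items():
        print(f"{name}: installers={sorted(summary['installers'])} "
              f"platforms={sorted(summary['platforms'])} "
              f"write={sorted(summary['write_scopes'])} -> {decide(summary)}")
```

Looking at any single platform's app list would show "CalOptimizer AI" as a calendar helper with one write scope; only the merged inventory shows it was granted write access in both Google and Slack by the same user, which is what drives the stricter decision. The read-only classification is deliberately pessimistic: a scope name the policy does not recognise as read-only is treated as write-capable rather than silently allowed.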
SaaS Vendors Won’t Solve This for You
SaaS providers will always prioritize features that enhance user experience and revenue. Security is important - but it’s not their core business. And even if they do invest in it, they lack the cross-application visibility, contextual intelligence, and automation that dedicated SaaS security platforms provide.
DoControl: Enabling Secure SaaS Usage at Scale
At DoControl, our mission is to empower organizations to use SaaS freely - without compromising on security. We provide a unified platform that enables you to control every layer of your SaaS environment:
- Data Access Governance: Know who has access to what.
- Data Loss Prevention: Control and prevent risky sharing behaviors.
- Shadow App Detection: Discover and remediate unauthorized SaaS tools.
- Identity Threat Detection & Response (ITDR): Monitor for abnormal or high-risk user activity.
- Misconfigurations: Ensure SaaS configurations align with compliance and security best practices.
Start Small, Act Fast
Securing your SaaS ecosystem may seem like a major lift - but you don’t have to boil the ocean. Start with a free SaaS Risk Assessment to identify the biggest gaps in your environment. From there, we’ll help you create a tailored strategy to reduce exposure and proactively defend against SaaS-specific threats.
It only takes a few minutes to get started - but the impact can protect your organization for years to come.
Want to Learn More?
See a demo - click here
Get a FREE Google Workspace Risk Assessment - click here
See our product in action - click here