New Research From Cloud Security Alliance Highlights Critical Need for a More Unified, Purpose-Built Approach to SaaS Security

Collaboration and accountability remain the biggest barriers to risk remediation

The Cloud Security Alliance (CSA), the world’s leading organization dedicated to defining standards, certifications, and best practices to help ensure a secure cloud computing environment, today released the State of SaaS Security Report: Trends and Insights for 2025-2026, which examines the current state of SaaS security to uncover key challenges and explore how organizations are securing and managing their SaaS environments. The findings underscore the urgency for organizations to shift their SaaS security to a more unified, purpose-built approach. Current approaches to SaaS security are not enough.

Commissioned by Valence Security, the leader in SaaS security, the survey set out to determine the current state of SaaS security, uncover key challenges, and explore how organizations are securing and managing their SaaS environments.

SaaS security strategies cannot keep pace with the growing complexity of the SaaS landscape, remaining fragmented, reactive, and incomplete. Despite heightened awareness of the critical need for strong SaaS security, organizations must move beyond ad hoc, app-by-app controls to close the gap between rising investments and actual capabilities—adopting a more unified approach that addresses core challenges like discovery, posture management, threat detection, and risk remediation.

"SaaS has become a core part of modern business operations, but securing it remains a moving target. Despite growing investment in and prioritization of SaaS security, there remains an overconfidence in current SaaS security strategies. The reality is that distributed adoption, inconsistent tools, and fragmented processes leave critical gaps in visibility, identity management, and third-party access," said Hillary Baron, lead author and AVP for Research, Cloud Security Alliance.

The report’s key findings include:

  • SaaS security is a top priority for 86% of organizations, with 76% of respondents saying they are increasing their budgets this year.
  • Despite organizations committing more resources to SaaS security, data oversharing (63%) and poor access control (56%) continue to expose them to risk, suggesting that many are still unable to establish the fundamental protections needed to secure sensitive data across their environments.
  • 79% of organizations expressed confidence in their programs. This high confidence level may be masking critical capability gaps, with 55% of respondents reporting that employees are adopting SaaS tools without security's involvement and 57% reporting that they are grappling with fragmented SaaS security administration.
  • IAM remains a challenge. 58% of respondents said enforcing proper privilege levels was difficult, and 54% lacked automation for lifecycle management, gaps that directly contribute to breaches, complicate incident response, and leave organizations exposed.
  • SaaS-to-SaaS integrations and GenAI tools are expanding the attack surface, leaving nearly half of organizations (46%) struggling to monitor non-human identities (NHIs) and 56% concerned with over-privileged API access.
  • Too many organizations are relying on fragmented strategies, such as vendor-native tools (69%), general-purpose solutions like Cloud Access Security Brokers (CASBs) (43%), and manual audits (46%), resulting in critical gaps across the SaaS environment that will only widen as these systems become more complex.

"The report’s findings reveal a clear shift: SaaS security is no longer an afterthought. Organizations are not just recognizing its importance—they’re taking action to improve shadow SaaS discovery, posture management, and threat detection. As SaaS adoption accelerates, it’s critical to ensure security strategies evolve in step with increasingly complex and interconnected SaaS ecosystems," said Yoni Shohet, CEO and Co-Founder of Valence Security.

The survey was conducted online by CSA in January 2025 and received 420 responses from IT and security professionals representing large organizations in various industries and locations. CSA’s research analysts performed the data analysis and interpretation for this report. Sponsors are CSA Corporate Members who support the research project’s findings but have no added influence on the content development or editing rights of CSA research.

Review the full State of SaaS Security Report: Trends and Insights for 2025-2026.

About Valence Security

Valence finds and fixes SaaS risks. The Valence platform discovers, protects, and defends SaaS applications by monitoring shadow IT, misconfigurations, and identity activities through unparalleled SaaS discovery, SSPM, and ITDR capabilities. Recent high-profile breaches highlight how decentralized SaaS adoption creates significant security challenges. With Valence, security teams can control SaaS sprawl, protect their data, and detect suspicious activities from human and non-human identities. Valence goes beyond visibility by enabling security teams to remediate risks through one-click remediation, automated workflows, and business user collaboration. Trusted by leading organizations, Valence ensures secure SaaS adoption while mitigating today’s most critical SaaS security risks. Follow us on LinkedIn.

About Cloud Security Alliance

The Cloud Security Alliance (CSA) is the world’s leading organization dedicated to defining and raising awareness of best practices to help ensure a secure cloud computing environment. CSA harnesses the subject matter expertise of industry practitioners, associations, governments, and its corporate and individual members to offer cloud security-specific research, education, training, certification, events, and products. CSA's activities, knowledge, and extensive network benefit the entire community impacted by cloud — from providers and customers to governments, entrepreneurs, and the assurance industry — and provide a forum through which different parties can work together to create and maintain a trusted cloud ecosystem. For further information, visit us at www.cloudsecurityalliance.org, and follow us on X @cloudsa.

