2022年SaaS安全调查报告

2022 SaaS SecuritySurvey Reportcloudsecurityalliance @ 2022 Cloud Security Alliance All Rights Reserved. You may download, store, display on yourcomputer, view, print, and link to the Cloud Security Alliance at https://cloudsecurityalliance.orgsubject to the following: (a) the draft may be used solely for your personal, informational, non-commercial use; (b) the draft may not be modified or altered in any way; (c) the draft may not beredistributed; and (d) the trademark, copyright or other notices may not be removed. You may quoteportions of the draft as permittec by the Fair Use provisions of the United States Copyright Act,provided that you attribute the portions to the Cloud Security Alliance.@ Copyright 2022, Cloud Security Alliance. All rights reserved. AcknowledgmentsLead Authors:Hillary BaronJosh BukerSean HeideAlex KaluzaJohn YeohDesigners:Claire LehnertStephen LumpeSpecialThanks:Eliana Vuijsje and Caroline Rosenberg at Adaptive Shield@ Copyright 2022, Cloud Security Alliance. All rights reservedm Table of ContentsAcknowledgementsSurvey Creation and Methodology.Goals of thestudy.Executive Summary.Key Finding 1: SaaS misconfigurations are leading to security incidents.Key Finding 2: Theleading causes of SaaS misconfigurations are lack of visibilityandtoomanydepartmentswithaccess6Key Finding 3: Investment in business-critical SaaS applications outpacing SaaSsecurity tools and staff.Key Finding 4: Manualy detecting and remediating SaaS misconfigurations is leavingorganizations exposed.Key Finding 5: The use of an SSPM reduces the timeline to detect andAremediateSaaSmisconfigurations..9SaaS Application Use in Organizations,10SaaS Security Assessment12Misconfigurations in SaaS Security15SaaS SecurityToolsLLConclusion17Demographics18About the Spansor.20@ Copyright 2022, Cloud Security Alliance, All rights reserved. Survey Creation and MethodologyThe Cloud Security Alliance (CSA) is a not-for-profit organization with a mission to widely promotebest practices for ensuring cyber security in cloud computing and IT technologies. CSA also educatesvarious stakeholders within these industries ab-out security concerns in all other forms of computingCSA's membership is a broad coalition of industry practitioners, corporations, and professionaassociations. One of CSA's primary goals is to conduct surveys that assess information securitytrends, These surveys provide information on organizations> current maturity, opinions, interests,and actions regarding information security and technology.Adaptive Shield commissioned CSA to develop a survey and report to better understand theindustry's knowledge, attitudes, and opinions regarding 5aa.S security and related misconfigurations.Adaptive Shield financed the project and co-developed the questionnaire by particip ating withCSA research analysts. The survey was conducted online by CSA from January to February 2022and received 340 responses from IT and security professionals from various organization sizes andlocations, CSA's research team performed the data analysis and interpretation for this report.GoalsofthestudyThe goal of this survey was to understand the current state of SaaS security and misccnfigurations.Key areas of interest include:Use of SaaS applications with organizationsMethods, policies, and tools for assessing SaaS app securityTimeline for detecting and remediating misconfigurations in SaaS app securityAwareness of new SaaS security related products@ Copyright 2022, Cloud Security Alliance. All rights reserved. Executive SummaryMany recent breaches and data leaks have been tied back to misconfigurations causing it to be atop concern for many organizations. Most research related to misconfigurations has focused strictlyon the laaS layers and ignores the SaaS stack entirely. Yet, SaaS security and misconfigurationsare equally crucial to the organization's overall security. For these reasons, CSA developed anddistributed a survey to better understand the use of SaaS applications, timeline and tools for Saa5security assessments, a timeframe for misconfiguration detection and remediation, and awarenessof security tools for Saa5 applications.KeyFinding1SaaSmisconfigurationsareleadingtosecurityincidentsMisconfigurations have been a top concern for organizatians since at least 20191, Unfortunately.atleast43%oforganizationsdealtwithoneormoresecurityincidentsbecauseofaSaaSmisconfiguration. This number could be as high as 63% as a notable amount were unsure if theirorganization had experienced a security incident due to a SaaS misconfiguration.This fact isparticularly striking when comparing similar dataInsureon laaSmisconfigurations; 17% oforganizationsexperienced security incidents due to amisconfiguratian?Organizationsneedtoembraceautomationand continuousscanningfor notjustlaasmisconfigurationsbutalsoSaaSmisconfigurations,to prevent such security incidents,Automationenables organizations to remediate the issue in real-time, so they aren't left vulnerable.KeyFinding