Cloud Security Alliance releases latest State of SaaS Security Report
The Cloud Security Alliance (CSA) today released the State of SaaS Security Report: Trends and Insights for 2025-2026, which examines the current state of SaaS security to uncover key challenges and explore how organizations are securing and managing their SaaS environments. The findings underscore the urgency for organizations to shift their SaaS security to a more unified, purpose-built approach. Current approaches to SaaS security are not enough.
Commissioned by Valence Security, the survey set out to determine the current state of SaaS security, uncover key challenges, and explore how organizations are securing and managing their SaaS environments.
SaaS security strategies cannot keep pace with the growing complexity of the SaaS landscape, remaining fragmented, reactive, and incomplete. Despite heightened awareness of the critical need for strong SaaS security, organizations must move beyond ad hoc, app-by-app controls to close the gap between rising investments and actual capabilities—adopting a more unified approach that addresses core challenges like discovery, posture management, threat detection, and risk remediation.
"SaaS has become a core part of modern business operations, but securing it remains a moving target. Despite growing investment in and prioritization of SaaS security, there remains an overconfidence in current SaaS security strategies. The reality is that distributed adoption, inconsistent tools, and fragmented processes leave critical gaps in visibility, identity management, and third-party access," said Hillary Baron, lead author and AVP for Research, Cloud Security Alliance.
The report’s key findings include:
-
SaaS security is a top priority for 86% of organizations, with 76% of respondents saying they are increasing their budgets this year.
-
Despite organizations committing more resources to SaaS security, data oversharing (63%) and poor access control (56%) continue to expose them to risk, suggesting that many are still unable to establish the fundamental protections needed to secure sensitive data across their environments.
-
79% of organizations expressed confidence in their programs. This high confidence level may be masking critical capability gaps, with 55% of respondents sharing that employees are adopting SaaS tools without security's involvement and 57% reporting they are grappling with fragmented SaaS security administration.
-
IAM remains a challenge. 58% of respondents said enforcing proper privilege levels was difficult, and 54% lacked automation for lifecycle management—gaps that directly contribute to breaches, complicate incident response, and leave organizations exposed.
-
SaaS-to-SaaS integrations and GenAI tools are expanding the attack surface, leaving nearly half of organizations (46%) struggling to monitor non-human identities (NHIs) and 56% concerned with over-privileged API access.
-
Too many organizations are relying on fragmented strategies, such as vendor-native tools (69%), general-purpose solutions like Cloud Access Security Brokers (CASBs) (43%), and manual audits (46%), resulting in critical gaps across the SaaS environment that will only widen as these systems become more complex.
"The report’s findings reveal a clear shift: SaaS security is no longer an afterthought. Organizations are not just recognizing its importance—they’re taking action to improve shadow SaaS discovery, posture management, and threat detection. As SaaS adoption accelerates, it’s critical to ensure security strategies evolve in step with increasingly complex and interconnected SaaS ecosystems," said Yoni Shohet, CEO and co-founder of Valence Security.
The survey was conducted online by CSA in January 2025 and received 420 responses from IT and security professionals representing large organizations in various industries and locations. CSA’s research analysts performed the data analysis and interpretation for this report. Sponsors are CSA Corporate Members who support the research project’s findings but have no added influence on the content development or editing rights of CSA research.
Review the full State of SaaS Security Report: Trends and Insights for 2025-2026.
