SaaS solutions: Convenient to use but with the right security tools

It's no surprise that enterprises like SaaS solutions; the average enterprise uses anywhere from a few dozen to over a hundred different SaaS solutions.

Enterprises have come to prefer SaaS solutions because they offer best-of-breed niche solutions that are readily available to use, without the overhead of managing the technology.

While SaaS solutions offer a lot of convenience, enterprises also end up providing a lot of sensitive data to the SaaS solutions. After more than a couple decades of using SaaS solutions, companies are running into certain challenges with SaaS, particularly from a security perspective. Examples of those challenges include:

  1. A false sense of security from Third-Party Risk Management (TPRM) programs, since those are focused on the initial SaaS vendor relationship rather than ongoing assurance or technical security configurations
  2. No golden SaaS configuration, leading to insecure configurations being determined on-the-fly
  3. API connections with authentication tokens vulnerable to theft and reuse, leading to SaaS becoming a backdoor for enterprise systems
  4. Integrating security logs held at the SaaS provider with the enterprise Security Information and Event Management (SIEM) tool
  5. A pattern of attacks across SaaS solution users: threat actors exploit certain known gaps in configuration to a) go after all potential users of popular SaaS solutions such as Salesforce and Snowflake across enterprises, and b) use a security weakness in one SaaS solution to compromise another SaaS solution at the same enterprise

It's important that companies invest in building an enterprise SaaS security framework. This framework should help identify the enterprise stakeholders involved from SaaS evaluation to offboarding. It should also help facilitate consistent measurement of standardized security controls and further demonstrate regulatory compliance. Enterprises have been using Cloud Access Security Broker (CASB) solutions that secure the connections and enforce policies, but such solutions do not provide continuous posture monitoring, drift monitoring and Shadow SaaS detection. To make the process automated and efficient, enter the world of SaaS Security Posture Management (SSPM) tools. SSPM is currently one of the most practical tools available for enterprises to operate controls around SaaS — particularly around identities, configuration management, and third-party integration visibility. Some of the potential benefits of leveraging SSPM tools include:

  1. Discovers shadow SaaS solutions in use by the enterprise by monitoring network traffic, identity providers, and application logs.
  2. Enforces zero trust and least privileged access, which restricts risky and unauthorized users.
  3. Automates configuration checks to provide continuous real-time monitoring of SaaS applications’ security settings and analyzes security gaps by comparing configurations against benchmarks.
  4. Identifies privileged accounts without proper controls and revokes dormant access.
  5. Integration risks — flags unapproved, new, or inactive integrations and assigns risk scores.

KPMG can help you build a SaaS security framework that is efficient and tailored to your risk profile. Further, we have alliances with several third-party SSPM solution providers and could also help implement, tune and operate such solutions under a managed services model.

Meet the team

Sai Gadia
Partner, Cyber Security Services, KPMG LLP
