
Software-as-a-Service adoption is exploding, but security teams are struggling to keep up. The Cloud Security Alliance’s 2025 SaaS Security Survey has revealed that while investment in and attention to SaaS security are on the rise, genuine control remains elusive, especially when it comes to configuration management, identity governance, and visibility.
According to the report, most SaaS security strategies are still fragmented and reactive, leaving organizations vulnerable to risks like misconfigurations, excessive privileges, and a lack of oversight over both human and non-human access. Let’s explore that deeper.
Misconfigurations: Still the Leading Cause of SaaS Breaches
Misconfigurations were the top cause of SaaS-related breaches in 2025, with 43% of organizations citing misconfigured settings as the root cause of at least one breach in the past 12-18 months.
These findings drive home an uncomfortable truth: many teams lack the tools or processes to continuously track configuration drift across SaaS environments. It’s not enough to just configure apps securely at onboarding - without automated change detection, those “known-good” settings can erode over time.
Fortra Secure Configuration Management (SCM) gives teams real-time visibility into security settings across SaaS applications and immediately alerts them to unauthorized or risky changes. What’s more, continuous configuration assessments help enforce best practices, prevent drift, and shrink the window of exposure that a misconfiguration leaves open.
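As an added illustration of the continuous change detection this section describes (example code, not Fortra’s or Tripwire’s), the check below compares a later snapshot of SaaS settings against the known-good baseline recorded at onboarding and reports drift by severity. The app names, settings, severity map and the approved-exception set are constructed sample data, not any vendor’s schema.

```python
# Added example (not Fortra/Tripwire code): drift detection against a known-good
# SaaS baseline. App names, settings and severities are constructed sample data.
from dataclasses import dataclass

@dataclass(frozen=True)
class Drift:
    key: str        # "app/setting"
    expected: object
    actual: object  # None when the setting is no longer observable
    severity: str

# Constructed baseline captured at onboarding.
BASELINE = {
    "crm/mfa_required": True,
    "crm/session_timeout_minutes": 30,
    "storage/external_sharing": "allowlisted_domains",
    "storage/legacy_auth_enabled": False,
}
# How much a deviation matters; settings not listed here default to "medium".
SEVERITY = {"crm/mfa_required": "critical", "storage/legacy_auth_enabled": "high"}
RANK = ("critical", "high", "medium", "low")

def detect_drift(baseline, current, approved=frozenset()):
    """Return drifted settings, most severe first, skipping approved exceptions."""
    findings = []
    for key, expected in baseline.items():
        if key in approved:
            continue
        actual = current.get(key)
        if actual != expected:  # also fires when the setting vanished (actual=None)
            findings.append(Drift(key, expected, actual, SEVERITY.get(key, "medium")))
    # Settings that appeared after onboarding were never baselined: flag for review.
    for key in sorted(set(current) - set(baseline)):
        findings.append(Drift(key, None, current[key], "low"))
    return sorted(findings, key=lambda d: RANK.index(d.severity))

# Constructed snapshot taken months later: MFA off, longer timeout (approved via
# change ticket), legacy-auth setting gone from the API, one new setting.
CURRENT = {
    "crm/mfa_required": False,
    "crm/session_timeout_minutes": 480,
    "storage/external_sharing": "allowlisted_domains",
    "storage/ai_assistant_enabled": True,
}

if __name__ == "__main__":
    for d in detect_drift(BASELINE, CURRENT, approved={"crm/session_timeout_minutes"}):
        print(f"[{d.severity}] {d.key}: expected {d.expected!r}, found {d.actual!r}")
```

A setting that disappears from the snapshot is reported rather than ignored, because a control you can no longer observe is a visibility gap, not a pass.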
Identity Sprawl and Least Privilege Challenges
IAM remains a key SaaS security challenge, with:
- 58% of organizations unable to enforce least privilege consistently
- 54% lacking automation for provisioning and deprovisioning
- 41% of breaches caused by overprivileged accounts
When identity lifecycles are inconsistent, orphaned accounts and unnecessary access accumulate quickly, often without audit trails. Fortra can help you enforce least privilege through integrity-driven identity governance. Fortra SCM integrates seamlessly with IAM platforms to monitor role assignments, track admin privilege escalation, and surface deviations from approved access policies, especially across multi-app SaaS environments.
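An added example (not the vendor’s code) of the identity lifecycle checks this section describes: it flags orphaned accounts that no longer appear in the HR roster, logins stale beyond a threshold, admin roles outside an approved access policy, and service accounts that hold admin rights. The roster, account export, field names and dates are constructed assumptions.

```python
# Added example (not Fortra/Tripwire code): lifecycle and least-privilege checks
# over SaaS account records. The HR roster, account list and approved admin set
# are constructed sample data; the field names are assumptions, not a vendor schema.
from datetime import date, timedelta

HR_ACTIVE = {"alice", "bob", "dana"}                       # constructed HR roster
APPROVED_ADMINS = {"crm": {"alice"}, "storage": {"dana"}}  # approved per-app admins
STALE_AFTER = timedelta(days=90)
TODAY = date(2025, 6, 15)                                  # constructed snapshot date

# Constructed account export: (app, user, role, last_login, is_service_account)
ACCOUNTS = [
    ("crm", "alice", "admin", date(2025, 6, 1), False),
    ("crm", "bob", "admin", date(2025, 5, 20), False),      # admin not in approved set
    ("crm", "carol", "user", date(2025, 1, 3), False),      # left the company: orphaned
    ("storage", "dana", "admin", date(2025, 6, 2), False),
    ("storage", "bob", "user", date(2024, 11, 1), False),   # no login for months
    ("storage", "svc-backup", "admin", date(2025, 6, 2), True),  # non-human identity
]

def audit_accounts(accounts, hr_active, approved_admins, today):
    """Return findings as (app, user, issue) tuples, in export order."""
    findings = []
    for app, user, role, last_login, is_service in accounts:
        if is_service:
            # Non-human identities never leave via HR; they need an owner review instead.
            if role == "admin":
                findings.append((app, user, "service account holds admin role"))
            continue
        if user not in hr_active:
            findings.append((app, user, "orphaned: not in HR roster"))
            continue  # deprovision first; the remaining checks are moot
        if role == "admin" and user not in approved_admins.get(app, set()):
            findings.append((app, user, "admin role not in approved access policy"))
        if today - last_login > STALE_AFTER:
            findings.append((app, user, f"stale: no login for {(today - last_login).days} days"))
    return findings

if __name__ == "__main__":
    for finding in audit_accounts(ACCOUNTS, HR_ACTIVE, APPROVED_ADMINS, TODAY):
        print(finding)
```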
Poor Visibility Undermines Compliance and Security
Sprawling SaaS infrastructure inherently makes visibility difficult:
- 42% of organizations lack centralized visibility into sensitive data flows
- 55% report unsanctioned SaaS usage by employees
- 42% struggle to monitor non-human identities like API tokens and integrations
- 38% lack visibility into configurations and user activity
The result? Weakened security programs and undermined compliance initiatives.
Fortra can help overcome these blind spots. Our Integrity and Compliance monitoring solution enables organizations to track sensitive data exposure, policy violations, and ungoverned third-party integrations. Coupled with Fortra Extended Detection and Response (XDR), teams can correlate SaaS telemetry with broader threat indicators, giving them a contextual, actionable view of risks across the environment.
Overreliance on Native Control Masks Gaps
According to the CSA report, 69% of organizations depend primarily on vendor-provided security controls within SaaS applications. While these native controls are important, their coverage is often inconsistent from one application to the next, because each vendor’s controls focus on that vendor’s own environment rather than the broader SaaS ecosystem. This can lead to the false assumption that SaaS providers are fully responsible for security.
However, the shared responsibility model requires customers to configure settings securely, manage identities, and audit access—tasks that native tools weren’t built to perform comprehensively across platforms.
The CSA gives the Snowflake customer breach as an example. Attackers exploited poorly secured customer environments, including unmonitored accounts and weak authentication, not flaws in Snowflake’s infrastructure. This breach demonstrated how organizations that rely solely on built-in security tools or assume cloud providers will “handle it all” leave themselves exposed to preventable risks.
Worse still, 46% of organizations rely on manual audits to spot these issues, a process too slow, too reactive, and too resource-intensive to keep up with today’s SaaS velocity.
Fortra helps organizations regain control. Our integrity and compliance monitoring solutions allow teams to independently validate SaaS configurations, track privilege drift, monitor high-risk changes, and verify the enforcement of internal policies - regardless of what native controls are or aren’t in place.
What’s more, with Fortra Secure Configuration Management, you can ensure consistent baselining across your SaaS ecosystem, reducing the chance that silent misconfigurations, outdated permissions, or unmonitored third-party integrations turn into a significant breach.
Remember: while vendors are responsible for their infrastructure, you are responsible for securing your usage of it. And that starts with visibility, integrity, and control.
Why Fortra: Closing the SaaS Security Gap
The 2025 State of SaaS Security report makes one thing abundantly clear: while investment in SaaS security is accelerating, most organizations are still playing catch-up. Confidence in existing systems is high, but, contradictorily, so is reliance on manual audits and fragmented, vendor-native tools that offer only partial coverage.
At Fortra, we help organizations move beyond this patchwork approach to SaaS security. Our integrity-first approach to SaaS security delivers the visibility, consistency, and control needed to address today’s most pressing risks, from misconfigurations and overprivileged accounts to unmanaged third-party integrations.
Whether you’re looking to reinforce zero trust, simplify compliance, or reduce the risk of configuration-related breaches, Fortra provides the automation, accuracy, and insight you need to secure your SaaS ecosystem.
If your SaaS security strategy needs to catch up to your SaaS reality, we’re here to help. Request a demo today.
Editor’s Note: The opinions expressed in this and other guest author articles are solely those of the contributor and do not necessarily reflect those of Tripwire.