CISO Panel on SaaS Data Security

Quick shout out to my fellow panelists Alexander Schuchman of Colgate and Daniel J. of Datadog, and to John Veltri of SADA, an Insight company, who MC'd the DoControl SaaS Data Security panel session. Also thank you to Omri Weinberg and Matt Dubreuil for the invite.

The session focused on Google Workspace and the recent announcements around Google Gemini, and on how DoControl can integrate with and leverage those tools and data to enhance data security through workflows and automation.

In preparing for the panel, I needed to think through some of the topics we were to discuss; here are some edited thoughts.

What are the most significant enhancements to SaaS security over recent years?

For me, some of the areas include:

  • Better documentation and configuration best practices

In general, a lot of SaaS tools are configured by default to make it easy for the first-time user or administrator to get onboarded and up and running. However, this frequently means that many options are overly open, or that the user is given too much freedom to share data outside the boundaries of the company. It's a fine balance between enabling users to get the most from the tools and the need for checks and balances around over-sharing.

So I welcome the creation of better best-practice documentation and tooling to check settings against general security best practices and shed light into the darker corners of the configuration. This also applies over time, as new features are added to SaaS services and the vendor, for obvious commercial reasons, makes them openly available.

  • Better tooling and API access to feature and data security

As someone who came from organizations with large on-prem environments, it has always been great to be able to query SaaS APIs to get a programmatic view of data security and permissions. Digital Asset collaborates with many customers and partners on projects, and it is vitally important that we understand who has access to the shared data in order to meet confidentiality and compliance requirements.

Solutions like DoControl allow the creation of workflows to automate collaboration and sharing policies. I no longer need to rely solely on users, but can implement timed revocation of access, policies based on types of data, and so on.
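To make the "who has access to shared data" and "timed revocation" points concrete, here is an added example (not code from the panel, from DoControl or from Google) that evaluates Drive-style file permissions against a simple sharing policy. The permission records are constructed to mirror the shape of the Google Drive API v3 `permissions` resource (`type`, `role`, `emailAddress`, `domain`, `expirationTime`); the `_granted` timestamp is not a Drive field and is assumed to come from an audit log, and `COMPANY_DOMAIN` and `MAX_EXTERNAL_AGE` are assumed policy values. A real workflow would fetch the records with `files().list` / `permissions().list` and act on the findings with `permissions().update` or `permissions().delete`.

```python
"""Evaluate Drive-style file permissions against a sharing policy (added example)."""
from datetime import datetime, timedelta, timezone

COMPANY_DOMAIN = "example.com"          # assumption: the organisation's own domain
MAX_EXTERNAL_AGE = timedelta(days=30)   # assumption: open-ended external shares older than this are revoked
NOW = datetime(2025, 3, 1, tzinfo=timezone.utc)  # fixed clock so the example is deterministic

# Constructed sample files and permissions, shaped like Drive API v3 responses.
# "_granted" is NOT a Drive field: assumed to be joined in from the admin audit log.
SAMPLE_FILES = [
    {"id": "f1", "name": "Q1 board pack.pdf", "permissions": [
        {"id": "p1", "type": "user", "role": "owner", "emailAddress": "cfo@example.com"},
        {"id": "p2", "type": "anyone", "role": "reader"},                      # anyone-with-link, no expiry
    ]},
    {"id": "f2", "name": "Partner SOW.docx", "permissions": [
        {"id": "p3", "type": "user", "role": "owner", "emailAddress": "pm@example.com"},
        {"id": "p4", "type": "user", "role": "writer", "emailAddress": "alice@partner.example",
         "expirationTime": "2025-03-15T00:00:00Z"},                            # external but time-boxed
        {"id": "p5", "type": "user", "role": "reader", "emailAddress": "bob@contractor.example",
         "_granted": "2024-12-01T00:00:00Z"},                                  # external, open-ended, stale
    ]},
    {"id": "f3", "name": "Salary bands.xlsx", "permissions": [
        {"id": "p6", "type": "user", "role": "owner", "emailAddress": "hr@example.com"},
        {"id": "p7", "type": "domain", "role": "reader", "domain": "example.com"},  # whole-company share
    ]},
]


def _parse(ts: str) -> datetime:
    """Parse an RFC 3339 timestamp as returned by the Drive API."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def is_external(perm: dict) -> bool:
    """True when the grantee lies outside the company domain (or is 'anyone')."""
    if perm["type"] == "anyone":
        return True
    if perm["type"] == "domain":
        return perm.get("domain", "").lower() != COMPANY_DOMAIN
    email = perm.get("emailAddress", "").lower()
    return not email.endswith("@" + COMPANY_DOMAIN)


def evaluate(files: list, now: datetime = NOW) -> list:
    """Return findings as (file_id, permission_id, action, reason) tuples.

    Actions: 'revoke' (link sharing, stale or expired external shares),
    'set_expiry' (recent external share with no expiry), 'review' (domain-wide share).
    """
    findings = []
    for f in files:
        for p in f["permissions"]:
            if p["role"] == "owner":
                continue
            if p["type"] == "anyone":
                findings.append((f["id"], p["id"], "revoke", "anyone-with-link sharing"))
            elif p["type"] == "domain" and not is_external(p):
                findings.append((f["id"], p["id"], "review", "shared with entire company domain"))
            elif is_external(p):
                exp = p.get("expirationTime")
                if exp is None:
                    granted = p.get("_granted")
                    age = now - _parse(granted) if granted else None
                    if age is not None and age > MAX_EXTERNAL_AGE:
                        findings.append((f["id"], p["id"], "revoke",
                                         f"external share with no expiry, {age.days} days old"))
                    else:
                        findings.append((f["id"], p["id"], "set_expiry", "external share with no expiry"))
                elif _parse(exp) <= now:
                    findings.append((f["id"], p["id"], "revoke", "expired external share still present"))
    return findings


if __name__ == "__main__":
    for file_id, perm_id, action, reason in evaluate(SAMPLE_FILES):
        print(f"{file_id} {perm_id}: {action:10} {reason}")
```

The time-boxed partner share on `f2` produces no finding, which is the point of preferring expiring grants over open-ended ones; the stale contractor share is revoked, the link-shared board pack is revoked, and the company-wide salary share is flagged for review rather than auto-revoked because it is internal.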

  • Supply Chain Security

Cybersecurity has always been concerned with where we get applications from, who wrote them, and what they access or do. It is good to see that SaaS vendors are making it easy to understand the security around their marketplace, extension / add-in ecosystems and other forms of integration. These add-on marketplaces can significantly enhance the usability and value of the data held within a core SaaS application, but they continue to be a concern for unauthorised third-party access. Many of the recent attacks have come through overly broad access granted to third-party systems. A related topic is...

  • Non-Human Identity

While the term NHI is going through a hype cycle, it really reflects a long-term concern about access via automation, service or batch accounts. A significant number of recent cyber attacks were executed using compromised or stolen credentials or session tokens, resulting in data loss, ransomware and similar attacks. Gaining greater visibility into the applications that access data, and the identities/credentials they use, is an important topic.


SaaS security continues to improve but there are still some areas where more could be done, including:

  • Offer alternative options to "Share with account/domain". Many organizations have mixed populations of staff, some full time, some for specific projects, and the danger comes from accidentally over-sharing sensitive information.
  • Better restrictions on "Shadow IT". Somewhat by design, SaaS vendors make it easy for users to sign up and start adding data. However, this significantly increases the challenges for vendor management and IT cost management, and the risk from supply chain compromise. I have seen a vendor with whom we have an enterprise license still allow users to purchase outside of the agreement, requiring periodic manual reconciliation.
  • Many SaaS vendors still treat some basic security functions, like SSO, as "Enterprise features", where that tier should be reserved for significant "value-add" capabilities.


How has the rise of AI and machine learning impacted SaaS security? What new opportunities or risks do vendors need to address?

I suspect that I am not alone in having this as a significant area to learn more about in 2025: many aspects of data security, privacy, use in model training, hallucinations or poor data, and trustworthiness as the industry moves to automation and agentic AI.

In the context of Google Workspace, we discussed topics including:

  • Significant potential for better data classification

As a self-acknowledged skeptic of DLP technology, which, impolitely, often feels like a thousand regexes flying in formation, I have high hopes that AI technology will allow for better classification and tagging of data. Data classification, and the frequent false positives from regex-based solutions, is an important prerequisite for enforcing data access policies and oversight. This applies whether we are looking at inbound emails for phish / fraud / impersonation detection, or at data stores in Shared Drives that are exposed internally and externally.
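The "thousand regexes" false-positive problem is easy to see on a small sample. The following is an added example (not code from the panel or from any DLP product) that runs a bare 16-digit regex over constructed text, then layers a Luhn checksum and nearby-keyword context on top of it. The sample text, the `CONTEXT_WORDS` list and the confidence levels are all assumptions for illustration; the two numbers that pass the checksum are well-known test card numbers, not real accounts.

```python
"""Regex-only versus checksum- and context-aware card-number classification (added example)."""
import re

# Constructed sample: two Luhn-valid test card numbers and two 16-digit values that are not cards.
SAMPLE = """
Invoice 4532015112830366 paid by card.
Tracking id 1234567890123456 shipped today.
Card 5555555555554444 on file for renewals.
Batch ref 2025010112345678 processed.
"""

# Naive DLP rule: any run of exactly 16 digits.
CARD_RE = re.compile(r"(?<!\d)\d{16}(?!\d)")

# Assumed context keywords that raise confidence when found near a candidate.
CONTEXT_WORDS = ("card", "visa", "mastercard", "payment")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check: double every second digit from the right, subtract 9 if > 9."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def regex_only(text: str) -> list:
    """What a pure regex rule reports: every 16-digit run, including non-card identifiers."""
    return CARD_RE.findall(text)


def regex_with_checksum(text: str) -> list:
    """Regex candidates filtered by the Luhn checksum, which drops most arbitrary digit runs."""
    return [m for m in CARD_RE.findall(text) if luhn_ok(m)]


def classify(text: str, window: int = 40) -> list:
    """Tag each candidate with a confidence level:
    'high'   checksum passes and a payment keyword appears within `window` chars,
    'medium' checksum passes but no supporting context,
    'low'    bare 16-digit run that fails the checksum."""
    tags = []
    for m in CARD_RE.finditer(text):
        value = m.group(0)
        nearby = text[max(0, m.start() - window): m.end() + window].lower()
        if luhn_ok(value) and any(w in nearby for w in CONTEXT_WORDS):
            level = "high"
        elif luhn_ok(value):
            level = "medium"
        else:
            level = "low"
        tags.append((value, level))
    return tags


if __name__ == "__main__":
    print("regex only      :", regex_only(SAMPLE))
    print("regex + checksum:", regex_with_checksum(SAMPLE))
    print("classified      :", classify(SAMPLE))
```

The bare regex reports four hits, half of them a tracking number and a batch reference; the checksum alone halves the false positives, and the context step is the kind of signal a learned classifier can weigh far more flexibly than a hand-maintained keyword list.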

  • Better behavioural analytics

The potential to move away from overseeing individual access events in isolation to a broader pattern of access offers better options for understanding external and internal actions. This also applies to non-human access, and to detecting changes in the behaviour of applications that access data.
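As an added example of the pattern-based view described here and under Non-Human Identity above (not code from the panel or from DoControl), the block below builds a per-identity daily baseline from constructed audit records and flags the day on which a service account's volume jumps well beyond its norm and a previously unseen OAuth client starts reading data. The record shape `(day, actor, resource)`, the actor names, the seven-day baseline and the z-score threshold are all assumptions; real Workspace audit events carry more fields but the logic is the same.

```python
"""Per-identity access baselines and anomaly flags over constructed audit records (added example)."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample audit records: (day, actor, resource). Not real Workspace audit-log output.
# One human user and one service account with stable daily volume for seven days of baseline.
EVENTS = []
for day in range(1, 8):
    EVENTS += [(day, "alice@example.com", f"doc-{i}") for i in range(10 + day % 3)]
    EVENTS += [(day, "backup-svc@example.iam", f"doc-{i}") for i in range(40 + (day % 2) * 5)]
# Day 8: the service account touches ten times its normal volume and an unseen OAuth client appears.
EVENTS += [(8, "alice@example.com", f"doc-{i}") for i in range(11)]
EVENTS += [(8, "backup-svc@example.iam", f"doc-{i}") for i in range(450)]
EVENTS += [(8, "oauth-client-9f3a", f"doc-{i}") for i in range(30)]


def daily_counts(events: list) -> dict:
    """{actor: {day: number of distinct resources touched that day}}."""
    touched = defaultdict(lambda: defaultdict(set))
    for day, actor, resource in events:
        touched[actor][day].add(resource)
    return {actor: {d: len(r) for d, r in days.items()} for actor, days in touched.items()}


def detect(events: list, today: int, z: float = 3.0, min_history: int = 3) -> list:
    """Return (actor, reason, todays_count) for identities whose activity on `today`
    has no baseline or exceeds mean + z * stddev of their earlier days.
    The stddev floor of 1.0 stops a perfectly regular account from tripping on +1."""
    counts = daily_counts(events)
    findings = []
    for actor, days in counts.items():
        todays = days.get(today)
        if todays is None:
            continue
        history = [c for d, c in days.items() if d < today]
        if len(history) < min_history:
            findings.append((actor, "no baseline", todays))
            continue
        mu, sigma = mean(history), max(pstdev(history), 1.0)
        if todays > mu + z * sigma:
            findings.append((actor, f"volume {todays} vs baseline mean {mu:.1f}, sd {sigma:.1f}", todays))
    return findings


if __name__ == "__main__":
    for actor, reason, count in detect(EVENTS, today=8):
        print(f"{actor:26} {reason}")
```

A human user whose volume stays within its own range is left alone, which is what makes per-identity baselines less noisy than a single global threshold; the same approach applied to scopes requested or file types touched, rather than raw counts, is where behavioural analytics for non-human identities gets its value.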


The jury is still out on the potential negatives from AI, but a few include:

  • Use of AI by the "attackers", from better quality phishing and deepfakes through to use of AI by red team groups
  • Significantly greater challenges around understanding data flows and access in AI systems, and the challenges of Shadow IT and AI features in every SaaS product
  • "Intelligent Searching": AI queries have a much better chance of answering questions like "what are the salaries of senior individuals" (see the share-to-account concerns above)
  • Privacy concerns, GDPR and other international or national privacy laws


Many of the above topics would each require a lengthy blog in their own right, but I thank my fellow panelists for a lively discussion.




Omri Weinberg

Co-Founder & CEO at DoControl

2 months

Great write-up Edward Newman! Thanks for participating

Reply

Great write up - thanks for sharing!

Reply
