Navigating the security risks of financial service SaaS apps
SaaS brings innovation and efficiency, but FIs must take steps to ensure that sensitive data is not left vulnerable to misconfigurations and identity sprawl.
Yoni Shohet
In mid-2024, Santander Bank experienced a breach exploiting vulnerabilities in multi-factor authentication (MFA) enforcement within its Snowflake tenant, a cloud-based data storage application. Hackers accessed sensitive employee data, including Social Security numbers and payroll information, affecting over 12,000 employees. This is just one incident, but it highlights a stark reality for the financial services sector: minor misconfigurations can lead to major consequences.
As financial institutions increasingly rely on Software-as-a-Service (SaaS) applications, security risks multiply. Tools like Microsoft 365, Salesforce, Snowflake, GitHub and Workday, to name a few, streamline operations, but they also expose sensitive data to potential breaches. Strict regulatory frameworks like GDPR, SOX and PCI DSS aim to protect data and privacy, yet misconfigurations and configuration drift, identity sprawl and decentralized management of SaaS applications often undermine compliance efforts. The Santander breach, and Santander is certainly not alone, underscores the urgent need for a more robust approach to SaaS security in a sector where breaches can result in financial losses, reputational damage and regulatory penalties.
The current threat landscape in financial services
SaaS adoption in the financial sector is widespread, spanning customer relationship management (CRM) platforms, software development, enterprise resource planning (ERP), data analytics and collaboration. While these platforms enhance operational efficiency, they also introduce new layers of risk. They often handle sensitive employee, customer and financial data, and they become vulnerable when security policies are applied inconsistently.
Financial institutions face several security challenges in managing these tools, including:
Identity sprawl: Each SaaS platform represents a unique identity environment that requires its own robust security policies. Identity sprawl, unmanaged accounts, and the absence of strong authentication controls like multi-factor authentication (MFA) and single sign-on (SSO) leave SaaS applications exposed to attackers. Incomplete employee offboarding across all SaaS applications and the proliferation of unmanaged accounts further increase the likelihood of breaches. Because employees adopt and use SaaS applications at a fast pace, monitoring identities effectively is difficult.
Configuration management: SaaS configurations are complex, with 43% of security executives citing configuration management as a top SaaS security challenge. Each platform has unique settings and identity structures, and changes made by SaaS administrators often result in configuration drift, where security settings deviate from established baselines.
Data exposure: The risk of sensitive data exposure is particularly high in collaboration platforms where files and communications are shared with external parties. Misconfigured sharing settings and outdated file shares exacerbate this risk: sharing links can lead to uncontrolled data exposure, especially when they are shared with external parties or when permissions are not regularly reviewed and revoked once they are no longer needed.
SaaS-to-SaaS integrations and non-human identities: Non-human identities, such as OAuth tokens, API keys and service accounts, are often inadequately secured and cannot be protected by MFA. These identities, which power a wide web of interconnected third-party SaaS applications, outnumber human users by a wide margin (almost 10:1) and pose significant security risks if not properly managed. Unmonitored third-party integrations can amplify the risk of sensitive data being exposed or accessed by unauthorized parties.
The complexity of decentralized SaaS management
In many financial institutions, SaaS platforms are managed by individual business units to meet specific needs. For example, sales teams may manage Salesforce, engineering teams may manage GitHub, and finance or HR teams may manage NetSuite or Workday. This decentralized management allows departments to select tools that align closely with their unique workflows, and the flexibility fosters innovation by empowering teams to adopt solutions quickly, driving business agility and productivity.
However, decentralization also presents significant challenges for security and oversight. IT and security teams often lack visibility into SaaS applications adopted outside their purview across the organization, making it difficult to monitor and manage potential risks. This lack of oversight can also result in shadow IT, where unauthorized or untracked applications operate outside established security protocols. Additionally, non-security administrators managing these tools may inadvertently misconfigure them, introducing weaknesses that expose sensitive data and increase the likelihood of a breach.
To address these challenges, financial institutions must foster collaboration between IT, security, and business units. Security teams should adopt a shared responsibility approach to ensure that tools like Salesforce, GitHub and NetSuite are both effective and secure.
Strategies for strengthening SaaS security
To mitigate the risks associated with SaaS applications, financial institutions must implement comprehensive security strategies. These should address finding and fixing SaaS misconfigurations, securing both human and non-human identities, and reducing data exposure:
Identity and Access Management (IAM): Organizations must enforce MFA consistently across all applications, including identifying and securing local SaaS accounts that may bypass centralized identity systems. Regularly reviewing user access and applying the Principle of Least Privilege (PoLP) ensures that both human and non-human identities are granted only the minimum access required for their roles. This reduces the attack surface by limiting the potential impact of compromised credentials or account takeover.
Secure SaaS-to-SaaS integrations: Identify overprivileged or tenant-wide integrations that introduce unnecessary risk, and conduct regular audits to revoke unused API keys and OAuth tokens. Monitoring systems should be in place to detect and address anomalous activity across integrations, ensuring that all connections remain secure and aligned with organizational policies.
Data protection: Protecting sensitive data requires ongoing vigilance to prevent exposure through misconfigured sharing settings. Regular audits of external file shares help identify and eliminate inactive or unnecessary links, while addressing broad permissions—such as “anyone with the link”—reduces the risk of uncontrolled data access. By correcting overprivileged access permissions and enforcing stricter controls, organizations can minimize the likelihood of data leaks.
Proactive monitoring and configuration management: Keeping an updated inventory of all SaaS applications allows IT and security teams to identify potential risks. In addition, leveraging third-party security tools enables continuous monitoring for misconfigurations and configuration drift, ensuring that deviations from established baselines are swiftly addressed before they result in potential breaches.
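The following is an added example, not code from the article or from Valence Security, showing how the four risk areas above (identity sprawl, configuration drift, data exposure and SaaS-to-SaaS integrations) can be checked programmatically against a baseline. The tenant inventory, baseline settings and the 90-day token-idle threshold are constructed assumptions; a real implementation would populate the inventory from each platform's admin API.

```python
"""Audit a SaaS tenant inventory against a security baseline (added example)."""
from datetime import date

# Assumed baseline: the settings every tenant is expected to match.
BASELINE_SETTINGS = {"mfa_required": True, "external_sharing": "restricted", "sso_only": True}
MAX_TOKEN_IDLE_DAYS = 90  # assumed policy: integrations unused this long get revoked

# Constructed sample tenant; hypothetical data, not from any real institution.
SAMPLE_TENANT = {
    "settings": {"mfa_required": False, "external_sharing": "anyone", "sso_only": True},
    "users": [
        {"email": "a.lee@example.test", "mfa": True, "sso": True, "offboarded": False, "active": True},
        {"email": "svc-report@example.test", "mfa": False, "sso": False, "offboarded": False, "active": True},
        {"email": "b.ruiz@example.test", "mfa": True, "sso": True, "offboarded": True, "active": True},
    ],
    "integrations": [
        {"app": "crm-sync", "scope": "tenant-wide", "last_used": date(2024, 1, 5)},
        {"app": "ci-bot", "scope": "repo", "last_used": date(2024, 6, 1)},
    ],
    "shares": [
        {"path": "/finance/q2.xlsx", "link": "anyone", "external": True},
        {"path": "/hr/handbook.pdf", "link": "org", "external": False},
    ],
}

def audit_tenant(tenant, baseline=BASELINE_SETTINGS, today=date(2024, 7, 1)):
    """Return (category, subject, issue) findings for the four risk areas."""
    findings = []
    # Configuration drift: any tenant setting that deviates from the baseline.
    for key, expected in baseline.items():
        actual = tenant["settings"].get(key)
        if actual != expected:
            findings.append(("config", key, f"drift: {actual!r} (baseline {expected!r})"))
    # Human identities: MFA missing, local accounts bypassing SSO, incomplete offboarding.
    for u in tenant["users"]:
        if not u["mfa"]:
            findings.append(("identity", u["email"], "MFA not enabled"))
        if not u["sso"]:
            findings.append(("identity", u["email"], "local account bypasses SSO"))
        if u["offboarded"] and u["active"]:
            findings.append(("identity", u["email"], "offboarded but still active"))
    # Non-human identities: tenant-wide scope or tokens idle past the threshold.
    for i in tenant["integrations"]:
        if i["scope"] == "tenant-wide":
            findings.append(("integration", i["app"], "tenant-wide scope; reduce to least privilege"))
        idle = (today - i["last_used"]).days
        if idle > MAX_TOKEN_IDLE_DAYS:
            findings.append(("integration", i["app"], f"unused for {idle} days; revoke"))
    # Data exposure: external shares open to anyone with the link.
    for s in tenant["shares"]:
        if s["external"] and s["link"] == "anyone":
            findings.append(("data", s["path"], "anyone-with-the-link share"))
    return findings
```

Running `audit_tenant(SAMPLE_TENANT)` on the constructed tenant yields eight findings: two configuration drifts, three identity issues, two integration issues and one exposed share.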
Final thoughts
The financial services industry stands at the intersection of innovation and risk. While the benefits of SaaS applications are clear, they also bring significant security challenges that cannot be ignored. By fostering collaboration across business units and adopting comprehensive security frameworks, organizations can leverage the full potential of SaaS while minimizing the risk of costly breaches.
Yoni Shohet is Co-Founder and CEO of Valence Security.