State of SaaSOps 2024: Is securing data in SaaS still a top IT challenge today?

Is securing data in SaaS is a perennial IT priority in the industry leading BetterCloud State of SaaS report series? Looking back at the 2024 BetterCloud State of SaaSOps Report, IT leaders ranked securing data in SaaS as their top challenge — ahead of cost control, app consolidation, and workflow automation. Months later, as we approach another year of our annual research, we’re wondering how much these findings still hold true. 

What might have changed in the years since the BetterCloud State of SaaSOps report evolved into the BetterCloud State of SaaS report?

While cost-cutting might have been be a top priority from finance (25%), the State of SaaSOps report from 2024 showed that that security was the biggest concern for IT professionals (31%).

This wasn’t surprising, considering:

• 76% of respondents were responsible for safeguarding sensitive data within SaaS applications.
• 45% of respondents struggled to secure user activity within those same apps.

While convenient for the business function team members, each application in your tech stack introduced a new set of data protection challenges for IT to address. Not only were IT teams responsible for securing the organization’s data within each app, IT also had to, and still has to, manage user access and permissions to ensure only authorized personnel can access sensitive information.

Even in the face of consolidating tech stacks, you’ll probably agree that SaaS environments are more complex. This brings to the conclusion that the relevant question regarding the top concern is no longer whether securing data in SaaS is difficult. Instead, we should be asking if – and how well – IT has operationalized securing data in SaaS.

Before we get into how IT can improve securing SaaS data, let’s take a deeper dive into the 2024 State of SaaSOps insights

More revealing 2024 State of SaaSOps security insights 

The 2024 data painted a clear picture: SaaS security risk is structural. Across organizations of all sizes, IT teams reported:

• Still large, but consolidating SaaS portfolios: Average number of apps declined 14% from 2022 peak
• Limited visibility into OAuth-connected apps: Maintaining compliance and security requires constant vigilance over the entire SaaS environment. Connecting your SaaS applications to external tools creates a complex web of interactions. Each integration point is a potential security hole that needs to be carefully monitored and secured
• Widespread misconfigurations and overprovisioned access: Improper configurations of your SaaS tools and inadequate access controls can be like leaving the front door wide open. Hackers can easily exploit these weaknesses to gain access to sensitive data.
• Sensitive data leakage and manual remediation workflows: With both external attacks and insider threats to contend with, 60% of IT teams are trapped in manual tasks with no automated remediation.
• Persistent shadow IT: Unsanctioned applications, those used outside of IT’s approval, lurk in the shadows. About 65% of apps remain unmanaged by IT, meaning, these tools can introduce unknown vulnerabilities and compliance risks.
• Overworked IT: Shrinking ratio of IT professionals to users (1:95)

These State of SaaSOps security insights showed that while SaaS adoption accelerates productivity, it simultaneously increases risk exposure.

Four reasons why securing data in SaaS is still so complex 

Despite stronger awareness and better tooling, securing data in SaaS remains a top IT challenge for several structural reasons that keep SaaS security risks elevated.

1. AI and OAuth expand the attack surface

Modern SaaS ecosystems are deeply interconnected. CRM systems sync with marketing automation tools, HR platforms integrate with identity providers, and collaboration apps connect across departments. Additionally, AI-powered SaaS tools now integrate directly into core systems like Microsoft 365, Google Workspace, Salesforce, and Slack. Many of these apps request broad API scopes, including read/write permissions to sensitive files and datasets.

OAuth-based integrations introduce risks that traditional endpoint or network controls cannot mitigate. If improperly governed, these integrations create invisible pathways to sensitive data.

This evolution reinforces one of the most important SaaS security insights from the 2024 report: visibility alone isn’t enough, and control must be continuous. This is impossible without automation.

2. Inadequate identity governance

SaaS environments are identity-driven, so a compromised account with excessive privileges can expose far more data than a misconfigured firewall ever could. Even though most IT teams should know this by now, overprivileged users remain all too common across organizations. 

The culprit? Role changes, internal transfers, and most of all, project-based access. What is supposed to be a temporary boost in permissions ends up as privilege creep that can stick around longer than the user who has them.

Securing data in SaaS, therefore, depends heavily on an organization’s identity governance. It relies on:

• Least privilege enforcement
• Automated role adjustments
• Continuous access reviews
• Rapid deprovisioning during offboarding

Security failures increasingly are rooted in identity mismanagement of these critical aspects of governance.

3. Expanding compliance requirements

Regulations such as GDPR, SOC 2, HIPAA, CCPA, and emerging global privacy frameworks require stricter oversight of SaaS-stored data. Organizations must demonstrate:

• Access controls
• Data retention policies
• Audit logging
• Incident response processes
• Vendor risk assessments

Compliance has now become a continual process, as opposed to a one-time event. This dramatically raises the bar for securing data in SaaS environments.

4. Manual processes cannot scale to secure data in SaaS

These BetterCloud 2024 State of SaaSOps security insights made one reality clear: since 50% of IT departments take more than 24 hours to offboard departing employees, manual remediation slows response time and increases risk. 

When IT teams rely on tickets to immediately suspend identity provider access, revoke admin privileges, or audit app access, they introduce delay into the critical control mechanisms for securing data in SaaS apps.

In a SaaS ecosystem where permissions change daily, reactive security models cannot keep pace.

How can IT strengthen SaaS security?

We’ve moved beyond answering why SaaS security matters to the relevant one: how can IT strengthen SaaS security in a way that scales? 

The answer for most organizations today lies in following best practices for SaaS management, including automation, visibility, and governance alignment.

1. Move from visibility to enforcement

While discovery tools help identify unsanctioned apps and shadow IT before risk escalates. using automation for enforcement is nothing short of transformational.

IT teams must implement automated guardrails that:

• Monitor for risky settings like public file links or inactive admin accounts
• Revoke unauthorized external file sharing
• Detect and remove risky OAuth grants
• Automatically downgrade excessive admin roles
• Trigger alerts for policy violations

Automation allows IT to correct vulnerabilities to prevent exploitation, which simply isn’t possible any other way.

2. Centralize SaaS governance

The most mature organizations align IT, security, compliance, and business leaders under a shared SaaSOps governance model. This ensures SaaS adoption is both agile and secure.

Effective SaaS operations programs unify:

• Application inventory
• Identity management with multi-factor authentication
• Data sharing controls
• Lifecycle automation
• Security monitoring

Organizations implementing these measures report stronger security posture, faster audits, and improved operational efficiency.

3. Operationalize least privilege access

Least privilege access reviews cannot be a quarterly exercise. Instead, it must be continuously monitored. Organizations that operationalize access control:

• Always align permissions with job roles
• Automate access changes during internal transfers
• Conduct ongoing entitlement reviews
• Eliminate dormant accounts

This reduces security risks and prevents potentially costly data exposure.

4. Automate user lifecycle management to integrate security with IT operations

One of the defining 2024 State of SaaSOps security insights is that security cannot operate in isolation. It must work hand-in-hand with operations.

Automating user lifecycle management, including onboarding, role changes, and offboarding ensures that permissions are granted appropriately and revoked immediately when no longer needed. This significantly reduces dormant account risk and keeps data safe.

5. Add SaaS security tools and follow SaaS security best practices

Encrypt data at rest and in transit to render it unreadable even if intercepted by malicious actors. This ensures an extra layer of protection for your most sensitive information.

Adding SaaS management platforms, Cloud Access Security Brokers (CASBs) or SaaS Security Posture Managers (SSPMs) into your IT stack can also help. With these tools, you can gain deeper visibility and control over data flow across your SaaS ecosystem. Additionally, partnering with security experts specializing in SaaS environments can provide valuable insights and guidance.

6. Eliminate financial and operational impacts of SaaS security gaps

Another important SaaS security insight from the 2024 State of SaaSOps report is that security cannot operate in isolation.

Security gaps can result in:

• Regulatory fines
• Reputational damage
• Data breach response costs
• Lost customer trust
• Productivity disruptions

Even minor SaaS misconfigurations can expose thousands of records. Because SaaS apps often store customer, employee, and financial data, the stakes are high.

Beyond direct financial impact, IT teams also face burnout from manual remediation processes. Automation not only reduces risk but also improves team sustainability.

State of SaaS security insights: what the data says for the future

As we move into the last part of the decade, since 2024, we’ve seen:

• Automation adoption increase
• Executive oversight expansion
• Security budgets better reflect SaaS dependency
• Zero-trust principles applied to SaaS environments

Looking ahead, we believe regulatory scrutiny around data governance will intensify, and identity-centric security will continue to be non-negotiable. 

But as much as IT has consolidated SaaS apps, and brought more apps under IT management, AI-powered app adoption will accelerate. 

Such acceleration only means one thing: SaaS environments will remain fragmented and difficult to secure, making it harder than ever to prevent data leakage. To contain such SaaS security risks, we see a few emerging trends. 

First, artificial intelligence will emerge to identify anomalies, suspicious sharing behavior, and unusual access patterns across SaaS platforms. Second, AI will make SaaS security tools easier than ever to use for IT. Third, security reviews will eventually get embedded into procurement processes and workflows, reducing SaaS security risks before apps are even adopted.

So is securing data in SaaS still a top IT challenge in 2026?

At BetterCloud, we believe that yes, it is. However, we believe that what’s changed is the central challenge. It’s no longer simply a challenge of awareness, but one of execution.

The organizations succeeding today are not eliminating SaaS risk. Instead, they are managing it intelligently with the right people, robust policies and governance, powerful IT tools, and automated guardrails.

By leveraging the insights from the canonical BetterCloud State of SaaS report series, applying modern SaaS management frameworks and technologies, IT leaders are strengthening resilience to empower sustainable, compliant, and secure AI adoption.

Ready to learn trends that shape SaaS security and management? Check out the 2024 State of SaaSOps Report or download and dig into BetterCloud’s 2025 State of SaaS now. 

Editor’s Note: This deep dive of security challenges in the 2024 State of SaaSOps was updated to include a contemporary perspective