The Cloud Security Alliance (CSA) released The State of SaaS Security Report: Trends and Insights for 2025-2026. This research examines the current state of SaaS security in an attempt to uncover challenges and explore how organizations are securing and managing their SaaS environments.
The report – which was commissioned by SaaS security vendor Valence Security – underscored the urgency for organizations to shift their SaaS security to a more unified, purpose-built approach.
SaaS security strategies cannot keep pace with the growing complexity of the SaaS landscape, remaining fragmented, reactive and incomplete. Despite heightened awareness of the critical need for strong SaaS security, organizations must move beyond ad-hoc, app-by-app controls, closing the gap between rising investments and actual capabilities by adopting a more unified approach that addresses challenges such as discovery, posture management, threat detection and risk remediation.
“SaaS has become a core part of modern business operations, but securing it remains a moving target,” said Hillary Baron, the report’s lead author and AVP, research, Cloud Security Alliance. “Despite growing investment in and prioritization of SaaS security, there remains an overconfidence in current Saas security strategies. The reality is that distributed adoption, inconsistent tools, and fragmented processes leave critical gaps in visibility, identity management, and third-party access.”
Key findings include:
- SaaS security is a top priority for 86 percent of organizations, with 76 percent noting they are increasing their budgets this year.
- Data oversharing (63 percent) and poor access control (56 percent) continue to expose organizations to risk.
- 79 percent of organizations expressed confidence in their programs, with 55 percent of respondents sharing that employees are adopting SaaS tools without security’s involvement, and 57 percent reporting that they are grappling with fragmented SaaS security administration.
- IAM remains a challenge, with 58 percent of respondents revealing that enforcing proper privilege levels is difficult, and 54 percent lacking automation to police the lifecycle management gaps that contribute to breaches, complicate incident response and leave organizations exposed.
- SaaS-to-SaaS integrations and GenAI tools are expanding the attack surface, leaving 46 percent of organizations struggling to monitor non-human identities, and 56 percent concerned with over-privileged API access.
- Too many organizations are relying on fragmented strategies such as vendor-native tools (69 percent), general-purpose solutions such as CASBs (43 percent) and manual audits (46 percent), resulting in critical gaps across the SaaS environment that will only widen as these systems become more complex.
“The report’s findings reveal a clear shift: SaaS security is no longer an afterthought,” said Valence Security co-founder and CEO, Yoni Shohet. “Organizations are not just recognizing its importance—they’re taking action to improve shadow SaaS discovery, posture management and threat detection. As SaaS adoption accelerates, it’s critical to ensure security strategies evolve in step with increasingly complex and interconnected SaaS ecosystems.”
The survey was conducted online by CSA in January 2025, and received 420 responses from IT and security professionals representing large organizations in various industries and locations. CSA research analysts performed the data analysis and interpretation for this report. Sponsors are CSA corporate members who support the research project’s findings but have no added influence on the content development or editing rights of CSA research.
