GigaOm Radar for SaaS Security Posture Management (SSPM) v1.0

Table of Contents

  1. Executive Summary
  2. Market Categories and Deployment Types
  3. Decision Criteria Comparison
  4. GigaOm Radar
  5. Solution Insights
  6. Analyst’s Outlook
  7. About Paul Stringfellow

1. Executive Summary

Software as a service (SaaS) product offerings have been a major boon to productivity. Teams and businesses have gotten exactly the functionality they need without IT having to reinvent the wheel. As a result, IT has had some heavily repetitive tasks, like email account management, outsourced for a monthly fee, and the corporation is more productive due to reduced time on those repetitive tasks and business units having specialized software that does not require IT intervention day in and day out.

But this productivity comes with a price: SaaS use in an organization is often unmanaged. SaaS solutions are often adopted precisely because IT did not have the resources to solve a time-sensitive problem or because the problem was too small to justify an entire development or implementation project.

IT is often unaware of what is out there in terms of SaaS obligations—and there is a lot of it. The lowest SaaS usage research number we were able to find was an average of over 100 SaaS applications per enterprise. This sounds high, but consider that it covers everything from massive SaaS solutions to the occasional use of SaaS products for simple tasks like file conversion or copyright image detection.

And here’s the real problem: every one of those SaaS applications has information about your company. Many of them have personally identifiable information (PII) about your customers. If an organization uses third-party SaaS software to ship customer rewards or products, then customer PII is also being shipped off.

Given these concerns, organizations must identify and secure the SaaS applications they are using. The first step will have to be discovery. Most enterprises will initially want to implement SaaS security posture management (SSPM) solutions to determine what their specific SaaS footprint is, for both security purposes and accounting purposes. After that, the work of improving the security posture of those SaaS applications can begin.

SSPM helps resolve ownership and access issues and extends security policies and compliance to SaaS solutions. Some organizations track SaaS via accounting, others via spreadsheets. But if SaaS usage is a one-off billed via expenses, for example, it may not be caught in an accounting check. If a business unit does not tell IT it is using a given solution, the spreadsheet is out of date.

SSPM tools offer multiple avenues for creating an inventory and then enable direct support for securing SaaS, whether it’s mission critical or for only occasional use.

This is our first year evaluating the SSPM space in the context of our Key Criteria and Radar reports. This GigaOm Radar report examines 17 of the top SSPM solutions in the market and compares offerings against the capabilities (table stakes, key features, and emerging features) and nonfunctional requirements (business criteria) outlined in the companion Key Criteria report. Together, these reports provide an overview of the category and its underlying technology, identify leading SSPM offerings, and help decision-makers evaluate these solutions so they can make a more informed investment decision.

GIGAOM KEY CRITERIA AND RADAR REPORTS

The GigaOm Key Criteria report provides a detailed decision framework for IT and executive leadership assessing enterprise technologies. Each report defines relevant functional and nonfunctional aspects of solutions in a sector. The Key Criteria report informs the GigaOm Radar report, which provides a forward-looking assessment of vendor solutions in the sector.