In a new study on software-as-a-service (SaaS) adoption, Forrester Research reported the majority of IT decision-makers have a false sense of comfort with existing controls for SaaS security. The study also revealed many organizations view "shadow IT" practices, IT solutions deployed without the approval or involvement of an organization's IT department, as problems that are "here to stay and cannot be ignored."

Forrester noted 43 percent of respondents said they believed shadow IT practices were major threats to their respective organizations. In addition, 46 percent of respondents said they believed SaaS providers make unrealistic or overstated claims.

"To securely implement SaaS products and take full advantage of the benefits they afford, it's not enough to know what threats and vulnerabilities this delivery and consumption model presents. It's also critical to hold a firm understanding of which party is responsible in the event of a breach," Forrester said. "The combination of this new technology and its unique vendor-customer relationship, however, makes this easier said than done."

Other study findings included:

  • 79 percent of IT professionals said their organizations use SaaS, and 92 percent of respondents said they believed their existing security controls were either effective or very effective in protecting their digital assets in SaaS applications.
  • 79 percent of respondents erroneously considered end users to be the top group responsible for cloud services provider (CSP) security.
  • 71 percent of respondents claimed to completely or mostly understand the division of security control responsibility as stipulated by their SaaS provider contracts.
  • Researchers said the majority of respondents put faith in their legacy controls, but many of these controls were "outdated perimeter protections" such as firewalls and virtual private networks (VPNs).

So what are the best ways for organizations to protect their digital assets? Forrester offered the following recommendations:

  • Evaluate protection gaps - By reviewing SaaS provider contracts and security capabilities, an organization can make better decisions about its SaaS security investments.
  • Find SaaS-focused solutions - An organization should look beyond its current security portfolio, Forrester said, for SaaS-focused security solutions that are designed to address security gaps.
  • Manage SaaS adoption - According to Forrester, forward-thinking policies and technologies are crucial for an organization that wants to address new and evolving security risks.

In January 2014, SaaS-based security company Adallom commissioned Forrester to conduct the study, which evaluated IT decision-maker attitudes toward security in the context of bring-your-own-device (BYOD) policies, SaaS and shadow IT. The study, "SaaS Adoption Requires a New Approach to Information Security," included responses from 150 IT professionals responsible for information security.