
Top 5 Data Sharing Risks in SaaS Compliance

By The Reform Team

Data sharing in SaaS platforms introduces risks that can lead to security breaches, compliance failures, and financial losses. Here's what you need to know:

  • Public Sharing Risks: Open links and external sharing bypass security controls, exposing sensitive data.
  • OAuth and Third-Party Apps: Over-permissioned integrations and stale tokens create vulnerabilities.
  • Non-Human Identities: API keys and service accounts often have excessive, unmanaged permissions.
  • Insider Threats: Employees with access can exfiltrate data, especially before leaving a company.
  • Misconfigurations: Poor settings and configuration drift are common causes of SaaS security incidents.

Both SOC 2 and ISO 27001 frameworks can help mitigate these risks through access controls, regular audits, and automated monitoring. The key is to implement continuous compliance practices, ensuring that your controls work effectively over time.

Gartner has long projected that, through 2025, 99% of cloud security failures will be the customer's fault: misconfigurations and weak access controls rather than provider flaws.

To protect your SaaS environment, focus on monitoring permissions, securing integrations, managing non-human identities, and addressing insider threats proactively.


1. Public Sharing and External Exposure

When employees set document permissions to "anyone with a link," they create an unmanaged entry point: the link itself is the only credential, so anyone who obtains it, whether by forwarding, by a paste into a chat or ticket, or because it was indexed after being posted somewhere public, gets in without authenticating. Such links often remain active long after the collaboration ends. Research shows that 94% of external shares go inactive over time, and that 46% are sent to personal email accounts, bypassing enterprise security measures.

The issue goes beyond forgotten links. Employees may bypass access restrictions by sharing corporate data with personal Gmail or Yahoo accounts, stripping away the enterprise-grade security measures. This creates blind spots in data governance. Additionally, third-party collaborators might share access with their own vendors - introducing fourth parties who likely haven't undergone your organization's security risk assessments.

"Files stored in SaaS applications retain their sharing permissions indefinitely... This is not only bad business practice – it significantly increases the amount of sensitive data vulnerable to exfiltration by malicious actors."

  • Corey O'Connor, Director of Product Marketing, DoControl

The numbers highlight the urgency: 58% of organizations reported at least one SaaS-related security incident in the past year.

Impact on Compliance (SOC 2 and ISO 27001)

This kind of exposure directly undermines critical compliance standards like SOC 2 and ISO 27001. For instance, public sharing threatens SOC 2's Confidentiality and Privacy criteria, which require evidence that customer data is protected from unauthorized access. SOC 2 demands more than just written policies - it requires proof that safeguards are continuously validated and functioning as intended.

ISO 27001, together with ISO 27018 (the code of practice for protecting PII in public clouds), adds roughly 25 additional controls aimed at personally identifiable information in cloud environments. These include technical isolation of customer data and prevention of accidental leaks into external systems like marketing or analytics tools. ISO 27018 also requires the provider to disclose where data is processed and to give advance notice of changes to data residency, which matters when a SaaS provider replicates data across regions, sometimes within hours of it being written.

Likelihood of Occurrence

This risk is widespread. 60% of IT managers cite governance and compliance as a major challenge when dealing with SaaS platforms. The "anyone with a link" setting is often the default or the easiest option for busy teams, making it a common choice. Without automated monitoring, these vulnerabilities can quietly proliferate across your SaaS environment.

The good news? Mitigation strategies aligned with SOC 2 and ISO 27001 can help address these risks effectively.

Mitigation Strategies Under SOC 2

SOC 2 favors continuous monitoring over manual checks. Automated alerts that fire when a control deviates from its expected state turn each permission change into an actionable compliance signal, and each alert, with its timestamp and the action taken, doubles as evidence that the control operated during the audit period.

To reduce risk:

  • Use automated tools to revoke sharing links after a set period of inactivity.
  • Perform regular permission audits to identify and address overexposed PII in public areas like Slack channels or shared folders.
  • Link every access control to specific audit windows, providing proof that safeguards are functioning as intended.
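Here is what such an audit looks like in code. This is an added example, not the post's or any vendor's tooling: it runs over a constructed, Google Drive-style permission inventory so it executes offline. In production the records would come from the SaaS provider's files and permissions API or an SSPM export; the field names, the corporate domain example.com, the list of consumer mail domains and the 30-day idle threshold are assumptions.

```python
"""Audit file-sharing permissions for public and external exposure.

Added example (not from the original post). The inventory below is
constructed to mirror the shape of a Drive file with its permissions
list and last-activity timestamp; field names are assumptions.
"""
from datetime import datetime, timezone

CORP_DOMAIN = "example.com"          # assumption: the organization's own domain
MAX_IDLE_DAYS = 30                   # revoke public links idle longer than this
NOW = datetime(2026, 1, 15, tzinfo=timezone.utc)  # fixed clock for deterministic results
PERSONAL_MAIL = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}

# Constructed sample inventory (not real data).
FILES = [
    {"id": "f1", "name": "Q4-board-deck.pdf", "last_activity": "2025-10-01T09:00:00Z",
     "permissions": [
         {"id": "p1", "type": "anyone", "role": "reader"},                        # forgotten public link
         {"id": "p2", "type": "user", "role": "owner", "email": "cfo@example.com"}]},
    {"id": "f2", "name": "customer-list.csv", "last_activity": "2026-01-14T16:30:00Z",
     "permissions": [
         {"id": "p3", "type": "user", "role": "writer", "email": "me@gmail.com"},  # personal account
         {"id": "p4", "type": "user", "role": "owner", "email": "sales@example.com"}]},
    {"id": "f3", "name": "onboarding-guide.docx", "last_activity": "2026-01-10T08:00:00Z",
     "permissions": [
         {"id": "p5", "type": "domain", "role": "reader", "domain": "example.com",
          "allowFileDiscovery": True},                                             # internal, fine
         {"id": "p6", "type": "anyone", "role": "reader"}]},                       # public but in active use
    {"id": "f4", "name": "vendor-soc2.pdf", "last_activity": "2025-12-20T12:00:00Z",
     "permissions": [
         {"id": "p7", "type": "user", "role": "reader", "email": "audit@vendor.io"},   # external vendor
         {"id": "p8", "type": "domain", "role": "writer", "domain": "partner.net"}]},  # whole external domain
]


def _parse(ts):
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def classify_permission(perm):
    """Return an exposure class for one permission entry, or None if it is internal."""
    if perm["type"] == "anyone":
        return "public_link"
    if perm["type"] == "domain":
        return None if perm["domain"].lower() == CORP_DOMAIN else "external_domain"
    if perm["type"] == "user":
        domain = perm["email"].rsplit("@", 1)[-1].lower()
        if domain == CORP_DOMAIN:
            return None
        # A consumer mail provider means a personal account rather than a vendor.
        return "personal_account" if domain in PERSONAL_MAIL else "external_user"
    return "unknown"


def audit_shares(files, now=NOW, max_idle_days=MAX_IDLE_DAYS):
    """Produce one finding per externally exposed permission.

    Action is 'revoke' for public links idle past the threshold and for
    personal accounts, 'review' for every other external grant.
    """
    findings = []
    for f in files:
        idle_days = (now - _parse(f["last_activity"])).days
        for perm in f["permissions"]:
            exposure = classify_permission(perm)
            if exposure is None:
                continue
            if exposure == "public_link" and idle_days > max_idle_days:
                action = "revoke"
            elif exposure == "personal_account":
                action = "revoke"
            else:
                action = "review"
            findings.append({"file": f["id"], "name": f["name"], "permission": perm["id"],
                             "exposure": exposure, "role": perm["role"],
                             "idle_days": idle_days, "action": action})
    # Revocations first, and among them writers before readers.
    return sorted(findings, key=lambda x: (x["action"] != "revoke", x["role"] != "writer"))


if __name__ == "__main__":
    for fnd in audit_shares(FILES):
        print(f"{fnd['action']:6} {fnd['exposure']:16} {fnd['name']} "
              f"({fnd['role']}, idle {fnd['idle_days']}d)")
```

The revoke decisions are the ones an SSPM tool would execute automatically; the review items (an external vendor, a partner domain with write access, a public link that is still being used) are what a quarterly permission audit should put in front of the data owner.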

Mitigation Strategies Under ISO 27001

Strengthen access controls with features like role-based permissions, multi-factor authentication (MFA), and privileged access management (PAM). Configure monitoring tools to mask sensitive PII in logs.

Additionally:

  • Enforce data residency controls to track data movement between regions, ensuring compliance with geographic restrictions.
  • Integrate privacy impact assessments (PIAs) into the development lifecycle of new SaaS features to evaluate potential exposure risks before launch.
  • Leverage cloud-native tools like "S3 Block Public Access" and automate remediation to ensure these settings are re-enabled if disabled.

2. OAuth and Third-Party App Integrations

When employees grant access to third-party apps, they create long-lived credentials that sit outside the normal login path. OAuth access and refresh tokens are bearer credentials: whoever holds one can use it, and the API accepting it does not re-check MFA or the SSO session that was used to approve the grant. Unless the grant is revoked or the refresh token expires, these tokens keep working for months or years.

The scale of the issue is staggering. On average, organizations manage 847 OAuth tokens, with 23 integrations having excessive permissions and 3 stale admin tokens per deployment. Over half of these connected apps are installed by end users, not IT departments, resulting in unauthorized integrations that sidestep centralized control.

"The modern SaaS ecosystem creates inherent risks, as it allows for third-party providers to gain access to a business through a maze of SaaS-to-SaaS integrations."

A real-world example is the Salesloft Drift incident of August 2025. Attackers used OAuth tokens stolen from the Drift integration to pull data from the Salesforce environments of hundreds of customer organizations (more than 700 by public reports). Because the tokens were valid bearer credentials, Salesforce's own MFA was never in the path. The attackers then searched the exfiltrated support-case data for secrets such as AWS access keys and passwords. This shows how a breach at one vendor cascades through every customer that trusted its integration.

Impact on Compliance (SOC 2 and ISO 27001)

OAuth misconfigurations amplify data-sharing risks within SaaS platforms, complicating compliance with frameworks like SOC 2 and ISO 27001. For instance, SOC 2's Access Control criteria require access to be revoked when employment ends. However, OAuth tokens often remain active even after users are deprovisioned. Similarly, the Confidentiality criteria demand protection against unauthorized access, yet 85% of SaaS environments include over-privileged identities.

ISO 27001's Supplier Relationships controls mandate ongoing vendor risk assessments, but traditional evaluations may fail to detect when trusted integrations start behaving suspiciously. Additionally, OAuth activity often occurs at the API level, where many security tools struggle to provide visibility.

Likelihood of Occurrence

For organizations using modern SaaS tools, this risk is almost unavoidable. Misconfigurations and excessive permissions contribute to over half of all SaaS security breaches. OAuth's ease of use often leads employees to approve integrations without fully understanding the permissions they grant. Developers may also request broad access scopes (e.g., "read and write all data") to avoid errors, violating the principle of least privilege required by SOC 2 and ISO 27001. These vulnerabilities underscore the need for strong preventative measures.

Mitigation Strategies Under SOC 2

  • Maintain a real-time inventory of OAuth tokens, including details on their scopes, users, and last-used dates. Automate the revocation of tokens during employee offboarding to prevent lingering "zombie" tokens.
  • Use behavioral monitoring to spot unusual token activity, such as unexpected spikes in API calls, which could signal compromised integrations.

Mitigation Strategies Under ISO 27001

  • Require a security review for new integrations through an approval workflow, reducing risks associated with Shadow IT.
  • Conduct quarterly access reviews to identify and revoke outdated connections, and routinely audit integrations to minimize overly broad permissions.
  • Implement refresh token rotation with reuse detection, require PKCE on the authorization code flow, and compare redirect URIs by exact string match rather than by prefix or pattern, so that a stolen authorization code cannot be delivered to an attacker-controlled URI. These are the recommendations of RFC 9700 (OAuth 2.0 Security Best Current Practice, published January 2025).
  • Verify that integration partners can produce a current SOC 2 Type II report or ISO 27001 certificate, and keep monitoring their security posture after onboarding rather than treating the document as a one-time gate.
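The two server-side controls named above, as an added example that is not the post's code nor any authorization server's real implementation: an in-memory fragment that shows why prefix matching of redirect URIs is unsafe next to the exact-match check, and refresh-token rotation in which presenting a superseded token is treated as theft and revokes the whole grant. The client ID, URIs and token store are constructed.

```python
"""Two RFC 9700 (OAuth 2.0 Security BCP) server-side checks.

Added example, not from the original post. An in-memory authorization
server fragment showing (1) exact-string redirect_uri matching instead of
prefix matching and (2) refresh-token rotation with reuse detection.
Client registration, URIs and the token store are constructed.
"""
import secrets
from dataclasses import dataclass, field

# Constructed client registration (assumption). RFC 9700 requires registered
# redirect URIs to be compared by simple string comparison.
REGISTERED_REDIRECTS = {
    "crm-integration": {"https://app.example.com/oauth/callback"},
}


def redirect_uri_allowed_prefix(client_id, redirect_uri):
    """The weak check: prefix matching. Anything under the registered path,
    such as an open redirect, can be used to receive the authorization code."""
    return any(redirect_uri.startswith(u) for u in REGISTERED_REDIRECTS[client_id])


def redirect_uri_allowed(client_id, redirect_uri):
    """The hardened check: exact string comparison against registered URIs."""
    return redirect_uri in REGISTERED_REDIRECTS[client_id]


@dataclass
class Grant:
    """One authorization (user x client). Every refresh token ever issued for
    it forms a family; only the newest member is valid."""
    client_id: str
    user: str
    scopes: tuple
    current_refresh: str
    revoked: bool = False
    seen: set = field(default_factory=set)


class TokenStore:
    def __init__(self):
        self._by_token = {}     # refresh token string -> Grant (old tokens stay mapped)

    def issue(self, client_id, user, scopes):
        rt = secrets.token_urlsafe(32)
        grant = Grant(client_id, user, tuple(scopes), rt)
        grant.seen.add(rt)
        self._by_token[rt] = grant
        return rt

    def refresh(self, presented):
        """Rotate: return (new_refresh_token, error). Presenting a superseded
        token means a stale copy exists somewhere, so the whole grant is revoked."""
        grant = self._by_token.get(presented)
        if grant is None or grant.revoked:
            return None, "invalid_grant"
        if presented != grant.current_refresh:
            grant.revoked = True            # reuse detection, per RFC 9700
            return None, "invalid_grant: reuse detected, grant revoked"
        new_rt = secrets.token_urlsafe(32)
        grant.current_refresh = new_rt
        grant.seen.add(new_rt)
        self._by_token[new_rt] = grant
        return new_rt, None

    def is_active(self, token):
        grant = self._by_token.get(token)
        return grant is not None and not grant.revoked and token == grant.current_refresh


def demo():
    """Run both checks end to end and return the observations."""
    attacker_uri = "https://app.example.com/oauth/callback/../../redirect?to=https://evil.example"
    store = TokenStore()
    rt1 = store.issue("crm-integration", "alice@example.com", ["contacts.read"])
    rt2, err1 = store.refresh(rt1)          # legitimate rotation: rt1 is now superseded
    _, err2 = store.refresh(rt1)            # stale token replayed, e.g. a stolen copy
    return {
        "prefix_check_accepts_attacker_uri": redirect_uri_allowed_prefix("crm-integration", attacker_uri),
        "exact_check_accepts_attacker_uri": redirect_uri_allowed("crm-integration", attacker_uri),
        "first_rotation_ok": err1 is None and rt2 is not None,
        "reuse_detected": err2 is not None and "reuse" in err2,
        "rt2_still_active_after_reuse": store.is_active(rt2),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Revoking the whole family on reuse costs the legitimate client one re-authorization, which is the price RFC 9700 accepts for making a stolen refresh token unusable for more than one hop.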

3. Non-Human Identities and Excessive Permissions

Non-human identities (NHIs) - like API keys, service accounts, OAuth tokens, and container credentials - outnumber human users by a staggering ratio of 45:1 to 80:1. These machine identities are essential for automating workflows, running microservices, and enabling AI agents. However, they often operate under the radar of security teams. Unlike human accounts, which are tied to HR systems and monitored more closely, NHIs usually lack multi-factor authentication and can remain active indefinitely, creating potential vulnerabilities for data breaches.

The scale of the issue is hard to ignore: 95% of cloud principals have more permissions than they actually need, and 89% of organizations face challenges in managing secrets like API keys at scale. This over-permissioning can lead to "Shadow Admin" privileges - temporary elevated access that becomes permanent and untracked, granting attackers a way to exploit sensitive systems. Such unchecked permissions also pose serious hurdles for compliance efforts.

Real-World Examples of NHI Breaches

In January 2024, Microsoft disclosed a breach by the Russian state actor Midnight Blizzard that ran through non-human credentials. The attackers password-sprayed a legacy, non-production test tenant account that lacked MFA, then used its permissions to reach a legacy test OAuth application with elevated access to Microsoft's corporate environment; from there they granted themselves Exchange Online mailbox access and read email belonging to senior leadership and security staff. Similarly, after the October 2023 Okta compromise, Cloudflare rotated more than 5,000 production credentials but missed one service token and three service-account credentials; in November 2023 an attacker used them to reach Cloudflare's Atlassian environment, including internal documentation and source code.

Compliance Challenges (SOC 2 and ISO 27001)

Excessive permissions complicate compliance with standards like SOC 2 and ISO 27001. SOC 2's Common Criteria CC6.1 emphasizes enforcing least privilege for all identities, including non-human ones. But when service accounts have broad permissions across systems, proving separation of duties becomes difficult. ISO 27001's Control A.5.16 requires formal lifecycle management for both human and non-human identities, yet traditional identity and access management (IAM) systems struggle to handle the transient nature of container credentials or AI tokens.

"SaaS moves enforcement points outside your perimeter, so the practical scope shifts to identities, entitlements, and proof that controls work in production."

PCI DSS v4.0 Requirement 8.6.2 prohibits hard-coding passwords for application and system accounts in scripts, configuration files, or custom code, and Requirement 8 more broadly demands that every account, human or not, be uniquely identifiable. Auditors routinely flag hard-coded API keys or over-permissioned service accounts, which surface as exceptions in SOC 2 reports or nonconformities in ISO 27001 audits.

Likelihood of Occurrence

The risk of compromised NHIs is widespread. One in five organizations has experienced a security incident stemming from compromised machine identities, and only 44% of developers follow best practices for securing NHIs. The ease of creating API keys, combined with the complexity of managing permissions in multi-tenant SaaS environments, leads to unchecked accumulation of access rights over time.

Mitigation Strategies Under SOC 2

To reduce these risks, implement automated lifecycle management for NHIs. This includes:

  • Enforcing strict rotation schedules for credentials.
  • Aligning permissions with actual usage patterns.
  • Conducting quarterly entitlement reviews to maintain accurate audit trails, as required by SOC 2's CC6.2 and CC6.3.

Use Privileged Access Management (PAM) to grant just-in-time privileges, ensuring minimal exposure. Additionally, log all API calls and NHI actions into a SIEM system to make access decisions auditable and transparent.
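The inventory-and-usage review described for OAuth tokens in the previous section and for NHIs here reduces to the same computation: granted permissions minus exercised permissions, plus a last-used date and a check that the owner still exists. The following added example (not from the original post) performs that review over a constructed inventory and access log; the field names, the 90-day staleness threshold, the admin-scope list and the HR feed of active users are assumptions.

```python
"""Right-size non-human identity permissions from observed usage.

Added example, not from the original post. Compares what each API key,
service account or OAuth grant may do with what it has actually done
(from a constructed access log) and flags unused scopes, stale
credentials and credentials whose owner has been deprovisioned.
"""
from collections import defaultdict
from datetime import datetime, timezone

NOW = datetime(2026, 1, 15, tzinfo=timezone.utc)
STALE_DAYS = 90                                   # unused this long -> finding
ADMIN_SCOPES = {"admin:*", "iam:*", "users:write"}  # assumption: privileged scopes

# Constructed inventory (SSPM/IAM export shape; field names are assumptions).
IDENTITIES = [
    {"id": "svc-billing", "kind": "service_account", "owner": "bob@example.com",
     "granted": {"invoices:read", "invoices:write", "users:write"}},
    {"id": "key-ci-deploy", "kind": "api_key", "owner": "ci-platform",
     "granted": {"deploy:write", "admin:*"}},
    {"id": "oauth-slack-export", "kind": "oauth_grant", "owner": "carol@example.com",
     "granted": {"files:read", "channels:read"}},
]
ACTIVE_USERS = {"bob@example.com", "ci-platform"}   # constructed HR feed: carol has left

# Constructed access log: (identity, scope exercised, timestamp).
ACCESS_LOG = [
    ("svc-billing", "invoices:read", "2026-01-14T02:00:00Z"),
    ("svc-billing", "invoices:write", "2026-01-13T02:00:00Z"),
    ("key-ci-deploy", "deploy:write", "2026-01-14T11:20:00Z"),
    ("oauth-slack-export", "files:read", "2025-09-01T09:00:00Z"),
]


def _parse(ts):
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def summarize_usage(log):
    """Map identity -> set of scopes used, and identity -> last-seen time."""
    used, last_seen = defaultdict(set), {}
    for ident, scope, ts in log:
        used[ident].add(scope)
        t = _parse(ts)
        if ident not in last_seen or t > last_seen[ident]:
            last_seen[ident] = t
    return used, last_seen


def review(identities=IDENTITIES, log=ACCESS_LOG, active_users=ACTIVE_USERS, now=NOW):
    """Return findings per identity plus the minimal scope set that usage supports."""
    used, last_seen = summarize_usage(log)
    findings = {}
    for ident in identities:
        iid = ident["id"]
        unused = ident["granted"] - used.get(iid, set())
        seen = last_seen.get(iid)
        idle = (now - seen).days if seen else None
        issues = []
        if ident["owner"] not in active_users:
            issues.append("orphaned: owner deprovisioned")
        if idle is None or idle > STALE_DAYS:
            issues.append(f"stale: unused for {idle if idle is not None else 'all'} days")
        if unused & ADMIN_SCOPES:
            # Unused privileged scope is the most valuable finding: pure attack surface.
            issues.append(f"unused admin scope(s): {sorted(unused & ADMIN_SCOPES)}")
        elif unused:
            issues.append(f"unused scope(s): {sorted(unused)}")
        findings[iid] = {
            "kind": ident["kind"],
            "issues": issues,
            "recommend_revoke": ident["owner"] not in active_users,
            "recommended_scopes": sorted(ident["granted"] - unused),
        }
    return findings


if __name__ == "__main__":
    for iid, f in review().items():
        print(iid, f["recommended_scopes"], "REVOKE" if f["recommend_revoke"] else "", *f["issues"], sep=" | ")
```

The recommended scope set is what the quarterly entitlement review should reduce each credential to; the orphaned grant is the "zombie" token case, and the right answer there is revocation rather than trimming.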

Mitigation Strategies Under ISO 27001

Building on SOC 2 measures, ISO 27001 compliance can benefit from:

  • Centralized discovery tools to maintain an up-to-date inventory of NHIs across multi-cloud and SaaS environments. This supports A.5.16 (Identity management), which covers the full lifecycle of identities, by eliminating orphaned or unmanaged ones.
  • Adopting Policy-as-Code to define and enforce consistent access policies for NHIs. This enables version control and automated testing.
  • Replacing static, long-lived credentials with short-lived, ephemeral ones to minimize the impact of a breach.
  • Establishing baseline behavior for NHIs and setting up automated alerts for anomalies, such as unexpected access patterns or activity during unusual hours. This supports A.8.2 (Privileged access rights) and A.8.16 (Monitoring activities).

4. Insider Threats and Data Exfiltration

Insider threats take advantage of loose controls. Unlike external attackers, insiders already have legitimate access to systems and data, making their actions harder to detect. Often, data exfiltration looks like routine work - downloading files, sharing links, or transferring information to personal accounts. Common scenarios include employees taking data before leaving a company, accidental sharing via personal email or public links, and users with excessive permissions.

"Data rarely leaks where it's stored, it leaks when it's shared."

  • Melissa Garcia, Senior Marketing Manager, DoControl

Studies of insider cases consistently find that departing employees who take data start weeks before their last day, so revoking access on the way out is often too late. In 2026, insider exfiltration increasingly runs through collaboration tools, sharing a Google Drive link or pasting sensitive information into Slack, rather than through traditional attack methods. Generative AI assistants such as Gemini or Copilot add another path: they answer with whatever the asking user's permissions already reach, so files overshared through inherited folder permissions surface as query results to people who should never have seen them.

Impact on Compliance (SOC 2 and ISO 27001)

Insider threats are a key focus of both SOC 2 and ISO 27001. SOC 2's Security Trust Services Criteria mandate controls to prevent unauthorized data access and disclosure. ISO 27001:2022 addresses insider threats through A.5.16 (Identity management), the A.6 people controls (screening, terms of employment, and responsibilities after termination), and A.8.12 (Data leakage prevention), a control new in the 2022 update. Both frameworks rely on identity controls that attribute every action to a specific principal. Auditors typically look for access logs, deprovisioning records, and evidence that anomalies such as bulk downloads or transfers to unauthorized domains are detected and acted on.

Likelihood of Occurrence

Human error plays a major role in data leaks, often involving misdirected emails or incorrect sharing settings. Studies show that half of cloud environments are misconfigured, increasing the chance of breaches. This risk grows with "accumulated risk" - a combination of excessive permissions, broad sharing defaults, and orphaned accounts left active after employees leave. Additionally, physical devices like USB drives and smartphones continue to be common tools for data exfiltration.

Mitigation Strategies Under SOC 2

To counter insider threats, proactive measures are critical. Effective detection requires understanding the context of actions rather than focusing on isolated events. For example, a bulk download might be normal for some roles but becomes a red flag if done by an employee nearing their departure. Automating offboarding processes can ensure immediate access reviews and reduce sensitive data permissions. Role‑based access control (RBAC) helps enforce the principle of least privilege, with regular reviews to adjust permissions as needed. Monitoring bulk activities is also key - treat mass actions as high-risk, even if they fall within a user's normal authorization level. Tools like Cloud Access Security Brokers (CASB) can provide real-time visibility into shadow IT and block unauthorized file downloads.
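Context-aware detection of the bulk-download case above, as an added example that is not part of the original post. It parses a few constructed, Workspace-style audit lines, derives each user's daily download baseline from the prior week, and raises severity when the actor is on an HR departure list or has shared to an outside domain. The log format, the thresholds and the departure list are assumptions.

```python
"""Context-aware bulk-download detection over SaaS audit events.

Added example, not from the original post. A routine high-volume user
(dave) does not alert; a user whose volume spikes, who shares to a personal
address and who has given notice (alice) gets the highest severity.
"""
from collections import Counter, defaultdict
from datetime import date

# Constructed audit log (not real data): date actor action object target
LOG = """
2026-01-05 alice@example.com download old-notes.txt -
2026-01-07 alice@example.com download roadmap.pdf -
2026-01-13 dave@example.com download export1.csv -
2026-01-13 dave@example.com download export2.csv -
2026-01-13 dave@example.com download export3.csv -
2026-01-13 dave@example.com download export4.csv -
2026-01-13 dave@example.com download export5.csv -
2026-01-14 alice@example.com download q1-plan.pdf -
2026-01-14 alice@example.com download q2-plan.pdf -
2026-01-14 alice@example.com download q3-plan.pdf -
2026-01-14 alice@example.com download q4-plan.pdf -
2026-01-14 alice@example.com download pipeline.csv -
2026-01-14 alice@example.com download accounts.csv -
2026-01-14 alice@example.com share accounts.csv alice.p@gmail.com
2026-01-14 dave@example.com download export6.csv -
2026-01-14 dave@example.com download export7.csv -
2026-01-14 dave@example.com download export8.csv -
2026-01-14 dave@example.com download export9.csv -
2026-01-14 dave@example.com download export10.csv -
"""

CORP_DOMAIN = "example.com"
DEPARTING = {"alice@example.com"}   # assumption: HR feed of users who have given notice
MIN_BULK = 5                        # never alert on volume below this many downloads/day
SPIKE_FACTOR = 3.0                  # alert when today >= factor x baseline
TODAY = date(2026, 1, 14)


def parse(log_text):
    """Parse whitespace-separated lines (object names carry no spaces here)."""
    events = []
    for line in log_text.strip().splitlines():
        day, actor, action, obj, target = line.split()
        events.append({"day": date.fromisoformat(day), "actor": actor,
                       "action": action, "object": obj, "target": target})
    return events


def detect(events, today=TODAY, baseline_days=7):
    """Return alerts for `today`, one per actor, highest severity first."""
    per_actor_day = defaultdict(Counter)
    external_shares = defaultdict(list)
    for e in events:
        if e["action"] == "download":
            per_actor_day[e["actor"]][e["day"]] += 1
        elif e["action"] == "share" and e["day"] == today:
            if e["target"].rsplit("@", 1)[-1] != CORP_DOMAIN:
                external_shares[e["actor"]].append((e["object"], e["target"]))

    alerts = []
    for actor, days in per_actor_day.items():
        today_count = days.get(today, 0)
        history = [c for d, c in days.items()
                   if d != today and 0 < (today - d).days <= baseline_days]
        # Baseline is the mean over the actor's active days in the window; an
        # account with no history gets 0 and alerts on volume alone.
        baseline = sum(history) / len(history) if history else 0.0
        spike = today_count >= MIN_BULK and (baseline == 0 or today_count >= SPIKE_FACTOR * baseline)
        if not spike and not external_shares.get(actor):
            continue
        severity, reasons = 1, []
        if spike:
            reasons.append(f"{today_count} downloads vs baseline {baseline:.1f}/day")
        if external_shares.get(actor):
            severity += 1
            reasons.append(f"shared to external: {external_shares[actor]}")
        if actor in DEPARTING:
            severity += 1
            reasons.append("actor on departure list")
        alerts.append({"actor": actor, "severity": severity, "reasons": reasons})
    return sorted(alerts, key=lambda a: -a["severity"])


def demo():
    return detect(parse(LOG))


if __name__ == "__main__":
    for a in demo():
        print(a["severity"], a["actor"], "; ".join(a["reasons"]))
```

The point of the per-actor baseline is the one the paragraph makes: five exports a day is dave's job, so he never alerts, while the same volume from alice is six times her norm and, combined with the departure flag and the share to a Gmail address, lands at the top of the queue.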

Mitigation Strategies Under ISO 27001

ISO 27001 compliance builds on the SOC 2 measures, emphasizing automated workflows and strong monitoring. Data classification is central, since it determines which information requires encryption and tracking. A.8.10 (Information deletion) requires that data be deleted when it is no longer needed, shrinking what a breach can expose. A.8.31 (ISO 27002:2022) requires separating development, testing, and production environments so that production data does not leak into less controlled ones. Managing link-based sharing is another priority: enforce expiration dates and treat public links as findings. Automate remediation to revoke public links, remove external collaborators, or downgrade permissions when risky behavior is detected. Finally, combine MFA with risk-based conditional access to block logins from unexpected locations or suspicious IP addresses.

5. Misconfigurations and Configuration Drift


Misconfigurations rank as the leading security risk in SaaS environments. Issues like public sharing or OAuth missteps compromise both security and compliance. These vulnerabilities often arise from human error - whether it's administrators assuming default vendor settings are secure, teams treating setup as a one-and-done task, or departments managing tools without proper security checks in place. Over time, the problem grows due to configuration drift, where unplanned changes, new integrations, or updates shift the SaaS environment away from its security baseline.

In 2024, more than 70% of SaaS security incidents were tied to misconfigurations. Around 50% of cloud environments are misconfigured in ways that heighten breach risks. The danger often goes unnoticed for weeks or months, as these issues stem from open access or insecure defaults rather than explicit technical exploits. For example, files may inherit permissions from shared folders, or deactivation of accounts may be overlooked.

Impact on Compliance (SOC 2 and ISO 27001)

Both SOC 2 and ISO 27001 treat misconfigurations as failures of essential security requirements. Beyond the breach risk, they complicate audits. SOC 2's Trust Services Criteria demand that controls operate effectively over time, which in practice means system monitoring and anomaly detection that flag configuration changes deviating from the baseline. ISO 27001:2022 introduced A.8.9 (Configuration management), which requires that configurations, including security configurations, of hardware, software, services and networks be established, documented, implemented, monitored and reviewed, so drift must be caught and corrected. Failing to demonstrate proper logging and monitoring can lead to a failed audit, putting the certification or attestation at risk.

Likelihood of Occurrence

Without active oversight, configuration drift is almost unavoidable. Only 43% of organizations maintain continuous or near-real-time monitoring of their SaaS configurations, while 52% still depend on periodic audits, leaving significant gaps for undetected drift. The shared responsibility model adds another layer of complexity: while cloud providers secure the infrastructure, customers are responsible for configuring IAM roles, storage buckets, and encryption settings. Despite 91% of teams showing confidence in their SaaS security, 75% reported SaaS-related incidents in the past year. Manual processes simply cannot keep up with the rapid pace of SaaS updates. This makes automated, continuous controls essential to prevent configuration drift.

Mitigation Strategies Under SOC 2

SOC 2 emphasizes continuous monitoring and automated change management for these weaknesses. A Type II report covers an observation period, typically 3 to 12 months, over which the organization must show its controls operated effectively, which is hard to do from periodic audits alone. Key strategies include:

  • Enforcing CI/CD approvals and using SaaS Security Posture Management (SSPM) platforms for instant alerts on policy violations.
  • Establishing standardized security baselines for critical SaaS applications during onboarding, covering areas like data sharing, multi-factor authentication, and API usage.
  • Automating deprovisioning processes via identity providers to ensure terminated employees lose access promptly, avoiding manual errors.
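Drift detection against a baseline, as an added example that is not from the original post or any SSPM product. A security baseline for a SaaS tenant is compared with the live settings; every deviation is reported with a path, a severity and whether it is covered by a documented, time-boxed exception, and settings marked enforce produce a remediation plan that restores the baseline value. That last step is the pattern behind re-enabling a protective default such as S3 Block Public Access when someone turns it off. The setting names are illustrative assumptions, not any vendor's schema.

```python
"""Detect configuration drift against a security baseline and plan remediation.

Added example, not from the original post. Baseline, exceptions and the
live settings document are all constructed; setting names are assumptions.
"""
import copy
from datetime import date

TODAY = date(2026, 1, 15)

# Baseline: expected value, severity if drifted, whether to auto-revert.
BASELINE = {
    "sharing.allow_anyone_with_link": {"value": False, "severity": "high", "enforce": True},
    "sharing.external_domains_allowlist_only": {"value": True, "severity": "high", "enforce": True},
    "auth.mfa_required": {"value": True, "severity": "critical", "enforce": True},
    "auth.session_max_hours": {"value": 12, "severity": "medium", "enforce": False},
    "api.user_installed_oauth_apps": {"value": "admin_approval", "severity": "high", "enforce": True},
    "logging.audit_retention_days": {"value": 365, "severity": "medium", "enforce": False},
}

# Documented, expiring exceptions: a covered deviation is 'accepted', not drift.
EXCEPTIONS = {
    "auth.session_max_hours": {"until": date(2026, 3, 31), "ticket": "SEC-1234"},
}

# Live tenant settings as a nested document, the way an admin API returns them.
LIVE = {
    "sharing": {"allow_anyone_with_link": True, "external_domains_allowlist_only": True},
    "auth": {"mfa_required": True, "session_max_hours": 24},
    "api": {"user_installed_oauth_apps": "anyone"},
    "logging": {},          # retention setting absent entirely
}

SEVERITY_RANK = {"critical": 3, "high": 2, "medium": 1, "low": 0}


def flatten(doc, prefix=""):
    """Turn nested settings into {'a.b.c': value}."""
    out = {}
    for k, v in doc.items():
        path = f"{prefix}{k}"
        if isinstance(v, dict):
            out.update(flatten(v, path + "."))
        else:
            out[path] = v
    return out


def check_drift(baseline=BASELINE, live=LIVE, exceptions=EXCEPTIONS, today=TODAY):
    """Return (findings, remediation plan). Drift sorts before accepted
    deviations, and higher severity first within each group."""
    flat = flatten(live)
    findings, remediation = [], []
    for path, rule in baseline.items():
        actual = flat.get(path, "<missing>")   # a missing setting is a deviation too
        if actual == rule["value"]:
            continue
        exc = exceptions.get(path)
        status = "accepted" if exc and exc["until"] >= today else "drift"
        findings.append({"path": path, "expected": rule["value"], "actual": actual,
                         "severity": rule["severity"], "status": status,
                         "exception": exc["ticket"] if status == "accepted" else None})
        if status == "drift" and rule["enforce"]:
            remediation.append({"path": path, "set_to": rule["value"]})
    findings.sort(key=lambda f: (f["status"] != "drift", -SEVERITY_RANK[f["severity"]]))
    return findings, remediation


def worst_severity(findings):
    drift = [f["severity"] for f in findings if f["status"] == "drift"]
    return max(drift, key=SEVERITY_RANK.get, default=None)


def apply_remediation(live, plan):
    """Write baseline values back into a copy of the live document, creating
    missing parents so an absent setting can be restored."""
    fixed = copy.deepcopy(live)
    for step in plan:
        node = fixed
        *parents, leaf = step["path"].split(".")
        for p in parents:
            node = node.setdefault(p, {})
        node[leaf] = step["set_to"]
    return fixed


if __name__ == "__main__":
    findings, plan = check_drift()
    for f in findings:
        print(f"{f['status']:8} {f['severity']:8} {f['path']}: expected {f['expected']!r}, got {f['actual']!r}")
    print("remediation:", plan, "worst:", worst_severity(findings))
```

Run on a schedule, the same check produces both the SOC 2 evidence (a timestamped record of every deviation and what was done about it) and the ISO 27001 A.8.9 review; the non-enforced findings are the ones that go to a human, the enforced ones are reverted and logged.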

Mitigation Strategies Under ISO 27001

ISO 27001 mandates a structured, risk-based Information Security Management System (ISMS) with continuous improvement as a core requirement under Clause 10. Effective strategies include:

  • Implementing Policy-as-Code to enforce compliance rules and reduce detection time for configuration errors from weeks to minutes.
  • Integrating automated scanning into infrastructure-as-code workflows to block deployments that could introduce compliance violations.
  • Assigning clear responsibility for each control - such as DevOps for configurations and HR for onboarding - and maintaining detailed audit trails for all cloud activities under control A.8.15.
  • Applying least privilege principles through regular permission reviews, ensuring users and third-party integrations have only the access they need for their roles.

How SOC 2 and ISO 27001 Address Each Risk

SOC 2 vs ISO 27001: How Each Framework Addresses Top 5 SaaS Data Sharing Risks

When it comes to tackling data-sharing risks in SaaS compliance, SOC 2 and ISO 27001 offer complementary approaches. Together, they provide a robust framework for managing and reducing risks effectively.

"SOC 2 proves controls work. ISO 27001 proves you have a systematic, continuously improving security management program." - DSALTA

One of the advantages of these frameworks is their overlap - organizations can reuse 60–70% of controls across both. SOC 2 validates the effectiveness of controls over a set observation period (3–12 months), while ISO 27001 establishes an Information Security Management System (ISMS) for ongoing monitoring and improvement. The summary below, by risk, outlines how each framework addresses it.

Public Sharing & External Exposure
  • SOC 2: CC6.1 (logical access controls, including MFA) and CC7.2 (monitoring of system operations to detect unauthorized exposure)
  • ISO 27001: Clause 6.1.2 (risk assessment to identify exposure points); Annex A controls for information classification and encryption, selected on the basis of that assessment

OAuth & Third-Party Integrations
  • SOC 2: CC9.2 (vendor and business-partner risk management before access is granted)
  • ISO 27001: Clause 8.1 (operational planning and control) and A.5.19 to A.5.23 (supplier relationships and cloud services, with security requirements written into supplier agreements)

Non-Human Identities & Excessive Permissions
  • SOC 2: CC6.1 and CC6.2 (access provisioning and role-based permissions for all identities); CC6.3 (periodic review and removal of excessive permissions)
  • ISO 27001: A.5.15, A.5.16 and A.5.18 (access control, identity management and access rights, covering lifecycle policies for API keys and service accounts, including mandatory rotation)

Insider Threats & Data Exfiltration
  • SOC 2: CC1 (control environment: background checks and ethical standards during employment)
  • ISO 27001: A.6 people controls (security measures during and after employment, such as NDAs and timely access termination) and A.8.12 (data leakage prevention)

Misconfigurations & Configuration Drift
  • SOC 2: CC8.1 (change management with documented procedures for authorized changes and configuration hardening)
  • ISO 27001: Clauses 8 and 9 (operational change control with regular monitoring and internal audit); Clause 10 (nonconformities and corrective action); A.8.9 (configuration management)

Conclusion

SaaS companies face serious risks when it comes to data sharing - ranging from accidental public exposure to insider threats. Frameworks like SOC 2 and ISO 27001 offer structured ways to tackle these challenges. While SOC 2 emphasizes demonstrating that your controls work consistently, ISO 27001 focuses on creating a security management system that adapts as your business grows. Together, they address the five key risks discussed: external exposure, third-party integrations, excessive permissions, insider threats, and misconfigurations.

The move toward continuous compliance means you can't afford to wait until audit season to start gathering evidence. Teams should capture logs, screenshots, and configuration changes as they happen, which saves a lot of hassle later. Cloud-native tools such as AWS Security Hub or Microsoft Defender for Cloud (formerly Azure Defender) can help by tracking compliance scores in real time, though they assess your cloud accounts; SaaS tenant settings need SSPM tooling.

"Trust isn't built on promises - it's proven through evidence." - Sam Peters, Author

With over 70% of enterprise procurement checklists now requiring SOC 2 or similar attestations, and the global average cost of a data breach hitting $4.88 million in 2024, these frameworks are no longer optional. They're essential for safeguarding customer data and staying competitive.

If your SaaS company collects customer information through forms, tools like Reform can help ensure compliance. Features like email validation, spam prevention, and secure CRM integrations make it easier to secure data at every entry point. By embedding security into all aspects of data collection, you’ll be better positioned to meet SOC 2 and ISO 27001 requirements effectively.

FAQs

What’s the fastest way to find publicly shared files across our SaaS apps?

The fastest way to find publicly shared files in SaaS apps is by using automated tools designed to spot files with risky sharing settings, like those set to "anyone with the link." These tools help by offering visibility and auditing features, making it easier to detect and address oversharing, which can lower potential security threats.

How do we prevent “zombie” OAuth tokens after employee offboarding?

To avoid "zombie" OAuth tokens lingering after an employee leaves, it's crucial to revoke all active tokens and access permissions associated with the departing individual. This includes not just internal systems but also any third-party integrations they had access to. Keeping a centralized inventory of all systems and tools employees use can help ensure that permissions are thoroughly removed across the board.

How can we continuously detect SaaS misconfigurations between audits?

Continuous detection of SaaS misconfigurations between audits is possible with automated, real-time monitoring tools. These tools work by constantly scanning for security issues and flagging misconfigurations or compliance risks the moment they occur. By automating tasks like detection, prioritization, and remediation, organizations can stay on top of their security game, fix vulnerabilities swiftly, and maintain compliance without waiting for the next formal audit.
