Zero Trust's Weak Spot: SaaS Apps Aren't Playing By The Same Rules

Forbes

11-07-2025

Brian Soby is CTO & co-founder at AppOmni, a leader in SaaS security, with more than 20 years of security experience.
The boundaries of modern enterprise networks have dissolved, making zero trust an essential cybersecurity framework for modern organizations.
It's no surprise that many organizations are implementing zero-trust network access (ZTNA). And while it's a valuable component of zero trust as a whole, there's a pervasive and dangerous misconception that it alone equates to a complete zero-trust architecture.
But the hard truth is that ZTNA primarily secures the pathways to your applications, not the applications themselves. And this gap creates critical risks that undermine the integrity of the entire zero-trust architecture, opening businesses up to cyberattacks and breaches.
The ZTNA-Only Fallacy
ZTNA solutions secure perimeters, ensure safe user transport to applications and inspect traffic, but their security coverage predominantly ends at the application's boundary, failing to extend principles like granular control and continuous verification through applications.
ZTNA implementations typically provide binary, access-focused security controls—either access to the application is granted or denied. However, once users gain entry, their activities within the application often remain unchecked and unmonitored.
Focusing on these solutions alone can inadvertently re-create a perimeter-centric mindset, neglecting security within applications. This is particularly problematic when we consider the modern enterprise's reliance on cloud and software-as-a-service (SaaS) applications. SaaS platforms are no longer auxiliary tools; they are the backbone of operations, repositories of sensitive data and hubs of collaboration. When zero-trust strategies emphasize access controls to these applications but ignore their internal security posture, they leave a gaping hole, which undermines the entire security architecture.
The Real Threat Landscape: Data Resides In Apps, And Attackers Know It
Securing your applications themselves is critical because, based on what I've seen in the industry, most sensitive data now resides in SaaS applications. Organizations that rely solely on ZTNA or similar network-focused defenses often mistakenly believe their SaaS applications are protected. Yet, time and again, we observe these critical applications being entirely overlooked by zero-trust architectures that ignore the reality of the risk landscape.
The consequence? A significant weak point that attackers are keenly aware of and actively exploiting. I've seen incident after incident where companies, despite having secure service edge (SSE) or secure access service edge (SASE) solutions deployed, suffer breaches because attackers bypass these network-centric defenses to target applications directly—by using sideloaded accounts, entering through overly permissive access privileges or exploiting misconfigurations that make single sign-on (SSO) optional.
SaaS apps, unlike on-premise systems, are internet-accessible by default—so if settings like SSO, multifactor authentication (MFA) or IP restrictions are misconfigured, users can directly access these apps and bypass the ZTNA stack. These misconfigurations not only weaken zero-trust controls, but they also expose sensitive data, often without oversight or enforcement on corporate devices.
This effectively destroys any return on investment from zero-trust solutions. Consider building a fence around 75% of a critical facility. You don't get 75% of the security value; you get very little, because adversaries will simply walk through the 25% that's open. Similarly, if your zero-trust strategy doesn't extend into your critical applications, your expensive ZTNA solutions become a mere inconvenience for sophisticated attackers, not a barrier.
Beyond Access: The Imperative Of Securing Applications Themselves
A truly robust zero-trust architecture cannot stop at verifying a user and granting them access to an application. It must scrutinize what users—and non-human identities—can do once inside. This is especially true for SaaS environments, which involve a complex ecosystem of internal users, external collaborators, customers and third-party application integrations. ZTNA was never designed to manage the risks arising from this extended surface area, and as a consequence, many organizations are facing significant SaaS security gaps.
And while the National Institute of Standards and Technology (NIST) and other guiding bodies emphasize an end-to-end, continuous zero-trust process where authorization decisions are as granular as possible, this contrasts sharply with most implementations that make binary decisions—sanctioned or prohibited, access or no access—at the application's edge. True zero trust requires a deep dive into application-level permissions and activities, not coarse-grain decisions over simply whether access is granted or denied.
Complete Your Zero-Trust Strategy
To close this critical gap, organizations need to implement tools beyond ZTNA alone. Look for technologies that extend zero-trust principles directly into the application layer, particularly for SaaS environments. Apply the zero-trust principles of verification, least privilege and continuous monitoring directly to application-level interactions and behaviors. This will help address the inherent limitations of network-focused security.
In addition to the above, look for tools that do the following:
1. Granular Authorization And Continuous Monitoring: Move beyond simple access decisions to enable fine-grained, least-privilege policies based on specific actions and data interactions within an application. Couple this with continuous monitoring of user activities and data access, which can allow permissions to adapt dynamically based on real-time risk.
2. Deep Visibility And Threat Detection: By continuously monitoring activities within SaaS apps, organizations can detect subtle indicators of malicious behavior or accidental misconfigurations. This visibility is critical for proactively mitigating risks before they escalate into damaging security incidents.
3. External User And Third-Party Risk Management: Extend your zero-trust security controls to external users and third-party integrations interacting with SaaS platforms. This will let you evaluate risks associated with cloud-to-cloud connections and non-human identities.
ZTNA is an important step on the zero-trust journey, but it's not the destination. Failing to secure your applications themselves, especially business-critical SaaS platforms, leaves organizations dangerously exposed.
Implementing a partial zero-trust strategy is akin to building a chain with missing links—the entire structure is compromised. Enterprises must recognize that true zero trust requires security not only at the point of access, but also within the application itself.
For CIOs, the mandate is clear: Extend zero-trust principles deep into the application layer now. It will help you forge robust cyber resilience and realize the real security value of your zero-trust investments.
Forbes Technology Council is an invitation-only community for world-class CIOs, CTOs and technology executives. Do I qualify?