Cloud Security
SSPM
SaaS security
CSPM

What is SSPM: SaaS Security Posture Management

What is SSPM: SaaS security posture management. Detects misconfig, third-party OAuth apps, over-privileged users and MFA gaps.

SecraJuly 6, 202610 min read

SSPM (SaaS Security Posture Management) is the category of tools that continuously evaluates the security configuration of the SaaS applications an organisation uses, detecting misconfigurations, OAuth grants to third-party applications, over-privileged users and missing MFA. It covers the platforms where the real work of the business lives: Microsoft 365, Google Workspace, Salesforce, Slack, GitHub, ServiceNow, Zoom or Workday. It emerged around 2020 as an answer to a problem CSPM does not solve: protecting the SaaS application layer, not the cloud infrastructure it runs on.

This guide explains what an SSPM actually detects, how it differs from CSPM, where it sits versus CASB, SaaS-DLP and ITDR, how it fits inside CNAPP and SASE, the vendor landscape in 2026 and what a realistic adoption path looks like for a mid-size organisation.

CSPM protects how your cloud infrastructure is set up. SSPM protects how the SaaS applications your employees use are configured. A public S3 bucket is caught by CSPM. A user approving an OAuth app with Mail.Read permission over every mailbox is caught by SSPM.

CSPM versus SSPM: where one ends and the other begins

They are sibling categories that solve different layers of the same posture problem. The confusion is common because both talk about "posture management", but the object they audit is different.

  • CSPM audits cloud infrastructure (IaaS and PaaS): AWS accounts, Azure subscriptions, GCP projects. It detects exposed buckets, IAM roles with *, Security Groups with 0.0.0.0/0 or disabled encryption. It is the posture of what you deploy. We cover it in detail in what is CSPM.
  • SSPM audits SaaS applications (the SaaS model in the IaaS, PaaS and SaaS split): Microsoft 365, Google Workspace, Salesforce. It detects too many global admins, unregistered MFA, mailboxes with auto-forwarding to external domains, public sharing in SharePoint or Drive and third-party apps holding persistent OAuth tokens.

The key difference is the shared responsibility model. In SaaS the provider secures the platform, but the tenant configuration (identities, permissions, integrations, retention, sharing) is the customer's responsibility. That set of configuration options is exactly what an SSPM inventories and evaluates.

What an SSPM detects

An SSPM's finding catalogue groups into four families, which apply across every connected SaaS.

Tenant misconfigurations

Insecure settings exposed in each application's admin console. Concrete examples by platform:

  • Microsoft 365 / Entra ID: legacy authentication not blocked, Security Defaults disabled without Conditional Access to replace them, user consent to applications enabled without an admin consent flow, mailboxes with external auto-forwarding, SharePoint defaulting to "Anyone" sharing.
  • Google Workspace: two-step verification not enforced per organisational unit, Drive sharing outside the domain left unrestricted, third-party apps with OAuth data access without an allow list, domain-wide delegation granted to service accounts.
  • Salesforce: profiles with "Modify All Data", connected apps without an IP policy, guest users with excessive object permissions (the vector behind several Experience Cloud data leaks).
  • Slack: workspaces that let anyone install apps without approval, bot tokens (xoxb) with broad scopes, external shared-channel invitations without control.

Third-party OAuth application risk

This is the most distinctive contribution of SSPM. When an employee connects a productivity app ("give me access to your calendar and mail"), they grant an OAuth token that persists even if the password changes and that often survives MFA. An SSPM inventories every grant, shows the scopes granted (offline_access, Files.ReadWrite.All, Mail.Read), flags unverified or abandoned apps and detects the illicit consent grant pattern (consent phishing). Real attacks such as Midnight Blizzard against Microsoft in 2024, or the mass OAuth token theft in the 2025 Salesloft Drift incident that hit Salesforce tenants, exploited exactly this surface.

Over-privileged users

Too many global admins, service accounts with broad roles, external (guest) users with access to internal data, inactive accounts that still hold a licence and permissions. The SSPM cross-references roles, last logins and effective scope to flag the excess.

MFA and identity gaps

Users without registered MFA, weak methods (SMS) on privileged accounts, Conditional Access policies with forgotten exclusions, no geographic blocking. Here the SSPM overlaps with the Zero Trust discipline, to which it contributes the real per-application state inventory.

SSPM versus CASB, SaaS-DLP and ITDR

SSPM does not live alone. It shares ground with three categories it should not be confused with.

CategoryWhat it doesRelationship to SSPM
CASBProxy or API between users and SaaS: controls access, shadow IT and sessions in real timeComplementary: the CASB governs traffic, the SSPM governs configuration
SaaS-DLPPrevents leakage of sensitive data within and out of the SaaSComplementary: it looks at content, not posture
ITDRDetection and response over identities (attacks on Entra ID, Okta)Overlapping: SSPM is preventive, ITDR is runtime detection

In practice, the CASB answers "who accesses which app", DLP answers "what data leaves", ITDR answers "this identity is under attack" and SSPM answers "this application is misconfigured and exposes the organisation". They are pieces of the same SaaS security puzzle, not substitutes for one another.

Where SSPM fits in CNAPP and SASE

Two macro-categories absorb adjacent functions, and it helps to know where SSPM falls.

  • CNAPP (Cloud Native Application Protection Platform) unifies CSPM, CWPP, CIEM and IaC scanning. SSPM stays outside the classic CNAPP, which focuses on infrastructure and workloads. Some vendors are starting to add SSPM modules, but today it remains mostly a separate category.
  • SASE / SSE (Secure Service Edge) integrates SWG, CASB, ZTNA and sometimes DLP. SSPM tends to converge with the CASB block inside SSE platforms, especially after the sector's acquisitions.

The operational takeaway: in 2026 SSPM is still a distinct purchase or module, although the market is pushing to consolidate it inside identity and SSE platforms.

Vendor landscape 2026

The SSPM market is young and consolidating through acquisitions.

  • AppOmni. Independent reference vendor, strong in deep enterprise SaaS coverage (Salesforce, ServiceNow, M365) and data exposure detection.
  • Obsidian Security. Focused on posture and SaaS identity threat detection, with good OAuth coverage and threat detection.
  • Adaptive Shield. A pioneer of the category, acquired by CrowdStrike in 2024 and integrated into its Falcon platform.
  • Wing Security. Oriented to SaaS discovery and third-party application risk, with a self-service approach.
  • Grip Security, Nudge Security, DoControl, Valence, Reco. A second wave focused on SaaS discovery, non-human identity governance and assisted remediation.
  • Microsoft Defender for Cloud Apps (MDCA). Formerly MCAS, it includes SSPM capabilities that generate posture recommendations via Secure Score for connected apps (Salesforce, ServiceNow, GitHub, Okta, Zoom). It is the natural choice if the organisation already lives in the Microsoft ecosystem.

The space is consolidating: Adaptive Shield inside CrowdStrike is the clearest example that SSPM tends to fold into larger endpoint, identity or SSE platforms.

Standards and frameworks it maps to

A serious SSPM translates its findings into frameworks auditors recognise:

  • CISA SCuBA (Secure Cloud Business Applications). Secure configuration baselines for Microsoft 365 and Google Workspace. It is the most specific reference for SaaS posture.
  • CIS Benchmarks for Microsoft 365 and Google Workspace.
  • MITRE ATT&CK, Cloud and SaaS matrices, to map OAuth abuse, consent phishing and token persistence techniques.
  • ISO 27001:2022 (A.5.23 use of cloud services, A.8.9 configuration management) and SOC 2 (CC6 logical access), where the SSPM output serves as continuous evidence.

Realistic adoption path in a mid-size organisation

Five steps to deploy SSPM without derailing the project.

  1. Discover and connect the critical apps first. Start with the two or three SaaS that concentrate sensitive data: usually Microsoft 365 or Google Workspace and the CRM. The connection is via API (app registration, service account), with no agent.
  2. Prioritise by real exposure, not by volume. The first pass generates hundreds of findings. Attack first what combines privilege and external exposure: global admins without MFA, unverified high-scope OAuth apps, public data sharing.
  3. Govern third-party OAuth. Enforce admin consent, revoke tokens from abandoned apps and define an allow list. It is the finding that prevents the most incidents per euro invested.
  4. Integrate with ticketing and identity. Send findings to Jira or ServiceNow, and integrate with the IdP (Entra ID, Okta) to close the remediation loop with clear ownership.
  5. Periodic review and drift. The SSPM runs continuously and alerts on new drift. A fortnightly security-team review keeps the tool alive and avoids the classic abandonment at 90 days.

Honest limitations of SSPM

  • Uneven coverage by application. Every SSPM covers M365 and Google Workspace well; depth on niche SaaS varies a lot between vendors. Verify coverage of your specific applications before signing.
  • It is preventive, not runtime detection. The SSPM tells you a configuration is insecure, not that it is being exploited right now. For that you need ITDR or the SaaS platform's own detection engine.
  • It depends on API connection quality. Poorly scoped read-only permissions leave blind spots. The initial permission setup determines what the tool can see.

Frequently asked questions

Are SSPM and CSPM the same thing?

No. CSPM audits the posture of cloud infrastructure (AWS, Azure, GCP): buckets, IAM, networks, encryption. SSPM audits the posture of SaaS applications (Microsoft 365, Google Workspace, Salesforce): admins, MFA, sharing and third-party OAuth apps. They are sibling categories that cover different layers of the cloud stack and complement each other.

Do I need SSPM if I already use Microsoft 365 native security features?

They help, but they are not enough if you run several SaaS. Secure Score covers the Microsoft tenant well, but it does not unify Google Workspace, Salesforce or Slack in a single view, nor does it consistently inventory OAuth grants across platforms. SSPM adds unified multi-SaaS coverage and a maintained rule catalogue.

Does SSPM replace a CASB?

No, they are complementary. The CASB controls traffic and access in real time (who uses which app, shadow IT, sessions), while the SSPM audits the security configuration inside each application. Many organisations end up with both, and in SSE platforms they tend to converge.

What is third-party OAuth risk and why does SSPM cover it?

When an employee connects an external app to their SaaS account, they grant an OAuth token that persists even if the password changes and usually survives MFA. A malicious or compromised app with broad scopes (Mail.Read, Files.ReadWrite.All) can read mail or files persistently. The SSPM inventories these grants, evaluates their permissions and lets you revoke them, closing a vector behind real 2024 and 2025 incidents.

How do you start rolling out SSPM in a mid-size company?

By connecting first the two or three SaaS with the most sensitive data (usually Microsoft 365 or Google Workspace and the CRM), prioritising findings that combine privilege and external exposure, and governing OAuth consent from the start with enforced admin consent. From there you integrate with ticketing and the IdP and set a fortnightly review.

SaaS security posture with Secra

At Secra we combine SaaS posture assessment with offensive identity and cloud audits to deliver an actionable view: the SSPM covers breadth and continuity, while the manual review validates which configurations and which OAuth grants are truly exploitable. If you want a posture review of your Microsoft 365, Google Workspace or Salesforce tenants, or help deploying and operating SSPM, see our cloud services audit or reach us through contact and we'll come back with a first assessment.

About the author

Secra Solutions team

Ethical hackers with OSCP, OSEP, OSWE, CRTO, CRTL and CARTE certifications, 7+ years of experience in offensive cybersecurity, and authors of CVE-2025-40652 and CVE-2023-3512.

Share article