Chase CISO condemns the security of the industry’s SaaS offerings


The JPMorganChase chief information security officer (CISO) publicly criticized software as a service (SaaS) cybersecurity efforts today, and issued a call to suppliers to respond to the challenge of inadequately protected offerings. But analysts found his memo so short of details that they were perplexed about what he was asking for.

Chase CISO Patrick Opet spent much of his letter, which the company published on April 25, arguing that SaaS elements have made the enterprise environment far less secure.

“Traditional measures like network segmentation, tiering, and protocol termination were durable in legacy principles but may no longer be viable today in a SaaS integration model,” Opet wrote. “The modern SaaS delivery model is quietly enabling cyber attackers and, as its adoption grows, is creating a substantial vulnerability that is weakening the global economic system.”

Opet added, “SaaS has become the default and is often the only format in which software is now delivered, leaving organizations with little choice but to rely heavily on a small set of leading service providers, embedding concentration risk into global critical infrastructure. While this model delivers efficiency and rapid innovation, it simultaneously magnifies the impact of any weakness, outage, or breach, creating single points of failure with potentially catastrophic systemwide consequences.”

Although analysts and security specialists generally agreed with Opet’s arguments, the lack of particulars made it unclear what specifically he proposed enterprises do about it, other than requesting that vendors prioritize cybersecurity more.

More of a call for discussion

Georgia Cooke, digital security analyst at ABI Research, questioned what precisely enterprises could do differently. “This is more of a call to discussion than a call to action,” Cooke said.

Cooke argued that Opet questioned the security of SaaS products, but then defended his purchases, and the purchases of other enterprise CISOs, noting he “absolves the purchases by framing (CISOs) as having had no choice. It’s very broad and in some sense unrealistic.”

Opet’s letter said this problem is not new, but it is dangerous.

“In the traditional model, security practices enforced strict segmentation between a firm’s trusted internal resources and untrusted external interactions using protocol termination, tiered access, and logical isolation. External interaction layers like APIs and websites were intentionally separated from a company’s core backend systems, applications, and data that powered them,” he wrote. “Modern integration patterns, however, dismantle these essential boundaries, relying heavily on modern identity protocols (for example, OAuth) to create direct, often unchecked interactions between third-party services and firms’ sensitive internal resources.”

For example, he pointed out that an AI-driven calendar optimization service that integrates directly into corporate email systems through read-only roles and authentication tokens could improve productivity, yet, if it were compromised, the “direct integration would grant attackers unprecedented access to confidential data and critical internal communications.”

At the end of his letter, the CISO made what sounded like a proposal for change, but without details, it was unclear how anything would happen.

“The most effective way to begin change is to reject these integration models without better solutions,” Opet said. “I hope you’ll join me in recognizing this challenge and responding decisively, collaboratively, and immediately.”

A Chase employee, who asked to not be identified by name, tried to put that last line into context.

“There is no threat of boycott, [but] simply a commentary on integration models that don’t adequately address risks, and our decisions not to support them,” the Chase official said. “To achieve this, we’d like to build on the working groups in the IAM space, collaboratively with hyperscalers, financial institutions, and software companies that can enable the change and see solutions that provide continuous validation and transparency of supplier controls.”

The official explained that the Chase CISO’s team is “looking for the software industry to recognize the criticality of these risks today and collectively work together on a number of fronts [including] establishing and scaling standards, architectural patterns, and solutions to richer authorization decisions, providing transparency in the suppliers’ use of privileged access, especially when it results in access to our systems or data, and using technologies that de-risk the supplier in custody of our data, for example, [by offering] confidential compute, or bring your own cloud.”

Solutions missing

Fritz Jean-Louis, principal cybersecurity advisor at Info-Tech Research Group, said that he generally agreed with the Chase description of the cybersecurity challenges today.

“One of the key points in the letter is that the modern SaaS model concentrates sensitive data behind a handful of cloud front doors. JP Morgan itself has logged multiple third-party incidents in the past few years and now sees that concentration as a systemic risk,” Jean-Louis said. “Patrick is right that token-based OAuth hooks and plug and play APIs have eroded the old outside versus inside perimeter. And attackers have noticed. His call for a secure by default SaaS model and continuous proof of controls is honestly long overdue.”

That said, Jean-Louis noted, “I think where the letter overcorrects is in suggesting that traditional defenses like network segmentation, protocol termination, and tiering are no longer viable. If anything, they’re no longer sufficient, but once an integration token is abused, those legacy defenses can still slow lateral movement inside both enterprise networks and hyperscale cloud environments. The future is identity- and context-aware segmentation, not segmentation’s demise.”

He added, “Secure by default needs to be translated into short-lived, bound tokens, granular, just-in-time scopes, immutable audit logs, and a published SBOM with signed updates. Until suppliers can deliver that, buyers should make risk-aware decisions about these ‘trust me’ integrations. Putting that in practice means treating every SaaS onboarding as a material risk vendor review.”
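The integration risk in Opet’s calendar example and the controls Jean-Louis lists (short-lived, bound tokens; granular, just-in-time scopes; immutable audit logs) can be made concrete as a policy check run before a third-party SaaS token is honored. The following is an added illustration, not code from the article, from JPMorganChase, Info-Tech, or any vendor quoted; the lifetime ceiling, scope names, audience string, key thumbprint and sample tokens are all constructed assumptions.

```python
"""Constructed example: policy check for third-party SaaS integration tokens.
Evaluates sample tokens against short-lived, sender-bound, least-privilege
rules and records each decision in a tamper-evident audit log. All names and
values are invented for illustration, not any real organization's config."""
import hashlib
import json
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Set

MAX_TOKEN_LIFETIME = timedelta(hours=1)          # assumed policy ceiling
OUR_API_AUDIENCE = "api.example-bank.internal"   # placeholder audience

# Assumed allow-list: the scopes each integration purpose legitimately needs.
# A calendar optimizer needs to read calendars, not mailboxes.
ALLOWED_SCOPES = {
    "calendar-optimizer": {"calendar.read"},
    "ticketing-sync": {"tickets.read", "tickets.write"},
}


@dataclass
class IntegrationToken:
    client_id: str
    purpose: str
    audience: str
    scopes: Set[str]
    issued_at: datetime
    expires_at: datetime
    # Thumbprint of the client key the token is bound to (DPoP/mTLS style);
    # None means a plain bearer token usable by anyone who obtains it.
    bound_key_thumbprint: Optional[str] = None


def evaluate_token(tok: IntegrationToken) -> List[str]:
    """Return the policy violations for a token (empty list = compliant)."""
    findings = []
    lifetime = tok.expires_at - tok.issued_at
    if lifetime > MAX_TOKEN_LIFETIME:
        findings.append(f"lifetime {lifetime} exceeds {MAX_TOKEN_LIFETIME}")
    if tok.audience != OUR_API_AUDIENCE:
        findings.append(f"audience {tok.audience!r} is not our API")
    if tok.bound_key_thumbprint is None:
        findings.append("bearer token: not bound to the client's key")
    excess = tok.scopes - ALLOWED_SCOPES.get(tok.purpose, set())
    if excess:
        findings.append(f"scopes beyond purpose {tok.purpose!r}: {sorted(excess)}")
    return findings


class AuditLog:
    """Append-only, hash-chained log: each entry commits to its predecessor,
    so editing or deleting an earlier entry breaks verification."""

    def __init__(self) -> None:
        self.entries: List[dict] = []

    def append(self, event: dict) -> str:
        prev = self.entries[-1]["hash"] if self.entries else "0" * 64
        body = json.dumps(event, sort_keys=True, default=str)
        digest = hashlib.sha256((prev + body).encode()).hexdigest()
        self.entries.append({"prev": prev, "event": body, "hash": digest})
        return digest

    def verify(self) -> bool:
        prev = "0" * 64
        for e in self.entries:
            expected = hashlib.sha256((prev + e["event"]).encode()).hexdigest()
            if e["prev"] != prev or e["hash"] != expected:
                return False
            prev = e["hash"]
        return True


def review_tokens(tokens, log: AuditLog) -> Dict[str, List[str]]:
    """Evaluate each token and record the allow/deny decision in the log."""
    results = {}
    for tok in tokens:
        findings = evaluate_token(tok)
        results[tok.client_id] = findings
        log.append({"client_id": tok.client_id, "purpose": tok.purpose,
                    "decision": "deny" if findings else "allow",
                    "findings": findings})
    return results


NOW = datetime(2025, 4, 25, 12, 0, tzinfo=timezone.utc)  # constructed timestamp

# Constructed sample tokens: a broad "trust me" integration vs. a compliant one.
SAMPLE_TOKENS = [
    IntegrationToken("cal-opt-broad", "calendar-optimizer", OUR_API_AUDIENCE,
                     {"calendar.read", "mail.read", "mail.send"},
                     NOW, NOW + timedelta(days=90)),
    IntegrationToken("cal-opt-tight", "calendar-optimizer", OUR_API_AUDIENCE,
                     {"calendar.read"}, NOW, NOW + timedelta(minutes=30),
                     bound_key_thumbprint="sha256:constructed-thumbprint"),
]

if __name__ == "__main__":
    log = AuditLog()
    for cid, findings in review_tokens(SAMPLE_TOKENS, log).items():
        print(cid, "->", "allow" if not findings else findings)
    print("audit log intact:", log.verify())
```

The broad token fails on three counts (90-day lifetime, no key binding, mailbox scopes a calendar optimizer has no need for), which is exactly the exposure Opet’s compromised-calendar scenario turns on; the tight token passes. The hash chain is the minimal form of the “immutable audit log” Jean-Louis asks for: a reviewer can detect after the fact that a decision record was altered, even without a write-once store.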

In addition, Jean-Louis said the letter suffered from having “no concrete yardstick. What is missing is ‘What guidance are you offering to fix those issues?’”

“That’s where you are blindsided. What the letter is missing are recommended approaches or solutions,” Jean-Louis said. “How are you going to do that? Disconnect from your cloud solution? Your CrowdStrike and all? This is too vague. Rejecting integration doesn’t really say anything. I don’t see any alternative [specified].”

He suspected that Chase legal and other officials were involved in making significant edits to the letter, and thus, “the essence of the letter is lost trying to protect themselves.”

SaaS not the problem: Analyst

However, ABI’s Cooke disagreed with Opet’s pointing to SaaS as the problem.

“SaaS is not a driver of commercial consolidation to a small set of providers. Quite the opposite, because smaller providers have the opportunity to deploy with reduced upfront investment and flexibly scaling infrastructure,” Cooke said. “In an environment heavily dependent on a small set of vendors, the single point of failure stands regardless of deployment model.”

She added, “Whether SaaS drives the current state of permeability of networks is debatable, particularly in the context of a rise of AI, which would require capacity for data exfiltration to vendor processing regardless of the deployment model, including the historically separated high value data Opet identifies. This is a balance of risk. Many would argue that the increased sophistication in Threat Detection and Incident Response (TDIR), which stems from connecting to a vendor’s interconnected threat hunting engine, is worth the risk of connectivity.”

The original article, “Chase CISO condemns the security of the industry’s SaaS offerings,” was published by CSO Online.