As the new year kicks off, government agencies face increasing pressure to modernize their digital infrastructure while ensuring data security remains uncompromised. With new technologies and evolving threats on the horizon, it's crucial to understand the trends that will shape SaaS data security in the year ahead.
In 2024, the improper implementation of cloud security controls introduced substantial risks and resulted in actual compromises. As more government agencies move mission-critical applications to the cloud and adversaries increasingly target cloud-based systems, Software as a Service (SaaS) data security risks will continue to rise in 2025. At the same time, automation and Artificial Intelligence (AI) capabilities of platforms such as Agentforce also open new opportunities for enhanced efficiency and user experience that depend on resilient and trusted data.
With these dynamics in mind, here are several predictions related to SaaS data for 2025 that government agencies should prepare for:
2025 SaaS Data Predictions for Government Agencies
1) Greater Scrutiny on SaaS Data Security
The rapid rise of external exposures and insider threats impacting SaaS has raised concerns at the highest levels of government. Unauthorized access to government systems via BeyondTrust’s SaaS security solution illustrates the growing sophistication of attacks targeting these platforms. In response to recent cloud compromises, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued Binding Operational Directive (BOD) 25-01, Implementing Secure Practices for Cloud Services, and is developing secure configuration baselines for widely used SaaS products in the Federal government. Executive Order 14028 (OMB Memo 22-09) mandates that Federal agencies implement Zero Trust security principles and to realize the security benefits of cloud-based infrastructure while mitigating associated risks.
[green]
In 2025, external scrutiny will drive internal pressure within government agencies to prioritize SaaS data security controls, with InfoSec and Executives seeking more frequent and detailed status updates. This will raise awareness of the Shared Responsibility Model that SaaS providers operate under, which places responsibility on the agency to protect data stored in the cloud, including managing least privilege access, recovering from backups, and detecting insider threats.
[/green]
To address these risks, agencies must move beyond surface-level approaches to SaaS security posture management such as API introspection. Instead, a bottom-up, data-centric approach is necessary that includes data classification and risk prioritization. It is also essential to implement alerting on malicious activities in logs, anomalous changes to sensitive data, and risky configuration changes. Effective response and recovery from SaaS data incidents will depend on reliable backups being available for analysis and restoration purposes.
2) A Push for Zero Data Loss or Downtime
In 2024, agencies increasingly realized their responsibility to secure their SaaS data by following Zero Trust security principles. With “data as the new perimeter,” Zero Trust data security will continue to be a priority for government agencies moving forward. In 2025, however, the focus will expand to data resiliency and integrity, with real time monitoring of data modifications and rapid restoration capabilities that aim for near zero data loss.
As government agencies modernize and rely more heavily on SaaS, any loss, corruption, error, or unavailability of data can disrupt critical systems and services. Traditional approaches to maintaining data integrity and availability relied on backups that provide a snapshot in time, which may miss key changes between snapshots. SaaS solutions utilizing Change Data Capture capabilities can continuously preserve and inspect every modification, enabling proactive detection and correction. Continuous backup of mission-critical data, combined with precision repair capabilities, effectively eliminates data loss and downtime. Such trusted and resilient data is essential for successful applications of AI, which require accessible, reliable, relevant, and error-free data.
3) Streamlined SaaS Data Security with Automation and AI
Demand for the modernization of government services continues to increase alongside mandates for stronger security controls and data privacy laws. These trends will amplify in 2025, necessitating more robust protection for greater volumes of cloud data.
The power and flexibility of SaaS make securing it complex and time-consuming. A scarcity of experts in this area makes it even more difficult. Few SaaS professionals are security experts, and even fewer InfoSec experts are familiar with the intricacies of SaaS applications and the various ways that data can be shared or accessed on these platforms. Managing security controls manually is costly, inefficient, and error prone, with misconfigurations causing 80% of cloud data security incidents.
[green]
For the average SaaS administrator, managing permissions alone can consume over 20% of their time. In government agencies, this workload is typically higher, with countless hours spent manually creating documentation to demonstrate that proper security controls are being maintained.
[/green]
As a result, agencies will increasingly demand solutions that codify SaaS security expertise. These solutions will automatically surface risk-prioritized vulnerabilities, detect insider threats, and produce audit reports. Advances in AI, including trusted agents, will accelerate automation in SaaS data security solutions, reducing time spent on routine tasks and audit documentation to meet compliance requirements.
4) Advances in SaaS Data Threat Detection
Adversaries are increasingly targeting SaaS data, using more sophisticated attacks and escalating insider threats. Unauthorized access to SaaS systems often begins with stolen credentials or API keys, making malicious activities harder to detect. Over half of IT security incidents are caused by insiders, further complicating detection efforts.
Making matters worse, government agencies currently lack clear visibility into their SaaS users and data. Alert fatigue from large volumes of data modifications compounds the problem. To address this, agencies need solutions that automatically detect high-risk security problems and anomalous activities.
AI-driven threat detection for SaaS will deliver real-time actionable alerts with risk contextualization, prioritizing high-risk events and recommending response and remediation actions that are data-centric. Delivering reliable, actionable alerts will allow automated blocking of malicious activities, improving security and resilience, and reducing the disruption, cost, and impact of SaaS data security incidents.
5) SaaS Security Will Fuel Innovation and Successful Outcomes
Government agencies must meet strict security controls to avoid slowing innovation. For modernization projects utilizing SaaS, shift-left strategies, which involve InfoSec stakeholders early in the process, will be essential in 2025. Security must be built into development processes, including anonymizing sensitive data in dev/test environments and protecting data lakes used for analytics and AI.
[green]
Secure development practices stimulate innovation, reduce errors, and improve deployment speeds. Agencies with faster development velocity and speed of iteration have higher quality delivery and successful outcomes. Agencies that can readily and securely access historical SaaS data for analytics and AI will benefit from multiple iterations to gain insights, make adjustments, and improve decisions.
[/green]
In 2025, SaaS development will shift from DevOps to DevSecOps approach, integrating security by design, data classification, and anonymization from the outset, not as an after thought.
How Government Agencies Can Prepare In 2025
- Make SaaS data resilient: Implement continuous backup and precision restore of SaaS data to ensure accessibility, reliability, relevance, and integrity. Any of these issues can cause disruption of critical systems and services and can prevent successful digital transformations and AI applications.
- Practice SaaS data recovery: If you wait until a major SaaS data incident occurs to try out your recovery capabilities, you will not be ready. Follow NIST SP 800-53 guidelines for recovery planning. Regularly test recovery capabilities to ensure readiness in the event of an incident.
- Know your sensitive SaaS data: If you are treating all of your data the same, then you are mistreating some of your data. Use automated classification to streamline data labeling, helping to inform access restrictions, encryption, and retention policies.
- Rank risks to your SaaS data: If you are treating all of your risks the same, then you don’t have visibility into what could cause the worst InfoSec incident. Prioritize risks using automated, bottom up, data-driven tools tailored to your risk operating context.
- Avoid alert fatigue: Focus monitoring efforts on the most sensitive data and high-risk activities to reduce false positives and improve detection. This includes automated threat detection and alerting on user activities, API calls, data modifications, high risk permission assignment, and policy violations.
- AI-driven threat detection: Combine risk contextualization with AI to detect threats more quickly and effectively, reducing the impact of incidents.
- Implement SaaS DevSecOps: Integrate security controls throughout the SaaS development lifecycle and involve InfoSec from the outset of a project to ensure security by design.
As government agencies continue to embrace SaaS solutions, the stakes for data security have never been higher. In 2025, successful agencies will prioritize building resilience into their data strategies, leveraging continuous backup, automated threat detection, and AI-driven solutions to maintain compliance and reduce risks. By preparing today, government agencies can turn SaaS challenges into opportunities—fueling innovation, enhancing service delivery, and ensuring the trustworthiness of critical data systems.
Check out our guide or register for our webinar with Carahsoft to learn more.\
