The modern ‘software as a service’ (SaaS) delivery model is quietly enabling cyber attackers and – as its adoption grows – is creating a substantial vulnerability that is weakening the global economic system.
There is a growing risk in our software supply chain and we need your action
SaaS has become the default and is often the only format in which software is now delivered, leaving organizations with little choice but to rely heavily on a small set of leading service providers, embedding concentration risk into global critical infrastructure. While this model delivers efficiency and rapid innovation, it simultaneously magnifies the impact of any weakness, outage, or breach, creating single points of failure with potentially catastrophic systemwide consequences. Historically, software was distributed across diverse environments, each with unique security practices, inherently limiting the scale of any single breach. Today, an attack on one major SaaS or PaaS provider can immediately ripple through its customers. This fundamental shift demands our collective immediate attention.
At JPMorganChase, we've seen the warning signs firsthand. Over the past three years, our third-party providers experienced a number of incidents within their environments. These incidents across our supply chain required us to act swiftly and decisively, including isolating certain compromised providers, and dedicating substantial resources to threat mitigation.
Security must be prioritized
Risks extend beyond concentration alone. Fierce competition among software providers has driven prioritization of rapid feature development over robust security. This often results in rushed product releases without comprehensive security built in or enabled by default, creating repeated opportunities for attackers to exploit weaknesses. The pursuit of market share at the expense of security exposes entire customer ecosystems to significant risk and will result in an unsustainable situation for the economic system.
Security architecture must be modernized
Most critically, SaaS models are fundamentally reshaping how companies integrate services and data—a subtle yet profound shift eroding decades of carefully architected security boundaries. In the traditional model, security practices enforced strict segmentation between a firm’s trusted internal resources and untrusted external interactions using protocol termination, tiered access, and logical isolation. External interaction layers like APIs and websites were intentionally separated from a company’s core backend systems, applications, and data that powered them.
Modern integration patterns, however, dismantle these essential boundaries, relying heavily on modern identity protocols (e.g., OAuth) to create direct, often unchecked interactions between third-party services and firms’ sensitive internal resources. As a generic example, an AI-driven calendar optimization service integrating directly into corporate email systems through "read only roles" and "authentication tokens" can no doubt boost productivity when functioning correctly. Yet, if compromised, this direct integration grants attackers unprecedented access to confidential data and critical internal communications.
In practice, these integration models collapse authentication (verifying identity) and authorization (granting permissions) into overly simplified interactions, effectively creating single-factor explicit trust between systems on the internet and private internal resources: a bearer token proves possession, not the identity of whoever presents it, so any party that obtains the token inherits the partner's access. This architectural regression undermines fundamental security principles that have proven durability.
This problem is getting worse not better
Further compounding the risks are specific vulnerabilities intrinsic to this new landscape: inadequately secured authentication tokens vulnerable to theft and reuse; software providers gaining privileged access to customer systems without explicit consent or transparency; and opaque fourth-party vendor dependencies silently expanding this same risk upstream. Critically, the explosive growth of new value-bearing services in data management, automation, artificial intelligence, and AI agents amplifies and rapidly distributes these risks, bringing them directly to the forefront of every organization.
This weakness is known to attackers, who are now actively targeting trusted integration partners. Microsoft Threat Intelligence recently published a blog post reporting that Chinese state actors were shifting tactics to target "common IT solutions like remote management tools and cloud applications to gain initial access" to their downstream customers.
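The "single-factor explicit trust" problem and the token theft-and-reuse risk described above come down to the same check at the resource server: whether it accepts any valid bearer token, or only one bound to the caller that was issued it. The example below is an added illustration, not JPMorganChase code or the code of any named provider. It contrasts a naive authorizer (signature plus expiry plus scope) with a sender-constrained one that also checks issuer and audience and requires the token's `cnf` / `x5t#S256` confirmation claim (the certificate-bound token pattern of RFC 8705) to match the TLS client certificate the caller authenticated with. To stay self-contained it uses an HS256 JWT with a constructed shared key, byte-string stand-ins for DER certificates, and hypothetical names (`https://idp.example`, `https://mail.example/api`, `calendar-saas`, `mail.read`); a real deployment would use the IdP's asymmetric keys and real certificates (or DPoP, RFC 9449, where mutual TLS is impractical).

```python
# Added illustration (not JPMorganChase code): naive vs sender-constrained
# bearer-token validation at an API. All keys, certificates, URLs and
# claims below are constructed for the demo.
import base64
import hashlib
import hmac
import json
import time

ISSUER_KEY = b"constructed-demo-hmac-key"   # hypothetical IdP signing key
ISSUER = "https://idp.example"             # hypothetical issuer
MAIL_API = "https://mail.example/api"      # hypothetical audience (this API)


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def cert_thumbprint(cert_der: bytes) -> str:
    """SHA-256 thumbprint of a DER certificate, the value carried in cnf.x5t#S256."""
    return _b64url(hashlib.sha256(cert_der).digest())


def issue_token(claims: dict, key: bytes = ISSUER_KEY) -> str:
    """Mint a minimal HS256 JWT (header.payload.signature)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(
        _b64url(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, claims)
    )
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def verify_signature(token: str, key: bytes = ISSUER_KEY):
    """Return the claims if the HMAC verifies, otherwise None."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header, payload, sig = parts
    expected = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64url(sig)):
        return None
    return json.loads(_unb64url(payload))


def naive_authorize(token: str, required_scope: str, now=None) -> bool:
    """Single-factor explicit trust: holding the token is the only check, so a
    token stolen from the SaaS partner is accepted from anywhere."""
    claims = verify_signature(token)
    if claims is None:
        return False
    now = time.time() if now is None else now
    if claims.get("exp", 0) <= now:
        return False
    return required_scope in claims.get("scope", "").split()


def sender_constrained_authorize(token: str, required_scope: str,
                                 presented_cert_der, now=None) -> bool:
    """Token must come from our IdP, for this API, be unexpired, carry the
    scope, and be presented over a TLS session authenticated with the very
    certificate whose thumbprint the issuer bound into the token."""
    claims = verify_signature(token)
    if claims is None:
        return False
    now = time.time() if now is None else now
    if claims.get("iss") != ISSUER or claims.get("aud") != MAIL_API:
        return False
    if claims.get("exp", 0) <= now:
        return False
    if required_scope not in claims.get("scope", "").split():
        return False
    bound = claims.get("cnf", {}).get("x5t#S256")
    if not bound or presented_cert_der is None:
        return False   # token is not bound, or the caller did not authenticate
    return hmac.compare_digest(bound.encode(), cert_thumbprint(presented_cert_der).encode())


def demo() -> dict:
    """Constructed scenario: a calendar SaaS holds a read-only mail token; an
    attacker exfiltrates it and replays it without the partner's client key."""
    partner_cert = b"DER:calendar-saas-client-cert"   # stand-in for a real DER cert
    attacker_cert = b"DER:attacker-client-cert"
    now = 1_700_000_000
    claims = {
        "iss": ISSUER, "aud": MAIL_API, "sub": "calendar-saas",
        "scope": "mail.read", "exp": now + 3600,
        "cnf": {"x5t#S256": cert_thumbprint(partner_cert)},
    }
    token = issue_token(claims)
    return {
        "naive_partner": naive_authorize(token, "mail.read", now),
        "naive_attacker_replay": naive_authorize(token, "mail.read", now),
        "bound_partner": sender_constrained_authorize(token, "mail.read", partner_cert, now),
        "bound_attacker_replay": sender_constrained_authorize(token, "mail.read", attacker_cert, now),
        "bound_no_client_auth": sender_constrained_authorize(token, "mail.read", None, now),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:24s} {'ACCEPT' if ok else 'REJECT'}")
```

Running the demo accepts the stolen token under the naive check and rejects it under the sender-constrained one, both when the attacker authenticates with a different certificate and when no client authentication is presented at all. The binding only helps if the issuer refuses to mint unbound tokens for privileged scopes and the API refuses tokens without a `cnf` claim; an optional check is no check.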
Call to action
We stand at a critical juncture. Providers must urgently reprioritize security, placing it equal to or above launching new products. 'Secure and resilient by design' must go beyond slogans: it requires continuous, demonstrable evidence that controls are working effectively, not reliance on annual compliance checks. Customers should be afforded secure-by-default configurations, transparency about risks, and control over the settings they need to operate safely within a SaaS delivery model. The ecosystem must address trustworthy integration. Some solutions are available today, such as confidential computing, customer self-hosting, and bring your own cloud, all of which give organizations stronger control over their data while still letting them benefit from SaaS solutions.
We must establish new security principles and implement robust controls that enable the swift adoption of cloud services while protecting customers from their providers' vulnerabilities. Traditional measures like network segmentation, tiering, and protocol termination were durable under legacy architectures but may no longer be viable in a SaaS integration model. Instead, we need more rigorous authorization methods, advanced detection capabilities, and proactive measures to prevent the abuse of interconnected systems.
The most effective way to begin change is to reject these integration models without better solutions. I hope you’ll join me in recognizing this challenge and responding decisively, collaboratively, and immediately.
Patrick Opet, Chief Information Security Officer, JPMorganChase