COMMENTARY: One of the most talked-about moments at the RSA Conference (RSAC) this year wasn’t a product launch or a keynote. It was a letter.

Patrick Opet, chief information security officer of JPMorgan Chase, published an open letter to third-party suppliers on the first day of the conference. His message was blunt: get your act together. Opet’s letter called out the lack of reliability, accountability, and transparency from too many cybersecurity and SaaS vendors. For many security leaders, it put words to a frustration that has been simmering for years: we are spending more than ever on tools, and yet we still can’t answer basic questions during an incident.

The letter was more than a complaint; it was a call to arms. Judging by the conversations it sparked at RSAC and on LinkedIn, it hit a nerve.
A supply chain built on blind trust

Opet’s core message was clear: third-party SaaS vendors now play a critical role in enterprise security postures, but many are falling short of the responsibility that role demands. “SaaS has become the default,” he wrote, “embedding concentration risk into global critical infrastructure.”

This model delivers speed and convenience, but it also creates new single points of failure. When a major SaaS provider goes down or gets breached, the impact ripples through thousands of connected customers. JPMorgan Chase knows this firsthand. Over the past three years, the bank has dealt with multiple incidents across its supply chain, forcing it to isolate compromised vendors and redirect massive internal resources to mitigate cascading threats.

Opet’s letter highlights a fundamental asymmetry: vendors hold the keys, but customers bear the consequences.
The need for visibility
The most immediate and solvable issue raised in Opet’s letter, and echoed in dozens of LinkedIn comments, was the lack of usable logging and visibility from vendors. As one commenter put it: “It’s absolutely critical that SaaS providers stop thinking of things like logging and SSO as additional SKUs.”

That sentiment is backed by data. In a recent analysis of 70 popular SaaS platforms by our research team:

Only 45% met baseline logging requirements, such as providing accessible API logs or distinguishing between human and machine activity.
30% lacked full API logging altogether, meaning some forms of access leave no trace.
40% failed to distinguish between human users and machine-to-machine integrations.
Nearly 50% required additional licensing or manual support requests just to access security logs.

The data shows this is an operational problem, not just a compliance one. When an API key is compromised or an OAuth token is used to exfiltrate sensitive customer data, most security teams are effectively blind: the logs may not exist, are often incomplete, or attribute the actions to the wrong identity.
Token sprawl and non-human identity risk
Opet and many in his network also called out the rising risk from non-human identities: OAuth tokens, API keys, and AI automations. These identities often have extensive, persistent access to sensitive data, and unlike user accounts, they typically lack MFA, expiration dates, or any kind of behavioral monitoring.

When these non-human identities are compromised, they are often used silently for weeks or months. One contributor to the discussion called this “the silent threat of SaaS,” and again, logging gaps make it worse. Even when activity is logged, it is often attributed to the wrong entity, such as a user session ID instead of the actual automation or integration that initiated the request.

The result: misattribution, missed alerts, and missed breaches.

So what’s the solution? Opet calls on vendors to embrace secure-by-default configurations, give customers meaningful control over data access, and provide continuous evidence of security control effectiveness, not just annual audit reports.

This isn’t a new wish list: it’s a baseline expectation. The shift from “secure by design” slogans to “secure-by-default” architectures is long overdue. As Opet writes: “The most effective way to begin change is to reject these integration models without better solutions.”

Real change needs to come from buyers insisting that SaaS vendors do better.
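To make the two failure modes above concrete (machine activity logged under a human's account, and tokens with no expiry that sit unrotated for months), here is a small triage script that runs over SaaS audit-log events. This is an added example, not code from the original column or from Vorlon; the JSON-lines schema (fields such as actor_type, auth_method, token_id), the auth-method categories, the token inventory and the sample events are all constructed for illustration and will differ from any real vendor's export.

```python
"""Triage SaaS audit-log events for non-human identity risk.

Added example with an assumed log schema; the events, token inventory
and auth-method categories below are constructed, not real vendor data.
"""
import json
from datetime import datetime, timedelta

# Assumption: the vendor records how each request authenticated. Session or
# password auth implies a person at a browser; a key or token implies code.
HUMAN_AUTH = {"password", "sso_session"}
MACHINE_AUTH = {"api_key", "oauth_bearer", "oauth_client_credentials", "service_account"}

# Constructed sample events (JSON lines). Event 2 is the problem case the
# article describes: an OAuth token acted, but the log names the user.
SAMPLE_LOG = """
{"ts":"2025-05-01T09:12:03Z","actor":"alice@example.com","actor_type":"user","auth_method":"sso_session","action":"export.records","records":120}
{"ts":"2025-05-01T02:40:11Z","actor":"alice@example.com","actor_type":"user","auth_method":"oauth_bearer","token_id":"tok_7f1","action":"export.records","records":50000}
{"ts":"2025-05-01T03:05:44Z","actor":"ci-deploy","actor_type":"app","auth_method":"api_key","token_id":"key_a9c","action":"read.config","records":1}
{"ts":"2025-05-01T11:00:00Z","actor":"bob@example.com","actor_type":"user","auth_method":"password","action":"read.records","records":3}
"""

# Constructed token inventory, as an admin console or tenant API might expose it.
TOKENS = {
    "tok_7f1": {"created": "2024-01-15T00:00:00Z", "expires": None,
                "scopes": ["records:read", "records:export"]},
    "key_a9c": {"created": "2025-04-20T00:00:00Z", "expires": "2025-07-20T00:00:00Z",
                "scopes": ["config:read"]},
}


def parse_ts(s):
    """Parse an ISO-8601 UTC timestamp with a trailing Z."""
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def load_events(log_text):
    """Parse JSON-lines audit log text into a list of dicts."""
    return [json.loads(line) for line in log_text.strip().splitlines() if line.strip()]


def classify_actor(event):
    """Return 'human', 'machine' or 'unknown' from how the request authenticated."""
    method = event.get("auth_method")
    if method in HUMAN_AUTH:
        return "human"
    if method in MACHINE_AUTH:
        return "machine"
    return "unknown"


def find_misattributed(events):
    """Events authenticated with a machine credential but recorded against a user.

    These are exactly the entries a user-centric alert would miss or blame on
    the wrong person; the token_id is what an investigator actually needs.
    """
    return [
        {"ts": e["ts"], "actor": e["actor"], "token_id": e.get("token_id"), "action": e["action"]}
        for e in events
        if classify_actor(e) == "machine" and e.get("actor_type") == "user"
    ]


def stale_tokens(tokens, now_ts, max_age=timedelta(days=90)):
    """Token IDs that never expire or are older than the rotation window."""
    now = parse_ts(now_ts)
    flagged = [
        tid for tid, meta in tokens.items()
        if meta.get("expires") is None or now - parse_ts(meta["created"]) > max_age
    ]
    return sorted(flagged)


def bulk_exports_by_token(events, min_records=10000):
    """Total records exported under each machine credential above a threshold."""
    totals = {}
    for e in events:
        if (classify_actor(e) == "machine" and e["action"].startswith("export.")
                and e.get("records", 0) >= min_records):
            totals[e.get("token_id")] = totals.get(e.get("token_id"), 0) + e["records"]
    return totals


def triage(log_text, tokens, now_ts):
    """Run all checks and return a dict a SOC could turn into alerts."""
    events = load_events(log_text)
    counts = {"human": 0, "machine": 0, "unknown": 0}
    for e in events:
        counts[classify_actor(e)] += 1
    return {
        "actor_counts": counts,
        "misattributed": find_misattributed(events),
        "stale_tokens": stale_tokens(tokens, now_ts),
        "bulk_exports": bulk_exports_by_token(events),
    }


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_LOG, TOKENS, "2025-05-02T00:00:00Z"), indent=2))
```

On the constructed input the script attributes the 50,000-record export at 02:40 to token tok_7f1 rather than to Alice, and flags that same token as never-expiring and well past a 90-day rotation window. The point of the exercise is that none of these checks are possible when a vendor's log omits the auth method or token ID, which is the gap the survey numbers above describe.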
Where we go from here
The letter has already sparked a wave of support and a sense of collective momentum, but talk isn’t enough. If we want to avoid the next Okta, MOVEit, or Snowflake-level breach, we must act decisively.Here are four steps security leaders can take today:
Ask SaaS vendors better questions: Don’t just ask if a SaaS platform offers logs. Ask if it logs all API requests, distinguishes between humans and machines, and allows token-level monitoring.
Audit machine identities: Treat API keys and OAuth tokens as first-class citizens in the organization’s identity strategy. Know what sensitive data they access, rotate them frequently, and monitor their behavior.
Operationalize AI deployments: AI lives on the same infrastructure, talks to the same APIs, and inherits the same vulnerabilities as everything else in your stack. We need to understand and monitor its data exposure, permissions, and downstream consequences.
Push for transparency: Join the chorus. As buyers, we have leverage. Ask vendors for secure-by-default options, real-time visibility, better logging, and clear incident response protocols.

Patrick Opet’s letter didn’t just express frustration: it lit a fire. His call for accountability has already moved teams into action and raised expectations. This will take a partnership.

It’s time to raise the bar for the entire industry: together.

Amir Khayat, co-founder and CEO, Vorlon

SC Media Perspectives columns are written by a trusted community of SC Media cybersecurity subject matter experts. Each contribution has a goal of bringing a unique voice to important cybersecurity topics. Content strives to be of the highest quality, objective and non-commercial.