JPMC Just Lit a Fire Under SaaS Security — Are You Ready?

In late April 2025 Patrick Opet, Chief Information Security Officer at JPMorganChase, published “an open letter to third-party suppliers” on the company’s technology blog. Patrick’s opening line captured the attention of the world’s technology press:

The modern ‘software as a service’ (SaaS) delivery model is quietly enabling cyber attackers and – as its adoption grows – is creating a substantial vulnerability that is weakening the global economic system.

While I won’t repeat the entire letter in this post, it makes some really insightful and important points that I want to briefly highlight.

The core of Patrick’s warning is that centralized SaaS and PaaS platforms now serve as single points of failure. Attacks on one provider “can immediately ripple through its customers” with attackers exploiting weak integration models and insecure access controls. He believes recent incidents in JPMorgan’s own supply chain highlight how rushed features and opaque vendor practices are amplifying risk while eroding traditional security boundaries.

It’s important to emphasize that Patrick is not arguing against SaaS itself. In his letter he recognizes “this model delivers efficiency and rapid innovation”, going on to say the industry must “establish new security principles and implement robust controls that enable the swift adoption of cloud services while protecting customers from their providers' vulnerabilities.”

Patrick makes three demands on the technology industry:

  1. Software providers must “prioritize security over rushing features”, embedding security by default.
  2. The industry needs to modernize architectures to handle SaaS integration risks.
  3. Security practitioners need to work collaboratively to safeguard increasingly interconnected systems.

This all sounds reasonable. But where to get started?

Authorization On The Front Line Of SaaS Security

In practical examples of the risks SaaS presents, Patrick specifically calls out authentication and authorization as potential attack vectors. He highlights two concerns:

  1. SaaS products being able to directly integrate with an enterprise’s backend systems. “If compromised, this direct integration grants attackers unprecedented access to confidential data”.
  2. SaaS vendor staff “gaining privileged access to customer systems without explicit consent or transparency.”

Patrick goes on to caution that the rise in AI, automation, and data management will only serve to dramatically amplify these problems. Wrapping up in his “call to action”, he explicitly calls out the need for

Oso has worked with many of the industry’s most sophisticated and forward-thinking SaaS vendors. I can’t discuss all of them, but felt it useful to share a couple of examples from Oso customers who recognize the criticality of modernizing authorization to deliver safe, trusted and reliable services. This in turn has enabled them to sell “upmarket” by addressing the needs of the world’s largest and most demanding enterprises.

Inside Productboard’s Leap to Enterprise and AI

Productboard is a customer-centric product management platform that helps organizations get the right products to market, faster. Founded in 2014, today over 6,000 companies including JP Morgan Chase itself use Productboard to understand what users need, prioritize what to build next, and rally everyone around their roadmap.

The company had built its own authorization system in-house, but faced a number of challenges:

  • The system’s hardcoded authorization model couldn’t scale to meet enterprise demands for custom roles, granular permissions, and field-level access controls.
  • The move from a monolith to microservices made managing consistent and distributed permissions increasingly difficult.
  • The company’s AI initiatives further raised the stakes, requiring deterministic, secure, and fine-grained access across multiple data sources before any models could be safely deployed to production.

Productboard adopted Oso Cloud as its centralized authorization platform, working closely with the team for expert support on migration, policy design, and AI integration. What are the results?

  • Accelerated enterprise readiness by 2–3 years by eliminating the need to build and maintain complex authorization infrastructure in-house.
  • Enabled faster delivery of secure, agentic AI applications by giving developers a centralized, reusable foundation for enforcing LLM access controls.
  • Unlocked new revenue opportunities and product differentiation through customizable, fine-grained access controls tailored to enterprise needs.

The Productboard and Oso case study details the company’s migration journey.

Data flow within a typical RAG architecture in an agentic AI app

Scaling Secure Global Hiring with Oyster

Oyster is a global employment platform that enables companies to hire, pay, and manage talent seamlessly—regardless of location. The company works with organizations in 180+ countries including Aston Martin, Automattic, Culture Amp, and Hired, and is recognized as G2’s leader in global employment platforms.

Like Productboard, Oyster had started out with its own custom authorization system; however, it soon slowed the team down. Creating new roles was labor-intensive, costly, and non-reusable—one took three months to build from scratch. The manual process for creating new permissions introduced security risks, increasing the chance of misconfigured access. Worse, the rigid framework couldn’t support the fine-grained, dynamic access controls needed to serve larger customers and expand into new markets.

By selecting Oso, the team has unified their authorization models into one maintainable framework with reusable, declarative policies that are decoupled from application code. Oso Cloud delivers sub-10ms checks while meeting global data residency and compliance needs.

Oyster HR manages global payroll with compliance, tax filings, and payments demanding complex authorization against highly sensitive employment and personal data

What has Oyster been able to achieve since adopting Oso?

  • 8x Faster Role Creation: Reusable policies cut development time and speed up feature delivery.
  • Stronger Security: Centralized checks reduce errors and protect sensitive data.
  • Built for Growth: Flexible authorization powers enterprise needs and opens up new sales channels for the company.

You can learn more from the Oyster and Oso case study.

Securing the Sound of AI: How AudioStack Scales Enterprise Trust

AudioStack is one of the world’s leading end-to-end enterprise solutions for AI audio production. Its proprietary technology allows enterprises to build complex audio production workflows substantially faster and at a fraction of the cost of traditional methods—without compromising on quality. Customers include AWS Marketplace, iHeart Radio, News Corp, Omnicom Media Group, and Publicis Groupe.

The company’s existing authorization system was fragile and hard to maintain. Its lack of auditability challenged enterprise trust as there was no way to easily demonstrate access controls for regulatory compliance such as GDPR and SOC 2. Authorization complexity slowed feature delivery and diverted focus from core AI work. The team estimated an effort of 12 engineering months just for basic role maintenance.

By working with Oso, AudioStack has unlocked:

  • 2x higher feature velocity: Authorization is no longer a blocker—product teams move faster with less time spent managing internal authorization logic.
  • Greater customer trust: Improved audit readiness and a proven authorization model support brand safety and IP protection, and the company is ready to respond to customer due diligence and compliance reviews.
  • Future-ready AI architecture: Positioned to extend secure access control into generative AI RAG and agentic workflows.

What SaaS Providers Need to Do Next

JPMorgan’s open letter is more than a warning—it’s a directive. The era of treating security as a secondary concern is over. SaaS vendors must confront the hard truth: their products are now part of the global critical infrastructure, and the old ways of managing access and integration no longer hold up.

The message from Productboard, Oyster, and AudioStack is clear—modern, scalable, and auditable authorization isn’t just a security requirement; it’s a growth enabler. By investing in robust authorization frameworks now, SaaS providers can not only prevent catastrophic breaches, but also unlock enterprise markets, accelerate AI adoption, and earn long-term customer trust.

The next breach won’t just be a technical failure—it’ll be a business failure. The smart vendors are already acting. Contact us and we can help you get started.

About the author

Mat Keep

Product Marketer

Mat Keep is a product strategist with three decades of experience in developer tools and enterprise data infrastructure. He has held senior product roles at leading relational and NoSQL database vendors along with data engineering and AIOps providers. Today, he works as an independent advisor helping technology companies navigate the transformative impact of AI. At Oso, he focuses on how secure, scalable authorization can accelerate AI adoption.
