When is it impossible to secure SaaS data?

It is indeed impossible to secure SaaS data when a user accesses an unsanctioned SaaS instance using an unmanaged device. This situation poses significant risks because the device in question is not controlled by the organization's security policies or measures, potentially exposing sensitive data to various threats such as malware, unauthorized access, or lack of proper encryption.

Unmanaged devices do not undergo the same security checks as managed devices, which can typically enforce security configurations, access controls, and monitoring. When users access unsanctioned SaaS applications—those not officially approved by the organization—it becomes increasingly challenging for security teams to implement protective measures or enforce compliance since they lack visibility and control over those applications. As a result, sensitive information can easily be compromised without adequate security provisions.

This scenario highlights the importance of maintaining strict oversight over both the devices accessing corporate data and the applications employed within the organization. Using managed devices to access sanctioned SaaS applications would generally allow for a higher level of security, while unmanaged devices accessing unsanctioned applications present the highest risk, thus making it difficult, if not impossible, to secure the data effectively.