It’s Time To Unravel the SaaS Tangled Web



It’s no revelation that Software as a Service (SaaS) solutions have transformed the way we work, both personally and professionally. Cloud-based and remote applications are now integral to daily tasks, and with them identity, rather than the network, has become the primary security boundary.

Regrettably, as often happens, our appetite for better workflows, collaboration, and communication has outpaced our commitment to securing these tools as they integrate into our environments. Each application we adopt asks for permissions to our data, and many of them in turn depend on services from other providers. The result is not a network but a web of interdependencies so intricate that most security and IT teams do not know how many SaaS applications are connected to their data, let alone which identities those applications hold or what access they have been granted.

Our preference for adaptability and scalability has led modern business operations to rely heavily on SaaS applications, which makes us correspondingly exposed to attacks on those cloud-based services.

Threat actors understand the “as-a-service” model as well as anyone; Ransomware-as-a-Service is marketed to affiliates on dark web forums. They target third-party SaaS vendors precisely because breaching one vendor yields access to the data of many customers. 2023 saw a 68% surge in attacks through third-party applications, and experts agree that this figure will rise as SaaS adoption continues to grow.

Fortunately, IT and security teams can take concrete steps to disentangle this knot of interlinked SaaS applications.


Understand your SaaS ecosystem and shadow IT

Securing something starts with knowing it exists. With SaaS, that is seldom straightforward.

Shadow IT, meaning tools or programs that have been granted access to company data without IT or security’s knowledge, is rampant. A marketing team member might, for instance, sign up for a new SaaS design tool and grant it access to the company’s shared drive so uploads and downloads are convenient, skipping IT approval because a deadline is looming, the process takes too long, or the request might be denied. Such applications often hold substantial visibility into, and permissions over, company data, while the security team does not know they exist and therefore cannot monitor them for anomalous behavior.

To grasp the magnitude of the issue and the importance of gaining a comprehensive overview of your SaaS landscape, let’s crunch some numbers.

  • On average, businesses are connected to ~500 business applications.
  • Of these, ~49% are sanctioned by IT/security and ~51% are unsanctioned.
  • Each app typically has 9 users.
  • Multiplying the users per app (9) by the unsanctioned apps (~255, i.e. 51% of 500) yields roughly 2,295 potential attack routes that are invisible to IT and security teams and that threat actors are eager to exploit.

Knowing how many applications are connected to your environment, what they do, what permissions they hold, and what they are doing with those permissions is therefore critical. It also has to be continuous: someone can always circumvent the IT process, add a new app or service, and grant it broad access to data.


Lock down the paths to your data

Once you know which applications you have, structure permissions deliberately so that neither applications nor users are over-provisioned. Keep watching after the initial review: an application can change the scopes it requests when it is updated, quietly demanding more access than it was originally granted without clearly communicating the change.

The recent spate of high-profile breaches linked to the cloud data platform Snowflake underscores how exposed organizations are on this point. Ticketmaster, Santander Bank, and Advance Auto Parts all fell to the same attack pattern: credentials stolen earlier, weak security controls around access to the third-party data platform (Snowflake), and critical data protected by nothing more than a password, in disregard of basic best practice.

Securing your SaaS ecosystem starts with mapping it: every connected app, the identities associated with it, and what it does. That mapping is labor-intensive, it is only the beginning of the journey, and it rests on the expectation that employees will disclose the unsanctioned applications they use.

To avert breaches, companies must:

  • Know every SaaS application in use, particularly those handling sensitive data
  • Put high-risk apps behind the Identity Provider (IdP) with Multi-Factor Authentication (MFA) enforced
  • Ensure users of these applications hold only the privileges they need
  • Be alerted to, and respond swiftly to, suspicious activity involving applications and data
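The checklist above, the shadow-app arithmetic earlier, and the warning about applications silently expanding their scopes can be turned into one routine check. The following Python is an added illustration, not code from the article or from Reco’s product. It audits a constructed export of OAuth grants: it flags unsanctioned apps against an allowlist, scores their scopes, detects scope drift between two snapshots, cross-references high-risk grants against MFA enrolment, and computes the users-times-unsanctioned-apps exposure figure. The client IDs, users, allowlist, and scope weights are all assumptions; the scope strings are Google Workspace’s, used only because their meaning is well known.

```python
"""Audit a SaaS OAuth-grant inventory for shadow apps, broad scopes,
scope drift and missing MFA.

Added example, not the article's or Reco's code. Client IDs, users, the
allowlist and the scope weights are constructed; the scope strings mirror
Google Workspace's but the logic applies to any IdP that exports grants.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List, Set

# Client IDs that IT/security have reviewed and approved (hypothetical).
SANCTIONED: Set[str] = {"crm-app.example", "chat-app.example"}

# Risk weight per scope: 3 = broad read/write over user data, 0 = identity only.
# Assumption: tune these for the scope names your IdP actually emits.
SCOPE_RISK: Dict[str, int] = {
    "https://www.googleapis.com/auth/drive": 3,           # all Drive files
    "https://www.googleapis.com/auth/drive.readonly": 2,  # read all Drive files
    "https://www.googleapis.com/auth/drive.file": 1,      # only files the app opened
    "https://mail.google.com/": 3,                        # full mailbox access
    "https://www.googleapis.com/auth/userinfo.email": 0,
    "openid": 0,
}
UNKNOWN_SCOPE_RISK = 2  # an unreviewed scope is treated as risky, not ignored


@dataclass(frozen=True)
class Grant:
    user: str
    client_id: str
    app_name: str
    scopes: FrozenSet[str]


@dataclass(frozen=True)
class Finding:
    severity: str
    user: str
    app_name: str
    reason: str


def scope_risk(scopes: Iterable[str]) -> int:
    """A grant is as risky as the riskiest single scope it carries."""
    return max((SCOPE_RISK.get(s, UNKNOWN_SCOPE_RISK) for s in scopes), default=0)


def audit(current: List[Grant], previous: List[Grant], mfa_enrolled: Set[str]) -> List[Finding]:
    """Compare today's grants against the allowlist, the last snapshot and the MFA roster."""
    prev_scopes = {(g.user, g.client_id): g.scopes for g in previous}
    findings: List[Finding] = []
    for g in current:
        risk = scope_risk(g.scopes)
        if g.client_id not in SANCTIONED:
            sev, why = ("high", "unsanctioned app holds broad data scope") if risk >= 2 \
                else ("low", "unsanctioned app with narrow scope")
            findings.append(Finding(sev, g.user, g.app_name, why))
        # Scope drift: the same user/app pair now carries scopes it did not last time.
        key = (g.user, g.client_id)
        added = g.scopes - prev_scopes.get(key, frozenset())
        if key in prev_scopes and added:
            findings.append(Finding("high", g.user, g.app_name,
                                    "scope drift: " + ", ".join(sorted(added))))
        # High-risk data reachable through an account that has no MFA.
        if risk >= 2 and g.user not in mfa_enrolled:
            findings.append(Finding("high", g.user, g.app_name,
                                    "user without MFA holds grant to high-risk app"))
    return findings


def exposure_summary(grants: List[Grant]) -> Dict[str, int]:
    """The article's arithmetic: users x unsanctioned apps = unseen attack routes."""
    users_per_app: Dict[str, Set[str]] = defaultdict(set)
    for g in grants:
        users_per_app[g.client_id].add(g.user)
    unsanctioned = [c for c in users_per_app if c not in SANCTIONED]
    return {
        "apps": len(users_per_app),
        "unsanctioned_apps": len(unsanctioned),
        "unsanctioned_grants": sum(len(users_per_app[c]) for c in unsanctioned),
    }


# Constructed snapshots, as a weekly export of per-user OAuth tokens might look.
DRIVE, DRIVE_FILE = "https://www.googleapis.com/auth/drive", "https://www.googleapis.com/auth/drive.file"
EMAIL, MAIL = "https://www.googleapis.com/auth/userinfo.email", "https://mail.google.com/"
PREVIOUS_GRANTS = [
    Grant("alice", "design-tool.example", "DesignTool", frozenset({DRIVE_FILE, EMAIL})),
    Grant("bob", "crm-app.example", "CRM", frozenset({"openid", EMAIL})),
]
CURRENT_GRANTS = [
    Grant("alice", "design-tool.example", "DesignTool", frozenset({DRIVE, EMAIL})),  # escalated
    Grant("bob", "crm-app.example", "CRM", frozenset({"openid", EMAIL})),
    Grant("carol", "crm-app.example", "CRM", frozenset({"openid", EMAIL})),
    Grant("dave", "mail-sync.example", "MailSync", frozenset({MAIL})),
    Grant("erin", "design-tool.example", "DesignTool", frozenset({DRIVE_FILE, EMAIL})),
]
MFA_ENROLLED = {"alice", "bob", "carol", "erin"}  # dave has not enrolled

if __name__ == "__main__":
    for f in audit(CURRENT_GRANTS, PREVIOUS_GRANTS, MFA_ENROLLED):
        print(f"[{f.severity.upper():4}] {f.user:6} {f.app_name:10} {f.reason}")
    print(exposure_summary(CURRENT_GRANTS))
```

On the constructed data this reports five findings: DesignTool is unsanctioned and now holds full Drive access for alice (scope drift from drive.file to drive), MailSync gives dave full mailbox access without MFA on his account, and erin’s narrow DesignTool grant is a low-severity shadow app. To run it against a real tenant, map your IdP’s grant export (for example Google Workspace’s token listing or Microsoft Entra’s OAuth2 permission grants) onto Grant and keep the previous export so drift is detectable.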

Monitoring access, permissions, and usage has the added benefit of supporting regulatory compliance; not knowing what an application can reach, and what data it has exposed, carries consequences when a breach arrives through a third party. The monitoring controls themselves must not degrade usability, or they will simply push more usage into the shadows.


In summary: secure your operational processes

SaaS applications are now embedded in every facet of business, from sales enablement to data management and AI tools. That brings genuine opportunities to work in new and unconventional ways. It is equally crucial, though, to start untangling the interconnected SaaS web that defines today’s environment.

As malicious actors find vulnerabilities and dependencies in this web, they will exploit them with increasingly severe breaches. Prioritizing the security of how we work is what lets us keep building on it.

Note: This article was contributed by Dvir Sasson, Director of Security Research at Reco.
