It’s not a groundbreaking observation to state that SaaS applications have revolutionized the way we function, both in our personal and work lives. We regularly depend on cloud-based and remote applications to carry out our fundamental operations, resulting in the only true boundary of our networks being the identities used to log into these services.
Regrettably – as is often the case – our desire for improved workflows, cooperation, and communication outstripped our readiness to ensure the security of these tools and processes as we integrated them into our environments, relinquishing our control over the security of our data. Each of these applications requests various levels of access to our data, often dependent on services from other providers, creating not a network, but a web of interconnected complexities that has become so intricate that most security and IT teams are unaware of how many SaaS applications are linked in, let alone their identities or permissions.
Our shared – and justifiable – inclination for adaptability and scalability has led us to our current situation: most of us cannot function in modern businesses without SaaS applications, as they have become indispensable to our operations, yet we find ourselves exposed to threats targeting these cloud-based services and applications.
Threat actors grasp the “as-a-service” concept as well as anyone, often vending Ransomware-as-a-Service on the dark web to their partners. They realize that targeting these third-party SaaS application providers opens the door to not only one company’s sensitive information but many. We witnessed a 68% surge in attacks from third-party applications in 2023, and analysts universally concur that this number will only grow as SaaS adoption rises.
Comprehend your SaaS landscape and shadow IT
It appears straightforward: to secure something, you must first acknowledge its existence. However, as we are aware, when dealing with SaaS, simplicity is rarely the case.
Shadow IT – any tools or software installed with access to a company’s data without the knowledge of the IT and/or security teams – is rampant. Consider this: when a member of the marketing team requires using a new design tool available as a SaaS application, they log in, grant it access to shared files for easy uploads and/or downloads, and are reluctant to involve IT for approval due to various reasons (lengthy process, potential denial, tight deadlines, etc.). These applications often possess extensive visibility and privileges in company data without any security personnel being aware of their existence or monitoring for suspicious activities.
To grasp the extent of the issue and why obtaining a comprehensive view of your SaaS environment is crucial, let’s do some rudimentary calculations.
- On average, most businesses have ~500 business applications linked to their ecosystem.
- Among them, ~49% are approved/sanctioned by IT/security and ~51% are unapproved applications.
- Each application typically accommodates 9 users per app.
- If we multiply the number of users per application (9) by the count of unapproved applications (~255), it results in an average of 2,295 potentially distinct attack vectors that IT and security teams are unaware of and threat actors are eager to exploit.
This emphasizes why recognizing how many applications are integrated into your environment, their activities, permissions, and behaviors is paramount. Such oversight should also be continuous: you never know when someone might bypass IT to add a new app or service and grant it complete access to your data.
Seal the pathways to your data
Once you’ve inventoried your applications, it’s time to map out your permissions and ensure these applications and users are not granted excessive privileges. This necessitates ongoing vigilance, since an application may change its permission structure to demand more access without making that change obvious.
Recently, the wave of prominent breaches linked to cloud storage provider Snowflake has underscored how exposed organizations are in this regard. Companies like Ticketmaster, Santander Bank, and Advance Auto Parts all succumbed to the same attack due to previously stolen credentials, a third-party storage provider (Snowflake) allowing these cloud storage repositories to be set up without proper identity protection or multi-factor authentication, and firms disregarding best practices by safeguarding their vast data solely with passwords.
To fortify their SaaS ecosystem, companies must essentially chart it out: comprehending all connected applications, relevant identities, and actions. This initial step can be laborious and only scratches the surface. It also depends partly on the chance that the employees responsible will disclose their use of an unsanctioned application.
To avert breaches, companies must:
- Identify all used SaaS applications (both known and unknown), especially those with extensive access requirements or holding sensitive/custom data
- Ensure those high-risk applications are shielded with identity protection (IDP), multi-factor authentication (MFA), etc.
- Ensure users of those applications are not granted excessive privileges
- Receive alerts and respond promptly when suspicious activities are detected involving the applications and/or data flows
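One way to implement the inventory, permission-drift and MFA checks listed above, as an added example that is not part of the original article; the scope names, app names, user lists and MFA roster are constructed sample data standing in for an IdP or SaaS-security export, not values from any real tenant.

```python
"""Audit a SaaS app-grant inventory for the risks the article lists (constructed data)."""
from dataclasses import dataclass

# Scopes treated as broad, high-risk access; an assumption, map to your IdP's scope names.
HIGH_RISK_SCOPES = {"files.read_all", "files.write_all", "mail.read_all", "directory.read_all"}

@dataclass
class AppGrant:
    app: str            # application name as shown in the OAuth/IdP grant
    sanctioned: bool    # approved by IT/security?
    scopes: set         # permissions the app currently holds
    users: list         # identities that granted the app access

def find_unsanctioned_high_risk(grants):
    """Shadow apps that hold at least one broad scope."""
    return sorted(g.app for g in grants if not g.sanctioned and g.scopes & HIGH_RISK_SCOPES)

def find_scope_drift(previous, current):
    """{app: newly added scopes}; an app absent from the previous snapshot counts as all-new."""
    before = {g.app: g.scopes for g in previous}
    drift = {}
    for g in current:
        added = g.scopes - before.get(g.app, set())
        if added:
            drift[g.app] = added
    return drift

def users_without_mfa(grants, mfa_enrolled):
    """Users of any high-risk app whose identity has no MFA enrolment."""
    exposed = set()
    for g in grants:
        if g.scopes & HIGH_RISK_SCOPES:
            exposed.update(u for u in g.users if u not in mfa_enrolled)
    return sorted(exposed)

# Constructed snapshots: a design tool quietly gained write access, and a new notes app appeared.
PREVIOUS = [AppGrant("design-tool", False, {"files.read"}, ["alice", "bob"]),
            AppGrant("crm", True, {"directory.read_all"}, ["carol"])]
CURRENT = [AppGrant("design-tool", False, {"files.read", "files.write_all"}, ["alice", "bob"]),
           AppGrant("crm", True, {"directory.read_all"}, ["carol"]),
           AppGrant("notes-app", False, {"profile"}, ["dave"])]
MFA_ENROLLED = {"alice", "carol"}  # constructed MFA roster

def audit(previous, current, mfa_enrolled):
    """Combine the three checks into one report a SOC could alert on."""
    return {"unsanctioned_high_risk": find_unsanctioned_high_risk(current),
            "scope_drift": find_scope_drift(previous, current),
            "users_without_mfa": users_without_mfa(current, mfa_enrolled)}

if __name__ == "__main__":
    for finding, value in audit(PREVIOUS, CURRENT, MFA_ENROLLED).items():
        print(f"{finding}: {value}")
```

Run the audit against each new snapshot so that a freshly added app or a widened scope surfaces as an alert rather than sitting unnoticed.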
This form of access, permissions, and usage monitoring offers the added advantage of aiding your company in complying with various regulatory bodies and laws. Failing to disclose an application and its access to data in the event of a breach stemming from a third party does not bode well. Furthermore, such monitoring should not impair usability; the prevalence of shadow IT shows what happens when security controls get in the way of work.
To sum up: safeguard the functionality of your enterprise
Evidently, SaaS applications are entrenched, from sales support to database management to AI tools. They bring excitement and enable us to work in new, innovative ways and locales. As we acknowledge this, it’s time to commence disentangling the SaaS tangle that has enveloped our environment.
As threat actors pinpoint more of these vulnerability points and interdependency nodes in this intricate web, they will become more adept at exploiting them with grander – and more devastating – breaches. The more we prioritize securing our actual working methods, the greater our achievements will be.
Note: This article has been contributed by Dvir Sasson, Director of Security Research at Reco.
