It’s Time To Unravel the SaaS Knot


It’s no major insight to mention that SaaS applications have revolutionized the way we function, both in our personal and work lives. Cloud-based and remote applications have become indispensable for our day-to-day tasks, shifting the primary boundary of our networks to the identities used to access these services.

Regrettably – as is often the case – our eagerness for better workflows, collaboration, and communication outpaced our diligence in securing these tools and processes before integrating them into our environments, and we gave up control of our data security in the process. Each of these applications requests a different level of access to our data, and many depend on services from yet other providers, so the result is a web of interconnected dependencies rather than a clearly bounded network. This web has become so tangled that most security and IT teams cannot say how many SaaS applications are connected, which ones they are, or what access each has been granted.

Our collective – and justifiable – attraction to adaptability and scalability has led us to our current conundrum: most modern businesses cannot function without SaaS applications, as they have become critical to our operations, yet they are susceptible to attacks on these cloud-based services and applications.

Threat actors grasp the “as-a-service” concept as well as anyone, routinely selling Ransomware-as-a-Service on the dark web to affiliates. They realize that compromising a third-party SaaS provider yields the valuable assets of many companies, not just one. 2023 saw a 68% surge in third-party app attacks, and experts unanimously agree that this number will escalate as SaaS adoption rises.

Thankfully, there are measures to disentangle this labyrinth of SaaS intricacies confronting IT and security teams globally.


Understand your SaaS ecosystem and shadow IT

It sounds straightforward: to secure something, you first have to know it exists. With SaaS, though, even that is rarely simple.

Shadow IT – tools or programs installed with access to company data without the knowledge of IT or security teams – is rampant. Consider this: a marketing professional needs a new design tool that is available as a SaaS app, so they log in, grant it access to shared files for convenient uploads and downloads, and skip IT approval for any number of reasons (lengthy process, likely denial, tight deadlines, etc.). Such apps often end up with broad visibility into and permissions over company data while security personnel are unaware they exist, let alone monitoring them for suspicious behavior.

To grasp the magnitude of the issue and why obtaining a complete view of your SaaS ecosystem is crucial, let’s perform a quick calculation.

  • The average business has around 500 business applications linked to its environment.
  • Of these, ~49% are sanctioned (approved by IT/security), while ~51% are unsanctioned.
  • On average, each app has 9 users.
  • Multiplying the users per app (9) by the number of unsanctioned apps (~255) gives an average of 2,295 potentially unique attack vectors that IT and security teams do not know about, providing fertile ground for exploitation by threat actors.

Hence, knowing how many applications are integrated into your ecosystem, what they do, what access they hold, and what activity they generate is paramount. This oversight must be continuous, since at any time someone may circumvent IT by adding a new app or service with full data access.


Seal the pathways to your data

Once you have a grip on your applications, the next step is to model permissions and ensure that neither applications nor users hold more access than they need. This, too, requires ongoing monitoring: apps may change their permission model and start requesting broader access without any clear notification.

Recently, a wave of prominent breaches associated with cloud storage vendor Snowflake has underscored how exposed organizations are in this regard. Ticketmaster, Santander Bank, and Advance Auto Parts all fell to the same pattern: previously stolen credentials, a third-party storage provider (Snowflake) that allowed cloud storage vaults to be set up without an IDP or MFA, and firms that chose to protect large volumes of data with nothing more than passwords.

To harden their SaaS ecosystem, companies first need to map it comprehensively: every connected application, the identities associated with it, and its activity. Done by hand, this is labor-intensive, and it is only the starting point; it also relies on employees coming forward about the unsanctioned apps they use.

To forestall breaches, companies must:

  • Identify all utilized SaaS applications (both known and unknown), particularly those handling sensitive data
  • Safeguard high-risk apps with security mechanisms like IDP, MFA, etc.
  • Ensure users of these apps have appropriate access levels
  • Stay alert and ready to respond swiftly if apps or data are accessed or manipulated suspiciously

This kind of access, permission, and usage monitoring also supports regulatory compliance. Not knowing that an app existed, or what data it could reach, is not an acceptable explanation after a breach through a third party. The monitoring must also be done without degrading usability, especially where shadow IT is already rampant.
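The four steps above (inventory, protect high-risk apps, right-size access, watch for change) and the earlier attack-surface calculation can be expressed as a small triage script. The following is an added example, not code from the article or from Reco; the app names, OAuth scope labels, users and the "previous snapshot" are all constructed sample data, and the scope names are assumptions standing in for whatever your identity provider actually exports.

```python
"""Triage a SaaS/OAuth app inventory against the article's checklist.

All data below is constructed for illustration; a real run would load the
inventory and the previous snapshot from an IDP or SaaS-security export.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    name: str
    mfa_enabled: bool


@dataclass(frozen=True)
class AppGrant:
    app: str
    scopes: frozenset   # OAuth scopes the app has been granted
    users: tuple        # accounts that authorized or use the app


# Apps that IT/security has approved (constructed).
SANCTIONED_APPS = frozenset({"crm-suite", "doc-storage"})

# Scopes that reach company data wholesale; labels are hypothetical.
HIGH_RISK_SCOPES = frozenset(
    {"files.read.all", "files.write.all", "mail.read", "directory.read.all"}
)

# Constructed current inventory.
INVENTORY = [
    AppGrant("crm-suite", frozenset({"contacts.read", "mail.read"}),
             (User("alice", True), User("bob", True))),
    AppGrant("design-tool", frozenset({"files.read.all", "files.write.all"}),
             (User("carol", False), User("dave", True))),
    AppGrant("doc-storage", frozenset({"files.read.all"}),
             (User("alice", True), User("erin", False))),
    AppGrant("meme-generator", frozenset({"profile.read"}),
             (User("frank", False),)),
]

# Constructed snapshot of scopes seen on the previous run.
PREVIOUS_SCOPES = {
    "crm-suite": frozenset({"contacts.read", "mail.read"}),
    "design-tool": frozenset({"files.read.all"}),
    "doc-storage": frozenset({"files.read.all"}),
}


def shadow_apps(inventory, sanctioned=SANCTIONED_APPS):
    """Step 1: apps connected to company data that IT never approved."""
    return sorted(g.app for g in inventory if g.app not in sanctioned)


def shadow_user_app_pairs(inventory, sanctioned=SANCTIONED_APPS):
    """The article's 'users x unsanctioned apps' attack-surface estimate."""
    return sum(len(g.users) for g in inventory if g.app not in sanctioned)


def high_risk_apps(inventory, risky=HIGH_RISK_SCOPES):
    """Step 2: apps holding at least one scope that reaches bulk data."""
    return sorted(g.app for g in inventory if g.scopes & risky)


def users_without_mfa_on_high_risk(inventory, risky=HIGH_RISK_SCOPES):
    """Step 3: (app, user) pairs where a high-risk app is used without MFA."""
    return sorted(
        (g.app, u.name)
        for g in inventory if g.scopes & risky
        for u in g.users if not u.mfa_enabled
    )


def scope_escalations(inventory, previous):
    """Step 4: apps that gained scopes since the last snapshot (new apps
    count as having gained all of theirs)."""
    escalated = {}
    for g in inventory:
        added = g.scopes - previous.get(g.app, frozenset())
        if added:
            escalated[g.app] = sorted(added)
    return escalated


def report(inventory=INVENTORY, previous=PREVIOUS_SCOPES):
    """Bundle all findings so they can be pushed to a ticket or alert."""
    return {
        "shadow_apps": shadow_apps(inventory),
        "shadow_user_app_pairs": shadow_user_app_pairs(inventory),
        "high_risk_apps": high_risk_apps(inventory),
        "no_mfa_on_high_risk": users_without_mfa_on_high_risk(inventory),
        "scope_escalations": scope_escalations(inventory, previous),
    }


if __name__ == "__main__":
    for finding, value in report().items():
        print(f"{finding}: {value}")
```

On the sample data the script flags `design-tool` and `meme-generator` as shadow apps, reports that `design-tool` quietly gained `files.write.all` since the last snapshot, and lists `carol` and `erin` as accounts using high-risk apps without MFA. Running the comparison on every scheduled export is what turns the one-off mapping exercise into the continuous monitoring the article calls for.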


In summary: safeguard your operational practices

Evidently, SaaS applications are entrenched in our workflows, powering sales, data management, and AI capabilities. As we welcome this progress and the new ways of working it enables, it is equally vital to start untangling the SaaS complexity that now surrounds our environments.

As threat actors find more of the vulnerabilities and dependencies in this web, they will exploit them more effectively, and the breaches will grow larger – and more damaging. Securing the way we work is what lets us keep doing more with it.

This article was contributed by Dvir Sasson, Director of Security Research at Reco.
