It won’t be a big revelation to say that SaaS applications have changed the way we work in both our personal and professional lives. We regularly rely on cloud and remote applications to perform our core functions, so the only true perimeter of our networks is the credentials we use to log into these services.
Unfortunately, as is often the case, our appetite for improved workflows, collaboration and communication outpaced our willingness to ensure that these tools and processes were secure before we plugged them into our environment and handed over control of the security of our data. Each of these applications requests a different set of permissions on our data and often depends on further third-party services, creating not a network but a tangle of interdependent entanglements so complex that most security professionals don’t even know how many SaaS applications are connected, let alone what they are or what access rights they hold.
Our collective – and understandable – appetite for flexibility and scalability has led us to where we are today: most of us cannot function in today’s business without SaaS applications because they have become critical to our operations, yet we are vulnerable to attacks on these cloud services and applications.
Threat actors understand the ‘as a service’ model as well as anyone, often selling ransomware as a service to their partners on the dark web. They understand that an attack on a third-party SaaS application provider affects not just one company, but many. Attacks via third-party programs increased by 68% in 2023, and all researchers agree that number will only grow as SaaS adoption grows.
Fortunately, there are steps that can be taken to unravel this tangle of SaaS yarn that IT and security teams around the world must grapple with.
Understand your SaaS environment and monitor it
It seems so simple: if you need to secure something, first you need to know what it is. However, as we know when it comes to SaaS, it’s never simple.
Shadow IT – any tool or program that is installed and has access to company data without the knowledge of the IT and/or security departments – is very common. Think about it: when someone in marketing needs a new design tool available as a SaaS application, they log in, grant it access to your shared files for easy download and/or upload, and skip getting it approved by IT for any number of reasons (it takes too much time, the application may be rejected, they have a tight deadline, etc.). These applications often have extensive visibility into and permissions on company data, with no one on the security side even knowing they exist, let alone watching for suspicious behavior.
To understand the scale of the problem and why getting a complete picture of your SaaS environment matters, let’s do the math.
- Most businesses have an average of ~500 business applications connected to their environment.
- Of these, ~49% are sanctioned/approved by IT/security and ~51% are unauthorized applications.
- Each application has an average of 9 users.
- Multiplying the number of users per app (9) by the number of unauthorized apps (~255) gives an average of 2295 potentially unique attack vectors that IT and security teams have no visibility into, and that threat actors love to exploit.
That’s why understanding how many applications are connected to your environment, what they’re doing and what permissions they hold is the most important step. This oversight also needs to be continuous: you never know when someone might bypass IT, add a new app or service, and give it full access to your data.
Close the open roads to your data
Once you’ve inventoried your apps, it’s time to map their permissions and make sure that neither the apps nor their users have excessive permissions. This also requires constant monitoring: applications often change their permission structures to require more access without notifying you.
The recent rash of high-profile breaches involving cloud storage provider Snowflake highlighted how vulnerable organizations often are in this regard. Ticketmaster, Santander Bank, and Advance Auto Parts all fell victim to the same attack, which resulted from previously stolen credentials, a third-party storage provider (Snowflake) that allowed these cloud stores to be set up without an IdP or MFA, and companies ignoring best practices by protecting massive data stores with passwords alone.
To take the first step in securing their SaaS ecosystem, companies must essentially map it: understand all connected applications and the identities and activities associated with them. This is time-consuming and is only the tip of the iceberg. It is also hoped that the employees responsible will be held accountable for using an unauthorized program.
To prevent breaches, companies must:
- Be aware of all SaaS applications in use (both known and unknown), especially those that require deep access or store proprietary/customer data
- Make sure these high-risk apps are protected by an IdP, MFA, etc.
- Ensure that users of these applications do not have excessive privileges
- Get alerted and act quickly when applications, or the data reachable through them, are accessed or moved in suspicious ways
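The four steps above map onto four concrete checks over an application inventory, an identity list and an audit log. The script below is an added example, not code from this article or from Reco: the scope names (`files.read.all`, `directory.write`, etc.), the app inventory, the users and the audit-log lines are all constructed for the demonstration, and a real SaaS platform exposes the equivalent data through its own admin and audit APIs under different names. It flags unsanctioned apps with deep access (step 1), users of high-risk apps who lack MFA (step 2), non-admins holding admin-only scopes (step 3), and a burst of downloads inside a sliding time window (step 4).

```python
"""Toy SaaS posture check for the four steps above (added example, not the
article's or Reco's code; scope names, inventory, users and log lines are all
constructed for the demonstration)."""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

# Hypothetical scope names; holding any of these counts as "deep access".
HIGH_RISK_SCOPES = {"files.read.all", "files.write.all", "mail.read.all", "directory.write"}
ADMIN_ONLY_SCOPES = {"files.write.all", "directory.write"}  # only admins should hold these

@dataclass
class AppGrant:
    name: str
    sanctioned: bool   # approved by IT/security?
    scopes: set
    users: list        # identities that granted the app access
    stores_customer_data: bool = False

@dataclass
class User:
    email: str
    mfa_enabled: bool
    role: str          # "admin" or "member"

# Constructed inventory: two sanctioned apps, two shadow apps.
INVENTORY = [
    AppGrant("crm-suite", True, {"contacts.read", "files.read.all"},
             ["alice@example.com", "bob@example.com"], stores_customer_data=True),
    AppGrant("design-tool", False, {"files.read.all", "files.write.all"}, ["carol@example.com"]),
    AppGrant("meme-generator", False, {"profile.read"}, ["dave@example.com"]),
    AppGrant("hr-portal", True, {"directory.write"}, ["bob@example.com", "erin@example.com"]),
]
USERS = {u.email: u for u in [
    User("alice@example.com", True, "admin"), User("bob@example.com", False, "member"),
    User("carol@example.com", False, "member"), User("dave@example.com", True, "member"),
    User("erin@example.com", True, "admin"),
]}
# Constructed audit-log lines: carol's routine activity, then bob pulling six
# customer exports out of the CRM within one minute late at night.
LOG_LINES = [
    "2024-06-03T09:00:00Z user=carol@example.com app=design-tool action=download object=logo.png",
    "2024-06-03T09:20:00Z user=carol@example.com app=design-tool action=upload object=banner.png",
] + [
    f"2024-06-03T22:10:{s:02d}Z user=bob@example.com app=crm-suite action=download object=customers_{i}.csv"
    for i, s in enumerate(range(0, 60, 10))
]

def is_high_risk(app):
    """Deep access or proprietary/customer data makes an app high-risk (step 1)."""
    return bool(app.scopes & HIGH_RISK_SCOPES) or app.stores_customer_data

def find_shadow_apps(inventory):
    """Step 1: unsanctioned apps that nevertheless hold deep access."""
    return sorted(a.name for a in inventory if not a.sanctioned and is_high_risk(a))

def users_missing_mfa(inventory, users):
    """Step 2: per high-risk app, the users whose identity is not MFA-protected."""
    findings = {}
    for app in inventory:
        missing = sorted(u for u in app.users if not users[u].mfa_enabled)
        if is_high_risk(app) and missing:
            findings[app.name] = missing
    return findings

def excessive_privilege(inventory, users):
    """Step 3: non-admin users of apps that carry admin-only scopes."""
    return sorted((a.name, u) for a in inventory if a.scopes & ADMIN_ONLY_SCOPES
                  for u in a.users if users[u].role != "admin")

def parse_line(line):
    """Parse one constructed 'timestamp key=value ...' audit line into a dict."""
    ts, *kvs = line.split()
    rec = dict(kv.split("=", 1) for kv in kvs)
    rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return rec

def suspicious_downloads(lines, window=timedelta(minutes=10), threshold=5):
    """Step 4: (user, app) pairs with >= threshold downloads inside a sliding window."""
    events = sorted((parse_line(l) for l in lines), key=lambda r: r["ts"])
    recent, flagged = defaultdict(deque), set()
    for rec in events:
        if rec["action"] != "download":
            continue
        key = (rec["user"], rec["app"])
        q = recent[key]
        q.append(rec["ts"])
        while rec["ts"] - q[0] > window:  # drop timestamps that fell out of the window
            q.popleft()
        if len(q) >= threshold:
            flagged.add(key)
    return sorted(flagged)

def posture_report(inventory=INVENTORY, users=USERS, lines=LOG_LINES):
    """All four checks in one dict, ready to feed an alerting pipeline."""
    return {"shadow_high_risk_apps": find_shadow_apps(inventory),
            "users_missing_mfa": users_missing_mfa(inventory, users),
            "excessive_privilege": excessive_privilege(inventory, users),
            "suspicious_downloads": suspicious_downloads(lines)}
```

On the constructed data, `posture_report()` reports `design-tool` as a high-risk shadow app (the low-privilege `meme-generator` is unsanctioned but not flagged), `bob` and `carol` as MFA-less users of high-risk apps, both of them as non-admins holding admin-only scopes, and `bob`'s CRM export burst as suspicious. The sliding-window rule is deliberately simple; in practice the window and threshold are tuned per app against a baseline of normal activity.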
This type of access, authorization and usage monitoring has the added benefit of helping your company stay compliant with the various agencies and regulators it answers to. If your data is compromised through a third-party breach, not having known about the app and its access to your data does not go over well. Nor should this type of monitoring come at the expense of usability, as our current situation of rampant shadow IT shows.
In conclusion: secure the way your business works
From sales enablement to database management to artificial intelligence tools, SaaS applications are clearly here to stay. This is exciting and has opened up opportunities for us to work in new and innovative ways and places. Now that we are aware of this, it is time to start unraveling the ball of SaaS yarn that our environments have become.
As threat actors find more and more of these points of failure and dependency in this tangle, they will be better able to exploit them for larger – and more destructive – breaches. The more we prioritize securing the way we work, the more we can achieve.
Note: This article was written by Dvir Sasan, director of security research at Reco.