When it comes to services delivered via the cloud, cybersecurity professionals expend much of their time and energy on Infrastructure-as-a-Service (IaaS) — especially AWS, Azure, and the Google Cloud Platform. Yet this leads professionals to overlook a related, yet very distinct concern — the security liabilities posed by Software-as-a-Service (SaaS) apps.
Failing to acknowledge and address the risks of SaaS apps opens the door to insider threats — and even a single person afforded improper access to sensitive data via SaaS can wreak havoc. Here’s why unsecured SaaS apps are such major liabilities, and what security teams can do about it.
There are three main reasons why organizations ultimately focus more on IaaS rather than SaaS. First, cybersecurity leaders are often stretched thin. They are focused on managing scarcity, which often demands adding more resources or reducing the number of active priorities. This ultimately means making hard choices about what to prioritize — and in a world where IaaS compromises are so highly publicized, SaaS often gets shafted.
Second, SaaS apps are usually created and run by businesses. This means security teams will vet the business, assume a reputable business would operate a reputable app, and leave it there. Those security teams might request that the IT department implement certain configurations, but security usually doesn’t have visibility into whether they were actually implemented.
Third, and most important, the technology needed to monitor and secure SaaS apps has only recently become available. Even a few years ago, monitoring the entire attack surface, SaaS included, simply wasn’t feasible.
Unregulated SaaS use has become a major problem for a few reasons. Anyone can register for a SaaS app and connect it to work data. If they’ve registered without company authorization, they’re likely using the free or standard version of an app, rather than the enterprise version. In many cases, only the enterprise version has features needed to maintain a high level of cybersecurity — including multi-factor authentication, encryption, and integration with security information and event management (SIEM) systems.
These vulnerabilities don’t end when an employee leaves a company. If someone does not access an app through corporate two-factor authentication systems, and security doesn’t know they’re using a SaaS app, there’s nothing stopping an ex-employee from accessing an app (and associated data) after all of their other credentials have been revoked.
Identify and scrutinize hidden SaaS use
The risks tied to SaaS are more than hypotheticals. High-profile exposure of sensitive data through SaaS apps like Box has increased awareness of SaaS risks over time, leading to the popularity of SaaS management platforms (SMPs) and SaaS security posture management (SSPM) software. Many also rely on cloud access security broker (CASB) platforms to help. While all three product categories have their uses, they also have shortcomings. For example, CASB platforms typically rely on a device agent to inform them of user activity. An admin might get notified that a user has visited the Box website, but that’s all they can see.
In shining light on shadow SaaS, security teams need to gain full visibility into every app currently in use — even those that are hidden. This requires an approach that combines the benefits of SMPs (the ability to detect, monitor and discover SaaS usage) with the benefits of SSPM (the ability to monitor the security configurations of known SaaS apps), but also includes breadth, depth, and context. Breadth represents the visibility needed to see the full range of an organization’s SaaS apps, including shadow SaaS, as well as the connections between apps. Depth reflects the ability to see each app’s settings and configurations, as well as easily overlooked signs of malicious activity. Context requires knowing how users access and use apps, including the devices and services involved in the process.
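As an added illustration of the two checks this section and the one above call for (SaaS apps in use that are not behind corporate SSO, and SaaS access by users whose accounts have been offboarded), here is a small triage script written for this article; it is not Axonius code, and the proxy log, SSO inventory, HR roster and SaaS watchlist are all constructed, hypothetical inputs.

```python
"""Shadow-SaaS triage over a constructed web-proxy log (added example, not Axonius code).

Assumed inputs: a proxy log with (timestamp, user, destination host), the set of SaaS
hosts integrated with corporate SSO/MFA, and the set of users still active per HR.
"""
from collections import defaultdict

# Constructed sample log lines; not from any real environment.
PROXY_LOG = """\
2024-05-01T09:02:11Z alice app.box.com
2024-05-01T09:05:40Z bob notion.so
2024-05-01T09:06:10Z bob intranet.corp.example
2024-05-01T09:07:02Z carol notion.so
2024-05-01T10:15:22Z dave trello.com
2024-05-02T22:41:09Z carol notion.so
"""

# Hypothetical watchlist of SaaS hosts the team wants visibility into.
SAAS_DOMAINS = {"app.box.com", "notion.so", "trello.com"}

# Hypothetical inventory of SaaS hosts already behind corporate SSO/MFA.
SSO_MANAGED_APPS = {"app.box.com"}

# Hypothetical HR roster: carol has been offboarded and is absent here.
ACTIVE_USERS = {"alice", "bob", "dave"}


def parse_proxy_log(text):
    """Return (timestamp, user, host) tuples for hits on watchlisted SaaS hosts."""
    events = []
    for line in text.splitlines():
        ts, user, host = line.split()
        if host in SAAS_DOMAINS:
            events.append((ts, user, host))
    return events


def find_shadow_saas(events):
    """Breadth check: SaaS hosts seen in traffic that are not behind SSO, with their users."""
    shadow = defaultdict(set)
    for _, user, host in events:
        if host not in SSO_MANAGED_APPS:
            shadow[host].add(user)
    return {host: sorted(users) for host, users in shadow.items()}


def find_offboarded_access(events):
    """Context check: SaaS hits by users who are no longer on the active roster."""
    return [(ts, user, host) for ts, user, host in events if user not in ACTIVE_USERS]
```

Feeding real proxy or DNS logs and the IdP's application list into the same two functions turns the article's "breadth" and "context" requirements into a repeatable report rather than a one-off audit.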
Cybersecurity professionals have a lot on their plates, but they need a way to automatically find SaaS vulnerabilities. Otherwise, current and ex-employees may have unrestricted access to sensitive data via misconfigured SaaS apps. It’s true that IaaS is high-profile and time-consuming, but it’s far from the only threat to keep in mind. It only takes one unsecured SaaS app to violate regulations, lose data, and damage the company’s brand.
Amir Ofek, chief executive officer, AxoniusX, the R&D innovation division of Axonius