SaaS Security Series: Using Roles for Continuous SaaS Security Monitoring
Understanding the ins and outs of effective access, permissions, and sharing in Software-as-a-Service (SaaS) applications can be challenging for even the most mature security and IT organizations. When you scale this problem across thousands or tens of thousands of supported employees in multiple SaaS clouds, the complexity of the problem scales exponentially. AppOmni solves this problem by allowing you to explore, monitor, and alert on representative Roles within your SaaS clouds and see which of your users are represented by that Role – and which aren’t.
Access Control is Hard
Role Based Access Control (RBAC) continues to be an industry-standard strategy for controlling and granting access to SaaS users, and for good reason – it makes sense to provision access based on job function and business need. But when it comes to implementing an RBAC strategy in practice, it can be incredibly complex.
Large enterprises must support thousands or tens of thousands of internal users. This number grows in magnitude when external cloud users for service, support, and relationship management systems are considered. Multiply that by accounts in many different clouds and an effective security team must now find a way to understand hundreds of thousands of accounts in their cloud environments.
Access Control Drift Accelerates a Loss of Control
As SaaS applications add new features and businesses acquire new technologies or platforms, the access granted to users in the enterprise naturally grows as well. When new features or clouds are deployed, IT teams find themselves under pressure to grant access as soon as possible, and Security teams may be left trying to catch up. Under business pressure and facing increasingly complex permission schemas, it is easy to see how individual users or groups may be inadvertently over-permissioned in cloud applications.
A single over-permissioning issue rarely remains a single issue. New users’ permissions and access are frequently provisioned by cloning existing users, so mistakes in access controls and permissions are propagated, growing the number and complexity of over-permissioned users. Incomplete or misunderstood attempts at fixing individual issues compound the problem. After a few release cycles of this, the entire enterprise consists of snowflake permission and access configurations. IT and Security teams are not given the tools to easily find or fix these issues, especially when incorrectly removing a permission could have a business impact. The end result is an access control model optimized for least friction instead of least privilege.
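The monitoring idea the article describes (define a representative Role as a permission set, then check which users are represented by it and which have drifted) can be made concrete with a small baseline comparison. The following is an added example written for this page; it is not AppOmni's code and does not reflect how their product models Roles. The Role definitions, permission identifiers, and user records are constructed sample data for a hypothetical SaaS tenant, and the "cloned from" users illustrate the propagation problem described above: two accounts carrying the same unexplained extra permission is the signature of a cloned mistake.

```python
from dataclasses import dataclass

# Constructed sample data for a hypothetical tenant. A representative Role is
# simply the set of permissions a user in that job function should hold.
ROLES = {
    "sales_rep": {"read:opportunity", "write:opportunity", "read:account"},
    "support_agent": {"read:case", "write:case", "read:account"},
    "admin": {"read:*", "write:*", "manage:users", "manage:security"},
}

# Effective permissions per user (constructed). bob was provisioned by cloning a
# sales rep who had been granted manage:users by mistake; dave was cloned from
# bob; frank was cloned from dave and then given read:case on top.
USERS = {
    "alice": {"read:opportunity", "write:opportunity", "read:account"},
    "bob": {"read:opportunity", "write:opportunity", "read:account", "manage:users"},
    "carol": {"read:case", "write:case", "read:account"},
    "dave": {"read:opportunity", "write:opportunity", "read:account", "manage:users"},
    "eve": {"read:*", "write:*", "manage:users", "manage:security"},
    "frank": {"read:opportunity", "write:opportunity", "read:account",
              "manage:users", "read:case"},
    "grace": {"read:case", "manage:security"},
}


@dataclass(frozen=True)
class Finding:
    user: str
    role: str            # best-fit representative Role
    exact: bool          # True when the user is exactly represented by the Role
    extra: frozenset     # permissions held beyond the Role (over-permissioning)
    missing: frozenset   # Role permissions the user lacks


def best_fit_role(perms, roles):
    """Choose the Role whose permission set is closest to the user's effective set.
    Closeness is the size of the symmetric difference; ties go to the Role that
    grants fewer permissions, so drift is measured against the least-privileged
    plausible baseline rather than the most permissive one."""
    return min(roles, key=lambda r: (len(perms ^ roles[r]), len(roles[r]), r))


def assess_user(user, perms, roles):
    role = best_fit_role(perms, roles)
    baseline = roles[role]
    return Finding(user=user, role=role, exact=perms == baseline,
                   extra=frozenset(perms - baseline),
                   missing=frozenset(baseline - perms))


def assess_tenant(users, roles):
    """Map every user to a Finding against its best-fit Role."""
    return {u: assess_user(u, p, roles) for u, p in users.items()}


def role_coverage(findings):
    """Per Role: which users are represented exactly and which deviate from it.
    This is the 'which users are represented by that Role, and which aren't' view."""
    coverage = {}
    for f in findings.values():
        bucket = coverage.setdefault(f.role, {"represented": [], "deviating": []})
        bucket["represented" if f.exact else "deviating"].append(f.user)
    return coverage


def drift_clusters(findings):
    """Group deviating users by the exact set of extra permissions they carry.
    Several users sharing identical extras points at one mistake propagated by
    cloning accounts, so it can be fixed once at the source instead of per user."""
    clusters = {}
    for f in findings.values():
        if f.extra:
            clusters.setdefault(f.extra, []).append(f.user)
    return {k: sorted(v) for k, v in clusters.items()}


if __name__ == "__main__":
    findings = assess_tenant(USERS, ROLES)
    for role, bucket in role_coverage(findings).items():
        print(f"{role}: represented={bucket['represented']} deviating={bucket['deviating']}")
    for extra, users in drift_clusters(findings).items():
        print(f"extra {sorted(extra)} shared by {users}")
    for f in findings.values():
        if f.missing:
            print(f"{f.user} lacks {sorted(f.missing)} expected for {f.role}")
```

Running the script reports alice, carol, and eve as exactly represented, flags bob and dave as one cluster sharing the stray manage:users grant, and shows grace as an account that fits no Role cleanly (extra manage:security, missing two support_agent permissions). In a real deployment the effective permission sets would come from each SaaS platform's own permission model rather than a hand-written dictionary, and the check would run on every provisioning change so a cloned mistake is caught before it spreads.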