SaaS is ubiquitous across the enterprise. Statista reports that organizations worldwide, on average, use 130 SaaS applications. And SaaS usage is growing, with thousands of SaaS applications available to power productivity, from huge SaaS platforms like Microsoft 365, Salesforce, Google Workspace, and ServiceNow, to countless other SaaS applications designed to be used for nearly every type of business function.
The benefits of SaaS are numerous, including immediate access, automatic updates, and extensive configurability to meet specific needs. Since SaaS is easy to adopt, line-of-business users can (and do) create SaaS-to-SaaS connections (typically referred to as third- or fourth-party apps) that often allow broad access to sensitive data. However, these same benefits also introduce security risks. Automatic updates can change default settings in ways that negatively impact an organization’s security posture. And the configurability that makes SaaS apps so powerful may present the greatest risk of all.
Here are three of the most common misconfigurations that impact SaaS platforms: data access permissions, third-party access, and conditional access rules.
Data Access Permissions
Security and IT teams manage user access to data, and it’s common for users to have more access than needed. If a certain role is given specific access, and someone in that role needs additional access for a project, the additional access may be granted but never revoked. Or a configuration default changes in an automatic update and that new default conflicts with the organization’s data access policies. The change may not be noticed and remediated until there’s an issue such as a data breach.
A better approach is least privilege access, similar to the concept of “need to know.” According to the Cybersecurity and Infrastructure Security Agency, “The Principle of Least Privilege states that a subject should be given only those privileges needed to complete its task.” If higher-level access is required for a project, it should be removed as soon as the project is complete. Continuous monitoring and processes should also be implemented to ensure access that is no longer needed is removed, especially admin-level access.
Excessive Third-Party App Access
AppOmni’s research shows that, on average, there are more than 256 distinct SaaS-to-SaaS connections installed in a single SaaS environment within enterprise companies. SaaS-to-SaaS integrations and applications are often installed by individual users without security or IT oversight. Third-party apps can become invisible conduits to sensitive data, and they present a risk of horizontal privilege escalation to other SaaS systems. Of the 256 third-party apps mentioned above, an average of 100 have not been used in the last six months, yet they retain the ability to access data via these connections. These inactive applications often represent an abandoned trial or a terminated vendor contract.
IT and security teams should conduct an inventory of all third-party applications in their SaaS environment, and verify that third-party apps have been reviewed, approved, and are actively in use. A robust program to evaluate and approve third-party apps should include checking that the apps don’t have overly permissive scopes that give access to unnecessary data. Users typically can’t dictate what access an app has, but you can decide what apps are approved based on whether they require more access than needed. Continuous monitoring with automated tooling can save hundreds of hours over manual processes.
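The review described above, as an added example that is not part of the original post: it runs a constructed SaaS-to-SaaS app inventory through the three checks the post calls for (reviewed/approved, used within the last six months, no overly permissive scopes). The scope names and the 180-day threshold are assumed policy values; the inventory rows are constructed sample data, not an export from any real platform.

```python
"""Flag third-party (SaaS-to-SaaS) apps that fail the review criteria:
not approved, idle for more than six months, or granted broad scopes."""
from datetime import date

# Assumed policy list: scopes considered broad enough to need justification.
HIGH_RISK_SCOPES = {"full_access", "files:read_all", "admin:directory", "mail:read_all"}
INACTIVE_DAYS = 180          # "not used in the last six months"
AS_OF = date(2024, 5, 15)    # constructed review date

# Constructed sample inventory; in practice this comes from each platform's
# installed-app / OAuth grant listing.
SAMPLE_INVENTORY = [
    {"app": "CalendarSync", "approved": True,  "last_used": date(2024, 5, 2),
     "scopes": {"calendar:read"}},
    {"app": "OldTrialBI",   "approved": False, "last_used": date(2023, 9, 1),
     "scopes": {"files:read_all"}},
    {"app": "VendorExport", "approved": True,  "last_used": date(2023, 10, 20),
     "scopes": {"full_access"}},
    {"app": "ChatNotifier", "approved": True,  "last_used": date(2024, 5, 10),
     "scopes": {"chat:write"}},
]


def review_app(app, today):
    """Return the list of findings for one app (empty means it passes)."""
    findings = []
    if not app["approved"]:
        findings.append("not reviewed/approved")
    if (today - app["last_used"]).days > INACTIVE_DAYS:
        findings.append("inactive > 6 months")
    risky = app["scopes"] & HIGH_RISK_SCOPES
    if risky:
        findings.append("broad scopes: " + ", ".join(sorted(risky)))
    return findings


def review_inventory(inventory, today):
    """Map app name -> findings, including only apps with at least one finding."""
    report = {}
    for app in inventory:
        findings = review_app(app, today)
        if findings:
            report[app["app"]] = findings
    return report


if __name__ == "__main__":
    for name, findings in review_inventory(SAMPLE_INVENTORY, AS_OF).items():
        print(f"{name}: {'; '.join(findings)}")
```

Apps that appear in the report are candidates for removal (idle or unapproved) or for a scope review with the vendor.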
Conditional Access Rules
Conditional access rules add another layer of security to SaaS environments. These rules include requiring multi-factor authentication or blocking user attempts to log in with legacy authentication protocols. Attackers often modify conditional access rules to open access permissions further or to add exception rules. And they often get away with it due to the complexity of conditional access rules and the likelihood that those changes won’t be detected unless an organization has continuous monitoring in place.
Since conditional access rules can be nested and complex, it’s critical for IT and security teams to have a program of periodic verification in place to ensure conditional access rules are correct, plus continuous monitoring that alerts the team when any changes are made to those rules. Newly added exclusions and IP block exceptions deserve particular attention, since they carve out paths around the rules that remain in place.
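The change monitoring described above, as an added example that is not part of the original post: it diffs a baseline snapshot of conditional access rules taken at the last periodic verification against the current export and reports the kinds of drift the post warns about (a policy disabled or deleted, an MFA or legacy-auth control switched off, new user exclusions or IP exceptions, a new policy appearing). The policy shape is a constructed, vendor-neutral dictionary, not any platform's real schema, and both snapshots are constructed sample data.

```python
"""Report drift between a reviewed baseline of conditional access rules and
the current state, so each change can be alerted on and verified."""

# Constructed baseline captured at the last periodic verification.
BASELINE = {
    "Require MFA for all users": {"state": "enabled", "require_mfa": True,
                                  "excluded_users": [], "ip_exceptions": []},
    "Block legacy auth": {"state": "enabled", "block_legacy_auth": True,
                          "excluded_users": [], "ip_exceptions": []},
}

# Constructed current export showing the changes the post describes.
CURRENT = {
    "Require MFA for all users": {"state": "enabled", "require_mfa": True,
                                  "excluded_users": ["svc-backup@example.com"],
                                  "ip_exceptions": ["203.0.113.0/24"]},
    "Block legacy auth": {"state": "disabled", "block_legacy_auth": True,
                          "excluded_users": [], "ip_exceptions": []},
    "Temp allow": {"state": "enabled", "require_mfa": False,
                   "excluded_users": [], "ip_exceptions": []},
}


def diff_policies(baseline, current):
    """Return human-readable drift findings; an empty list means no change."""
    findings = []
    for name in baseline.keys() - current.keys():
        findings.append(f"{name}: policy deleted")
    for name in current.keys() - baseline.keys():
        findings.append(f"{name}: new policy added (review)")
    for name in baseline.keys() & current.keys():
        old, new = baseline[name], current[name]
        if old["state"] == "enabled" and new["state"] != "enabled":
            findings.append(f"{name}: policy disabled")
        # A control that was on in the baseline but is off now.
        for flag in ("require_mfa", "block_legacy_auth"):
            if old.get(flag) and not new.get(flag):
                findings.append(f"{name}: {flag} turned off")
        # Exceptions only ever widen access, so any addition is reported.
        for lst in ("excluded_users", "ip_exceptions"):
            added = sorted(set(new[lst]) - set(old[lst]))
            if added:
                findings.append(f"{name}: new {lst} {added}")
    return findings


if __name__ == "__main__":
    for line in diff_policies(BASELINE, CURRENT):
        print("ALERT", line)
```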
A SaaS security program gives organizations visibility into the entire SaaS environment, from data access to third-party applications. Continuous monitoring and quick remediation of these common misconfigurations can help keep your organization’s most sensitive data secure.