How 3rd Party Apps Can Compromise The Security Of SaaS Environments
By: Brendan O’Connor, CEO @AppOmni
The risks from third-party applications have always been a concern for security teams. The SolarWinds breach is an example of a trusted 3rd party application becoming the entry point into an otherwise well-defended infrastructure: a backdoored build of the Orion platform reached customers through the vendor's own update channel. While the SolarWinds breach played out in on-premise environments, 3rd party apps create the same kind of exposure in SaaS environments.
Because these third-party connections are established with a consent click rather than a deployment, they are frequently approved by individual users without any security oversight. Useful as they may be, 3rd party apps are hidden pathways into an organization's most sensitive data. These cloud-to-cloud connections exist outside the firewall: the traffic flows between the SaaS vendor and the third party, never through the corporate network, so traditional network scanning and monitoring tools cannot see them.
There are multiple issues that can arise with 3rd party apps, including not knowing which apps are approved, what access each app has, and who is able to install an app. A 3rd party app could have access to user groups, workspaces, or multiple areas of the SaaS tenant. It could also hold access to other SaaS applications, so a compromise of one app can reach across several platforms at once.
In the event of an incident it becomes even more complicated: the incident response team will have to investigate the compromise of the app, build a timeline of when and where the app was installed and by whom, establish what it had access to, and then work out what data it could have read or changed through that access.
AppOmni’s data shows that, on average, there are more than 42 distinct 3rd party applications connecting into live SaaS environments within an enterprise. Approximately half of these applications were connected directly by end-users, not installed by IT administrators. The typical enterprise has an average of 900 user-to-application connections. This represents hundreds of “authorized” third-party connections to the data stored in the SaaS environment.
Of those 42 3rd party apps, an average of 22 have not been used in the last six months, yet those apps retain the ability to access data via these connections. These inactive applications often represent a trial that a user abandoned, or a vendor whose business contract expired without anyone removing the vendor's access. From the SaaS platform's side nothing has changed: the grant remains authorized until someone explicitly revokes it, whether or not anyone still remembers it exists.
There are a variety of ways for 3rd party apps to connect to cloud services, but there are three in particular to focus on:
- Service Account integration: Where a service is assigned a dedicated username + password to connect to the cloud service just like a human user. These credentials are often broadly privileged, shared between people, rarely rotated, and frequently exempted from MFA because the integration cannot answer an interactive prompt, so a leaked service-account password is as good as an admin login.
- Administrator-installed applications: When an Admin connects a third-party application and makes it available to groups of users (or all users) of the cloud application.
- User-connected applications: When a non-Admin user grants an access token to a 3rd party application. The token carries a set of scopes, which determine whether the third party receives all of the user's privileges or only a subset, and if a refresh token is issued the access outlives the user's browser session. This flow uses OAuth. If you've ever signed into an application with your Facebook or Google account, you've been through an OAuth flow. Enterprise SaaS applications offer the same functionality through OAuth, and every app a user connects this way inherits whatever data that user can reach.
We've known this is a problem for quite some time. Looking back at the Apollo breach, we saw the compromise of a 3rd party app as the stepping stone to dumping 200 million contacts from a major SaaS application. Facebook's Twitter account was compromised in early 2020. It wasn't Facebook's or Twitter's security that was compromised; it was a third-party application that had access to the account.
When thinking of your overall attack surface, cloud applications are currently one of the biggest blind spots. There’s been a huge increase in cloud adoption driven by the pandemic and work from home. Existing investments in security technologies that focus on the network or the endpoint cannot help us with this challenge. It’s not that our on-premise tools have failed. The data has moved where on-prem tools can’t see it.
Getting visibility into the 3rd party applications that are already connected to your cloud applications should be one of the top priorities for security teams. The minimum is an inventory of every connection: which app, which connection type, who granted it, what scopes or permissions it holds, and when it last called the API. Successful organizations will build on that with a process for continuously scanning and monitoring their cloud applications, and a review and approval program for 3rd party connections that revokes dormant grants instead of leaving them authorized indefinitely.
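As an added illustration of the inventory and review process described above (this is example code written for this page, not code from the post or from AppOmni), the script below takes a constructed export of a tenant's third-party connections, classifies each one as a service account, admin-installed app or user-connected OAuth grant, and flags the three conditions the post singles out: apps nobody approved, grants that have sat unused for six months while their tokens stay valid, and end users who handed a third party their full privileges. The record layout, the scope names, the allowlist and the sample inventory are all assumptions; a real SaaS platform's connected-app export will use its own field names.

```python
"""Triage a SaaS tenant's third-party connections.

Added example for this page, not code from the original post or from
AppOmni. The Connection layout, scope names, allowlist and the sample
inventory below are assumptions constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Fixed "now" so the results are reproducible offline.
NOW = datetime(2021, 3, 1, tzinfo=timezone.utc)
INACTIVE_AFTER = timedelta(days=182)  # the six-month window used in the post

# Assumed allowlist maintained by the review-and-approval program.
APPROVED = {"crm-backup", "ticketing-sync"}

# Assumed scope names that hand a third party the user's full privileges
# or a long-lived credential (the "all of their privileges" case).
BROAD_SCOPES = {"full", "refresh_token", "offline_access"}


@dataclass(frozen=True)
class Connection:
    app: str
    kind: str                       # service_account | admin_installed | user_connected
    granted_by: str                 # who created the credential or clicked consent
    scopes: tuple                   # OAuth scopes, or the service account's permission set
    last_used: Optional[datetime]   # None: the credential never called the API
    users: int = 1                  # how many user-to-app connections the grant covers


# Constructed sample inventory, not real tenant data.
SAMPLE = [
    Connection("crm-backup", "admin_installed", "it-admin",
               ("api", "refresh_token"), NOW - timedelta(days=3), users=400),
    Connection("ticketing-sync", "service_account", "it-admin",
               ("api",), NOW - timedelta(days=1)),
    Connection("email-finder-trial", "user_connected", "alice",
               ("full", "refresh_token"), NOW - timedelta(days=240)),
    Connection("slides-plugin", "user_connected", "bob",
               ("read_docs",), NOW - timedelta(days=10)),
    Connection("old-vendor-etl", "service_account", "former-admin",
               ("api", "full"), None),
    Connection("data-enrich", "user_connected", "carol",
               ("full",), NOW - timedelta(days=200)),
]


def is_inactive(conn, now=NOW, window=INACTIVE_AFTER):
    """Dormant grant: never used, or not used within the window."""
    return conn.last_used is None or now - conn.last_used > window


def review(conn, approved=APPROVED, now=NOW):
    """Reasons this connection needs attention; an empty list means it is fine."""
    reasons = []
    if conn.app not in approved:
        reasons.append("not in approved list")
    if is_inactive(conn, now):
        reasons.append("inactive > 6 months, token still valid")
    if conn.kind == "user_connected" and set(conn.scopes) & BROAD_SCOPES:
        reasons.append("end user granted broad scopes")
    return reasons


def triage(inventory, approved=APPROVED, now=NOW):
    """Map app name -> reasons, only for connections that need review."""
    flagged = {}
    for conn in inventory:
        reasons = review(conn, approved, now)
        if reasons:
            flagged[conn.app] = reasons
    return flagged


def summary(inventory, approved=APPROVED, now=NOW):
    """The headline numbers a security team wants from the inventory."""
    by_kind = {}
    for conn in inventory:
        by_kind[conn.kind] = by_kind.get(conn.kind, 0) + 1
    return {
        "apps": len(inventory),
        "user_to_app_connections": sum(c.users for c in inventory),
        "by_kind": by_kind,
        "inactive": sum(1 for c in inventory if is_inactive(c, now)),
        "unapproved": sum(1 for c in inventory if c.app not in approved),
    }


if __name__ == "__main__":
    print(summary(SAMPLE))
    for app, reasons in triage(SAMPLE).items():
        print(f"{app}: {'; '.join(reasons)}")
```

Run it as a script to print the summary and the flagged apps. On the constructed inventory the two admin-managed, approved, recently used connections come back clean, the abandoned trial is flagged on all three counts, and the never-used vendor service account shows up as both unapproved and dormant, which is exactly the "contract expired, access never removed" case. Feeding this logic a real export on a schedule, and revoking whatever it flags after review, is the continuous monitoring the closing paragraph calls for.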