Monitor Your SaaS Environment for Three Common SaaS Misconfigurations
By: John Whelan, Senior Director of Product Management @ AppOmni
SaaS is ubiquitous across the enterprise and accounts for approximately 70% of software usage in companies. And SaaS usage is still growing, with thousands of SaaS applications available to power productivity, from huge platforms like Microsoft 365, Salesforce, Google Workspace, and ServiceNow to countless smaller applications built for nearly every business function.
The benefits of SaaS are numerous, including immediate access, automatic updates, and extensive configurability to meet specific needs. Because SaaS is easy to adopt, line-of-business users can (and do) connect third-party applications that often receive broad access to sensitive data. The same benefits also introduce security risk. Automatic updates can change default settings in ways that weaken an organization’s security posture, and the configurability that makes SaaS apps so powerful may present the greatest risk of all.
AppOmni’s research has shown that 55% of companies have sensitive data exposed to the internet, most often because of misconfigurations. Here are three of the most common misconfigurations that affect SaaS platforms: data access permissions, third-party access, and conditional access rules.
Security and IT teams manage user access to data, and it’s common for users to have more access than they need. If a role is given specific access and someone in that role needs additional access for a project, the extra access may be granted but never revoked. Or a configuration default changes in an automatic update and the new default conflicts with the organization’s data access policies. The change may not be noticed and remediated until there’s an incident such as a data breach.
A better approach is least privilege access, similar to the concept of “need to know.” According to the Cybersecurity and Infrastructure Security Agency’s (CISA) definition, “The Principle of Least Privilege states that a subject should be given only those privileges needed to complete its task.” If elevated access is required for a project, it should be time-bound and removed as soon as the project is complete. Continuous monitoring and periodic review should also be in place to ensure that access no longer needed is removed, especially admin-level access.
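The review described above can be automated against a permissions export. The following is an added example (not AppOmni’s tooling or any SaaS vendor’s API); the role baseline, the field names in the export, and the sample users are all constructed for illustration. It flags three things: a temporary project grant that is past its expiry but still present, permissions a user holds beyond their role baseline with no grant to explain them, and admin accounts that have not performed an admin action recently.

```python
"""Least-privilege review over a constructed export of role assignments.

Added example, not AppOmni code. Field names (role, effective_permissions,
temporary_grants, last_admin_action) are assumptions; map them to your
platform's user/permission export.
"""
from datetime import datetime, timedelta, timezone

# What each role is allowed to hold; "*" marks an unrestricted admin role.
ROLE_BASELINE = {
    "analyst": {"reports:read", "dashboards:read"},
    "sales": {"accounts:read", "accounts:write", "reports:read"},
    "admin": {"*"},
}
ADMIN_IDLE_LIMIT = timedelta(days=30)

# Constructed sample data, not from a real tenant.
USERS = [
    {"user": "alice@example.com", "role": "analyst",
     "effective_permissions": {"reports:read", "dashboards:read", "accounts:write"},
     "temporary_grants": [{"permission": "accounts:write", "reason": "Q4 migration project",
                           "expires": "2024-01-31T00:00:00Z"}],
     "last_admin_action": None},
    {"user": "bob@example.com", "role": "admin",
     "effective_permissions": {"*"}, "temporary_grants": [],
     "last_admin_action": "2023-11-02T09:00:00Z"},
    {"user": "carol@example.com", "role": "sales",
     "effective_permissions": {"accounts:read", "accounts:write", "reports:read", "users:manage"},
     "temporary_grants": [], "last_admin_action": None},
]
SAMPLE_NOW = datetime(2024, 3, 15, 12, tzinfo=timezone.utc)


def parse_ts(value):
    """Parse an ISO-8601 UTC timestamp ending in 'Z'; None stays None."""
    if value is None:
        return None
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def review_access(users, baseline, now):
    """Return findings: expired grants still present, unexplained excess, idle admins."""
    findings = []
    for u in users:
        allowed = baseline[u["role"]]
        held = u["effective_permissions"]
        # A temporary grant past its expiry must already have been revoked.
        for grant in u["temporary_grants"]:
            if parse_ts(grant["expires"]) <= now and grant["permission"] in held:
                findings.append({"user": u["user"], "issue": "expired_grant_still_active",
                                 "detail": grant["permission"]})
        # Anything beyond the role baseline that no grant explains is a finding.
        explained = {g["permission"] for g in u["temporary_grants"]}
        if "*" not in allowed:
            excess = held - allowed - explained
            if excess:
                findings.append({"user": u["user"], "issue": "excess_permissions",
                                 "detail": sorted(excess)})
        # Admin roles that are not being used should be removed, not kept "just in case".
        if u["role"] == "admin":
            last = parse_ts(u["last_admin_action"])
            idle_days = None if last is None else (now - last).days
            if last is None or now - last > ADMIN_IDLE_LIMIT:
                findings.append({"user": u["user"], "issue": "idle_admin", "detail": idle_days})
    return findings


def sample_access_findings():
    """Run the review over the constructed sample at the fixed sample time."""
    return review_access(USERS, ROLE_BASELINE, SAMPLE_NOW)


if __name__ == "__main__":
    for finding in sample_access_findings():
        print(finding)
```

Running this against the sample reports Alice’s expired project grant, Bob’s admin role idle for 134 days, and Carol’s `users:manage` permission that her role never justified. Scheduling such a review to run continuously, rather than once a quarter, is what turns the principle into a control.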
AppOmni’s research shows that, on average, more than 42 distinct third-party applications connect into a live SaaS environment. Third-party integrations and applications are often installed by individual users without security or IT oversight. They can become invisible conduits to sensitive data, and they present a risk of horizontal privilege escalation into other SaaS systems. Of those 42 apps, an average of 22 have not been used in the last six months, yet they retain the ability to access data through their existing connections. These inactive applications often represent an abandoned trial or a terminated vendor contract.
IT and security teams should inventory all third-party applications in their SaaS environment and verify that each one has been reviewed, approved, and is actively in use. A robust program for evaluating and approving third-party apps should check that apps don’t request overly permissive scopes that grant access to unnecessary data. Users typically can’t dictate what access an app requests, but you can decide which apps to approve based on whether they require more access than they need. Continuous monitoring with automated tooling can save hundreds of hours over manual review.
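Here is what that inventory check looks like in code. This is an added example, not AppOmni’s product or any platform’s API: the inventory format (app name, granted scopes, last-used timestamp), the scope names, the approved-app list and the sample apps are constructed for illustration. Each connected app is compared against the scope set it was approved for, and anything unapproved, over-scoped, or unused for more than six months is reported.

```python
"""Review of third-party apps connected to a SaaS tenant.

Added example, not AppOmni code. The inventory format (name, scopes,
last_used) and the scope names are assumptions; most platforms expose
equivalent fields for OAuth-connected apps.
"""
from datetime import datetime, timedelta, timezone

INACTIVITY_LIMIT = timedelta(days=180)   # the six-month threshold from the text

# Approved apps and the maximum scope set each was reviewed for.
APPROVED_APPS = {
    "Slack": {"profile", "channels:read"},
    "DataSync Pro": {"files.read"},
}

# Constructed sample inventory, not from a real tenant.
CONNECTED_APPS = [
    {"name": "Slack", "scopes": ["profile", "channels:read"],
     "last_used": "2024-03-02T10:00:00Z"},
    {"name": "ReportBuilder Trial", "scopes": ["files.readwrite.all", "profile"],
     "last_used": "2023-07-15T09:30:00Z"},
    {"name": "DataSync Pro", "scopes": ["files.read", "mail.readwrite"],
     "last_used": "2024-03-10T08:12:00Z"},
    {"name": "LegacyCRM Connector", "scopes": ["files.read"], "last_used": None},
]
SAMPLE_NOW = datetime(2024, 3, 15, 12, tzinfo=timezone.utc)


def parse_ts(value):
    """Parse an ISO-8601 UTC timestamp ending in 'Z'; None stays None."""
    if value is None:
        return None
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def review_apps(apps, approved, now):
    """Return findings for unapproved, over-scoped, and inactive apps."""
    findings = []
    for app in apps:
        name, scopes = app["name"], set(app["scopes"])
        if name not in approved:
            # Never reviewed: report every scope it holds so the reviewer sees the blast radius.
            findings.append({"app": name, "issue": "unapproved", "detail": sorted(scopes)})
        else:
            # Approved, but holding scopes beyond what the review covered.
            excess = scopes - approved[name]
            if excess:
                findings.append({"app": name, "issue": "excess_scopes", "detail": sorted(excess)})
        # Inactive connections keep their access until someone revokes them.
        last = parse_ts(app["last_used"])
        if last is None or now - last > INACTIVITY_LIMIT:
            findings.append({"app": name, "issue": "inactive",
                             "detail": None if last is None else (now - last).days})
    return findings


def sample_app_findings():
    """Run the review over the constructed inventory at the fixed sample time."""
    return review_apps(CONNECTED_APPS, APPROVED_APPS, SAMPLE_NOW)


if __name__ == "__main__":
    for finding in sample_app_findings():
        print(finding)
```

On the sample, Slack is clean, the trial app is both unapproved and unused for 244 days, DataSync Pro has picked up a `mail.readwrite` scope nobody reviewed, and the legacy connector has never been used at all. Revocation of the inactive grants is the immediate action; the excess scope on an approved app is the one most likely to be missed without a per-app scope baseline.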
Conditional access rules add another layer of security to SaaS environments. Examples include requiring multi-factor authentication or blocking login attempts that use legacy authentication protocols. Attackers often modify conditional access rules to open access further or to add exception rules that carve themselves out of enforcement. They often get away with it because conditional access rules are complex and such changes are unlikely to be detected unless the organization has continuous monitoring in place.
Since conditional access rules can be nested and complex, it’s critical for IT and security teams to verify periodically that the rules are correct, and to have continuous monitoring that alerts the team whenever a rule changes. Pay particular attention to newly added exclusions, such as excluded users or groups, IP range and trusted-location exceptions, and policies switched from enforced to report-only or disabled.
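A practical way to catch those changes is to keep an approved baseline of the policies and diff each fresh export against it. The block below is an added example, not AppOmni’s code and not any identity provider’s export format: the policy structure (state, user and location exclusions, grant controls) and the two sample policies are constructed to loosely resemble what an IdP returns. It walks both nested structures, reports every path that differs, and rates changes that weaken enforcement (a new exclusion, a dropped control, a policy no longer enabled, a deleted policy) as high severity.

```python
"""Drift detection for conditional access policies.

Added example, not AppOmni or any identity provider's code. Policies are
modelled as nested dicts loosely resembling an IdP export; the field names
(state, conditions, users/locations exclude, grant controls) are assumptions.
"""
import copy

# Constructed approved baseline, not real tenant configuration.
BASELINE = {
    "Require MFA for all users": {
        "state": "enabled",
        "conditions": {
            "users": {"include": ["All"], "exclude": ["break-glass@example.com"]},
            "locations": {"exclude": ["Corp HQ"]},
        },
        "grant": {"controls": ["mfa"]},
    },
    "Block legacy authentication": {
        "state": "enabled",
        "conditions": {
            "client_apps": ["exchangeActiveSync", "other"],
            "users": {"include": ["All"], "exclude": []},
        },
        "grant": {"controls": ["block"]},
    },
}

# Current export with three quiet changes an attacker or careless admin might make.
CURRENT_POLICIES = copy.deepcopy(BASELINE)
CURRENT_POLICIES["Require MFA for all users"]["conditions"]["users"]["exclude"].append("contractor-svc@example.com")
CURRENT_POLICIES["Require MFA for all users"]["conditions"]["locations"]["exclude"].append("Partner VPN")
CURRENT_POLICIES["Block legacy authentication"]["state"] = "reportOnly"


def diff(old, new, path=()):
    """Walk two nested structures and yield (path, kind, before, after) tuples.

    For lists, `before` is the set of removed items and `after` the added ones.
    """
    if isinstance(old, dict) and isinstance(new, dict):
        for key in sorted(set(old) | set(new)):
            if key not in old:
                yield path + (key,), "added", None, new[key]
            elif key not in new:
                yield path + (key,), "removed", old[key], None
            else:
                yield from diff(old[key], new[key], path + (key,))
    elif isinstance(old, list) and isinstance(new, list):
        removed = [x for x in old if x not in new]
        added = [x for x in new if x not in old]
        if removed or added:
            yield path, "list_changed", removed, added
    elif old != new:
        yield path, "changed", old, new


def severity(path, kind, before, after):
    """Rate changes that weaken enforcement as high; everything else medium."""
    if "exclude" in path and after:               # a user, group or location carved out
        return "high"
    if path[-1:] == ("state",) and before == "enabled":   # policy no longer enforced
        return "high"
    if "controls" in path and before:             # a required control dropped
        return "high"
    if kind == "removed" and len(path) == 1:      # whole policy deleted
        return "high"
    return "medium"


def audit(baseline, current):
    """Return every difference between baseline and current as a rated finding."""
    return [{"path": "/".join(path), "kind": kind, "before": before, "after": after,
             "severity": severity(path, kind, before, after)}
            for path, kind, before, after in diff(baseline, current)]


def sample_policy_findings():
    """Audit the constructed current export against the constructed baseline."""
    return audit(BASELINE, CURRENT_POLICIES)


if __name__ == "__main__":
    for finding in sample_policy_findings():
        print(finding["severity"].upper(), finding["path"], finding["before"], "->", finding["after"])
```

On the sample this surfaces exactly the three edits: the legacy-authentication block switched to report-only, a new trusted location excluded from MFA, and a service account excluded from MFA. Wired to a scheduled export and an alerting channel, the same diff becomes the continuous monitoring the paragraph calls for; the baseline itself should only change through a reviewed approval step, otherwise an attacker who can edit policies can edit the baseline too.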
SaaS security monitoring gives organizations visibility into the entire SaaS environment, from data access permissions to third-party applications to conditional access rules. Continuous monitoring and quick remediation of these common misconfigurations can help keep your organization’s most sensitive data secure.