How Third-Party Apps Can Compromise The Security Of SaaS Environments
By Brendan O’Connor
The risks from third-party applications have always been a concern for security teams. The SolarWinds breach is an example of a 3rd-party application inserting a vulnerability into an otherwise secure infrastructure. While the SolarWinds breach occurred in an on-premise environment, 3rd-party apps can also create vulnerabilities in SaaS environments.
Due to the nature of these third-party connections, they are frequently approved by individual users without any security oversight. While these may be quite useful, third-party apps are hidden pathways into an organization’s most sensitive data. These cloud-to-cloud connections exist outside the firewall and cannot be detected by traditional scanning and monitoring tools.
There are multiple issues that can arise with third-party apps, including not knowing which apps are approved, what access the app has, and who could install an app. A third-party app could have access to user groups, workspaces, or multiple areas in the corporate network. It could also have access to other SaaS applications.
In the event of an incident, it becomes even more complicated – the incident response team will have to investigate a compromise of the app, create timelines of when and where the app was installed, what it had access to, and other worst-case scenarios.
AppOmni’s data shows that, on average, there are more than 42 distinct third-party applications connecting into live SaaS environments within an enterprise. Approximately half of these applications were connected directly by end-users, not installed by IT administrators. The typical enterprise has an average of 900 user-to-application connections. This represents hundreds of “authorized” third-party connections to the data stored in the SaaS environment.
Of those 42 third-party apps, an average of 22 have not been used in the last six months – yet those apps retain the ability to access data via these connections. These inactive applications often represent a trial usage that was abandoned from a user’s perspective or applications where the business contract may have expired but the vendor access was not removed. It may not be clear that these application connections remain authorized until that access is revoked.
There are a variety of ways for 3rd-party apps to connect to cloud services, but there are three in particular to focus on:
- Service Account integration: Where a service is assigned a dedicated username + password to connect to the cloud service just like a human user.
- Administrator-installed applications: When an Admin connects a third-party application and makes it available to groups of users (or all users) of the cloud application.
- User-connected applications: When a non-Admin user grants an access token to a 3rd-party application, granting all of their privileges or a subset of their privileges to the third party. This flow uses something called OAuth. If you’ve ever signed into an application with your Facebook or Google account, you’re using an OAuth flow. Enterprise SaaS applications have the same functionality through OAuth.
We’ve known this is a problem for quite some time. Looking back at the Apollo breach, we saw the compromise of a 3rd-party app as the stepping stone to dumping 200 million contacts from a major SaaS application. Facebook’s Twitter account was compromised in early 2020. It wasn’t Facebook or Twitter’s security that was compromised. It was a third-party application that had access to the account.
When thinking of your overall attack surface, cloud applications are currently one of the biggest blind spots. There’s been a huge increase in cloud adoption driven by the pandemic and work from home. Existing investments in security technologies that focus on the network or the endpoint cannot help us with this challenge. It’s not that our on-premise tools have failed. The data has moved where on-prem tools can’t see it.
Getting visibility into the 3rd-party applications that are already connected to your cloud applications should be one of the top priorities for security teams. Successful organizations will have a process for continuously scanning and monitoring their cloud applications, and have a review and approval program for 3rd-party connections.
Find out who has access to your SaaS dataAppOmni’s SaaS security management platform gives security and IT teams an easy and automated way to secure their SaaS data and environments.
Get A Free Risk Assessment
Misconfiguration is a leading cause of SaaS data breaches.
AppOmni’s research shows that 95% of companies have external users with over-privileged access to data, and more than 55% of companies have sensitive data that’s inadvertently exposed to the anonymous internet.
Our risk assessment delivers visibility into who and what has access to your SaaS data and will help determine whether your security configurations match your business intent.
We Protect SaaS Data for Global Leaders Across Technology, Healthcare, and Banking
Two of Silicon Valley’s three largest tech companies
Fortune 100 banks, insurers, and healthcare
Several of the most respected cyber security providers