In the last decade, most companies dove head first into the world of SaaS, a shift that has undoubtedly changed the way we do business forever. Organizations can now take an a-la-carte approach to building and scaling operations, mixing and matching best-of-breed solutions as they go. Companies pay for what they need, when they need it, and change providers when something better comes along. They can now perform almost all essential business functions from anywhere in the world, enabling remote work, increasing talent caliber and driving efficiency.
We can credit the SaaS model for delivering on the promise of cloud — speed, agility and convenience like we had never known — and making 2020’s overnight shift to remote work pretty painless (all things considered). But with every new opportunity comes a catch, and for SaaS, the catch is exposure that leads to new risks.
The darker side of SaaS
The freedom of SaaS has led to scenarios in which companies use hundreds of cloud-based applications, with individual teams using 50 or more in some cases. Managing SaaS consumes a ton of IT cycles and requires special focus. SaaS application sprawl creates a dynamic digital attack surface with boundaries IT and security teams cannot always see, and can never fully control. Without developing a strong SaaS Security Posture Management (SSPM) process within your security operations, you’re left crossing your fingers that SaaS vulnerabilities won’t be exploited - and, with the average organization experiencing 130 cyber breaches per year, they likely will be.
How SaaS exposes businesses to risk
Unlike more traditional practices like simply securing on-prem applications and databases behind a company VPN, security teams now need to keep data protected across SaaS and hybrid or multi-cloud environments. The more disparate SaaS apps your company uses, the more data takes up residence in the cloud, and the greater the chance of exposure from any over-privileged identities, forgotten or inactive accounts(known as “orphaned” accounts), or misconfigurations across platforms. This is assuming, of course, that you know all the different SaaS apps your organization is using and who has access to them. Most teams do not.
The easy adoption of SaaS apps make them inherently risky
As companies become increasingly reliant on SaaS, employees have taken matters into their own hands to improve productivity, increase team cohesion and meet deadlines. This results in two detrimental phenomenons:
Shadow IT is the practice of employees unilaterally employing their own SaaS applications, such as productivity apps, cloud storage, like Dropbox, or even communications apps. Unsupervised use of SaaS apps can lead to unanticipated exposure of credentials, confidential data and valuable IP.
On the other hand, Shadow Provisioning can occur on both approved and unapproved apps. Described as employees granting access to colleagues via unapproved processes, Shadow Provisioning can result in the accumulation of permissions across SaaS platforms without formal supervision. For example, a local admin in Salesforce creating privileged accounts, instead of having IT provision new accounts through the identity platform. It will always be easier for employees to grant their colleagues direct access to apps than to go through formal approval processes.
Shadow provisioning is particularly prevalent where official provisioning processes are slow, and teams are under pressure to deliver results. When faced with a deadline, teams can be tempted to adopt shadow provisioning techniques as a “temporary” measure to complete a project, intending to revoke access when no longer needed. However, such temporary measures can easily become permanent, as the team moves on to the next task, leading to permission sprawl.
Even when SaaS applications aren’t connected directly to an organization’s “crown jewels,” there’s no telling what sensitive information may be stored within, like credentials, customer data, or trade secrets. Shadow IT and Provisioning both increase an organization’s attack surface.
A vector for third-party risk
With more companies transitioning to the cloud in recent years, we’ve seen increased efficiency and agility, but also, the devastating results of increased exposure. This exposure can be mitigated by a strategic approach to cloud adoption but, unfortunately, many companies just “lift and shift.” This term describes the tendency of organizations to simply move users and data from legacy systems to the cloud while expecting no repercussions on security.
The problem with the “lift and shift” approach is that traditional systems like VPN or on-premises security operate on the assumption that everyone inside the perimeter is trusted. If they made it past security, they must be authorized, right? This logic does not apply in the cloud; the fact that an identity is moving freely within the cloud should not serve as proof that they’re supposed to be there. Given cloud-based applications can be accessed from anywhere, a Zero Trust architecture is required to keep contents safe. Identities should be verified at every access point within the cloud, rather than just at the front door.
With a transition to a hybrid or multi-cloud environment must come a new framework that focuses on security at the identity-to-data level. Otherwise, companies are left with a sprawling attack surface and decreased visibility. With every SaaS addition comes new permissions, with those permissions expanding faster than security teams can monitor. Companies start piling up “access debt” within days of adopting a new SaaS solution. It doesn’t help matters that SaaS providers, themselves, push new code and tweak configurations daily. Without a way to visualize and monitor your ever-evolving SaaS stack, data leakage, non-compliance, insider threats, permission sprawl and other threats go undetected and unchallenged.
Risk from the browser
With the expansion of SaaS and remote work, employees spend much of their time online. Taking advantage of multiple browser-based services exposes companies to many common forms of cloud-based risk including:
Malware picked up from browsers or during file-syncing
Vulnerabilities in APIs
Misconfigurations in cloud services and storage buckets, like automatic excess privilege or excessive OAuth sharing
Over-permissioned user identities and account
Threats from both the browser and the aforementioned third-parties have two common themes:
They involve a human element, a major enabler of breaches
Security systems will not detect them until it’s too late
Many SaaS vulnerabilities play a role in identities becoming compromised which paves the way for malware and ransomware attacks. Specialized SSPM tools provide the visibility and controls companies need to help keep this from happening.
What is SSPM?
You may have heard of Cloud Security Posture Management (CSPM), which traditionally has included - you guessed it - all things cloud. However, where CSPM is primarily concerned with protecting data and workloads in Infrastructure-as-a-Service (IaaS) platforms like Amazon Web Services, Google Cloud, and Azure, By analogy, SSPM focuses specifically on the automated, continuous monitoring of risk in or from SaaS applications. There are over 30,000 SaaS companies today; although they run in the cloud, SaaS applications have enough unique vulnerabilities that they require their own security strategy.
An effective SSPM approach will extend visibility across your entire SaaS stack and to detect and shut down exposure as it happens. SSPM solutions monitor SaaS environments for the risks cited above, with emphasis on:
Configuration errors that expose user or data to the public Internet
Risk of non-compliance with laws, security frameworks, and privacy mandates. E.g. SOX, ISO 27001, NIST, GDPR, CCPA
Over-permissioned users allowed to do more within SaaS applications than their job requires
SSPM brings together tools and best practices to secure your entire multi-cloud environments, resulting in a cohesive approach to securing data and valuable IP in the cloud. Some of the adjacent security disciplines that work alongside SSPM are:
Cloud Security Posture Management (CSPM) that evaluates overall cloud security posture including services like Google Cloud, Amazon Web Services (AWS), and Cloud Service Provider (CSP) offerings
Cloud Access Security Brokers (CASBs) that place security controls between users and cloud-based resources to enforce policies
Time to redefine “security posture”?
We tend to think of security postures in terms of weak and strong, which usually refers to how well organizations can withstand attack. For the most part, the industry still describes readiness in this way, with special focus on an organization’s ability to detect and filter out threats or how fast they respond. This definition needs to change.
With the emergence of Zero Trust — presuming all traffic and requests are guilty until proven innocent — discussions of security posture can finally expand beyond reacting, and, instead, focus on preventing threats from arising in the first place. Once seen as security’s futuristic Holy Grail, a prevention-based approach means making it harder for threat actors to gain initial access.
Should an attacker sneak onto your network, a preventive security posture can make it hard - even impossible - for them to find and target privileged data. It’s much harder for intruders to hurt you if they’re not able to see or do anything once they’re inside. This is where best-practices related to identity and authorization management come into your SSPM strategy.
The role of Access Management in SSPM
In today’s modern landscape, effective SSPM requires taking a proactive approach. Organizations should constantly monitor to mitigate risk from misconfigurations, compliance issues, suspect user accounts and permissions, as well as other weak links in your SaaS security chain.
Risks from the SaaS applications commonly stem from identities having more permissions than they need, both in terms of what data they can access, and what actions they can take on that data. With the right (or rather wrong) access, threat actors can burrow their way from the SaaS application deep into your IT infrastructure, moving laterally across applications to find something of value. Potential examples include:
A compromised identity has access to data stored within your organization's SaaS application and the potential blast radius for a breach carries over to your company
Accounts on collaboration tools like Slack get compromised allowing a bad actor to find shared credentials
A mismanaged Github account lets intruders steal source code and scan it for exploits
A Zero Trust approach
A “trust no one” mentality should drive everything, including your companies’ approach to SSPM. Zero Trust security policies are inextricably linked to user identity so that security follows users to assets and workloads across your entire IT environment.
Applying a healthy skepticism to SSPM guides IAM leaders and security professionals to adjust risky security policies and remediation workflows, as well as procure the right tools.
Authorization management platforms that empower continuous monitoring and automation give organizations the tools they need to effectively implement SSPM best practices through the lens of Zero Trust. They can use these tools to streamline the process of defining and enforcing policies across users and applications while protecting sensitive data in compliance with industry standards and Zero Trust frameworks such as NIST and MITRE ATT&CK.
Least Privilege in the day-to-day
One of the hardest pieces to attain (and maintain) within the Zero Trust framework is the principle of least privilege. Achieving least privilege in your SSPM strategy requires leveraging automation to review and clean up permissions — write, edit, delete, etc. — on a real-time basis. Access requirements don’t change only at the time of hire, termination or role change; Therefore, permissions need to be easily adaptable.
Team members often are trying to work as quickly as possible to hit deadlines and build solutions, causing them to take shortcuts that actively detract from an organization’s ability to maintain least privilege (remember Shadow Provisioning?) The permission sprawl piles up, accumulating as “access debt” and leaving organizations vulnerable, even if their security policies look bulletproof on paper.
Using automation to implement least privilege within your SaaS applications means cleaning up after game-time decisions are made, eliminating the risks of Shadow Provisioning. An employee may have needed special access to launch a new product, but may not need that permission after the launch is complete. Automated access management ensures employees' permissions change with the daily variation of their job requirements and - here’s the key - change back when permissions aren’t needed anymore.
Authorization platforms like Veza make it possible to effectively enforce the principle of least privilege to reduce potential danger from SaaS applications. Since extra licenses for SaaS apps can be expensive, implementing the principle of least privilege also has the promise to save organizations money by limiting the number of licenses in use.
Visualize and understand the effective permissions of identities.
The first step is to understand exactly what permissions users have on sensitive data today. Veza integrates with your apps and data systems to capture authorization metadata. By connecting all these systems together, Veza visualizes and makes clear the identity-to-data relationships present within SaaS applications.
Veza also standardizes permissions across different systems into simple language: Create, Read, Update, and Delete. This makes it easy for organizations to clearly see where privileged identities may be hiding, even if they don’t know the specific permission names for each SaaS application used. Salesforce’s “admin” may mean something very different than Snowflake’s “user.” This clarity is key in ensuring that least privilege is being maintained in practice.
Veza’s Authorization Graph gives IT the power to perform a deep dive into your SaaS ecosystem to surface over-privileged identities, dormant or orphaned accounts, unutilized licenses and access. You’ll also uncover the permissions that SaaS apps hold on sensitive data assets like Snowflake tables and S3 buckets.
Monitor continuously for access misconfigurations
Veza continually monitors the state of authorization across all your SaaS applications. You can create alerts to automate responses or remediation as key permissions change. For example, Veza can alert you to new users with delete privileges or full admin privileges within Salesforce. This continuous compliance-based approach allows you to maintain least privilege over time and eliminate misconfigurations before an attacker can exploit them.
Streamline governance with intelligent access reviews
If your organization handles sensitive data, you likely conduct some sort of regular access review, especially for highly privileged users like IT admins and executives. But traditional access reviews don’t go deep enough to ensure least privilege.
By showing exactly what permissions an identity has to data within SaaS applications — and how those permissions are granted through groups, roles and the role-based access controls of each data system — Veza lets you conduct intelligent access reviews that curb excess privilege within your portfolio of SaaS apps.
A field guide to bad permissions part 2: expired permissions
Why expired permissions go unnoticed The main reason expired permissions go unnoticed is that it’s…
A field guide to bad permissions, part 1: ungoverned permissions
That is, permissions that aren’t captured or tracked in the tools you use for access governance,…