The rapid adoption of Software as a Service (SaaS) applications across all levels of enterprise has created massive security risks that often go unnoticed by security teams. The benefits of SaaS, however, are large enough that organizations take on these risks every day. SaaS provides companies with access to data and resources from anywhere at any time, without the need to maintain their own infrastructure. With most organizations across the globe already employing a multitude of SaaS applications in either a hybrid- or multi-cloud environment, the question the industry is facing as a whole is not, “Should we adopt SaaS?” but rather, “How do we adopt SaaS applications safely?”
Authorization at the center of SaaS Security
The answer to this question is authorization. An identity-first approach to using SaaS is the only way to bolster security across an organization’s multi or hybrid-cloud environment.
Authorization is the critical backbone for Zero Trust security. When contemplating the question, “who can take what actions within our SaaS app?,” authorization deals with both the “who” and the “what.” It’s vital to ensure only the right people have access to an organization’s valuable IP. But, even the “right people” can have their identities compromised, making it crucial to limit every identities’ permissions within an organization to the bare minimum they need to do their job. This concept, also known as the principle of least privilege, is one of the key tenets to securing SaaS through authorization.
But, what exactly are we securing against?
The Big Six SaaS Vulnerabilities
Depending on headcount, enterprises end up with thousands of SaaS users to manage, averaging 150+ SaaS apps for organizations with 1,000+ employees; this staggering number only increases as headcount rises, and attack surface expands in direct correlation. There are six primary threats to an organization's SaaS environment:
Weak passwords: Passwords are often the weakest link in security, and employees may use weak or reused passwords, making it easy for threat actors to gain access to sensitive information. This is why authentication isn’t enough when approaching SaaS security. Over-privileged identities are a desirable attack vector for cyber criminals.
Shadow IT: SaaS applications are often adopted from the bottom-up, causing a rise in unauthorized SaaS apps used without IT approval or formal documentation. Even if not directly linked to the company “crown jewels,” unapproved applications can contain sensitive information, unprotected credentials or other valuable IP.
a. Joiner/Mover/Leaver (JML) Provisioning: As employees join, move or leave a company (JML), their transitions incur permission domino effects that can leave a trail of orphaned accounts, over-privileged accounts, or both. These account access errors accumulate as quickly as the org chart changes and can be difficult to identify and remediate without the proper tools, leaving companies vulnerable.
b. Shadow Provisioning: Also known as Ad-hoc provisioning, or the accumulation of permissions across SaaS platforms without formal supervision, Shadow Provisioning is a necessary evil of the modern day workload. When team members need unusual access to complete special projects, they may be given temporary privileges to complete their work without going through formal channels. It’s often not acceptable for employees to halt a project while the Identity team considers an access request. Therefore, when faced with a deadline, many team members will circumvent company provisioning policies and grant direct access to keep things moving.
Insider threats: While many employees don’t have any level of access to your cloud infrastructure and databases, almost all have SaaS accounts, which makes sensitive data in SaaS much more vulnerable to insider threats. It’s difficult to imagine your team members wreaking havoc upon your organization, but it does happen, and can cause irreparable damage.
Misconfigurations: SaaS applications often store data within the cloud, making them a prime target for threat actors who can exploit misconfigurations like automatic admin privileges or excessive OAuth sharing. When integrating with legacy systems, SaaS applications often require a team of developers at the onset. If this implementation is not done correctly, the initial set-up can result in hidden misconfigurations that are only found later when exploited.
Lift & shift vulnerabilities: When moving to the cloud, organizations must take a thoughtful approach to adopting SaaS. “Lifting” the framework used on traditional, on-premises systems and expecting them to work in the cloud can end in disaster. Although cloud-based SaaS solutions can have incredible benefits, they also come with more entry points and vulnerabilities than traditional systems. A “one size fits all'' security strategy will not work for both.
Despite knowing about these well known vulnerabilities, many companies still fall prey to SaaS breaches and cyber threats. Is it because they’re hoping their overarching security policies will protect them? Maybe. But the more likely cause is that implementing SaaS security requires a focus on authorization that is extremely difficult to achieve manually. Automating SaaS access governance is the best way to ensure the right people can take the right actions on the right SaaS applications (at the right time)!
Powering SaaS Access Governance with automation
To enjoy the benefits of SaaS while staying secure, companies should implement an identity-first approach to SaaS access governance that is powered by automation. Making sure only the right people have access to the right applications is one of the most powerful prevention tactics against security threats and breaches. However, manual methods for provisioning, validating, and reviewing access to apps are expensive, complex, time-consuming and nearly impossible to execute correctly. Identities pile up faster than you’d think. SaaS accounts include not only human identities (your admins or contributors within an organization), but also non-human identities that allow data to be passed between your disparate systems and the cloud. Add in integrations between different SaaS apps and external guest-users and contractors, and organizations are left with piles of access debt.
Wrangling these identities is crucial and can no longer be done using spreadsheets. With the constant changing of roles and permissions, continuous monitoring of identities and access is the only way to effectively manage permissions, alert security teams when the IdP is circumvented, fix misconfigurations when they occur, or quickly identify and protect against potential threats. With real-time data on permissions, security teams can keep track of the revolving door of SaaS user permissions within their organization. This real-time visual on an organizations’ disparate SaaS apps empowers security teams to achieve and maintain the most bulletproof SaaS security strategy possible.
Securing SaaS also benefits the bottom line by reducing capital spent on licenses and seats. Unearthing unneeded and unused access across your stack means fewer providers, fewer seats and a smaller spend.
Zero Trust within your SaaS access posture
Zero Trust architecture is the foundation of automated SaaS access security. A comprehensive SaaS Security Posture Management (SSPM) strategy should include continuous verification of user identity and access rights, granular access governance and permissions, dynamic risk assessments and adaptive security measures, and enhanced visibility and monitoring capabilities.
Applying automation to your SaaS access posture strategy gives security teams the power to initiate an overarching shift in company culture toward a Zero Trust mindset. By automating the tedious work of monitoring and controlling access to data, security teams have the time and resources they need to educate other departments on how they can contribute to SaaS security. This can be done by improving processes like strengthening password policies, fixing risky posture such as accounts that bypass multi-factor authentication, providing methods for stronger data protection and encryption measures, or by encouraging a shift in the way employees approach the usage of all cloud-based applications.
How Veza automates SaaS Access Governance
Automated access governance is the bridge to achieving and maintaining least privilege within your SaaS access posture strategy. Veza is the authorization platform for identity-first security that acts as that bridge.
By automating access governance for the modern SaaS and data environment, Veza gives organizations the power to protect against the “Big Six” SaaS vulnerabilities and streamline their access management processes by:
Leveraging automation to review and clean up permissions — write, edit, delete, etc. — on a continuous basis. Access requirements don’t change only at the time of hire, termination or role change; Therefore, permissions need to be easily adaptable.
Keeping track of all SaaS applications, identities and accounts in real-time, even as licenses change and providers are switched.
Using automation to implement least privilege within your SaaS applications by surfacing local users and eliminating the risks of Shadow Provisioning. Automated access management ensures employees' permissions change with the daily variation of their job requirements and change back when permissions aren’t needed anymore.
Creating alerts to monitor access changes when they do happen, allowing you to quickly remediate permissions when necessary.
Integrating with your apps and data systems to capture authorization metadata. By connecting all these systems together, Veza visualizes identity-to-data relationships to assist in threat detection and risk scoring; create alerts to notify teams when a threat is identified.
Helping you visualize privileged identities that may be hiding, even if you don’t know the specific permission names for each SaaS application used.
Conducting comprehensive security assessments at any time, either for internal use or external audits and compliance exercises.
Veza’s Authorization Graph gives IT, security and compliance teams the power to perform a deep dive into your SaaS ecosystem to surface over-privileged identities, dormant or orphaned accounts, unused licenses and access.Veza also uncovers the permissions that SaaS apps hold on sensitive data assets like Snowflake tables and S3 buckets. It can also be applied to your other cloud and data systems, giving you a full picture of access across all platforms within your organization.
Streamline governance with intelligent access reviews
If your organization handles sensitive data, you likely conduct some sort of regular access review, especially for highly privileged users like IT admins and executives. But traditional access reviews don’t go deep enough to ensure least privilege.
By showing exactly what permissions an identity has to data within SaaS applications — and how those permissions are granted through groups, roles and the role-based access controls of each data system — Veza lets you conduct intelligent access reviews that curb excess privilege within your portfolio of SaaS apps.
A field guide to bad permissions part 2: expired permissions
Why expired permissions go unnoticed The main reason expired permissions go unnoticed is that it’s…
A field guide to bad permissions, part 1: ungoverned permissions
That is, permissions that aren’t captured or tracked in the tools you use for access governance,…