Benchmarks for SaaS Apps: Access Control

April 12, 2023

What is Access Control?

Access control is the key to your SaaS kingdom. It determines who has access, what they are permitted to do once inside, and the steps they must take to enter the system.

Access control is the center of your SaaS security foundation, which is why it accounts for 59% of all SaaS configurations. Of the 13,000 configurations Adaptive Shield checks out of the box, over 7,500 address access control.


Access control is a multi-level domain, with layers of security elements all intended to prevent unauthorized users and threat actors from accessing your data. This first line of defense requires oversight and a nuanced approach that balances SaaS usability and availability with security.

Why is Access Control so Complex?

Access control configurations affect every employee in the company who has access to a given app. Employees on different teams may require access to different areas, while employees within the same team may need different levels of access.

In an app like Salesforce, IT admins need administrative access. Some sales personnel may need access to marketing costs, while others might also need access to reports. Within the sales team, sales reps should only have access to their own leads, while sales managers should have access to all the leads within their department or domain.

Creating these types of role-based access profiles is complex, and it’s tempting to over-permission users. The configuration settings may appear overwhelming, which is why we’re sharing some foundational settings within Salesforce, Microsoft 365, and Google Workspace for an effective access control policy.

Authentication Policies in Salesforce

Salesforce is the leading CRM in the market. It contains an immense amount of sensitive information, and protecting that data is of paramount importance. Comprehensive user authentication policies are vital to ensuring security.

Single Sign On - Required or Just Enabled?

Connecting Salesforce to your organization's SSO/IdP solution is one of the core ways to ensure and enforce access control. Over 80% of the Salesforce instances our research team reviewed have enabled SSO. However, only 2% of those organizations required users to log in through SSO.

A surprising 98% of organizations still allow their users to access Salesforce with basic username-and-password authentication. Enabling SSO alone does not close this path: Salesforce must also be configured to refuse direct username-and-password logins for SSO users (the "Disable login with Salesforce credentials" option under Single Sign-On Settings). Left open, this misconfiguration means a threat actor who captures a username and password, through sophisticated phishing or other means, can log in directly, bypassing the identity provider and any MFA it enforces. Once those credentials are compromised, the attacker has access to a wealth of customer and pipeline data.

Access Control Benchmarks for Salesforce

Here are some other Access Control configuration benchmarks against which you can measure your security posture.

Figure 1. Most Salesforce accounts enable SSO, but miss out on its protections by failing to require it.

Controlling Access in Microsoft 365

Microsoft 365 documents, presentations, spreadsheets, and email are among a company's most valuable resources. SharePoint sites hold shared files, making it easy for employees to collaborate on critical projects. The data within Microsoft 365 demands robust access control. Here are Access Control benchmarks to measure your company against.

M365 and the Importance of Disabling Legacy Protocols 

Legacy authentication protocols in M365 may be undermining your entire security setup. Security teams can implement SSO, harden password policies, require MFA, and keep Azure Active Directory updated and well maintained, and still find themselves exposed.

With legacy authentication, the client typically stores the username and password on the device and sends them with every request. Credentials that travel this often are more likely to be captured, especially if a request is sent without Transport Layer Security (TLS).

Basic authentication, which some legacy software still depends on, cannot enforce MFA and has been superseded by modern authentication (OAuth 2.0 tokens issued by the identity provider, which Conditional Access and MFA can govern). The Exchange Online protocols that still accept basic authentication include IMAP, POP, Offline Address Book (OAB), Exchange ActiveSync (EAS), Authenticated SMTP, and others. Microsoft began permanently disabling basic authentication for most of these protocols in Exchange Online in October 2022 (SMTP AUTH excepted), but a tenant should verify its current state rather than assume it.

Over 80% of the M365 instances we reviewed had at least one legacy authentication protocol enabled, and over 50% had two or more. A surprising 10% had almost all legacy authentication protocols enabled, and many of those protocols are used daily.

Figure 3. Accounts with Active Legacy Protocols

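The "enabled but is it used?" question above is what a security team has to answer before switching a protocol off. The following is an added example, not code from this article or from Adaptive Shield, that joins two constructed data sets: per-mailbox protocol switches shaped like the Exchange Online Get-CASMailbox properties (ImapEnabled, PopEnabled, ActiveSyncEnabled) and sign-in records shaped like Entra ID sign-in log entries (userPrincipalName, clientAppUsed, createdDateTime). The field names and the list of legacy clientAppUsed values are assumptions drawn from those products' documented outputs; the sample users and timestamps are constructed.

```python
"""Audit legacy (basic-auth) protocol exposure in a Microsoft 365 tenant.

Added example with constructed data; not the article's or Adaptive Shield's code.
Assumed shapes: sign-in records mimic Entra ID sign-in log fields
(userPrincipalName, clientAppUsed, createdDateTime); mailbox settings mimic the
per-mailbox switches exposed by Exchange Online's Get-CASMailbox.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# clientAppUsed values that Entra ID classifies as legacy authentication
# clients. Anything else ("Browser", "Mobile Apps and Desktop clients")
# uses modern auth and can be governed by MFA / Conditional Access.
LEGACY_CLIENT_APPS = {
    "Authenticated SMTP", "Autodiscover", "Exchange ActiveSync",
    "Exchange Online PowerShell", "Exchange Web Services", "IMAP4",
    "MAPI Over HTTP", "Offline Address Book", "Other clients",
    "Outlook Anywhere (RPC over HTTP)", "POP3", "Reporting Web Services",
    "Universal Outlook",
}

# Legacy client app -> the per-mailbox switch that turns that protocol off.
# Protocols without a mailbox-level switch are blocked tenant-wide instead
# (Exchange authentication policy or a Conditional Access policy).
MAILBOX_SWITCH = {
    "IMAP4": "ImapEnabled",
    "POP3": "PopEnabled",
    "Exchange ActiveSync": "ActiveSyncEnabled",
}

NOW = datetime(2023, 4, 12, tzinfo=timezone.utc)  # constructed reference time

# Constructed Get-CASMailbox-style settings (assumed shape).
MAILBOXES = {
    "alice@example.com": {"ImapEnabled": True, "PopEnabled": True, "ActiveSyncEnabled": True},
    "bob@example.com": {"ImapEnabled": True, "PopEnabled": False, "ActiveSyncEnabled": True},
    "carol@example.com": {"ImapEnabled": False, "PopEnabled": True, "ActiveSyncEnabled": False},
}

# Constructed sign-in log entries (assumed shape).
SIGN_INS = [
    {"userPrincipalName": "alice@example.com", "clientAppUsed": "IMAP4", "createdDateTime": "2023-04-11T08:02:11Z"},
    {"userPrincipalName": "alice@example.com", "clientAppUsed": "Browser", "createdDateTime": "2023-04-11T08:05:00Z"},
    {"userPrincipalName": "bob@example.com", "clientAppUsed": "Exchange ActiveSync", "createdDateTime": "2023-04-10T17:40:09Z"},
    {"userPrincipalName": "bob@example.com", "clientAppUsed": "IMAP4", "createdDateTime": "2022-12-01T09:00:00Z"},  # outside window
    {"userPrincipalName": "carol@example.com", "clientAppUsed": "Mobile Apps and Desktop clients", "createdDateTime": "2023-04-12T07:00:00Z"},
    {"userPrincipalName": "carol@example.com", "clientAppUsed": "Authenticated SMTP", "createdDateTime": "2023-04-09T06:30:00Z"},
]


def parse_ts(s):
    """Parse the Zulu timestamps the sign-in log uses."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def legacy_usage(sign_ins, now=NOW, window_days=30):
    """Map each legacy client app to the set of users seen using it in the window."""
    since = now - timedelta(days=window_days)
    used = defaultdict(set)
    for rec in sign_ins:
        app = rec["clientAppUsed"]
        if app in LEGACY_CLIENT_APPS and parse_ts(rec["createdDateTime"]) >= since:
            used[app].add(rec["userPrincipalName"])
    return dict(used)


def legacy_exposure(mailboxes, sign_ins, now=NOW, window_days=30):
    """Per legacy protocol: mailboxes with it enabled, recent users, and an action."""
    used = legacy_usage(sign_ins, now, window_days)
    report = {}
    for app, switch in MAILBOX_SWITCH.items():
        enabled_on = sorted(u for u, s in mailboxes.items() if s.get(switch))
        used_by = sorted(used.get(app, set()))
        if not enabled_on:
            action = "already disabled"
        elif not used_by:
            action = "disable now (enabled but unused)"
        else:
            action = "migrate users to modern auth, then disable"
        report[app] = {"enabled_on": enabled_on, "used_by": used_by, "action": action}
    # Legacy apps seen in the logs that have no per-mailbox switch still need a tenant-wide block.
    for app, users in used.items():
        if app not in MAILBOX_SWITCH:
            report[app] = {"enabled_on": [], "used_by": sorted(users),
                           "action": "block tenant-wide (authentication policy / Conditional Access)"}
    return report


if __name__ == "__main__":
    for app, row in legacy_exposure(MAILBOXES, SIGN_INS).items():
        print(f"{app:22} enabled_on={len(row['enabled_on'])} used_by={row['used_by']} -> {row['action']}")
```

On the constructed data, POP3 is enabled on two mailboxes but unused, so it can be switched off immediately; IMAP4 and Exchange ActiveSync have recent users who must be moved to a modern-auth client first; and Authenticated SMTP shows up only in the logs, which is the case the per-mailbox switches cannot cover. Replace the two constructed inputs with a Get-CASMailbox export and a sign-in log export to run it against a real tenant.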

Access Control Benchmarks for Microsoft 365

Securing Google Workspace and App Passwords 

Like M365, Google Workspace supports legacy authentication protocols such as IMAP and POP. In addition, it has some high-risk configurations that are unique to it. App Passwords are 16-character passcodes that a user generates to connect a third-party application or device that cannot perform modern authentication to their Google account. An App Password grants access to the account, and presenting it does not trigger an MFA challenge.

App Passwords were created to let external apps integrate with Google Workspace, much like an API key. However, a client presenting one bypasses both MFA and SSO, so a leaked App Password is as good as the account's credentials for the services it unlocks.

To strengthen an organization's security and reduce risk, App Passwords should never be used by super admins. Regular users can use App Passwords, as long as each password is monitored, rotated appropriately, and revoked once the app or device that used it is retired.

Figure 4. App Passwords in Google
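The policy above (no App Passwords for super admins, monitored and rotated ones for everyone else) can be checked from the Admin SDK Directory API, where users.list reports `isAdmin` and asps.list returns each app-specific password's `codeId`, `name`, `creationTime` and `lastTimeUsed`. The audit below is an added example, not this article's or Adaptive Shield's code; the records are constructed in the shape those API calls return, and the 90-day rotation and 30-day idle limits are assumptions chosen for the example.

```python
"""Audit Google Workspace app passwords (ASPs) against a simple policy.

Added example with constructed data; not the article's or Adaptive Shield's code.
Assumed shapes: users mimic users.list output (primaryEmail, isAdmin, where
isAdmin is true for super admins); ASP records mimic asps.list output (codeId,
name, creationTime, lastTimeUsed as millisecond-epoch strings).
"""
from datetime import datetime, timedelta, timezone

NOW = datetime(2023, 4, 12, tzinfo=timezone.utc)  # constructed reference time
MAX_AGE_DAYS = 90   # rotation limit assumed for the example
STALE_DAYS = 30     # idle period after which an unused ASP should be revoked


def ms(dt):
    """datetime -> millisecond-epoch string, the format the API returns."""
    return str(int(dt.timestamp() * 1000))


def from_ms(s):
    return datetime.fromtimestamp(int(s) / 1000, tz=timezone.utc)


# Constructed users.list output (assumed shape).
USERS = [
    {"primaryEmail": "admin@example.com", "isAdmin": True},
    {"primaryEmail": "dave@example.com", "isAdmin": False},
    {"primaryEmail": "erin@example.com", "isAdmin": False},
]

# Constructed asps.list output keyed by user (assumed shape).
ASPS = {
    "admin@example.com": [
        {"codeId": 1, "name": "Mail on iPhone",
         "creationTime": ms(NOW - timedelta(days=10)), "lastTimeUsed": ms(NOW - timedelta(days=1))},
    ],
    "dave@example.com": [
        {"codeId": 2, "name": "Thunderbird",            # in use but older than the rotation limit
         "creationTime": ms(NOW - timedelta(days=200)), "lastTimeUsed": ms(NOW - timedelta(days=2))},
        {"codeId": 3, "name": "Old laptop",             # idle longer than the stale limit
         "creationTime": ms(NOW - timedelta(days=60)), "lastTimeUsed": ms(NOW - timedelta(days=45))},
        {"codeId": 5, "name": "Never used",             # never used: API reports 0 / omits the field
         "creationTime": ms(NOW - timedelta(days=40)), "lastTimeUsed": "0"},
    ],
    "erin@example.com": [
        {"codeId": 4, "name": "Scanner",                # compliant
         "creationTime": ms(NOW - timedelta(days=20)), "lastTimeUsed": ms(NOW - timedelta(days=3))},
    ],
}


def audit_app_passwords(users, asps, now=NOW, max_age_days=MAX_AGE_DAYS, stale_days=STALE_DAYS):
    """Return (email, codeId, finding) for every ASP that violates the policy.

    Order of checks: super-admin ownership is always a finding; otherwise an
    idle ASP is flagged for revocation before an old one is flagged for rotation.
    """
    findings = []
    for u in users:
        email = u["primaryEmail"]
        for asp in asps.get(email, []):
            created = from_ms(asp["creationTime"])
            last = asp.get("lastTimeUsed") or "0"
            # A never-used ASP has been idle since it was created.
            last_used = created if last == "0" else from_ms(last)
            age = now - created
            idle = now - last_used
            if u.get("isAdmin"):
                findings.append((email, asp["codeId"], "revoke: super admin must not hold app passwords"))
            elif idle > timedelta(days=stale_days):
                findings.append((email, asp["codeId"], f"revoke: unused for {idle.days} days"))
            elif age > timedelta(days=max_age_days):
                findings.append((email, asp["codeId"], f"rotate: {age.days} days old"))
    return findings


if __name__ == "__main__":
    for email, code_id, finding in audit_app_passwords(USERS, ASPS):
        print(f"{email:20} asp#{code_id}: {finding}")
```

The never-used case matters in practice: an App Password that was generated and forgotten is still a live credential, and asps.list reports no usage for it, so the audit treats it as idle since creation rather than skipping it.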

Access Control Benchmarks for Google Workspace

How to Regain Access Control

Access Control is a significant security function and forms the first line of defense in an organization's SaaS security policy. Security teams are responsible for strengthening it and keeping it strong.

Security teams can begin creating a strong foundation of access control by:

  • Requiring SSO across the organization, not merely enabling it
  • Enforcing MFA for all users
  • Removing legacy protocols
  • Disabling app passwords for super admins

Up next in our Benchmark for SaaS Apps Series is Data Leakage Protection, the practice of detecting and preventing data breaches, exfiltration, or unwanted destruction of sensitive data.

About the writer

Adaptive Shield Team
Businesses today run nearly every facet of their operations using a wide array of interconnected SaaS apps. Adaptive Shield’s team is here to keep you informed as well as help you secure your SaaS estate.