As we near the end of 2023, it's an opportune moment to assess your roster of SaaS users. Beyond the potential cost savings from eliminating unnecessary license fees, maintaining a well-organized user inventory plays a crucial role in fortifying the security of your SaaS applications. Here are five compelling security reasons to clean your user list.
Offboard Users with Access to Your Apps
When employees leave a company, they set a sequence of backend system adjustments in motion. The initial step involves their removal from the company's identity provider (IdP), initiating an automated process that deactivates their email and revokes access to all internal systems. Enterprises that utilize Single Sign-On (SSO automatically revoke access to various online properties, including SaaS applications.
However, deprovisioning from SaaS applications isn't automatic. Enterprises must manually deactivate or delete users from non-SSO-connected apps and SSO apps that also have local access. This is especially critical for high-privilege users, who often have local access even if the app is typically accessed through an SSO.
Ensuring the complete deprovisioning of users is critical. With the typical end-of-year slowdown, now presents an opportune time to reassess user roles and remove access for individuals who no longer need it.
User permissions dictate the extent of access granted to each employee within an application. Administrative permissions, typically granted to team leaders, enable tasks such as adding new users and overseeing application usage. Employees may require read/write permissions for their roles, while support personnel might only need read permissions or the ability to download reports.
Overpermissioning poses a security risk by unnecessarily expanding the attack surface. In the event of a compromised user account, the threat actor gains access equivalent to the compromised user. As the year concludes, it's prudent to review user permissions, aligning them with respective roles. Implementing the principle of least privilege (POLP) ensures employees have precisely the access needed for their tasks. For applications with group functionality, grouping like-users with preset permissions helps standardize access, while in other apps, a thorough review allows trimming access to essential functionalities.
Eliminate Dormant Accounts
Dormant accounts, which are unused SaaS accounts, fall into three primary types: admin accounts utilized during the application's initial setup with broad privileges, internal accounts belonging to employees who no longer require or use the application based on their roles, and external user accounts that remain inactive.
The risks associated with dormant accounts are substantial. Admin accounts shared among multiple users typically have easily guessable usernames and passwords, coupled with local access, which can create an environment prone to abuse. Unused employee accounts pose a risk in the aftermath of a phishing attack, potentially providing access to threat actors who exploit employees who are unaware of their retained access. Additionally, the lack of visibility into external user activity raises concerns about the security of the user account.
As enterprises navigate the holiday season, it is advisable to scrutinize dormant accounts and proactively assess their risk. When warranted, these accounts should be disabled or canceled to mitigate potential security threats.
Prevent Account Sharing
Using a shared username to cut down on license fees introduces a heightened security risk. Shared accounts become challenging to secure as the number of users who know the access credentials expands with team changes. Moreover, opting for a shared login negates the use of critical security tools like Multi-Factor Authentication (MFA) and Single Sign-On (SSO), leaving the SaaS application more vulnerable.
The difficulties in detecting threats arising from shared accounts compound the security challenge. Anomalies in account access are less likely to trigger alerts if the account is regularly accessed from various locations, making it harder to identify suspicious activity.
Identifying departments that use shared accounts is not easy. However, enterprises can implement preventive measures and detection strategies. Mandating MFA or SSO complicates account sharing, and security teams can leverage user behavior analytics, including monitoring IP address logins, to identify instances of shared usernames. Taking the time now to uncover and address shared accounts contributes to a more secure SaaS environment in the upcoming year and beyond.
Automating User Monitoring and Management
Manually reviewing user rosters and comparing them to the IdP is remarkably tedious and can easily lead to mistakes. So is checking permissions, reviewing dormant accounts, and looking for signs of account sharing. Using a SaaS Security Posture Management (SSPM) platform like Adaptive Shield’s simplifies the process through automation.
Using SSPM’s user inventory, companies can quickly identify accounts that haven’t been used over a preset time period, find external users with high permission sets, and detect users who were removed from the IdP. SSPMs can also associate users with devices to further limit risk.
As you prepare for 2024, introducing an SSPM to monitor users is the most effective and efficient way to know who is accessing your SaaS stack.