Over the last year, we’ve seen increasing evidence of an upcoming recession. Interest rate hikes and inflation, energy uncertainty, and the war in Ukraine are all harbingers of rough times ahead. CNBC reported that more than 50,000 employees from Twitter, Meta, Amazon, Salesforce, and other tech companies lost their jobs in November. While no one knows exactly what 2023 will bring to the labor market, organizations need to be prepared for potential downsizing.
Removing access for employees who no longer need company SaaS applications should be straightforward. Most companies disable the user in their directory (Active Directory or another IDP) and expect that user to be removed automatically from every application they had access to.
That works when the SaaS app was integrated with SSO. Many SaaS apps aren't: the user was created with a local username and password inside the app itself. Disabling the IDP identity does nothing to those credentials, so the former employee can still log in.
Furthermore, many high-privilege users hold additional accounts that are not managed within the IDP at all. This particularly applies to admins and app owners, who often keep a separate break-glass or admin login alongside their SSO identity. Those accounts keep their elevated access after the person leaves, which puts all the data within the application at risk.
Shadow Users are Everywhere
When a SaaS application is rolled out, the install team typically creates several test user accounts that are not associated with the IDP. These accounts are granted various levels of access, depending on the functionality being tested. They are usually given names that are easy to remember, and because an account may be shared by several people, its password is often a simple phrase or number pattern that is easy to pass around. After setup is complete, these accounts sit dormant, but they remain valid logins that still grant access.
Additionally, teams often share a single user license among multiple employees. Again, these accounts are frequently high-privilege with easy-to-remember passwords, because that is the simplest way for the team to get its work done.
These dormant and shared high-privilege accounts represent a significant threat during periods of downsizing. Former employees can use them to easily access corporate SaaS apps and sabotage or steal corporate IP. During periods of downsizing, security should be tightened to include reviewing permissions of these types of accounts, rotating passwords, and limiting shared accounts to situations where it is the only option.
User accounts are also frequently given to external users. As teams collaborate with vendors and partners, it's more efficient to provide access to the system than to have employees copy, paste, and email data to their partners. While some of these accounts are limited through RBAC, partner and vendor accounts often have full access.
These external accounts always carry some risk. The risk rises when employees are let go and the vendor or partner loses its connection to the company: nobody is left to notice that the account should be closed, and the only thing standing between company data and the public internet is a set of login credentials. Company and customer data may be stolen, leaked, or shared with competitors.
Know Your User Inventory
User inventories provide a complete account of each user in every SaaS system. These were easy to assemble when everything was done on-premises. However, the transition to the cloud and SaaS applications has decentralized user data and limited the view of security personnel.
An effective user inventory would enable security teams and SaaS app owners to find and disable these types of accounts, eliminating the threat they pose following layoffs.
The inventory should be the single source of truth for everything a security team needs to know about a user. It should include the login names the user may use on different applications, the multiple login names a high-privilege user might have for a single app, the applications they can access, and the level of privilege they hold within each application. Every one of those credentials must be disabled once an individual is no longer part of the organization.
The inventory also needs to cover test accounts, shared accounts, and external user accounts. For each account, security personnel should be able to see whether it is federated to the corporate IDP or uses a local password, the date it last accessed the system, and the roles granted to it. With that information in hand, security teams and app owners can decide whether an account represents a threat and needs its access removed or limited.
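The review described above can be automated once the SaaS app's user export and the IDP's active-user list are side by side. The script below is an added example, not code from the original article or from any vendor's product. The exports are constructed sample data, the column names (login, email, sso, role, last_login) are an assumption to be mapped onto whatever the vendor's CSV actually contains, and the 90-day dormancy window and the list of high-privilege roles are assumed thresholds. It flags accounts that are not backed by an IDP identity, accounts that still have a local password, external accounts, secondary logins belonging to a managed user, dormant accounts, and high-privilege accounts, then ranks them by recommended action.

```python
from datetime import date, timedelta

# Constructed sample data, not a real export. The IDP export is the set of
# identities the company still treats as active employees.
IDP_ACTIVE_USERS = {"alice@example.com", "bob@example.com", "carol@example.com"}

# Constructed user export from one SaaS app. The column names are an
# assumption; map your vendor's CSV headers onto them.
SAAS_USERS = [
    {"login": "alice@example.com",    "email": "alice@example.com",     "sso": True,  "role": "admin",  "last_login": "2022-12-01"},
    {"login": "alice-admin",          "email": "alice@example.com",     "sso": False, "role": "owner",  "last_login": "2022-06-14"},
    {"login": "dave@example.com",     "email": "dave@example.com",      "sso": True,  "role": "member", "last_login": "2022-11-30"},
    {"login": "qa-test1",             "email": "",                      "sso": False, "role": "admin",  "last_login": "2021-03-02"},
    {"login": "marketing-shared",     "email": "marketing@example.com", "sso": False, "role": "editor", "last_login": "2022-12-02"},
    {"login": "vendor@partnerco.com", "email": "vendor@partnerco.com",  "sso": False, "role": "admin",  "last_login": "2022-09-10"},
]

HIGH_PRIV_ROLES = {"owner", "admin"}   # assumed; adjust per application
CORP_DOMAIN = "example.com"
REVIEW_DATE = date(2022, 12, 5)        # assumed "today" for the dormancy check
DORMANT_AFTER = timedelta(days=90)     # assumed threshold


def classify(account, idp_active, today=REVIEW_DATE, corp_domain=CORP_DOMAIN,
             dormant_after=DORMANT_AFTER):
    """Return the risk flags for one SaaS account and a recommended action."""
    email = account["email"].lower()
    domain = email.rsplit("@", 1)[-1] if "@" in email else ""
    flags = set()

    if not account["sso"]:
        flags.add("local_credentials")   # password survives an IDP disable
    if email not in idp_active:
        flags.add("no_idp_identity")     # nobody active in the IDP owns this login
    if domain and domain != corp_domain:
        flags.add("external")            # vendor or partner account
    if account["role"] in HIGH_PRIV_ROLES:
        flags.add("high_privilege")
    if account["login"].lower() != email and email in idp_active:
        flags.add("secondary_login")     # extra account of a managed user
    if date.fromisoformat(account["last_login"]) < today - dormant_after:
        flags.add("dormant")

    if "no_idp_identity" in flags and "local_credentials" in flags:
        action = "disable"               # usable by anyone who knows the password
    elif "no_idp_identity" in flags:
        action = "remove"                # SSO-only orphan: blocked today, but clean it up
    elif "local_credentials" in flags and "high_privilege" in flags:
        action = "rotate_and_review"     # managed owner, unmanaged admin password
    elif "dormant" in flags:
        action = "review"
    else:
        action = "ok"
    return {"login": account["login"], "flags": sorted(flags), "action": action}


def review_inventory(saas_users=SAAS_USERS, idp_active=IDP_ACTIVE_USERS, **kw):
    """Classify every account and return them with the riskiest actions first."""
    results = [classify(a, idp_active, **kw) for a in saas_users]
    order = {"disable": 0, "remove": 1, "rotate_and_review": 2, "review": 3, "ok": 4}
    return sorted(results, key=lambda r: order[r["action"]])


if __name__ == "__main__":
    for r in review_inventory():
        print(f"{r['action']:18} {r['login']:24} {', '.join(r['flags'])}")
```

On the sample data, the three local-password accounts with no IDP owner (the test account, the shared marketing login, and the vendor admin) come out first as "disable"; the departed user whose SSO account was never deleted is "remove"; and the admin's separate owner login, which the IDP knows nothing about, is "rotate_and_review". The same logic generalizes to any app whose export gives you a login, an email, an SSO flag, a role, and a last-login date; the hard part in practice is obtaining that export from every app, which is exactly what the inventory is for.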
User Inventories Are Critical to Protecting Your SaaS
Downsizing can be traumatic for a company and its employees, but is usually done to protect the long-term interests of the organization. Ensuring that data remains safe throughout this challenging period is not an easy task, but with the right tools in place, security teams and app owners can ensure the integrity and security of their SaaS.