Companies store an incredibly large volume of data and resources within SaaS apps like Box, Google Workspace, and Microsoft 365. SaaS applications make up 70% of total company software usage, and as businesses increase their reliance on SaaS apps, they also increase their reliance on security solutions.
SaaS security is not a new problem; however, the attack surface has widened. It started with managing misconfigurations and now goes far beyond. Today, it takes a holistic approach that includes the continuous monitoring and management of user access, roles and permissions, third-party apps installed by users, risks deriving from SaaS user devices, and Identity Threat Detection & Response (ITDR).
Securing numerous potential attack vectors for each user becomes a challenge when dealing with a diverse range of applications, each with its own unique characteristics. The environment is also dynamic: SaaS vendors recognize the importance of security and continually enhance their applications with robust security measures, while user governance (onboarding, deprovisioning, adjustments in roles and permissions) is ever-evolving. These controls are effective only when properly configured by the organization, for each app and each user, on an ongoing basis. On top of that, these applications are managed by various business departments, making it impractical for the security team to exercise complete control.
The objective in SaaS security is finding the balance between securing applications while still enabling users to do their jobs efficiently.
Below we explain each attack vector and line of defense for a strong SaaS ecosystem security lifecycle.
Misconfigured SaaS settings are one of the leading causes of SaaS data breaches. Security teams have no visibility into the security-related aspects of these apps, which in most cases are managed by the business departments. To further complicate the picture, each SaaS application uses its own language for settings, which prevents security teams from developing an easy-to-use guide that directs business teams' security efforts. With companies easily averaging over 100 applications, each with hundreds of configurations and multiple users, deciphering and managing security settings is no easy task.
Adaptive Shield integrates with more than 130 SaaS applications to monitor and manage security misconfigurations through in-depth security checks and auto/step-by-step remediation.
Image 1: Bird’s-eye view of the security posture by app
- App Breadth & Security Depth: Access in-depth security checks into settings for every application and every user, with contextual recommendations to deliver comprehensive security coverage.
- Prioritize Risk Management: Sort and filter misconfigurations by application, security domain, level of risk, and compliance to prioritize and manage different areas of the SaaS security posture.
- Guided Remediation: Step-by-step descriptions and impact reports let security teams and app owners know exactly how to fix the issue and which users will be affected by the configuration change, whether the fix is applied by creating a ticket or by auto-remediating.
- Compliance Mapping: The security checks are aligned with major industry and government security standards, including SOC2 and NIST, so security teams can see how SaaS security posture impacts compliance scores. You can also ‘Bring Your Own Compliance.’
Image 2: List of security checks categorized by app, domain, severity, numbers of users, etc.
Weaving an Identity Fabric and Detecting Identity-Centric Threats (ITDR)
Identity Threat Detection and Response (ITDR) capabilities feature a set of security measures designed to detect and respond to identity-related security threats based on key Indicators of Compromise (IOCs). These IOCs provide forensic signs of a potential breach, such as malware, data breaches, unusual behavior, and other suspicious events. ITDR closes the gap between continuous identity governance and identity threat detection within the SaaS ecosystem, covering Tactics, Techniques, and Procedures (TTPs) and anomalies surfaced by User & Entity Behavior Analytics (UEBA), such as account takeover through compromised identities.
When it comes to SaaS threats, existing threat detection and identity management methods don’t go far enough. Today’s SaaS environments are complex and ITDR capabilities within these landscapes require deep knowledge and proven expertise in the way SaaS applications are designed.
Adaptive Shield’s engines cross-reference and analyze in-context TTPs and suspicious events from multiple sources, enabling the accurate detection of very complex and subtle threats.
As a means of prevention and a first line of defense, SSPM should operate as the security layer in the identity fabric to establish robust user governance. This includes managing excessive permissions, access entitlements, user deprovisioning, and more, across the entire SaaS stack. Adaptive Shield provides organizations with deep and consolidated visibility and control of user accounts, roles, permissions, privileged users, and activities.
Identity governance use cases include:
- Privileged Users: Identify users with the highest permissions within any application to prioritize misconfiguration management, device management, and third-party app access.
- Permission Trimming: Ensure each SaaS user has the level of access needed for business operations while avoiding unnecessary access to sensitive data.
- User Deprovisioning: Detect users that have been disabled in Active Directory but still have access to SaaS applications, and detect dormant or inactive users and privileged accounts from external domains, so their SaaS access can be deprovisioned quickly if needed.
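The three deprovisioning checks above, as an added example that is not Adaptive Shield's code: an Active Directory export is joined with a SaaS app's user inventory on email address, and each check returns the accounts to review. All data, domain names and field names are constructed for the illustration.

```python
# Constructed sample data (not from the article): an AD export keyed by email,
# and a SaaS app's user inventory with role, status and last login (ISO 8601).
AD_USERS = {
    "alice@corp.example": {"enabled": True},
    "bob@corp.example": {"enabled": False},   # offboarded in AD
    "carol@corp.example": {"enabled": True},
}

SAAS_USERS = [
    {"email": "alice@corp.example", "role": "admin", "status": "active",
     "last_login": "2024-05-01T09:00:00"},
    {"email": "bob@corp.example", "role": "member", "status": "active",
     "last_login": "2024-04-28T12:00:00"},
    {"email": "carol@corp.example", "role": "member", "status": "active",
     "last_login": "2023-11-15T08:30:00"},
    {"email": "dave@vendor.example", "role": "admin", "status": "active",
     "last_login": "2024-04-30T10:00:00"},
]

PRIVILEGED_ROLES = {"admin", "owner"}   # assumed role names for the sample app
CORP_DOMAINS = {"corp.example"}          # domains that should exist in AD


def _domain(email):
    return email.rsplit("@", 1)[1].lower()


def orphaned_saas_access(ad_users, saas_users, corp_domains=CORP_DOMAINS):
    """Active SaaS accounts of corporate users who are disabled or absent in AD."""
    hits = []
    for u in saas_users:
        if u["status"] != "active" or _domain(u["email"]) not in corp_domains:
            continue
        ad = ad_users.get(u["email"])
        if ad is None or not ad["enabled"]:
            hits.append(u["email"])
    return hits


def dormant_users(saas_users, now_iso, max_idle_days=90):
    """Active SaaS accounts with no login for more than max_idle_days."""
    from datetime import datetime, timedelta
    cutoff = datetime.fromisoformat(now_iso) - timedelta(days=max_idle_days)
    return [u["email"] for u in saas_users
            if u["status"] == "active"
            and datetime.fromisoformat(u["last_login"]) < cutoff]


def external_privileged(saas_users, corp_domains=CORP_DOMAINS):
    """Privileged SaaS roles held by accounts outside the corporate domains."""
    return [u["email"] for u in saas_users
            if u["role"] in PRIVILEGED_ROLES
            and _domain(u["email"]) not in corp_domains]
```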
Image 3: View of User Inventory broken down by privileges and user-specific security checks.
Image 4: View of Threat Center and activity information
Users Connecting New Apps to Their Existing Apps
To improve app functionality, many users integrate third-party apps into the core SaaS stack. These integrations take place without the knowledge of the security team and often ask for intrusive permission scopes, such as the ability to read, write, and delete data. While many of these applications are harmless, if taken over by a threat actor they can cause significant damage.
Adaptive Shield detects every connected third-party application and identifies the permission scopes each one has been granted. Security teams can then review the information and make an informed decision on whether to continue using the application.
Third-party app use cases include:
- Visibility into Connected Apps: Measure your exposure and attack surface with an unprecedented view into apps connected to your SaaS stack.
- Measure Risk from Connected Apps: Identify high-risk connected apps and adjust permission settings or find alternate apps.
- Malicious App Threat Detection: Discover unknown applications that pose a real threat to your operations and data.
Image 5: View of 3rd-party connected apps with their severity levels and accessed scopes.
Users Are Accessing These Apps Through Compromised Devices
The login-anywhere nature of SaaS enables users to access sensitive corporate systems using unmanaged and compromised devices. These devices, which may contain malware, can be exploited to capture access credentials and tokens that can be used by threat actors. This is particularly high-risk when being done by an admin with broad access within the application.
Your SaaS security tool must review device data and associate each device with a user. When high-privilege users access SaaS apps from a device that contains critical vulnerabilities, it puts the entire application at risk. Managing that risk is a key element of maintaining a secure SaaS stack.
Image 6: View of the SaaS User Device Inventory
Device-to-SaaS Risk Management includes:
- Privileged Users with Critical Vulnerabilities: Identify high-privileged SaaS users with poor cyber hygiene on their devices, devices that are non-compliant with organizational policies, and unmanaged devices.
- Device Missing Endpoint Protection Reporter: Create security checks that identify devices that do not appear in endpoint protection reporting.
- Devices Missing Latest Version Agents: Prevent malware attacks by identifying devices that use out-of-date agent versions.
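The three device-to-SaaS checks above, as an added example that is not Adaptive Shield's code: a SaaS user inventory is joined with an endpoint inventory on the device owner's email, and each check returns the devices to act on. The device fields, agent version numbers and role names are constructed assumptions.

```python
# Constructed sample data (not from the article): SaaS users with their app role,
# and a device inventory as an endpoint tool might export it.
SAAS_USERS = {
    "alice@corp.example": "admin",
    "bob@corp.example": "member",
    "carol@corp.example": "owner",
}

DEVICES = [
    {"host": "lt-alice", "owner": "alice@corp.example", "managed": True,
     "edr_reporting": True, "agent_version": "7.2.1", "critical_vulns": 2},
    {"host": "lt-bob", "owner": "bob@corp.example", "managed": True,
     "edr_reporting": False, "agent_version": "7.2.1", "critical_vulns": 0},
    {"host": "byod-carol", "owner": "carol@corp.example", "managed": False,
     "edr_reporting": True, "agent_version": "6.9.0", "critical_vulns": 0},
]

PRIVILEGED_ROLES = {"admin", "owner"}   # assumed role names for the sample app
LATEST_AGENT = "7.2.1"                   # assumed current agent release


def version_tuple(version):
    """Compare dotted versions numerically, so '7.10.0' > '7.9.0'."""
    return tuple(int(part) for part in version.split("."))


def risky_privileged_devices(users, devices):
    """Devices of privileged SaaS users that are unmanaged or carry critical vulns."""
    findings = []
    for d in devices:
        if users.get(d["owner"]) not in PRIVILEGED_ROLES:
            continue
        reasons = []
        if not d["managed"]:
            reasons.append("unmanaged")
        if d["critical_vulns"] > 0:
            reasons.append(f"{d['critical_vulns']} critical vulns")
        if reasons:
            findings.append((d["host"], d["owner"], reasons))
    return findings


def devices_missing_edr(devices):
    """Devices the endpoint protection tool is not reporting on."""
    return [d["host"] for d in devices if not d["edr_reporting"]]


def devices_with_stale_agent(devices, latest=LATEST_AGENT):
    """Devices running an agent older than the current release."""
    return [d["host"] for d in devices
            if version_tuple(d["agent_version"]) < version_tuple(latest)]
```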