Security teams can’t protect every byte within their digital footprint. Limited resources mean making choices, and so security teams run assessments to evaluate the value of their assets, the cost to protect those assets, and the damage to the company should an asset be breached or compromised.
In some industries, regulatory requirements shape those decisions, while other industries can be determined based on organizational needs.
The assessment frequently leaves SaaS applications, and the data they contain outside of the company’s protective shield. Organizations often believe the data stored within SaaS applications is less sensitive than other corporate IP and accept that the security tools built into the SaaS app are strong enough to provide adequate protection.
In a sense, those assessments are right. Most SaaS apps don’t contain the company's crown jewels, and nearly every SaaS application comes with a robust security tool set that should protect all the data within the SaaS app. Unfortunately, that view is leaving critical data exposed online, putting organizations at risk of data exposure, ransomware, and regulatory fines.
What Data is Stored in SaaS Apps?
Companies store some of their most important data within SaaS applications.
Salesforce stores all company leads, its sales pipeline, and customer data. Sharepoint contains critical files and work product. Bamboo HR stores employee data. GitHub contains software code. Netsuite stores key financial documents. Google Workspace and Microsoft 365 contain files and email.
Organizations’ tech stacks are comprised of applications like these. Failing to secure the data would represent a significant loss to a company. Depending on the nature of the attack, all data stored within the application could be lost forever, shared with competitors, or held for ransom.
Motives for SaaS Attack
Generally speaking, there are three motivations for an attack on a SaaS app. Threat actors want to steal data, steal money, or sabotage a company. Each of these attack types manifests itself in different forms. A grab for data, for example, might involve threat actors remaining in the shadows while playing the long game, while a saboteur or ransomware attack would involve different styles of attack.
When SaaS applications are left unprotected organizations can quickly find themselves dealing with a large scale SaaS security incident.
Data theft often involves competitors accessing a SaaS application and downloading critical company information. Threat actors need to gain credentials to access the SaaS, and then move laterally to increase their access and find the intellectual property they crave. Once they find the data, they tend to download it slowly to avoid raising any security flag.
These attacks can be difficult to detect, considering that the perpetrators are often authorized or former employees. Companies that recently laid off employees or are involved in negative news stories are at higher risk of sabotage.
Like all SaaS apps, security begins with access management. Organizations should be especially careful with high-privilege dormant accounts, such as those accounts that were used for setup but have been dormant or accounts shared by multiple users. Access must also be removed for employees that have been let go.
These accounts, if left active, offer pathways to sensitive data without any way for security teams to know which current or former user is accessing them.
Most don’t usually associate ransomware with SaaS applications. Today, we are seeing an increase in these types of attacks. SaaS data is accessed through a user account or malicious app, and then encrypted pending the payment of a ransom.
These ransomware attacks often carry a secondary attack mode, particularly when the compromised SaaS app contains PII data or involves highly regulated industries. In addition to encryption, the threat actor threatens publishing the data online. In these nightmarish scenarios, organizations are motivated to pay the ransom to protect themselves from negative PR and regulatory penalties for failing to adequately protect the data they collected.
Protecting Your SaaS
For the most part, the security configurations on SaaS applications are sufficient to secure the data contained within the application. In a perfect world, those configurations would be set once, securing the apps and the data within against nearly all threats.
However, SaaS configurations are often adjusted by users trying to enhance functionality or improve accessibility. Configuration drift leads to vulnerabilities, which creates an opening for threat actors to take advantage. Third-party applications, which are connected to SaaS applications and granted scopes enabling them to delete records, send emails, and add new data, increase the attack surface.
Lacking visibility, the security team has no way of knowing whether SaaS applications have retained their secure posture over time, or whether a malicious third-party application has been inadvertently connected to a business-critical application.
SaaS Security Posture Management (SSPM) with SaaS threat detection automates security checks and provides the visibility needed for every third-party app. It enables security teams to detect threats against data and respond appropriately against imminent threats. Adding SSPM to your security stack is vital in securing SaaS-based critical data.