A recent review by Wing Security, a SaaS security company that analyzed the data of over 500 companies, revealed some worrisome information. According to this review, 84% of the companies had employees using an average of 3.5 SaaS applications that were breached in the previous 3 months. While this is concerning, it isn't much of a surprise. The exponential growth in SaaS usage has security and IT teams struggling to keep up with which SaaS applications are being used and how. This isn't to say that SaaS should be avoided or blocked; on the contrary, SaaS applications must be used to ensure business growth. But using them has to be done with some level of caution.
Determining which SaaS applications are risky
The most intuitive risk factor to determining whether an application is risky is looking it up and seeing if it has been breached. SaaS applications are clearly a target as we see more and more SaaS related attacks. A breach is a clear indication to stay away, at least until the SaaS vendor completely remediates and recovers (which can take some time…). But there are other criteria to take into account when determining whether a SaaS application is safe to use. Here are two more to consider:
- Compliances - The security and privacy compliances the application's vendor has, or hasn't, are a good indication of its safety. Securing a SOC, HIPAA, ISO (the list goes on…) requires long and scrupulous processes in which the company has to adhere to strict regulations and conditions. Knowing a company's compliances is imperative to understanding its security level.
- Marketplace presence - Checking whether an application is present in well-known and accounted-for marketplaces is also a helpful step when determining its integrity, which can be linked to its security measures. In respected marketplaces, applications need to go through a vetting process, not to mention they receive user reviews which are arguably one of the most important indicators of an application's legitimacy.
While understanding which applications are potentially risky is important, it's no easy task. And it is also not the first step. According to Wing Security, the companies they reviewed all had a high three-digit number of SaaS applications in use. So the first and basic question security teams should be asking is:
How many SaaS applications are employees using?
Clearly, it is impossible to determine whether SaaS is used safely without first discovering how many SaaS applications are used and which ones. This is basic, but not simple. SaaS is used by any and all employees, and while enforcing SSO and using IAM systems is important and helpful, the decentralized, accessible, and often times self-service nature of SaaS applications means employees can start using almost any SaaS they need by simply searching for it online and connecting it to their company's workspace, easily avoiding the IAM. This is especially true when considering the many SaaS applications that provide a free tool or a free version of it.
That in mind, SaaS application discovery is also provided as a free, self-service tool so answering the above-mentioned question should be easy enough. Once a clear mapping of SaaS usage is in place, the next step is to determine the risky SaaS applications. Once risky applications are classified as such, it is important to revoke the tokens they received from the users who connected them to the organization. This can be a lengthy and cumbersome process without a proper tool in place (Wing offers risky application removal as another capability in its free version, but with some limitations that are lifted in its premium offering).
Ensuring SaaS usage is safe requires asking and answering two more questions:
1. Which permissions were granted to the SaaS applications?
It probably goes without saying that not all applications introduce risk all the time. It is also worth adding that even if a SaaS application is breached, the risk it may impose relies heavily on the permissions it was granted. Almost all SaaS applications require some degree of permission to access company data to provide the service for which they were designed. Permissions range from read-only to write permissions that allow the SaaS application to act on behalf of the user, such as sending emails in the user's name. Proper SaaS security posture management means monitoring the permissions granted by users to an application and ensuring it was only given the necessary permissions.
2. What is the data that flows in and between these applications?
At the end of the day, it's all about protecting critical company data, whether it's business information, Pii, or code. Data has many formats, and it flows in many different ways. The unique way in which SaaS is used across all business units and teams and by anyone in the organization poses the risk of data sharing using SaaS applications that are not designed for safe data sharing. It also poses the risk of data being shared between SaaS applications. Nowadays, many SaaS applications are connected, and onboarding one can give access to a subset of many others. It's a giant mesh of interconnectivity and data sharing.
Start with the basics - Get to know your SaaS layer
SaaS security can be overwhelming. It is a new, robust frontier that is constantly evolving. It is also just another risk in a long list of risks that security teams need to face. The key to solving SaaS security is knowing which applications are being used. This basic first step sheds light on the SaaS shadow IT challenge and allows security teams to properly assess the urgency and magnitude of their SaaS security risks. Knowing with certainty the amount and nature of SaaS in use should not be complex or expensive. There are many tools out there that can solve this, and you can try Wing. security's free solution to get an idea of what you're facing.