SaaS Ball of Yarn

It's no great revelation to say that SaaS applications have changed the way we operate, both in our personal and professional lives. We routinely rely on cloud-based and remote applications to conduct our basic functions, with the result that the only true perimeter of our networks has become the identities with which we log into these services.

Unfortunately, as is so often the case, our appetite for better workflows, collaboration, and communications outpaced our willingness to make sure these tools were secure before we hooked them into our environments, and in doing so we handed off control over the security of our data. Each application asks for some set of permissions on our data and often relies in turn on other vendors' services, creating not a network but a tangle of interdependencies so complex that most security and IT teams don't know how many SaaS applications are connected, let alone which ones or with what permissions.

Our collective, and understandable, appetite for flexibility and scalability led us to where we are now: most of us cannot operate a modern business without SaaS applications, because they have become so vital to operations, yet we find ourselves vulnerable to attacks on those very cloud-based services and applications.

Threat actors understand the "as-a-service" model as well as anyone; they sell Ransomware-as-a-Service to affiliates on the dark web. They also understand that compromising a third-party SaaS vendor yields not one company's crown jewels but many. We saw a 68% rise in attacks via third-party apps in 2023, and researchers expect that number to keep climbing as SaaS adoption grows.

Luckily there are steps IT and security teams can take to untangle the ball of SaaS yarn they have been left holding.


Understand your SaaS environment and shadow IT

It seems so simple: if you need to secure something, you need to know it's there first. As we know, though, when it comes to SaaS, it's never simple.

Reco SaaS Application Cyber Kill Chain

Shadow IT, meaning any tool or program that has been installed and granted access to company data without the IT or security team's knowledge, is rampant. Think of someone in marketing who needs a new design tool available as a SaaS application: they sign in, grant it access to shared files for easy uploads and downloads, and skip IT approval for any number of reasons (it takes too long, the application might be denied, they are on a tight deadline). The application ends up with broad read and write permissions on company data while nobody on the security side knows it exists, let alone watches it for suspicious behavior.

To understand the scope of the problem, and why a full view of your SaaS environment matters, let's do some rough math.

  • Most businesses have, on average, ~500 business applications connected to their environment.
  • Of those, ~49% are sanctioned by IT/security and ~51% are unsanctioned.
  • Each application has, on average, about 9 users.
  • Multiplying users per application (9) by unsanctioned apps (~255) gives roughly 2,295 user-to-app connections that IT and security teams have no insight into, each a potential entry point for an attacker.

This is why knowing how many applications are hooked into your environment, what they do, what permissions they hold, and what activity they generate is the most important step. That visibility also has to be continuous: you never know when someone will bypass IT, add a new app or service, and grant it full access to your data.


Close the open roads to your data

Once you have a handle on your applications, it's time to model your permissions and ensure that neither the applications nor their users are over-permissioned. This, too, requires constant monitoring: applications often change their permission structure to request more access without making that clear.

The recent rash of high-profile breaches tied to the cloud data platform Snowflake shows how exposed organizations often are in this respect. Ticketmaster, Santander Bank, and Advance Auto Parts all fell to the same playbook: credentials stolen in earlier compromises were replayed against Snowflake customer accounts that had been set up without an identity provider or MFA, so that massive datasets were protected by a password alone. The vendor permitted that configuration, and the customers sidestepped best practice by choosing it.

To take the first step in securing their SaaS ecosystem, companies must map it out: every connected app, the identities associated with it, and the actions it takes. This is labor intensive, it is only the tip of the iceberg, and it cannot rest on hoping that employees will come forward about their use of an unsanctioned app.

Reco Black Hat Presentation

To prevent this kind of breach, companies must:

  • Know every SaaS application in use, sanctioned or not, and in particular those that need deep access or hold proprietary or customer data
  • Ensure those high-risk applications sit behind an identity provider with MFA enforced, not merely available
  • Ensure the users of those applications are not over-privileged
  • Be alerted, and able to act quickly, when those applications, or the data reachable through them, are accessed or moved in suspicious ways
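As an added example, not code from this article or from Reco's product, the following Python script runs the four checks in the list above over a constructed OAuth-grant inventory and adds the single-factor login check that the Snowflake cases above turned on. The Google Workspace scope URIs are real scope identifiers, but their assignment to risk tiers, the app names, the users, the MFA table and the login events are all assumptions invented for the example.

```python
"""Triage a SaaS OAuth-grant inventory: unknown apps, risky scopes,
MFA gaps, and password-only logins.

All sample data below is constructed for this example; it is not a
real export from any tenant.
"""
from collections import defaultdict
from dataclasses import dataclass

# Scope risk tiers. The Google Workspace scope URIs are real identifiers;
# the tier each one lands in is this example's policy, not a vendor's.
HIGH_RISK_SCOPES = {
    "https://www.googleapis.com/auth/drive",                 # full Drive access
    "https://www.googleapis.com/auth/gmail.modify",          # read/modify mail
    "https://www.googleapis.com/auth/admin.directory.user",  # manage users
}
MEDIUM_RISK_SCOPES = {
    "https://www.googleapis.com/auth/drive.readonly",
    "https://www.googleapis.com/auth/gmail.readonly",
}
# Everything else (drive.file, calendar.readonly, userinfo.email, ...) is low.


@dataclass(frozen=True)
class Grant:
    """One user's consent to one app: the unit an OAuth token export lists."""
    app: str
    user: str
    scopes: frozenset


def scope_risk(scopes):
    """Worst tier among the scopes an app has collected across all users."""
    if scopes & HIGH_RISK_SCOPES:
        return "high"
    if scopes & MEDIUM_RISK_SCOPES:
        return "medium"
    return "low"


def triage(grants, sanctioned_apps, mfa_enrolled):
    """Group grants per app and answer the four questions from the list above."""
    by_app = defaultdict(list)
    for g in grants:
        by_app[g.app].append(g)
    findings = {}
    for app, app_grants in by_app.items():
        scopes = frozenset().union(*(g.scopes for g in app_grants))
        users = sorted({g.user for g in app_grants})
        findings[app] = {
            "risk": scope_risk(scopes),
            "sanctioned": app in sanctioned_apps,
            "users": users,
            # A user without MFA is the weak link for every app they consented to.
            "users_without_mfa": [u for u in users if not mfa_enrolled.get(u, False)],
        }
    return findings


def actionable(findings):
    """High-risk apps that are either unknown to IT or reachable by an MFA-less user."""
    return sorted(app for app, f in findings.items()
                  if f["risk"] == "high"
                  and (not f["sanctioned"] or f["users_without_mfa"]))


def password_only_logins(events):
    """Successful logins with no second factor: the gap the Snowflake cases turned on.

    Events mimic the shape of a data platform's login history (user, success flag,
    second authentication factor or None, client IP); the records are constructed.
    """
    return [e for e in events if e["success"] and e["second_factor"] is None]


# --- constructed sample inventory (hypothetical apps, users and events) -------
SAMPLE_GRANTS = [
    Grant("design-tool", "alice", frozenset({
        "https://www.googleapis.com/auth/drive",
        "https://www.googleapis.com/auth/userinfo.email"})),
    Grant("design-tool", "bob", frozenset({"https://www.googleapis.com/auth/drive"})),
    Grant("calendar-sync", "carol", frozenset({"https://www.googleapis.com/auth/calendar.readonly"})),
    Grant("crm-connector", "dave", frozenset({"https://www.googleapis.com/auth/gmail.readonly"})),
]
SANCTIONED_APPS = {"calendar-sync", "crm-connector"}      # what IT knows about
MFA_ENROLLED = {"alice": True, "bob": False, "carol": True, "dave": False}
SAMPLE_LOGINS = [
    {"user": "bob", "success": True, "second_factor": None, "client_ip": "203.0.113.7"},
    {"user": "alice", "success": True, "second_factor": "DUO_PUSH", "client_ip": "198.51.100.4"},
    {"user": "bob", "success": False, "second_factor": None, "client_ip": "203.0.113.9"},
]

if __name__ == "__main__":
    results = triage(SAMPLE_GRANTS, SANCTIONED_APPS, MFA_ENROLLED)
    for app, f in results.items():
        flag = "" if f["sanctioned"] else "  [UNSANCTIONED]"
        print(f"{app}: risk={f['risk']} users={f['users']} "
              f"no_mfa={f['users_without_mfa']}{flag}")
    print("act on:", actionable(results))
    print("password-only logins:", [e["user"] for e in password_only_logins(SAMPLE_LOGINS)])
```

On the sample data the unsanctioned design tool is the one app that needs action: it holds full Drive access and one of its two users has no MFA, and that same user also shows up as a password-only login. To run this against a real tenant, map each row of an OAuth token or enterprise-application export to a Grant and keep the scope tiers as the part you tune per environment; the tier lists are the policy, the rest is plumbing.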

This kind of access, permission, and usage monitoring has the added benefit of helping your company stay compliant with any number of agencies and regulators. If your data is exposed through a third party, telling a regulator that you did not know the application existed or what it could reach is not well received. Nor can this monitoring come at the expense of usability, since that is exactly what drives the rampant shadow IT we see today.


In conclusion: secure how your business is working

Clearly, SaaS applications are here to stay, from sales enablement to database management to AI tools. It's exciting and has opened up opportunities for us to work in new, innovative ways and places. As we acknowledge this, it's also time to start unraveling the SaaS ball of yarn that has become our environment.

As threat actors find more and more of these nodes of failure and dependency in this tangle, they will get better at exploiting them with bigger – and more devastating – breaches. The more we prioritize securing the way we actually work, the more we'll be able to accomplish.

Note: This article is expertly written and contributed by Dvir Sasson, Director of Security Research at Reco.

