Three common types of SaaS misconfiguration (and how to fix them)

Cyber security is often boiled down to a couple of cliches: strong passwords, a sturdy firewall, and anti-virus software. While all of these measures are crucial components of business security, they do not adequately represent the most prevalent threats in modern cybercrime. 

A recent survey from the Cloud Security Alliance (CSA) revealed that 43% of organizations had experienced one or more security incidents resulting from a SaaS misconfiguration. This refers to a Software as a Service (SaaS) application suffering a data breach on account of poorly configured security settings and/or inadequate security practices. 

And while 43% of respondents is an alarming figure, a further 20% of those surveyed by CSA were simply unsure of whether they had experienced SaaS misconfiguration incidents. In all likelihood, the number of organizations with vulnerabilities resulting from unactioned SaaS misconfigurations is significantly higher.

SaaS misconfigurations can appear in many different forms, and for the purpose of this article we'll categorize the most common ones under three types: excessive privileges, weak identity access management, and excessive OAuth sharing. 

Excessive privileges

Have you ever opened up a SaaS app to find that every user has admin privileges? Or perhaps you've found staff opening and editing assets that they shouldn't have access to? These are both examples of excessive privileges - a security oversight wherein users have the ability to make changes to or access parts of a SaaS app beyond what their role should allow. 

Excessive privilege introduces a high level of risk and is simultaneously overlooked by many IT admins. Not only can excessive privileges result in accidental damage caused by staff, such as deletion of crucial documents and data, but they also enable hackers who have compromised a user account to act freely in the targeted environment. 

Studies have shown that up to 46% of Amazon Web Services (AWS) S3 buckets held excessive cloud storage permissions, indicating that almost half of AWS S3 buckets may be misconfigured and should be deemed insecure.

Another common example is over-allocation of Microsoft 365 admin privileges. Depending on the type of admin access, users may have the ability to:

  • Manage usernames

  • Delete and restore users

  • Reset passwords

  • Force users to sign out

  • Create, edit, delete, and restore Microsoft 365 groups

  • Send emails on behalf of delegates

  • Manage all aspects of billing, and much more

Microsoft and AWS both recommend the practice of granting least privilege, wherein users are granted only the permissions required to perform their tasks.
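To make "least privilege" concrete, the following added example (not code from the article or from Microsoft/AWS) lints IAM-style JSON policy documents for the patterns that most often signal excessive privilege: a wildcard action, a wildcard resource, a whole-service action such as `s3:*`, or a `NotAction`/`NotResource` statement. The two sample policies are constructed for this example; the bucket name is a placeholder.

```python
"""Least-privilege linter for IAM-style JSON policy documents.

Added example, not from the original article. It flags Allow statements
that grant more than a task needs. The document layout mirrors the AWS IAM
Statement/Action/Resource structure; the sample policies are constructed.
"""
import json

# An action such as "s3:*" hands over every API call in that service.
FULL_SERVICE_SUFFIX = ":*"


def _as_list(value):
    """IAM allows Action/Resource to be a string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def find_excessive_statements(policy):
    """Return (statement_id, reason) pairs for Allow statements that grant
    broader access than least privilege would."""
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements never widen access
        sid = stmt.get("Sid", f"Statement[{idx}]")
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        if "*" in actions:
            findings.append((sid, "Action '*' grants every API call"))
        else:
            for action in actions:
                if action.endswith(FULL_SERVICE_SUFFIX):
                    findings.append((sid, f"Action '{action}' grants a whole service"))
        if "*" in resources:
            findings.append((sid, "Resource '*' applies to every resource"))
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append((sid, "NotAction/NotResource allows everything not listed"))
    return findings


# Constructed sample: an over-privileged policy of the kind often handed out
# when "just make it work" wins over least privilege.
BROAD_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "AllTheThings", "Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Sid": "AllOfS3", "Effect": "Allow", "Action": ["s3:*"],
     "Resource": "arn:aws:s3:::example-reports-bucket/*"}
  ]
}
""")

# Constructed sample: the same task (read one reports bucket) scoped down.
LEAST_PRIVILEGE_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "ReadReports", "Effect": "Allow",
     "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::example-reports-bucket",
                  "arn:aws:s3:::example-reports-bucket/*"]}
  ]
}
""")

if __name__ == "__main__":
    for name, policy in (("broad", BROAD_POLICY), ("least-privilege", LEAST_PRIVILEGE_POLICY)):
        print(f"{name}: {find_excessive_statements(policy) or 'no findings'}")
```

Run against a policy export from the cloud console, the linter gives an IT admin a quick list of statements to tighten; the least-privilege version of the same task produces no findings because every action and resource is named explicitly.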

Weak Identity Access Management

Identity Access Management is a sizable part of any good security system. In short, it involves the policies, processes and technological tools an organization uses to ensure that when a system is accessed, it is accessed by an identifiable and approved user. 

This includes measures such as password policies, geographical and IP address login restrictions, multi-factor authentication, and much more. 

Password allocation should not be left to users directly. One of the more frustrating statistics an IT admin can read is that 59% of Americans use a person's name or a family member's birthday as a password. Furthermore, passwords are rarely changed and are frequently reused across a number of platforms. 

This ultimately results in vulnerabilities being carried into the organization from personal accounts. For example, a phishing attack and the resulting password breach on a personal account can expose a password that is also used in the workplace, which is then leveraged against the organization. 

We recommend utilizing password management tools to automatically generate strong passwords and store them, encrypted, in a central, well-fortified location. When used correctly, the need for staff to know their individual passwords can be erased, allowing a range of complex and distinct passwords across all SaaS apps. 

Furthermore, ensure that multi-factor authentication is used on all SaaS apps. The simple act of combining staff logins with SMS verification or an authenticator app is said to prevent up to 99% of attacks.

Excessive OAuth Sharing

OAuth is a protocol that enables SaaS apps to act upon other services on a user's behalf. This typically means sharing or changing data, or activating SaaS services via external prompts. 

A common example of OAuth is integrating a SaaS app with your calendar program, such as Zoom with Google Calendar. 

The issue with OAuth is that as your number of SaaS apps grows, users may unknowingly grant excessive OAuth sharing permissions between apps. This introduces often incalculable risk and new attack vectors to an organization, as a compromise of one SaaS app then gains the ability to do harm through another. 

Ensure that your organization is aware of the OAuth configurations between your SaaS apps, and implement routine checks to confirm that only intended OAuth sharing is enabled within the business.
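One form such a routine check can take, as an added example that is not part of the original article, is an audit of the OAuth grant inventory that a SaaS admin console can export. Each grant is compared against a table of approved integrations and the minimum scopes each one was approved for; unapproved apps and approved apps holding extra scopes are reported, with broad data-access scopes raising the severity. The grant records and the approved-app table are constructed for this example; the scope strings follow Google's URL-style scope naming because the article's own example is Zoom integrated with Google Calendar.

```python
"""Audit of OAuth app grants against an approved-integration list.

Added example, not from the original article. The inventory, the
approved-scope table and the user addresses below are constructed.
"""

# Scopes that hand an app broad access to organizational data (Google-style
# scope names); holding one of these raises a finding to high severity.
HIGH_RISK_SCOPES = {
    "https://www.googleapis.com/auth/drive",                  # all Drive files
    "https://mail.google.com/",                               # full mailbox
    "https://www.googleapis.com/auth/admin.directory.user",   # directory admin
}

# Approved integrations and the minimum scopes each one needs (constructed).
APPROVED_APPS = {
    "Zoom": {"https://www.googleapis.com/auth/calendar.events"},
    "Expense Tracker": {"https://www.googleapis.com/auth/userinfo.email"},
}

# Constructed grant inventory: one record per (user, app) consent.
GRANTS = [
    {"user": "alice@example.com", "app": "Zoom",
     "scopes": ["https://www.googleapis.com/auth/calendar.events"]},
    {"user": "bob@example.com", "app": "Zoom",
     "scopes": ["https://www.googleapis.com/auth/calendar.events",
                "https://www.googleapis.com/auth/drive"]},
    {"user": "carol@example.com", "app": "PDF Magic Converter",
     "scopes": ["https://mail.google.com/"]},
]


def audit_oauth_grants(grants, approved_apps, high_risk=HIGH_RISK_SCOPES):
    """Return findings as (severity, user, app, detail) tuples.

    An app absent from approved_apps is reported whatever it holds; an
    approved app is reported only for scopes beyond its approved set.
    """
    findings = []
    for grant in grants:
        held = set(grant["scopes"])
        allowed = approved_apps.get(grant["app"])
        if allowed is None:
            severity = "high" if held & high_risk else "medium"
            findings.append((severity, grant["user"], grant["app"],
                             "unapproved app holds: " + ", ".join(sorted(held))))
            continue
        extra = held - allowed
        if extra:
            severity = "high" if extra & high_risk else "low"
            findings.append((severity, grant["user"], grant["app"],
                             "scopes beyond approval: " + ", ".join(sorted(extra))))
    return findings


def summarize(findings):
    """Count findings per severity, for a one-line status in a scheduled job."""
    counts = {}
    for severity, *_ in findings:
        counts[severity] = counts.get(severity, 0) + 1
    return counts


if __name__ == "__main__":
    results = audit_oauth_grants(GRANTS, APPROVED_APPS)
    for severity, user, app, detail in results:
        print(f"[{severity}] {user} -> {app}: {detail}")
    print(summarize(results))
```

In the constructed inventory, Alice's Zoom grant matches the approved calendar scope and produces nothing, Bob's Zoom grant is flagged because it additionally holds full Drive access, and Carol's consent to an app nobody approved is flagged because it holds full mailbox access. Re-running the audit on a schedule and diffing the findings against the previous run is what turns it into the routine check the text calls for.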

This may sound like a lot to tackle. In fact, one of the leading causes of SaaS misconfigurations is a lack of visibility into what changes are made to SaaS app security settings. 

Given that many organizations are dealing with hundreds of SaaS apps, it's understandable why so many systems wind up misconfigured. 

However, when a breach does occur, the organization and those in charge of managing IT and security may be held accountable regardless of whether they had prior knowledge of the exploited SaaS misconfigurations. 

We recommend applying the tips laid out in this article, and utilizing SaaS app discovery scans to gain a better overview of your SaaS apps and their configuration requirements.
