The uncomfortable truth about risk blind spots in SaaS solutions

2020/06/23

When an organization starts down the path of an information security management system (ISMS) uplift program, a number of control deficiencies in its SaaS solutions are typically exposed:

  1. Identifying who has privileged access to core SaaS solutions can be done with point-in-time audits, but monitoring for changes between audits requires significant manual effort.
  2. Service or non-named accounts are often used to link SaaS solutions together for data access or replication, so the access cannot be traced to a person.
  3. Customer and business data often ends up in ChatOps systems (e.g. Slack, MS Teams) by way of logging and debugging output.
  4. User-level access to a core SaaS solution is often required only to connect it to another SaaS solution, whose privileged access is often neither known nor managed.
  5. These connected SaaS solutions are not managed or secured by the IT or security team; they are procured, paid for and operated by the business teams.
  6. The connected SaaS solutions either were not procured with security controls in mind or do not support minimum controls such as MFA for privileged users or account federation (SSO).

How do you go about detecting and eliminating these risk blind spots?

Not all SaaS solutions require the same controls, but knowing which ones do is the critical first step.

Organizations inevitably start with the crown jewels that hold business-critical and customer-sensitive data: normally the finance system, the customer relationship management (CRM) system and the identity management system.

The reality for most organizations, however, is that their data is accessible from a far wider SaaS footprint than these core systems. Business-critical financial or customer data ends up in spreadsheets in Office 365 / G Suite, in tickets in Jira / Notion, and in reporting systems such as Power BI.

Since the 2013 revision of ISO/IEC 27001, identifying all information assets (including SaaS) has been a mandatory consideration (Annex A.8.1.1, inventory of assets). To comply with this control, identifying which SaaS solutions store or have access to the information assets is the first step.

Once you have identified the SaaS solutions in scope, start exposing the risk blind spots.

There are blind spots you are aware of, and those you may not know exist. A privileged access change between audits, for example, is a risk blind spot you can anticipate, particularly if there has been high staff turnover since the last audit. A blind spot you might not have anticipated is configuration drift outside your control. One of our customers disabled OneDrive for all their users, but when Microsoft released a new version, OneDrive was automatically turned back on and users started sharing documents externally through it. It took a while for IT to notice, which made rolling back the external sharing very challenging.

Automate, automate, automate.

Every SaaS platform is unique in its configuration. Office 365 alone comes with a dozen dashboards and thousands of settings. Understanding user configuration and its differences across multiple SaaS platforms, and then keeping track of unauthorized changes, is crucial to securing data. But you do not want to do this manually, one platform at a time, every time: it is a waste of productive time and resources.
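The automation the preceding paragraphs argue for comes down to three checks run over successive snapshots of a tenant: who gained or lost privileged roles since the last audit, which privileged users are running without MFA, and which baselined settings drifted (the OneDrive sharing case above). The script below is an added, vendor-neutral illustration of those checks with a hash-chained change log; it is not Detexian's code or any SaaS vendor's API. The snapshot layout (users with roles and an MFA flag, plus tenant-wide settings), the role names and the two snapshots are all constructed assumptions.

```python
"""Point-in-time snapshots become continuous monitoring once you diff them.

Added illustration, not Detexian's code. The snapshot layout and the
privileged role names are assumptions; each SaaS admin API has its own
export format that you would normalise into this shape first.
"""
import hashlib
import json

# Assumed role names; map each platform's own admin roles onto this set.
PRIVILEGED_ROLES = {"global_admin", "billing_admin", "security_admin"}


def privileged_users(snapshot):
    """{user_id: sorted privileged roles} for every user holding one."""
    result = {}
    for u in snapshot["users"]:
        held = sorted(set(u["roles"]) & PRIVILEGED_ROLES)
        if held:
            result[u["id"]] = held
    return result


def diff_privileged_access(before, after):
    """Grants and revocations of privileged roles between two audits."""
    old, new = privileged_users(before), privileged_users(after)
    changes = []
    for uid in sorted(old.keys() | new.keys()):
        gained = sorted(set(new.get(uid, [])) - set(old.get(uid, [])))
        lost = sorted(set(old.get(uid, [])) - set(new.get(uid, [])))
        if gained:
            changes.append({"user": uid, "event": "granted", "roles": gained})
        if lost:
            changes.append({"user": uid, "event": "revoked", "roles": lost})
    return changes


def mfa_exceptions(snapshot):
    """Privileged users without MFA: the exceptions to watch where SSO is not enforced."""
    return [{"user": u["id"]} for u in sorted(snapshot["users"], key=lambda u: u["id"])
            if set(u["roles"]) & PRIVILEGED_ROLES and not u.get("mfa_enabled", False)]


def diff_settings(before, after, watched):
    """Drift on the tenant settings you chose to baseline (e.g. external sharing)."""
    drift = []
    for key in watched:
        b, a = before["settings"].get(key), after["settings"].get(key)
        if b != a:
            drift.append({"setting": key, "before": b, "after": a})
    return drift


class ChangeLog:
    """Append-only, hash-chained history: every entry commits to the previous
    hash, so editing or deleting an earlier entry makes verify() fail."""

    GENESIS = "0" * 64

    def __init__(self):
        self.entries = []

    @staticmethod
    def _digest(prev, event):
        return hashlib.sha256((prev + json.dumps(event, sort_keys=True)).encode()).hexdigest()

    def append(self, event):
        prev = self.entries[-1]["hash"] if self.entries else self.GENESIS
        entry = {"prev": prev, "event": event, "hash": self._digest(prev, event)}
        self.entries.append(entry)
        return entry["hash"]

    def verify(self):
        prev = self.GENESIS
        for e in self.entries:
            if e["prev"] != prev or self._digest(prev, e["event"]) != e["hash"]:
                return False
            prev = e["hash"]
        return True


def audit(before, after, watched_settings, log):
    """Run the three checks and record every finding in the change log."""
    findings = {
        "access_changes": diff_privileged_access(before, after),
        "mfa_exceptions": mfa_exceptions(after),
        "config_drift": diff_settings(before, after, watched_settings),
    }
    for kind, items in findings.items():
        for item in items:
            log.append({"type": kind, **item})
    return findings


# Constructed snapshots. Between T0 and T1 the admin role moved from alice to
# bob (who has no MFA), the service account kept billing admin without MFA,
# and a vendor update silently re-enabled external sharing.
SNAPSHOT_T0 = {
    "users": [
        {"id": "alice", "roles": ["global_admin"], "mfa_enabled": True},
        {"id": "bob", "roles": ["user"], "mfa_enabled": True},
        {"id": "svc-sync", "roles": ["billing_admin"], "mfa_enabled": False},
    ],
    "settings": {"external_sharing": "disabled", "sso_enforced": True},
}
SNAPSHOT_T1 = {
    "users": [
        {"id": "alice", "roles": ["user"], "mfa_enabled": True},
        {"id": "bob", "roles": ["global_admin", "security_admin"], "mfa_enabled": False},
        {"id": "svc-sync", "roles": ["billing_admin"], "mfa_enabled": False},
    ],
    "settings": {"external_sharing": "enabled", "sso_enforced": True},
}
WATCHED_SETTINGS = ["external_sharing", "sso_enforced"]

if __name__ == "__main__":
    log = ChangeLog()
    print(json.dumps(audit(SNAPSHOT_T0, SNAPSHOT_T1, WATCHED_SETTINGS, log), indent=2))
    print("log intact:", log.verify())
```

Run on the two constructed snapshots this reports alice's admin role revoked, bob granted two privileged roles, bob and svc-sync as MFA exceptions, and external_sharing flipped from disabled to enabled; each finding is chained into the log, so any later edit to an earlier entry is detectable. The point is the loop, not the script: scheduling the snapshot and diff turns a point-in-time audit into the continuous monitoring the list at the top says is missing.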

Use Detexian to automate:

  1. privileged access audit
  2. security configuration audit

for all the major SaaS platforms your business teams use.

With Detexian, you not only know who your privileged and highly privileged users are in critical SaaS platforms at all times, you also have an immutable history of changes for audit and incident investigation. The same goes for critical security configurations such as MFA and SSO.

Your IT team does not need to take back control of SaaS solutions to know what is going on inside each SaaS in scope, or the ones it is connected with. They simply add all the SaaS solutions that need to be monitored to the Detexian Portal.

Your IT team can work with the business to negotiate what counts as essential spending on non-functional security features when the business has to pay extra for them. For example, if SSO is mandatory under your policy but would cost the business significantly more on a given platform, the IT team can use Detexian to monitor MFA exceptions on that platform in the meantime.

Establish and enforce baseline security policy for SaaS

Once you connect to our automated assessment portal, it can be overwhelming at first to decide which steps to take to eliminate the risks detected. Refer to our blog post "What is a good baseline security policy for SaaS apps" for our recommendations.

With Detexian, you can start your information security management uplift program for SaaS solutions in a workable sequence that supports your organization's business goals without disrupting the business teams that rely on SaaS solutions for their daily operations.

Find out how you can automate the detection of SaaS risk blind spots in minutes and keep track of changes at all times. Inquire now for a free demo.

Secure what you can't see in the cloud

info@detexian.com
710 Collins Street
Melbourne VIC 3008
Australia
 
9848 Mercy Rd #2
San Diego 92129
USA

Copyright Detexian 2020 All Rights Reserved