How to detect malicious Azure apps that are accessing your sensitive data?
A user can unknowingly authorize a malicious Azure marketplace app. Find out how to eliminate this blind spot.
In the modern workplace, it is normal for the IT team to manage the organization's core solutions such as Office 365, G-Suite and Okta. Outside of these, the lines of responsibility often blur rapidly. A common example we see: the Sales and Marketing team has privileged access to Salesforce, which is federated to Azure AD and shared with the IT team; but for Adobe Campaign, the IT team is not involved at all and the Sales and Marketing team exclusively holds privileged access. This means that across Sales and Marketing there are overlapping groups of users with privileged access who can:
make significant changes to the SaaS configuration and operation;
bypass critical security settings;
access sensitive information.
Each of these privileged users has access to significant volumes of business critical and customer sensitive data.
The rise of the SaaS marketplace
One of the major incentives to combine multiple SaaS solutions into an organization's ecosystem or footprint is the ability for them to integrate and enhance the business value. This is normally done by way of SaaS marketplace integrations: a privileged user authorizes a third-party application published in the SaaS marketplace to access or copy data between SaaS solutions.
If we look at the Sales and Marketing example above, this rapidly becomes problematic, as privileged users of both Salesforce and Adobe Campaign can add marketplace integrations that have access to customer data. If one of these users wants to access data in Airtable, then it’s as simple as installing a marketplace app and authorizing it on each end. This application may be published by Airtable, by a third party or by a workflow engine such as Zapier. Once this integration is established, it is often forgotten about and becomes a SaaS blind spot.
This leads to multiple risks for an organization:
Their business critical and customer sensitive data gets copied to a third SaaS solution without any visibility or controls applied;
The marketplace app may and often will request significantly more privileges or data access than required for the task;
If the integration is via Zapier or a third-party provider, that provider also has access and authorization to the data;
Malicious third-party SaaS applications can be authorized by a privileged user by accident or by being socially engineered.
These risks are often unknown to the teams responsible for information security at an organization.
Malicious third-party SaaS application risk is on the rise. Attackers are adding malicious applications to app stores and marketplaces every day in an attempt to compromise high value targets. In early July 2020, Microsoft released guidance on this blind spot, “Protecting your remote workforce from application-based attacks like consent phishing”, that SaaS administrators should be aware of.
How to eliminate the SaaS to SaaS authorization blind spot
To reduce the risk of a data breach through SaaS to SaaS authorizations, an organization must do the following:
Get visibility of privileged access in all SaaS solutions with access to business critical and customer sensitive data;
Discover all currently authorized applications on SaaS solutions, both via marketplaces and OAuth;
Evaluate if marketplaces and OAuth federations should be enabled or disabled in SaaS solutions containing business critical and customer sensitive data.
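The discovery step above, as an added example (not Detexian's code and not part of the original article): it audits a constructed export shaped like Microsoft Graph's oauth2PermissionGrants and servicePrincipals collections and separates admin-consented from per-user grants. The high-risk scope list and the approved-app allow-list are assumptions to adapt per tenant.

```python
# Constructed sample data, shaped like Microsoft Graph /servicePrincipals and
# /oauth2PermissionGrants responses. IDs and app names are made up.
SERVICE_PRINCIPALS = [
    {"id": "sp-001", "displayName": "Contoso CRM Sync"},
    {"id": "sp-002", "displayName": "Free PDF Converter"},
    {"id": "sp-003", "displayName": "Team Calendar Helper"},
]
GRANTS = [
    {"clientId": "sp-001", "consentType": "AllPrincipals", "principalId": None,
     "scope": "User.Read Contacts.Read"},
    {"clientId": "sp-002", "consentType": "Principal", "principalId": "user-42",
     "scope": " User.Read Mail.Read Files.ReadWrite.All offline_access"},
    {"clientId": "sp-003", "consentType": "AllPrincipals", "principalId": None,
     "scope": "Calendars.Read Directory.ReadWrite.All"},
]
APPROVED = {"sp-001"}  # hypothetical allow-list of reviewed integrations
# Assumption: which delegated scopes count as excessive is a local policy choice.
HIGH_RISK = {"mail.read", "mail.readwrite", "mail.send", "files.read.all",
             "files.readwrite.all", "sites.read.all", "directory.readwrite.all"}


def audit_grants(grants, service_principals, approved):
    """Return one finding per grant that is unapproved or holds high-risk scopes."""
    names = {sp["id"]: sp["displayName"] for sp in service_principals}
    findings = []
    for g in grants:
        scopes = (g.get("scope") or "").split()  # tolerates leading/double spaces
        risky = sorted(s for s in scopes if s.lower() in HIGH_RISK)
        unapproved = g["clientId"] not in approved
        if not risky and not unapproved:
            continue
        tenant_wide = g["consentType"] == "AllPrincipals"  # admin consent
        findings.append({
            "app": names.get(g["clientId"], "<unknown service principal>"),
            "consent": "admin (tenant-wide)" if tenant_wide else "user",
            "principal": g.get("principalId"),
            "risky_scopes": risky,
            "unapproved": unapproved,
            # A tenant-wide grant of a risky scope covers every user's data.
            "severity": "high" if risky and tenant_wide else
                        "medium" if risky else "review",
        })
    order = {"high": 0, "medium": 1, "review": 2}
    return sorted(findings, key=lambda f: order[f["severity"]])

if __name__ == "__main__":
    for finding in audit_grants(GRANTS, SERVICE_PRINCIPALS, APPROVED):
        print(finding)
```

Running the same function on successive exports and comparing the findings surfaces newly consented applications between runs.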
How can Detexian help?
Detexian is launching new features to reduce the risks of malicious applications:
Discovery of currently authorized marketplace and OAuth applications on Azure / Office 365;
Detection of both Privileged User consented and per-user consented applications;
Detection of permissions granted for each application, with excessive privileges being highlighted and notified;
Continuous monitoring and detection of new applications being registered and consented.
This is in addition to our key feature of Privileged Access visibility, which provides the peace of mind you need to secure your SaaS footprint.
Find out how you can detect malicious Azure applications, gain visibility of privileged accounts in minutes and keep track of changes at all times. Inquire now for a free trial.