Which major SaaS platforms allow users outside your organization to have privileged access?
External users can be found in all major SaaS platforms, sometimes with the highest level of privileged access.
In traditional on-premise networks, all identity is normally stored in a central store, an LDAP directory of some kind of which the most common is Microsoft’s Active Directory. This central store is almost always supported by the IT team or outsource partner and not able to be accessed remotely. When people need access to systems or data, a formal support request is needed and privileged access is rarely given out to business users.
Since the shift to SaaS at the modern workplace, organizational identity is often internal on a per-SaaS basis rather than a central store. While the majority of enterprise SaaS platforms support Single-Sign-On (SSO) which can be used to ensure only internal users can access the SaaS platforms, we at Detexian find this is rarely implemented. This is because the business users who choose, procure and operate the SaaS do not understand the feature or as we see quite often, it requires additional spend and was never purchased as a feature. Consequently, we find that external users can be present in all major SaaS platforms, sometimes with the highest level of privileged access.
Why are external users so common in our SaaS?
It is common to see that many accounts in SaaS solutions holding sensitive data are external to an organization. External users are frequently found for the following reasons:
Third-party suppliers and contractors working with the organization to meet business objectives, e.g. a digital marketing agency will often request and be given access to Monday or Salesforce for a campaign;
Many organizations outsource support for their SaaS solutions to specialist consultancies or the vendor themselves who will require access to the SaaS solutions;
Former staff whose access was not removed when they left.
This has led to many organizations’ data being exposed as external users are frequently granted the same permissions as internal staff including privileged access.
Why do external users present significant security risks?
At Detexian we find that external accounts are a SaaS blind spot for most organizations we work with. As the business chooses, procures and operates SaaS, the management of external users in these SaaS solutions is often non-existent. These accounts present significant risks:
They have access to the organizations’ business critical and customer sensitive data;
The access will not be removed when there is no longer a business need for it;
External or guest accounts are often not secured well. Users reuse passwords and frequently are not in scope for controls such as MFA;
Access to the SaaS is available from everywhere, accounts can be logged onto from anywhere on the internet and not just the corporate office;
The external party may not have sufficient (or any) contractual liabilities to the organization, in event of breach there may be zero recourse even if negligence can be proved.
When access is provided to a SaaS with traditional username / password, it often persists longer than intended. For example, if a staff member leaves, their email access will be cut off by IT but the SaaS access does not require the leaving staff member to have access to the email, just to remember the username and password.
The above risks make the organization vulnerable to multiple threat vectors including account takeover via credential spray or stuffing attacks, data download and storage on endpoints and ultimately data breach and exfiltration.
The risks above are significantly increased when the external user accounts are shared, given privileged access or frequently both. For more details on the risks of shared privileged access please see our previous blog.
What can we do about it?
There are many use cases where an external party needs access to an organization’s data and SaaS solutions. In order to reduce the risk of data breach due to external users, the organization must do the following:
Get visibility of external users in all SaaS solutions with access to business critical and customer sensitive data;
Evaluate the privileges of all external users, reduce or remove any access not required to SaaS;
Evaluate if each external user account is still required based on business need and last use. Remove if not required anymore;
Implement an external users process in each SaaS.
An example of a good external user access process that most organizations should look to implement is as follows.
External access is provisioned:
After being documented and approved;
For a fixed time period;
To named individuals;
Where the third-party organization has contractual controls specifying liability in event of security event or weakness;
Be reviewed regularly and removed if no longer needed.
Find out how you can detect external users, gain visibility of privileged accounts in minutes and keep track of changes at all times. Inquire now for a free trial.