Cross-SaaS contamination: How to prevent unauthorized access to your organization
Over the past five years, SaaS usage in organizations worldwide has grown sharply. Whereas an average of 16 SaaS applications per organization was estimated in 2017, research puts that average at 110 SaaS applications in 2021.
While this number varies with factors such as industry, size of operations and headcount, it is clear that SaaS security is a fast-growing concern for any modern business.
However, despite the near-universal increase in dependence on SaaS applications, the average business's implementation of appropriate security controls is alarmingly behind the curve.
Many organizations have found themselves playing catch-up, and given the sharp increase in SaaS usage since the pandemic (and the subsequent shift to remote working), SaaS applications have arguably introduced some of the most prevalent security gaps of the new decade.
Two of the biggest issues pertaining to modern SaaS-to-SaaS security are:
How SaaS applications communicate and interact with one another
The way that employees engage with SaaS applications within their organization
To break these issues down, let's look at Slack and Microsoft Teams, two of the most commonly used workplace communication apps. Both are known for their extensive third-party integration support: they can be connected to services such as GitHub, Google Docs and a long list of other third-party tools.
And while Slack and Microsoft Teams are both mature platforms that encrypt data in transit and at rest, every integration they allow imports the security posture of the vendor behind it, so the workspace inherits risk from SaaS companies of widely varying security standards.
According to Slack's Help Center, "an app's permission scopes depend on the kind of things it's supposed to do". Among other permissions, this often includes the ability for third-party apps to both read and post in Slack channels. Once granted, those scopes let the third-party SaaS vendor access private information such as email addresses, calendar and meeting invites, messages and transmitted files, which is why the scopes an app requests should be reviewed before it is approved, not after.
One of the best-known cases of this becoming a problem is the exposure of Slack credentials on GitHub. Slack's API enables automated exchange of commands, content and data with GitHub, a powerful feature that development teams have used for years.
The problem with this particular SaaS-to-SaaS interaction is that developers often hard-code Slack bot or user tokens and incoming-webhook URLs in the source and configuration files they push to GitHub. When those repositories are public, or later become public, anyone who finds the token gets the same API access to the company's Slack workspace, and to the channels and data within it, that the integration had.
For an attacker, SaaS oversights such as these are a treasure trove of information and an enticing entry point for subsequent data breaches.
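As an added example (not code from the original post, from Slack or from GitHub), here is a small Python scanner that catches the kind of leak described above before a commit leaves the developer's machine. It matches the documented Slack token prefixes (xoxb-, xoxp-, xoxa-, xoxr-, xoxs-, xapp-) and incoming-webhook URLs, scans only the added lines of a unified diff so it can run on `git diff --cached` in a pre-commit hook, and reports redacted values so the report itself does not leak the secret. The sample config file and the token values in it are constructed placeholders, not real credentials.

```python
"""Scan files or staged diffs for Slack credentials before they reach a repository."""
import re
import sys
from dataclasses import dataclass
from typing import List

# Slack token prefixes: xoxb (bot), xoxp (user), xoxa (legacy workspace app),
# xoxr (refresh), xoxs (session) and xapp (app-level). Incoming-webhook URLs are
# credentials too: anyone holding one can post into the target channel.
PATTERNS = {
    "slack_token": re.compile(r"\b(?:xox[abprs]-[0-9A-Za-z-]{10,}|xapp-[0-9A-Za-z-]{10,})"),
    "slack_webhook": re.compile(
        r"https://hooks\.slack\.com/services/T[0-9A-Z]+/B[0-9A-Z]+/[0-9A-Za-z]+"
    ),
}


@dataclass
class Finding:
    path: str
    line_no: int
    kind: str
    redacted: str  # prefix + "..." + suffix, so the report never contains the full secret


def redact(secret: str) -> str:
    """Keep just enough of the value to identify which credential to rotate."""
    return secret[:8] + "..." + secret[-4:]


def scan_text(text: str, path: str = "<stdin>") -> List[Finding]:
    """Return every Slack credential found in `text`, with 1-based line numbers."""
    findings: List[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS.items():
            for match in pattern.finditer(line):
                findings.append(Finding(path, line_no, kind, redact(match.group(0))))
    return findings


def scan_diff(diff: str, path: str = "<diff>") -> List[Finding]:
    """Scan only the added ('+') lines of a unified diff, e.g. `git diff --cached`.

    Line numbers in the result count added lines only; the point is to block the
    commit, and `git diff` itself shows where the line sits in the file.
    """
    added = [
        line[1:]
        for line in diff.splitlines()
        if line.startswith("+") and not line.startswith("+++")
    ]
    return scan_text("\n".join(added), path)


# Constructed sample: what a careless commit of a Slack integration often looks like.
# The token and webhook values are placeholders, not real credentials.
SAMPLE_CONFIG = """\
import os
SLACK_BOT_TOKEN = "xoxb-1234567890-1234567890123-AbCdEfGhIjKlMnOpQrStUvWx"   # hard-coded: leaks
ALERT_HOOK = "https://hooks.slack.com/services/T0000000000/B0000000000/XXXXXXXXXXXXXXXXXXXXXXXX"
SIGNING_SECRET = os.environ["SLACK_SIGNING_SECRET"]   # read from the environment: fine
"""


if __name__ == "__main__":
    # Usage as a pre-commit hook: `git diff --cached | python slack_scan.py -`
    # Usage on files:             `python slack_scan.py config.py deploy.yml`
    if len(sys.argv) > 1 and sys.argv[1] == "-":
        results = scan_diff(sys.stdin.read())
    elif len(sys.argv) > 1:
        results = []
        for name in sys.argv[1:]:
            with open(name, encoding="utf-8", errors="replace") as fh:
                results.extend(scan_text(fh.read(), name))
    else:
        results = scan_text(SAMPLE_CONFIG, "config.py")
    for f in results:
        print(f"{f.path}:{f.line_no}: {f.kind} {f.redacted}")
    sys.exit(1 if results else 0)
```

A non-zero exit blocks the commit when the script is wired into a pre-commit hook. GitHub's own secret scanning also flags Slack tokens in public repositories, but by then the token has already been pushed and should be treated as compromised and rotated; a local check stops it before it ever leaves the workstation.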
Naturally, SaaS-to-SaaS security issues don't start and end with Slack or Microsoft Teams. They apply to all kinds of integrable SaaS applications, including HubSpot, OneDrive and Google Calendar, all of which can be extended through a large ecosystem of independent third-party apps.
Furthermore, a recent insight from Microsoft reveals that 80% of employees use non-sanctioned apps: apps that have not yet been reviewed by IT and consequently may not comply with the organization's security and compliance policies.
These undetected apps fall under the heading of 'Shadow IT': information technology systems, devices, software and applications that the IT department has not explicitly approved. Because nobody has reviewed them, they have an increased chance of bypassing your organization's security measures, and they account for an enormous amount of unmitigated risk in the average business.
When you combine the known and the unknown SaaS-to-SaaS interactions occurring within an IT environment, the risk of a security compromise or data leak is enormous.
Seems like a lot, right? Thankfully, there are some tried-and-true measures any organization can take to mitigate these accumulating SaaS risks. By first gaining an awareness of the applications used within your IT and SaaS environments, you can then identify and roll out appropriate security measures to harden your SaaS apps and ultimately reduce SaaS risk.
The basic lifecycle of SaaS risk reduction can be broken down into three steps, as follows:
Identify: This involves locating the SaaS apps being used throughout your organization and cataloging them in a central location. Given the nature of Shadow IT, we recommend utilizing a SaaS Discovery tool to identify all applications in a given SaaS environment.
Harden: Once you have an overview of the applications in use, you can begin to harden them via a range of security controls. At a minimum, these typically involve restricting the permissions and scopes granted to each app, enforcing password policies and multi-factor authentication on each app (ideally through single sign-on), and ensuring that all apps, and any integrations or connectors you run yourself, are kept up to date.
Ongoing Review: Once you have identified your SaaS apps and hardened your SaaS environment, the next step is to continuously monitor app usage in your organization: which new apps are being granted access, whose accounts they are tied to, and whether the permissions they hold have widened since they were approved.
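The following is an added example of the Identify / Harden / Ongoing Review loop in code; it is not Detexian's tooling or code from the original post. It assumes grant records shaped like Microsoft Graph's oauth2PermissionGrants objects (clientId, consentType, principalId, scope), which is what "apps staff use with their corporate email accounts" looks like in a Microsoft 365 tenant; the two snapshots, the service-principal names and the user ids are constructed for the example. Identify builds an inventory per app, Harden flags the scopes that deserve scrutiny, and Ongoing Review diffs two snapshots to surface new apps and widened permissions.

```python
"""Inventory, risk-rate and diff third-party OAuth grants (Identify / Harden / Review).

Input records are assumed to follow the Microsoft Graph oauth2PermissionGrants shape:
clientId (service principal of the app), consentType ("AllPrincipals" for tenant-wide
admin consent, "Principal" for a single user's consent), principalId and a
space-separated `scope` string. All data below is constructed for the example.
"""
from typing import Dict, List, Set, Tuple

# Delegated scopes that give an app the kind of access the article warns about:
# mailboxes, files, calendars, contacts and the directory itself.
HIGH_RISK: Set[str] = {
    "Mail.Read", "Mail.ReadWrite", "Files.Read.All", "Files.ReadWrite.All",
    "Calendars.ReadWrite", "Contacts.Read", "Directory.Read.All", "User.Read.All",
}
# offline_access yields a refresh token: the app keeps access after the user signs out,
# which is what turns a one-off convenience into a standing foothold.
PERSISTENT: Set[str] = {"offline_access"}

Grant = Dict[str, object]
App = Dict[str, object]


def risk_of(scopes: Set[str]) -> Tuple[str, Set[str]]:
    """Harden step: rate a scope set and return the scopes that triggered the rating."""
    hits = scopes & HIGH_RISK
    persistent = scopes & PERSISTENT
    if hits:
        level = "high"
    elif persistent:
        level = "medium"
    else:
        level = "low"
    return level, hits | persistent


def inventory(grants: List[Grant], names: Dict[str, str]) -> Dict[str, App]:
    """Identify step: one entry per app, with the union of scopes it has been granted."""
    apps: Dict[str, App] = {}
    for g in grants:
        cid = str(g["clientId"])
        app = apps.setdefault(cid, {
            "app": names.get(cid, cid), "scopes": set(), "users": set(), "tenant_wide": False,
        })
        app["scopes"] |= set(str(g["scope"]).split())
        if g["consentType"] == "AllPrincipals":
            app["tenant_wide"] = True          # admin consented for every user in the tenant
        else:
            app["users"].add(str(g["principalId"]))
    for app in apps.values():
        app["risk"], app["flagged"] = risk_of(app["scopes"])
    return apps


def review_changes(before: Dict[str, App], after: Dict[str, App]) -> List[Tuple[str, str, List[str]]]:
    """Ongoing Review step: new apps, widened scopes and removed apps between two snapshots."""
    events: List[Tuple[str, str, List[str]]] = []
    for cid, app in after.items():
        if cid not in before:
            events.append(("new_app", str(app["app"]), sorted(app["scopes"])))
        else:
            widened = app["scopes"] - before[cid]["scopes"]
            if widened:
                events.append(("scope_widened", str(app["app"]), sorted(widened)))
    for cid, app in before.items():
        if cid not in after:
            events.append(("app_removed", str(app["app"]), []))
    return events


# Constructed snapshots. Service-principal ids, app names and user ids are invented.
SP_NAMES = {"sp-chat": "Team Chat", "sp-notes": "QuickNotes", "sp-pdf": "PDF Magic"}
YESTERDAY: List[Grant] = [
    {"clientId": "sp-chat", "consentType": "AllPrincipals", "principalId": None,
     "scope": "User.Read offline_access"},
    {"clientId": "sp-notes", "consentType": "Principal", "principalId": "u-alice",
     "scope": "User.Read"},
]
TODAY: List[Grant] = [
    YESTERDAY[0],
    {"clientId": "sp-notes", "consentType": "Principal", "principalId": "u-alice",
     "scope": "User.Read Files.ReadWrite.All offline_access"},   # scope widened overnight
    {"clientId": "sp-pdf", "consentType": "Principal", "principalId": "u-bob",
     "scope": "Mail.Read Files.Read.All offline_access"},        # brand-new, unreviewed app
]


if __name__ == "__main__":
    before, after = inventory(YESTERDAY, SP_NAMES), inventory(TODAY, SP_NAMES)
    for app in after.values():
        print(f"{app['app']:<10} risk={app['risk']:<6} tenant_wide={app['tenant_wide']} "
              f"users={len(app['users'])} flagged={sorted(app['flagged'])}")
    for kind, name, scopes in review_changes(before, after):
        print(f"{kind}: {name} {scopes}")
```

In a real tenant the snapshots would come from the Graph oauth2PermissionGrants endpoint (or the equivalent token listing in Google Workspace) on a schedule, and the events from review_changes are what should open a ticket: a new app holding Mail.Read plus offline_access, or an existing app whose scopes widened after it was approved, is exactly the case the Ongoing Review step exists to catch.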
How Detexian helps
Detexian reduces these risks by discovering:
Unauthorized apps staff use with their corporate email accounts
If those apps have access to your business and customer data
When new apps are granted and permissions change
Many apps are granted excessive permissions, such as read/write access to files, emails and calendars. If they go unnoticed, these apps are ticking time bombs for data breaches.
Find out how to discover unknown, untrusted apps with access to your data in 2 minutes: try Detexian Discovery for FREE.