NOTE: This is the fourth entry in my blog series based on the 2023 State of SaaS Security Report. The first introduced the report. The second focused on SaaS breaches. The third focused on data security. This post delves into the security challenges related to SaaS identities.
There’s a lot of focus in cybersecurity on vulnerabilities, exploits, and assets. We focus on the data that was stolen, the device that was hacked, or the malware deployed. At the center of all these incidents, however, are identities.
The identities linked to employees and machines are a critical factor in nearly all breaches and serious security incidents. In fact, identities are one of the simplest and most popular ways for an attacker to gain access. Credential theft is quite popular, and there are a variety of ways an attacker could get access to accounts and their associated passwords or secrets.
Identity Challenges
Protecting identities has always been a challenge. Every time new protections are introduced and implemented, attackers seem to find a way around them.
Multi-factor authentication (MFA) initially seemed like a silver bullet for solving authentication woes, but there are now a variety of techniques for defeating them. Another option is to simply go around additional authentication factors by stealing auth tokens. Once an attacker steals an auth token, they can simply log in as that user - no additional factors required!
The second installment in this series, More SaaS Adoption → More SaaS Breaches, provides some examples of MFA bypasses and token theft.
Enforcing login through corporate SSO, SAML, or IdP such as Okta, Ping Identity, Microsoft Entra ID (fka Azure AD), OneLogin, and others, is also typically not enough. Many organizations assume they enforce corporate SSO across all identities and accounts in the organization, but there are nearly always exceptions. Edge cases such as shared accounts, service accounts, and external contractors break the holistic protection that a centrally governed login mechanism might promise.
Other identity challenges are related to the distributed nature of SaaS applications and platforms. If an employee leaves the organization, or is being investigated, it’s impractical to log into every SaaS application to understand the breadth of their access, and to properly offboard or disable their access.
Correlating Identities Across Platforms & Apps
The obvious solution is what the Valence Platform does today: build a profile for each identity - regardless of whether that identity is an employee, a machine, or an automated process. Context is key to understanding an environment. Regardless of whether an incident responder or someone in procurement is trying to understand a situation, the context surrounding the identity will help.
Identity and the context surrounding it can provide a lot of insight into employee activity, and is also at the center of many important questions. For example:
- Who shared this file and why?
- What do these 23 accounts with MFA disabled have in common?
- Why do we have 47 global M365 admins, and do we really need that many?
- What portion of these email forwarding rules belong to contractors, versus full-time employees?
- Who gave administrative rights to these third-party integrations?
- Why do some employees have dozens of external data shares, while a few have thousands?
- Why are some GitHub users not tied to the corporate SSO?
- Why is this exec’s account still active, 3 months after they left?
- And has there been any activity since their final day as an employee?
The answers are stories that can’t be told without linking to an identity. Without normalizing and correlating identity information across disparate SaaS platforms and applications, answering these questions is a manual mess. Not only would it be time consuming to correlate this information manually, it would require contacting the SaaS administrators of each app and platform in question - potentially dozens of different individuals.
Report Findings
This year’s report made a few things clear. For example, employee and account lifecycle management is tricky and often poorly managed - particularly when employees leave the organization. On average, 10% of all of an organization’s external data sharing and SaaS integrations remain tied to ex-employees long after they’ve left.
100% of organizations have dormant accounts that haven’t been deactivated. In one case, 1 in 3 accounts within an organization were dormant.
None of the organizations we analyzed had MFA enabled across all active employee accounts. There are always exceptions, which raises other questions and challenges. Are there cases where it’s acceptable and necessary for an employee account to have MFA disabled? Are contractor accounts handled differently from employee accounts, especially where MFA and other authentication protections are concerned?
Finally, it was clear that no two organizations were the same. Each had unique challenges and exceptions that required compromises when it came to managing identities. All the more reason to closely monitor and automate policy management across SaaS platforms!
Check out the 2023 State of SaaS Security Report
These are just a few highlights from this year’s State of SaaS Security report from Valence Threat Labs! This blog series will continue to explore and share interesting insights from the report, but why wait? Check out the full report for more details and real-world examples of SaaS breaches now!
.jpg)
