June 22, 2023
Macro trends such as the shift to cloud services, a growing remote (or hybrid) workforce, and heavy reliance on third-party partners and contractors mean organizations are working with more software-as-a-service (SaaS) applications than ever. It also means that attackers are taking advantage of the ubiquity of SaaS as they target insecure default configurations and weakly secured identities.
Over the past year, attackers have attempted to intercept OAuth tokens, bypass multifactor authentication schemes, and exploit misconfigured systems and applications to gain unauthorized access to business-critical applications, such as GitHub, Microsoft 365, Google Workspace, Slack, and Okta — to name a few.
In the new "2023 State of SaaS Security" report, researchers from Valence Threat Labs identified various ways SaaS usage exposes organizations to attack. The report findings are based on organizations that have deployed Valence Security’s SaaS security platform.
The upshot? Organizations have to do a better job of tracking abandoned applications, files, and user accounts.
- Over half — 51% — of an organization's SaaS third-party integrations are inactive.
- Most — 90% — of an average organization's shared assets (files and folders shared with external collaborators) have not been accessed for at least 90 days.
- On average, 1 in 8 employee accounts are dormant (with the user no longer with the company, for example).
- On average, 10% of an organization's shared integrations and data belong to ex-employees.
More SaaS = More Risk
SaaS has also evolved to be an ecosystem of interconnected applications sharing data and identities; they are no longer standalone single-function applications. But all of that integration is a problem because applications have too many privileges, and data sharing is out of control.
- 100% of organizations grant full read/write access to email, files, and calendar to at least one third-party tool or service.
- There are 21 integrations per organization with tenant-wide access to company and employee data.
- Files are shared with personal accounts 30% of the time.
- There are 54 shared resources (files, folders, SharePoint sites) per employee, and 193,000 shared resources per company, on average. Most are sitting idle.
SaaS has its benefits, but abandoned SaaS integrations and idle data sharing introduce risk to the enterprise. Organizations should regularly remove unused integrations and revoke stale shares to reduce the attack surface. Data shares should be automatically revoked after a set period (such as 30 days), and user accounts should be deactivated when their owners leave the company. Life cycle management is critical, the report states, so that a departing employee's account is deactivated without disrupting the business processes that depended on it.
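The hygiene checks the report recommends (dormant accounts, integrations idle for 90 days or owned by leavers, external shares past a 30-day idle limit) can be turned into a simple audit over a tenant inventory. The following is an added example, not code from the report or from Valence Security; the inventory records, the field names, and the dates are constructed, and a real deployment would populate them from the SaaS provider's admin or audit APIs.

```python
from datetime import date, timedelta

# Constructed sample inventory (not exported from any real tenant). Each record
# carries the last-activity date the audit needs.
AS_OF = date(2023, 6, 22)
ACCOUNTS = [
    {"user": "alice", "employed": True, "last_login": date(2023, 6, 21)},
    {"user": "bob", "employed": False, "last_login": date(2023, 3, 1)},
    {"user": "carol", "employed": True, "last_login": date(2023, 2, 14)},
]
INTEGRATIONS = [
    {"app": "ci-bot", "owner": "alice", "last_used": date(2023, 6, 20)},
    {"app": "legacy-crm-sync", "owner": "bob", "last_used": date(2023, 1, 5)},
]
SHARES = [
    {"path": "/Finance/Q1", "owner": "alice", "with": "partner@vendor.example",
     "last_accessed": date(2023, 6, 1)},
    {"path": "/HR/offboarding", "owner": "bob", "with": "me@gmail.example",
     "last_accessed": date(2023, 2, 10)},
]

def is_stale(last_activity, today, days):
    """True when the last recorded activity is at least `days` old."""
    return today - last_activity >= timedelta(days=days)

def ex_employees(accounts):
    """Users whose HR status says they have left the company."""
    return {a["user"] for a in accounts if not a["employed"]}

def find_dormant_accounts(accounts, today, idle_days=90):
    """Leavers' accounts, plus current employees with no login for `idle_days`."""
    return [a["user"] for a in accounts
            if not a["employed"] or is_stale(a["last_login"], today, idle_days)]

def find_inactive_integrations(integrations, accounts, today, idle_days=90):
    """Third-party integrations unused for `idle_days` or owned by a leaver."""
    gone = ex_employees(accounts)
    return [i["app"] for i in integrations
            if i["owner"] in gone or is_stale(i["last_used"], today, idle_days)]

def find_shares_to_revoke(shares, accounts, today, ttl_days=30):
    """External shares idle for `ttl_days` or owned by a leaver."""
    gone = ex_employees(accounts)
    return [s["path"] for s in shares
            if s["owner"] in gone or is_stale(s["last_accessed"], today, ttl_days)]

if __name__ == "__main__":
    print("dormant accounts:", find_dormant_accounts(ACCOUNTS, AS_OF))
    print("inactive integrations:", find_inactive_integrations(INTEGRATIONS, ACCOUNTS, AS_OF))
    print("shares to revoke:", find_shares_to_revoke(SHARES, ACCOUNTS, AS_OF))
```

The output lists are the revocation and deactivation queue; running the audit on a schedule against fresh exports is what makes the 30-day share limit and the leaver clean-up automatic rather than manual.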