The Valence 2023 State of SaaS Security Report tells a story that many in IT security feared: cloud security really isn't getting any better. In fact, security challenges related to cloud deployment and use continue to grow, and they are growing at the rate of cloud expansion itself. Much of what the Valence report finds is even more troubling than it might first appear, because so many of the security challenges it describes are already well known.
For example, according to Valence Security, while Software as a Service (SaaS), meaning cloud-based applications, is presented as more secure than the applications of the past, the business practices adopted alongside SaaS have had the opposite effect. To speed up access, SaaS apps have turned to authentication tokens, which allow users to bypass user names, passwords and second-factor authentication. According to commentary by Valence on the report, this "grants easy access for users, tokens are trivial to steal. The upshot is a stolen token lets an attacker log in without needing to follow the authentication policies."
The commentary says that attackers have increasingly turned to stolen credentials as an entry point into SaaS applications. This is made easier because of the number of accounts that are dormant on many networks and the amount of what Valence calls “uncontrolled file sharing.”
According to Valence, “30% of the time, files are shared with personal accounts, completely sidestepping corporate controls. On average, there are 54 shared resources (e.g., files, folders, SharePoint sites) per employee, and 193,000 shared resources per company. Most are idle and unused. The impact is the business loses control of its data and access to data is no longer limited to just employees.”
The commentary from Valence goes on to quantify the risks. "In addition, SaaS apps are a virtual treasure trove of opportunities for hackers. Some of the other shocking findings of the Valence report are:
· Over half (51%) of an organization’s SaaS third-party integrations are inactive
· 90% of shared assets (files, folders, anyone-with-the-link permissions) remain unused for 90+ days
· 1 in 8 employee accounts are dormant (1 in 3 in some companies)
· 53% of CISOs don't have a process to ensure proper correlation between third-party risk management and integrations.”
"Even accepting there is a productivity benefit from simplifying SaaS access, there is nothing to be gained from leaving abandoned SaaS integrations and idle data sharing at risk," the Valence commentary concludes.
Fortunately, the Valence report also looked at solutions to the deficiencies it found. The commentary from Valence listed the most important:
· Avoid SaaS misconfigurations by investigating how to leverage native security controls embedded into each SaaS application and configuring them according to industry best practices based on standards from NIST, CIS, and CSA.
· Extend threat detection to ensure maximum coverage and analysis of SaaS applications events, activities and admin logs, to detect anomalous and malicious activities.
· For identities and permissions, closely manage accounts with high privilege and admin access and apply least privilege principles to ensure each user has the minimum required permissions.
· Ensure SaaS account deactivation is included in identity lifecycle processes, and investigate idle accounts and deactivate them if the employee has left the organization.
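The last three recommendations (look at SaaS activity logs, apply least privilege, and fold account deactivation into the identity lifecycle) come down to a periodic hygiene audit over the tenant's own inventory. The following is an added example of what that audit looks like in code; it is not code from the Valence report or from any SaaS vendor. The account, share and integration records are constructed sample data, the 90-day idle threshold is borrowed from the report's "90+ days" figure, and the list of "personal" mail domains and the fixed clock are assumptions made so the example runs offline and reproducibly.

```python
"""Flag dormant accounts, idle or over-shared files, and unused third-party
integrations from a SaaS inventory export. Constructed example data."""
from datetime import datetime, timedelta, timezone

IDLE_DAYS = 90                                        # assumption: matches the report's 90+ day figure
PERSONAL_DOMAINS = {"gmail.com", "outlook.com", "yahoo.com"}  # assumption: treated as personal accounts
NOW = datetime(2023, 6, 1, tzinfo=timezone.utc)       # fixed clock so results are reproducible

# Constructed sample inventory, not data from the Valence report.
ACCOUNTS = [
    {"user": "alice@corp.example", "last_login": "2023-05-30T09:12:00Z", "employed": True,  "admin": True},
    {"user": "bob@corp.example",   "last_login": "2023-01-15T08:00:00Z", "employed": True,  "admin": False},
    {"user": "carol@corp.example", "last_login": "2022-11-02T10:30:00Z", "employed": False, "admin": True},
    {"user": "dave@corp.example",  "last_login": None,                   "employed": True,  "admin": False},
]
SHARES = [
    {"id": "doc-1", "owner": "alice@corp.example", "shared_with": "partner@vendor.example",
     "link": "restricted", "last_access": "2023-05-20T11:00:00Z"},
    {"id": "doc-2", "owner": "bob@corp.example", "shared_with": "bob.home@gmail.com",
     "link": "restricted", "last_access": "2023-05-28T14:00:00Z"},
    {"id": "doc-3", "owner": "carol@corp.example", "shared_with": None,
     "link": "anyone", "last_access": "2022-12-01T09:00:00Z"},
]
INTEGRATIONS = [
    {"app": "ci-bot",       "scopes": ["repo:read"],                 "last_used": "2023-05-31T00:00:00Z"},
    {"app": "old-crm-sync", "scopes": ["files:write", "users:read"], "last_used": "2023-01-01T00:00:00Z"},
]


def parse_ts(value):
    """Parse an ISO-8601 'Z' timestamp; None means 'never seen'."""
    if value is None:
        return None
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def is_idle(ts, now=NOW, limit=IDLE_DAYS):
    """True when the last activity is missing or older than the idle threshold."""
    return ts is None or now - ts > timedelta(days=limit)


def audit_accounts(accounts, now=NOW):
    """Dormant accounts, with a stronger action for departed users and admins."""
    findings = []
    for a in accounts:
        if not is_idle(parse_ts(a["last_login"]), now):
            continue
        if not a["employed"]:
            action = "deactivate: user has left the organization"
        elif a["admin"]:
            action = "review: dormant admin, strip privileges"
        else:
            action = "review: dormant account"
        findings.append((a["user"], action))
    return findings


def audit_shares(shares, now=NOW):
    """Shares to personal accounts, anyone-with-the-link shares, and idle shares."""
    findings = []
    for s in shares:
        reasons = []
        target = s["shared_with"] or ""
        if target.rsplit("@", 1)[-1].lower() in PERSONAL_DOMAINS:
            reasons.append("shared with personal account")
        if s["link"] == "anyone":
            reasons.append("anyone-with-the-link")
        if is_idle(parse_ts(s["last_access"]), now):
            reasons.append(f"unused for {IDLE_DAYS}+ days")
        if reasons:
            findings.append((s["id"], reasons))
    return findings


def audit_integrations(integrations, now=NOW):
    """Third-party integrations whose token has not been used within the threshold."""
    return [(i["app"], i["scopes"]) for i in integrations
            if is_idle(parse_ts(i["last_used"]), now)]


def run_audit(now=NOW):
    """Run all three checks and return the findings keyed by category."""
    return {
        "accounts": audit_accounts(ACCOUNTS, now),
        "shares": audit_shares(SHARES, now),
        "integrations": audit_integrations(INTEGRATIONS, now),
    }


if __name__ == "__main__":
    for section, items in run_audit().items():
        print(section)
        for item in items:
            print("  ", item)
```

Against the constructed data this flags three of the four accounts (one of them a departed admin whose account should simply be deactivated), the file shared to a personal mailbox, the anyone-with-the-link document nobody has opened in months, and the integration whose write-scoped token has sat unused. In a real tenant the records would come from the application's admin or audit-log API and the findings would feed a ticket or an automated remediation step rather than a print loop.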
If the list of recommendations seems familiar, there's a reason for that. They are essentially the same recommendations that have been made for security for years. They keep showing up because so few organizations are taking the steps necessary to actually secure their data.
The Valence report says that CISOs are unhappy with their SaaS solutions because of this, but in reality the problem isn't with SaaS itself; it is with how security is implemented on many SaaS platforms. The report makes two recommendations for dealing with these security challenges:
· SaaS security will need to evolve beyond visibility to include automated remediation.
· SaaS security will need to be addressed as a collaborative effort.
And there's a warning for those who might not see any urgency: generative AI will produce an enterprise SaaS adoption boom, and that boom has already started.