The Digital Office Moved to SaaS

Adrian Sanabria
June 13, 2023

Two trends have reinvented the enterprise’s relationship with software: SaaS and public cloud.

The management of custom, in-house software and workloads has been vastly simplified by migrations to one or more of the public cloud providers - offerings like AWS, Azure, Oracle Cloud, and Google Cloud. The once hyper-specialized field of IT (storage admins, network admins, database admins, sysadmins) is steadily giving way to generalists (cloud and devops engineers).

For everything else, there’s SaaS.

The modern office moves at the speed of business, which no longer slows to wait for IT or security approvals. Commercial off-the-shelf software is mostly SaaS these days, and requires little technical know-how to get up and running. All it takes is an employee credit card, some minor setup, and anyone can become a SaaS admin. This is the story of how the office moved to SaaS and what security and IT folks need to do to catch up.

Who Moved Our Cheese?

In the famous Invisible Gorilla experiment and later book of the same name, Christopher Chabris and Daniel Simons set out to demonstrate how easy it is for people to miss unexpected changes. There’s often a difference between what we think we know, and reality. Sometimes things happen that we don’t expect and we explain them away as anomalies. Sometimes changes occur so slowly that one day we wake up and wonder, “when did all this happen?”

The SaaS revolution was very much like this. The first few SaaS apps to hit the market were met with skepticism. We didn’t know where our data was being stored. We didn’t like the feeling that we couldn’t see and touch the servers we were using. Trust had to be earned.

Before long, SaaS became so common, it became difficult to keep track of. The level of scrutiny declined with each new SaaS app onboarded until trust became the default. More recently, SaaS apps have grown into massive, multifaceted platforms, and are often onboarded by folks entirely outside the IT department. What were once simplified versions of on-premises software became increasingly complex due to demands for more features, role-based access control, integrations, and to increase the level of customization available to customers.

At some point, we realized that the most critical functions of the modern office have all moved to SaaS. Email, calendars, files, payroll, CRM, ERP, source code repositories, and many more critical functions are all delivered by SaaS for the vast majority of organizations today. Folks who hadn’t had their “when did this happen” moment by 2020 know exactly when this process was completed for their organization: the COVID-19 pandemic.

The pandemic caused a permanent shift in attitudes toward working remotely, empowering employees. The employee has more control than ever - over how to equip their home office and what tools to use - both physically and digitally. This new reality creates some challenges for IT and security teams that we’ll discuss later.

What Changed For The Better?

Speed and time-to-value: with the move to SaaS, it no longer takes weeks to plan and design a software rollout. We don’t have to order hardware, install and configure software. We don’t have to plan code freezes or outage periods for patching. We don’t have to buy more hardware to upgrade a few years down the line. The efficiency and simplicity of using SaaS have made the decision to switch an easy one.

SaaS has also made some new use cases possible. In the old days, building an integration between two products often required a team of contractors to write code and build a custom solution to synchronize data between two systems. These days, most SaaS applications have openly available APIs and pre-built integrations for the most common SaaS platforms. A few clicks to share API keys or consent to a third-party app in a SaaS marketplace, and a SaaS-to-SaaS connection is made. Low/No Code platforms like Microsoft Power Platform, Zapier and Workato make it possible to automate workflows between SaaS applications without a user needing to be present.

Auditing access control across the millions of files organizations produce was once an impossible task. File servers would be brought to their knees trying to log every file interaction. Cloud-based file storage solutions like Dropbox, Google Drive, Box, and OneDrive log this information seamlessly, and it is all available via an API.

Additionally, it’s possible to share a file with anyone, anywhere - something that was previously a massive challenge. Email servers might limit attachment sizes to 5 megabytes or less, leading to disorganized file shares with wide open access controls. Sharing a file with someone outside the organization was even more difficult, often leading to someone hastily setting up an FTP server and fast-tracking firewall changes. Now, we simply right-click, copy a link, and paste it into an email or chat message.

Creating an account is no longer an onerous process that requires creating yet another password (or simply reusing one). SaaS applications make it easy to sign in with Google, Microsoft, Facebook, GitHub, Apple, and many other common SaaS platforms. Creating an account often takes just a single click.

However, SaaS should be easier to audit, configure and control, so where’s the problem?

What Didn’t Change?

The business’s brand of urgency that leaves security concerns behind didn’t change. Why would it? SaaS was more convenient than ever. Enterprise killer apps now exist on smartphones. Files, email - all corporate data is automatically synchronized between phone, tablet, and laptop computers. There always seems to be enough time to get new software working, but not enough to lock it down and apply least privilege. Existing bad security habits worsened and new bad security habits emerged.

Dubious Data Sharing

Understanding what data we have, the significance of it, and where it lives is more challenging than ever. Instead of all data being dumped into a handful of databases and file servers, it could now be nearly anywhere. Data needs to be accessible and portable, but these attributes that make it useful make it easy to misplace or lose.

Valence has found that the average business has 54 externally shared resources (e.g. files, folders) per employee and 193,000 per company. Sharing these resources keeps businesses running. One problem is that they don’t get unshared when no longer needed, creating a massive, growing attack surface that largely goes unseen. Another is that there’s rarely a process to determine if someone is authorized to access a file.

A very popular sharing option is the kind where “anyone with the link” can access it. These links can be shared with impunity - a list of customers shared with a sales partner can easily be forwarded to a competitor. Privileges need to be continuously reevaluated based on changing business needs and employee roles.
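The two problems just described, shares that never get unshared and “anyone with the link” access, are both visible in the sharing metadata that cloud file stores expose through their APIs. The following is an added example, not code from the original post or from Valence: it runs a stale-and-external share review over a small constructed set of sharing records. The record fields, the `corp.example` internal domain, the 90-day staleness threshold, and the review date are all assumptions made for the example.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

# Constructed sample records in the shape a cloud file store's sharing API
# typically reports (owner, path, link type, named recipient, timestamps).
# Every value here is made up for the example.
SAMPLE_SHARES = [
    {"owner": "dana@corp.example", "path": "/Sales/customer-list.xlsx",
     "link": "anyone_with_link", "shared_with": None,
     "created": "2022-11-02", "last_accessed": "2023-01-15"},
    {"owner": "dana@corp.example", "path": "/Finance/Q1-forecast.pptx",
     "link": "specific_people", "shared_with": "alice@partner.example",
     "created": "2023-05-20", "last_accessed": "2023-06-10"},
    {"owner": "sam@corp.example", "path": "/HR/onboarding.docx",
     "link": "specific_people", "shared_with": "bob@corp.example",
     "created": "2023-03-01", "last_accessed": "2023-06-01"},
    {"owner": "sam@corp.example", "path": "/Eng/design.pdf",
     "link": "specific_people", "shared_with": "eve@oldvendor.example",
     "created": "2021-08-09", "last_accessed": "2022-02-01"},
]

# Fixed review date so the results are reproducible (assumed, not "today").
AS_OF = date(2023, 6, 13)


@dataclass
class Finding:
    owner: str
    path: str
    reasons: list = field(default_factory=list)


def is_external(share, internal_domain):
    """A share is external if anyone with the link can open it, or if the
    named recipient's mail domain is not the organization's own."""
    if share["link"] == "anyone_with_link":
        return True
    recipient = share.get("shared_with") or ""
    if "@" not in recipient:
        return False
    return recipient.rsplit("@", 1)[1].lower() != internal_domain.lower()


def audit_shares(shares, as_of=AS_OF, internal_domain="corp.example",
                 stale_after=timedelta(days=90)):
    """Return one Finding per share that is reachable from outside the
    organization and/or has not been opened within `stale_after` of
    `as_of`. Internal shares that are still in use produce nothing."""
    findings = []
    for share in shares:
        reasons = []
        if share["link"] == "anyone_with_link":
            reasons.append("anyone_with_link")
        if is_external(share, internal_domain):
            reasons.append("external")
        last = date.fromisoformat(share["last_accessed"])
        if as_of - last > stale_after:
            reasons.append("stale")
        if reasons:
            findings.append(Finding(share["owner"], share["path"], reasons))
    return findings


def external_shares_per_owner(findings):
    """Count externally reachable shares by owner, the per-employee view
    that makes it clear who needs to be asked to unshare what."""
    counts = {}
    for f in findings:
        if "external" in f.reasons:
            counts[f.owner] = counts.get(f.owner, 0) + 1
    return counts


if __name__ == "__main__":
    for f in audit_shares(SAMPLE_SHARES):
        print(f"{f.owner:<20} {f.path:<28} {', '.join(f.reasons)}")
    print(external_shares_per_owner(audit_shares(SAMPLE_SHARES)))
```

The point of the `reasons` list is that a share with `anyone_with_link` and `stale` together is the cheapest win: nobody has opened it in months, so turning the link off is unlikely to break anything, and the owner can re-share to named people if it turns out to be needed.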

Inane Integrations

Precisely what makes SaaS so successful is what creates such a challenge for IT and security teams. The productivity benefits are massive, but with little to no oversight, security issues, cost concerns, and governance gaps quickly become problems.

As with external data sharing, integrations often remain even though they’re not being actively used. Unlike data shares, integrations can delegate breathtaking amounts of access to third parties.

On average, Valence has found that an organization will have 21 tenant-wide SaaS-to-SaaS integrations. That means 21 third parties have full access to act as an administrator: creating and deleting accounts; reading anyone’s files or emails; reading and editing any employee’s calendar.

That’s an average of 21. It’s hard to imagine why any organization would need to give that many third parties that level of access. The answer, more often than not, is that they don’t. As soon as they become aware of these integrations, most organizations remove most of this access. Some are proofs of concept that were never revoked after the POC was done. In other cases, the company migrated to a new vendor, and admins either forgot to revoke the old vendor, or were afraid of breaking something by doing so. Regardless of the scenario, a lack of visibility into SaaS use is clearly an issue.
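Tenant-wide integrations are consent grants, and an identity provider can export them with their scopes and last-use time, which is enough to rank the ones described above (abandoned POCs, old vendors never revoked) for revocation. The following is an added example and is not code from the original post or from Valence. The scope names follow the Microsoft Graph naming convention, but the grouping of which scopes count as administrator-equivalent, the sample grants, and the 90-day unused threshold are this example's own assumptions.

```python
from datetime import date, timedelta
from fnmatch import fnmatch

# Scope name patterns this example treats as administrator-equivalent when
# granted tenant-wide. The names follow Microsoft Graph's convention, but
# the grouping is an assumption made for this example, not a vendor list.
ADMIN_SCOPE_PATTERNS = ("*.All", "Mail.*", "Calendars.*", "Files.*",
                        "Directory.*", "RoleManagement.*", "Application.*")

# Constructed sample of OAuth grants as an identity provider might export
# them: app name, whether consent was tenant-wide (admin) or per-user, the
# scopes granted, and the last time a token was issued. All made up.
SAMPLE_GRANTS = [
    {"app": "Calendar Sync Pro", "consent": "tenant",
     "scopes": ["Calendars.ReadWrite", "User.Read.All"],
     "granted": "2021-04-01", "last_used": "2021-05-10"},
    {"app": "Expense Tool", "consent": "tenant",
     "scopes": ["User.Read", "offline_access"],
     "granted": "2023-02-14", "last_used": "2023-06-12"},
    {"app": "Old CRM Connector", "consent": "tenant",
     "scopes": ["Mail.ReadWrite", "Files.ReadWrite.All", "Directory.ReadWrite.All"],
     "granted": "2020-09-30", "last_used": "2022-01-20"},
    {"app": "Personal Notes", "consent": "user",
     "scopes": ["Files.ReadWrite.All"],
     "granted": "2023-06-01", "last_used": "2023-06-11"},
]

# Fixed review date so the results are reproducible (assumed, not "today").
AS_OF = date(2023, 6, 13)


def admin_scopes(scopes):
    """Subset of `scopes` that matches an administrator-equivalent pattern."""
    return [s for s in scopes if any(fnmatch(s, p) for p in ADMIN_SCOPE_PATTERNS)]


def audit_grants(grants, as_of=AS_OF, unused_after=timedelta(days=90)):
    """Return findings in descending severity.
    3: tenant-wide grant with admin scopes, not used recently (revoke candidate)
    2: tenant-wide grant with admin scopes, still in use (review the need)
    1: per-user grant of admin-level scopes (blast radius is one account)
    Grants with no admin-level scope are not reported."""
    findings = []
    for g in grants:
        risky = admin_scopes(g["scopes"])
        if not risky:
            continue
        unused = as_of - date.fromisoformat(g["last_used"]) > unused_after
        tenant_wide = g["consent"] == "tenant"
        if tenant_wide:
            severity = 3 if unused else 2
        else:
            severity = 1
        findings.append({"app": g["app"], "severity": severity,
                         "admin_scopes": risky, "unused": unused,
                         "tenant_wide": tenant_wide})
    findings.sort(key=lambda f: (-f["severity"], f["app"]))
    return findings


def count_tenant_wide_admin(grants):
    """How many third parties currently hold tenant-wide, admin-equivalent
    access: the number the text quotes as averaging 21."""
    return sum(1 for g in grants
               if g["consent"] == "tenant" and admin_scopes(g["scopes"]))


if __name__ == "__main__":
    print("tenant-wide admin integrations:", count_tenant_wide_admin(SAMPLE_GRANTS))
    for f in audit_grants(SAMPLE_GRANTS):
        print(f"sev {f['severity']} {f['app']:<18} unused={f['unused']} "
              f"scopes={','.join(f['admin_scopes'])}")
```

Severity 3 items are the safe place to start: a token that has not been issued in months means no running workflow depends on the grant, which answers the "afraid of breaking something" objection before the revocation conversation starts.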

Massive Misconfigurations

Like public cloud providers, SaaS has a shared responsibility model. There’s a common assumption that SaaS vendors would choose the most secure defaults possible for their customers, but that’s not the formula for selling more software. SaaS vendors that want to win over competitors remove friction and make adoption as easy as possible - which often requires security compromises. Instead of chasing vulnerabilities and CVEs, security teams have to worry about misconfigurations with SaaS applications.

The result is that most SaaS applications are optimized for a smooth, positive user experience - not for security or privacy. It took AWS years to update its UI/UX, making it more difficult to make costly access control errors with S3 buckets. Even the most baseline security configurations, like ensuring only employees can access an application, can be confusing and difficult to work out. In one example, Vermont’s CISO, Scott Carbee, expressed frustration with Salesforce Community sites, saying, “my team is frustrated by the permissive nature of the platform.” It seems many well-meaning features can present themselves to security teams as bugs.

So again, as with cloud providers, it makes sense to have a SaaS security tool that keeps track of everything from critical security gaffes to best practices and privacy requirements across multiple, disparate SaaS apps.

Unmanaged Identities

Identities have always been a challenge to manage, regardless of the era we’re talking about - even with SSO and/or an IdP. In large and even mid-sized companies, employees are constantly in flux - joining the company, leaving, changing departments, getting promotions, or getting shuffled around in a reorg. Human resources is often reluctant to remove accounts, for fear of losing critical data or breaking an important process. To that point, our data shows that 1 in 8 accounts is dormant on average.

Contractors also require access to data and systems, often for limited timespans. Some contractors may be closely and individually vetted, while others are only vetted as an organization, by a vendor management program. There are also non-human identities that need access to data and systems but can’t use multi-factor authentication. These non-human identities are often used by third-party software and SaaS using the popular OAuth standard.

Granting access to data and systems is often a stressful, urgent process. The CEO needs to give a demo to a client in 30 minutes. Without the right access, a contractor won’t be able to meet a deadline, delaying a product launch. Trying to grant exactly the right levels of access could result in a painful back-and-forth that wastes precious time, so more often than not, administrators grant more access than needed.

Managing all these identities and the access granted to them is a nearly impossible task without a tool to help with the analysis. Spotting mistakes and deficiencies is important, but it is equally important to be able to see contextual information across many systems.  
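The three identity problems in this section, dormant accounts, contractors whose engagement has ended, and non-human identities that cannot use MFA, can each be expressed as a check over a directory export that records last sign-in, MFA state, contract end date and role. The following is an added example, not code from the original post or from Valence; the record layout, the sample accounts, the 90-day dormancy threshold and the review date are assumptions made for the example.

```python
from datetime import date, timedelta

# Fixed review date so the results are reproducible (assumed, not "today").
AS_OF = date(2023, 6, 13)

# Constructed directory export: one row per identity with its kind, last
# sign-in, MFA state, contract end (contractors only) and whether it holds
# an admin role. None of these are real accounts.
SAMPLE_ACCOUNTS = [
    {"id": "ana@corp.example", "kind": "employee", "last_login": "2023-06-12",
     "mfa": True, "access_ends": None, "admin": True},
    {"id": "ben@corp.example", "kind": "employee", "last_login": "2023-06-09",
     "mfa": True, "access_ends": None, "admin": False},
    {"id": "cy@corp.example", "kind": "employee", "last_login": "2023-02-01",
     "mfa": True, "access_ends": None, "admin": False},       # no sign-in for months
    {"id": "dee@corp.example", "kind": "employee", "last_login": "2023-06-13",
     "mfa": False, "access_ends": None, "admin": True},       # admin, MFA never enrolled
    {"id": "eli@vendor.example", "kind": "contractor", "last_login": "2023-06-10",
     "mfa": True, "access_ends": "2023-05-31", "admin": False},  # still signing in after end date
    {"id": "fay@vendor.example", "kind": "contractor", "last_login": "2023-06-11",
     "mfa": True, "access_ends": "2023-09-30", "admin": False},
    {"id": "svc-backup", "kind": "service", "last_login": "2023-06-13",
     "mfa": False, "access_ends": None, "admin": True},       # privileged non-human identity
    {"id": "svc-reports", "kind": "service", "last_login": "2023-06-12",
     "mfa": False, "access_ends": None, "admin": False},
]


def _days_since_login(account, as_of):
    return (as_of - date.fromisoformat(account["last_login"])).days


def audit_identities(accounts, as_of=AS_OF, dormant_after=timedelta(days=90)):
    """Map each problematic identity to the list of reasons it was flagged.
    Accounts with nothing to report are left out of the result."""
    findings = {}
    for a in accounts:
        reasons = []
        if _days_since_login(a, as_of) > dormant_after.days:
            reasons.append("dormant")
        if a["kind"] == "contractor" and a["access_ends"]:
            if date.fromisoformat(a["access_ends"]) < as_of:
                reasons.append("contract_ended")
        # Humans can enrol in MFA, so a privileged human without it is a gap.
        if a["kind"] != "service" and a["admin"] and not a["mfa"]:
            reasons.append("admin_without_mfa")
        # Non-human identities cannot complete MFA; the compensating control
        # is to keep them unprivileged, so privileged ones get reviewed.
        if a["kind"] == "service" and a["admin"]:
            reasons.append("privileged_service_account")
        if reasons:
            findings[a["id"]] = reasons
    return findings


def dormant_ratio(accounts, as_of=AS_OF, dormant_after=timedelta(days=90)):
    """Fraction of accounts with no sign-in within `dormant_after`, the
    figure the text quotes as averaging 1 in 8."""
    if not accounts:
        return 0.0
    dormant = sum(1 for a in accounts
                  if _days_since_login(a, as_of) > dormant_after.days)
    return dormant / len(accounts)


if __name__ == "__main__":
    print(f"dormant ratio: {dormant_ratio(SAMPLE_ACCOUNTS):.3f}")
    for ident, reasons in audit_identities(SAMPLE_ACCOUNTS).items():
        print(f"{ident:<20} {', '.join(reasons)}")
```

The `contract_ended` case is the one a pure dormancy check misses: the contractor is still signing in, so the account looks healthy, and only the engagement end date held by vendor management reveals that the access should already have been removed. That is the cross-system context the paragraph above is asking for.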

Conclusion

The digital office has moved and it seems like we’re in a constant state of catching up. The modern organization’s files, schedules, communications, concerns, plans, and goals all live in SaaS applications today. It’s easier than ever to collaborate, but it’s also easier than ever for data to leak. We’ve passed the tipping point where SaaS security, hygiene, and threats can no longer be safely ignored, or pushed off to be next year’s worry.

Valence was built to help organizations manage SaaS security risks resulting from misconfigurations, unused and overprivileged SaaS-to-SaaS integrations, ungoverned external data sharing and unmanaged identities. Valence enables security teams to effectively engage users to ensure that security decisions to remediate these risks are made within the context of business need and that end users work with and see security teams and processes as business enablers, not impediments. See the Valence SaaS Security platform in action.

Unleash the power of Valence, your ultimate defense against SaaS security risks. From tackling misconfigurations and excessive SaaS-to-SaaS integrations to managing external data sharing and user identities, Valence has got you covered. It empowers your security teams to make informed decisions, balancing your business needs with security imperatives. With Valence, security becomes a business enabler, not an obstacle, turning your business teams into strategic allies. Experience the Valence SaaS Security platform first-hand.
