Offboarding Employees is a Top CISO Priority
IT security departments have become fastidious about offboarding ex-employees and contractors to ensure they cannot access critical SaaS applications, corporate resources and sensitive data after they leave. In most cases, IT can revoke a user’s privileges easily and quickly through the organization’s identity and access management (IAM) service, such as Okta or OneLogin. Offboarding users from SaaS applications managed outside of the IAM service can be more challenging, though newer technologies are emerging to help manage these as well. At a minimum, however, offboarding of human users is now on the radar of most CISOs, and implementing proper zero trust access controls for them is a top priority.
But Non-Human Identities and Third-Party Integrations Are Still Overlooked
This is not the case when it comes to non-human entities – SaaS-to-SaaS integrations that provide third-party vendors with access to corporate data, applications and privileges. These integrations are created using direct APIs, OAuth apps in SaaS marketplaces, and no/low code citizen development platforms such as Zapier, Workato, Mulesoft, and others.
The democratization of IT has empowered business users across organizations to reduce deployment time and enhance business agility, productivity and collaboration by managing these SaaS-to-SaaS integrations directly. Unfortunately, they typically do so without IT security review or governance, which pushes these integrations off the CISO’s radar.
This indiscriminate connection of SaaS applications significantly increases the risk of unvetted supply chain access to core business applications like Salesforce, Microsoft 365 and Google Workspace. This supply chain attack risk is a major, and growing, attack vector. For example, during the GitHub attack campaign in April 2022, attackers were able to steal and abuse OAuth tokens issued to well-known vendors like Travis CI and Heroku. According to GitHub, the attackers leveraged the trust and high access granted to these highly reputed vendors to steal data from dozens of GitHub customers and private repositories.
On top of lacking visibility into these employee- or business-unit-adopted integrations, IT departments often lack awareness that non-human integrations significantly expand an organization’s privilege attack surface. In fact, even for IT-managed services, SaaS admins typically have a ‘set-and-forget’ mentality, not realizing that privileges can drift over time, and that those elevated privileges can facilitate SaaS supply chain attacks and the lateral movement of threats. They also don’t consider that these integrations may at some point go unused, leaving unnecessary points of compromise. For privileges managed outside of IT, security teams are often unaware of their existence altogether.
The Growing Challenge of Offboarding Non-Human Identities
The lack of awareness of the need to offboard non-human identities only exacerbates the risks inherent in unmanaged SaaS integrations. In many cases, it dwarfs the risk posed by improperly offboarded human users, because the non-human identity lifecycle is far less mature than the broadly adopted IAM controls for human identities such as SSO, SAML and MFA. Disconcertingly, Valence Threat Labs analysis has found that over 50% of integrations between third-party applications and business-critical SaaS applications have not been used for at least 30 days, the result of improper offboarding. SaaS vendors and integrations are abandoned for multiple reasons, and each creates its own set of challenges.
Offboarding Challenge #1: SaaS Evaluation/Assessment Hygiene
Let’s begin with proofs of concept (PoCs) for new third-party SaaS applications. An employee or team will often test several services, including integrating them into the overall SaaS mesh, before selecting the one best suited to the organization’s needs. Most organizations today don’t have a process to ensure that such third-party vendors are properly offboarded after the trial and that all of their integrations to core SaaS applications are revoked. Attackers can exploit the leftover integrations by stealing access tokens, or by reaching them through other SaaS applications via lateral movement or a supply chain attack.
Making matters worse, SaaS admins typically provision such integrations with excessive privileges due to the difficulty of manually configuring services with zero trust and least privilege best practices. This further facilitates the lateral movement of threats, placing organizational data at an even greater risk of cross-SaaS compromise once an attacker gains a foothold.
Offboarding Challenge #2: Natural Changes in Business Needs Over Time
The second offboarding challenge is the simple replacement of SaaS-to-SaaS integrations over time. Changing business needs often render certain SaaS applications and their integrations no longer necessary, while others become obsolete when innovative or improved technologies emerge. Revoking access for unnecessary, legacy or obsolete services and their integrations is often the last thing on a SaaS admin’s mind as they move to their next business project, and if it is a free or minimal cost application, there is little financial incentive to terminate it. Continuous SaaS hygiene in the wake of this natural drift is currently nearly impossible.
Offboarding Challenge #3: Application Owner or Organizational Change
Application ownership is currently a vague and cursory concept in most organizations. Without a comprehensive inventory of why specific applications exist within the organization and who is responsible for their access, privileges and activity, risk grows while security posture weakens. Connecting to third-party applications using OAuth tokens, for instance, can cause both SaaS management headaches and disrupt business continuity since they are often adopted by individual users for their own use without IT knowledge or an understanding of the company-wide business implications.
Suppose a marketing employee adopts HubSpot and then integrates it with Salesforce using their own Salesforce account rather than a dedicated organizational service account, which would be standard procedure for IT teams managing such integrations. The employee then sets up lead capture forms on the website, lead nurturing and distribution processes with the sales team, and so on. If the employee later leaves the organization and IT disables their account during the offboarding process, the HubSpot integration will break, potentially disrupting the entire organization’s digital lead generation process.
The Need to Continuously Monitor Non-human Identities to Ensure Proper Offboarding
The key takeaway here is that overlooking the need to properly offboard non-human integrations harms the organization’s security posture. IT departments must treat the offboarding of non-human identities with the same seriousness as the offboarding of human users. Digital transformation, constant innovation and the adoption of SaaS applications provide significant business benefits, but organizations must recognize that the world of non-human identities within this digitized and automated environment is every bit as dynamic, and as much a source of risk, as that of human users. Security teams want to be business enablers, adapting to the modern API/integration economy where many innovative solutions “just need API access” to deliver their service.
This demands the ability to constantly monitor all changes to this dynamic environment in real time, identify and review new applications and integrations as soon as they enter the organization’s SaaS mesh, and offboard applications and integrations quickly when they sit unused. These are the fundamental actions necessary if security teams are serious about fully minimizing their attack surface, maintaining least privilege access, and ensuring that the principles of zero trust are applied across the board when it comes to access to their core SaaS applications and valuable corporate data.
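As an added example (not code from the original post or from Valence), the following Python review applies the three challenges above to a constructed inventory of SaaS-to-SaaS grants: it flags integrations idle for 30 or more days, grants carrying broad scopes, grants bound to a personal user account rather than a service account, and grants whose owner has already been offboarded. The inventory field names, scope names and addresses are assumptions, not any vendor’s export format.

```python
from datetime import date

# Constructed sample inventory of SaaS-to-SaaS integrations (OAuth grants /
# API tokens). Field names are assumptions, not any vendor's export format.
INTEGRATIONS = [
    {"app": "Travis CI", "target": "GitHub", "grantee": "svc-ci@example.com",
     "account_type": "service", "scopes": ["repo", "read:org"],
     "last_used": "2022-04-10", "owner_active": True},
    {"app": "HubSpot", "target": "Salesforce", "grantee": "jane@example.com",
     "account_type": "user", "scopes": ["api", "full"],
     "last_used": "2022-04-14", "owner_active": False},
    {"app": "TrialVendorA", "target": "Google Workspace", "grantee": "bob@example.com",
     "account_type": "user", "scopes": ["drive.readonly"],
     "last_used": "2022-02-01", "owner_active": True},
    {"app": "Zapier", "target": "Microsoft 365", "grantee": "svc-zapier@example.com",
     "account_type": "service", "scopes": ["Mail.Read"],
     "last_used": "2022-04-14", "owner_active": True},
]

# Scopes treated as high privilege in this example (assumption; tune per platform).
BROAD_SCOPES = {"full", "api", "repo", "admin"}

def review_integrations(integrations, today_iso, stale_days=30):
    """Return {app: [reasons]} for every grant that needs an offboarding decision."""
    today = date.fromisoformat(today_iso)
    findings = {}
    for i in integrations:
        reasons = []
        idle = (today - date.fromisoformat(i["last_used"])).days
        if idle >= stale_days:               # Challenge #1/#2: abandoned trial or obsolete integration
            reasons.append(f"unused for {idle} days")
        broad = BROAD_SCOPES & set(i["scopes"])
        if broad:                            # excessive privilege that aids lateral movement
            reasons.append("broad scopes: " + ",".join(sorted(broad)))
        if i["account_type"] == "user":      # Challenge #3: tied to a person, not a service account
            reasons.append("bound to personal account " + i["grantee"])
        if not i["owner_active"]:            # owner left: grant will break or outlive its purpose
            reasons.append("owner offboarded")
        if reasons:
            findings[i["app"]] = reasons
    return findings

if __name__ == "__main__":
    for app, reasons in review_integrations(INTEGRATIONS, "2022-04-15").items():
        print(f"{app} -> {i_target}" if False else f"{app}: {'; '.join(reasons)}")
```

In a real deployment the inventory would come from each platform’s OAuth grant or API token listing and be re-run on a schedule, so new integrations are reviewed as they appear and stale ones surface automatically.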
Indeed, an effective, unified offboarding process must formally consider both human and non-human identities and their access privileges as a matter of course in order to minimize this burgeoning attack surface.