NOTE: This is the fifth entry in my blog series based on the 2023 State of SaaS Security Report. The first introduced the report. The second focused on SaaS breaches. The third focused on data security. The fourth opined on SaaS identities. This post explores some of the misconceptions around SaaS misconfigurations.
We hear a lot about attackers exploiting vulnerabilities, but did you know that misconfigurations are just as common, according to the Verizon 2023 Data Breach Investigations Report? You read that right: organizations are as likely to suffer a breach due to an employee mistake as they are from an exploited vulnerability. It makes sense. Why would an attacker bother exploiting a vulnerability when a misconfiguration simply hands them access?
Vulnerable by Default
It’s a common misconception that SaaS vendors do all the security work for you. This is rarely the case.
SaaS vendors, like most businesses, optimize for revenue, business growth, and customer adoption. How do they do that? They reduce onboarding friction, increase customer satisfaction, and upsell to more premium or enterprise features. Sometimes, the way they reduce friction and increase customer satisfaction is by allowing customers to do insecure things like ignore MFA, or choose bad passwords.
Sometimes, the upsell IS security - we’ve seen things like single-sign on, encryption, role-based access control, and other security features sold as add-ons, or only included in premium or enterprise tiers.
For example, we recently shared an article by Brian Krebs, where he pointed out that several organizations were leaking sensitive information from their Salesforce Community websites, due to simple misconfigurations. These accidents stemmed from unclear language that confused Salesforce administrators when setting up and configuring these sites. Vermont’s CISO, Scott Carbee, was quoted as saying, “My Team is frustrated by the permissive nature of the platform.”
One needs to look no further than open S3 buckets to realize how damaging misconfigurations can be. Misconfigurations have enabled a lot of data leaks that have led to embarrassment, lawsuits, regulatory fines, and even extortion situations.
Similar issues can occur via misconfigurations of SaaS applications and platforms. As with cloud infrastructure, each SaaS platform comes with its own unique set of features and configuration options. There’s no normalized, common issue to look for across the SaaS landscape - each has to be investigated individually. SaaS platforms also have the concept of shared responsibility in common with cloud service providers. Don’t make the mistake of assuming the SaaS provider assumes all security responsibility or monitors for attacks - this is not typically the case.
This is exactly what the Valence Threat Labs team is focused on, day in and day out. Our team has identified hundreds of security findings across dozens of SaaS apps, such as Microsoft 365, Google Workspace, Salesforce, GitHub, Slack, Okta, and others. These issues range from ensuring logging is enabled, to protecting admin accounts, to preventing private data from being published publicly by default.
Not all misconfigurations are as simple as ticking a checkbox in a SaaS settings page, either. For example, unless a custom activity policy is defined in Microsoft Defender for Cloud Apps, no one will get alerts about suspicious usage patterns. Microsoft has some very useful anomaly detection, but it’s not on by default! It’s common for busy administrators to overlook the steps required to enable these detections.
The reasons for security misconfigurations vary. As we’ve previously mentioned, SaaS defaults are often not ideal from a security perspective, yet they are rarely changed by SaaS administrators. This could be because administrators are too busy to review SaaS configurations, or because they are unfamiliar with security best practices.
One of the most common reasons for security misconfigurations is bad UI/UX, particularly when it comes to data visibility. Sometimes “public” means “everyone inside my organization can see it”, and sometimes it means “everyone connected to the public Internet can see it”. The difference is literally between having to declare a data breach and avoiding one.
Our 2023 State of SaaS Security report highlighted some insights as to why SaaS misconfigurations occur so frequently:
- Employees without IT or security training are managing SaaS configurations
- Insecure defaults
- Poor UI/UX
- Poor, or missing documentation
- Urgency leads to sloppy work
It’s necessary to learn how to leverage native SaaS controls to align with industry best practices (thankfully, Valence’s SSPM can help here, by mapping misconfigurations to standards). Without a way to monitor for configuration drift, or even better, prevent drift with automated policies, drift will happen.
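To make the configuration-drift point concrete, here is an added example (not code from the original post or from Valence) of a baseline-driven drift check. It assumes the tenant’s security settings have already been exported as a flat dict of setting name to value (how that export is obtained from a given SaaS admin API is out of scope); the setting names, the baseline, and the live snapshot are all constructed samples, not a specific vendor’s keys. Two details reflect the post’s observations: a setting that is absent from the export (for example, an anomaly policy that was never created) is reported as drift rather than silently passed, and sharing scopes are compared by explicit exposure level, so a bare, ambiguous “public” label is itself flagged.

```python
"""Baseline-driven drift check for SaaS security settings (added example)."""
from __future__ import annotations

from dataclasses import dataclass
from typing import Any, Optional

SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}

# Exposure scale for sharing scopes. Scope names are spelled out explicitly; a
# bare "public" is treated as ambiguous because it can mean "everyone in my
# organization" on one platform and "the whole Internet" on another.
SHARE_SCOPE_EXPOSURE = {"private": 0, "organization": 1, "anyone_with_link": 2, "internet": 3}

# Constructed baseline (hypothetical setting names): the approved value and the
# severity assigned if the live tenant drifts away from it.
BASELINE: dict[str, tuple[Any, str]] = {
    "mfa_required_for_all_users": (True, "critical"),
    "admin_mfa_required": (True, "critical"),
    "audit_logging_enabled": (True, "high"),
    "anomaly_detection_policy_enabled": (True, "high"),
    "default_share_scope": ("organization", "high"),
    "guest_sharing_allowed": (False, "medium"),
    "password_min_length": (12, "medium"),
}


@dataclass(frozen=True)
class Drift:
    setting: str
    expected: Any
    actual: Any
    severity: str


def check_drift(baseline: dict, current: dict) -> list[Drift]:
    """Return every setting whose live value is weaker than the baseline,
    sorted by severity (critical first). A setting missing from the live
    export is reported as drift rather than silently skipped."""
    findings: list[Drift] = []
    for name, (expected, severity) in baseline.items():
        if name not in current:
            findings.append(Drift(name, expected, None, severity))
            continue
        actual = current[name]
        if name == "default_share_scope":
            # Compare by exposure, not string equality: a tighter scope than
            # the baseline is fine, an unknown or ambiguous label is not.
            if actual not in SHARE_SCOPE_EXPOSURE:
                findings.append(Drift(name, expected, actual, "critical"))
            elif SHARE_SCOPE_EXPOSURE[actual] > SHARE_SCOPE_EXPOSURE[expected]:
                findings.append(Drift(name, expected, actual, severity))
        elif isinstance(expected, int) and not isinstance(expected, bool):
            # Numeric minimums: only a value below the baseline counts as drift.
            if actual < expected:
                findings.append(Drift(name, expected, actual, severity))
        elif actual != expected:
            findings.append(Drift(name, expected, actual, severity))
    return sorted(findings, key=lambda d: SEVERITY_RANK[d.severity])


def worst_severity(findings: list[Drift]) -> Optional[str]:
    """Highest severity present, or None when the tenant matches the baseline."""
    return findings[0].severity if findings else None


# Constructed live snapshot: MFA enforcement was switched off, sharing was
# relaxed, passwords were shortened, and the anomaly policy was never created.
SAMPLE_CURRENT = {
    "mfa_required_for_all_users": False,
    "admin_mfa_required": True,
    "audit_logging_enabled": True,
    "default_share_scope": "anyone_with_link",
    "guest_sharing_allowed": False,
    "password_min_length": 8,
}

if __name__ == "__main__":
    for d in check_drift(BASELINE, SAMPLE_CURRENT):
        print(f"[{d.severity:8}] {d.setting}: expected {d.expected!r}, got {d.actual!r}")
```

Run on a schedule against a fresh export, and the sorted findings list is the drift report; anything at “critical” is what a busy administrator most needs to see first. Treating a missing setting as drift is deliberate: the policies that are never created are exactly the ones a simple equality check would never notice.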
Check out the 2023 State of SaaS Security Report
These are just a few highlights from this year’s State of SaaS Security report from Valence Threat Labs! This blog series will continue to explore and share interesting insights from the report, but why wait? Check out the full report for more details and real-world examples of SaaS breaches now!