Cloud migration and IT democratization have created a continuously growing network of interconnected business applications, integrated to digitize and automate business workflows. Employees in the digital transformation age are now compelled to choose their best-of-breed applications, independently adopting and connecting SaaS applications, no/low code platforms like Workato and Zapier, and SaaS marketplace third-party apps in order to increase productivity, creating a convoluted web of ever-growing app-to-app integrations. This expanding new network is built in the cloud and is based on third-party vendor integrations, introducing the SaaS-to-SaaS supply chain as the future of enterprise interconnectivity.
Massive amounts of data are now flowing between these applications in the highly dynamic cloud environment, and the modern enterprise cannot revert to the days of data silos and isolated applications. However, with every new connection and automated workflow, a new and concerning risk surface grows through indiscriminate and shadow connectivity. This is a ubiquitous phenomenon of the interconnectivity era, and CISOs should take heed of the challenges introduced by the size, expansion, security and governance ramifications of the SaaS-to-SaaS supply chain.
Zero trust for non-humans
For years, security teams have focused on securing human-to-app interactions, adopting security controls such as managed devices, endpoint security, CASB, ZTNA, MFA and IdPs. These solutions provided value for their original purpose, but the SaaS-to-SaaS supply chain today thrives on application integration, non-human identities and app-to-app connectivity – leaving out the human element in order to streamline and automate work processes.
The SaaS-to-SaaS supply chain continues to grow uninhibited, without alerting security teams to the new risks and connections created by non-human identities, which cannot be addressed using traditional security controls designed for human-to-app interactions. The continuous increase in non-human identities in app-to-app integrations, and their broad access to sensitive, data-intensive platforms, heightens attackers’ motivation to exploit these new attack surfaces.
Security teams struggle with handling the scale and sophistication of impending attacks. Blind to these threats and with application adoption becoming as easy as signing a form, employees are no longer inclined to request CISO consent to adopt new apps, and CISOs are not able to govern third-party access due to the ease of bypassing existing controls. The number of supply chain attacks via third-party vendors has skyrocketed over the past few years, as malicious actors leverage non-human identities to gain unauthorized access to business applications.
Third-party API takeover attacks
Enterprise budgets and organizational resources are heavily routed to fortifying internal security postures, while critical assets are left exposed to external threats through these unmanaged third-party integrations. The infamous SolarWinds attack brought organizational reliance on third-party integrations to the forefront, leading to an inevitable backlash against existing, woefully unsuitable solutions for third-party risk management. As part of that attack campaign, the abuse of application credentials, as in the case of Microsoft Azure, and the focus on API takeover attacks targeting third-party vendors like Mimecast highlight how attackers leverage such integrations to gain unauthorized access to critical business applications.
Securing the hyper-automated enterprise
The SaaS-to-SaaS supply chain with its unique characteristics is prone not only to third-party breaches, but also to various other ways by which malicious actors may leverage it as an attack vector.
As organizations strive for automated business workflows, hyper-automation, no/low code and enterprise application integration (EAI) platforms are the methods of choice for connectivity. These platforms are now configured by citizen developers, without security governance and oversight, potentially leading to misconfigurations and sensitive data exposure. Attackers actively target such platforms as they hold the keys to the kingdom with their high privileges across the enterprises’ most critical business applications.
Malicious OAuth token access
Attackers have found that human error and employee trust are lucrative opportunities for exploits and trickery, and target employee independence in SaaS marketplaces with phishing campaigns. With the increasing adoption of multifactor authentication (MFA), traditional account takeover techniques have become less effective, as a username and password are no longer enough to gain access. Attackers instead leverage marketplaces and third-party apps to trick employees into installing malicious apps via sophisticated consent phishing campaigns; the consent grants the attacker’s app OAuth tokens with high privileges, bypassing many security controls, such as MFA.
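The defensive counterpart to consent phishing is reviewing what has actually been consented to. The following triage script is an added example written for this article, not code from the article or from any vendor it mentions: it runs over constructed OAuth consent-grant records (the record layout, field names and the list of scopes treated as high-risk are assumptions, though the scope names are modelled on Microsoft Graph permission names) and flags apps that combine high-privilege scopes, an unverified publisher, or a burst of consents from many users in a short window, the pattern a consent phishing campaign tends to leave behind.

```python
"""Triage OAuth consent grants for consent-phishing indicators.

Added example. The records below are constructed sample data standing in
for an identity provider's consent-grant audit export; the field names and
the high-risk scope list are assumptions made for this illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Scopes treated as high-privilege in this example (assumed list; names
# modelled on Microsoft Graph permissions).
HIGH_RISK_SCOPES = {
    "Mail.ReadWrite",
    "Files.ReadWrite.All",
    "Directory.ReadWrite.All",
    "offline_access",  # refresh tokens keep access alive after the session ends
}

# Constructed sample consent-grant records (not real log data).
SAMPLE_GRANTS = [
    {"ts": "2024-05-01T09:00:00", "user": "alice", "app_id": "app-legit",
     "publisher_verified": True, "scopes": ["User.Read"]},
    {"ts": "2024-05-03T09:00:00", "user": "bob", "app_id": "app-legit",
     "publisher_verified": True, "scopes": ["User.Read"]},
    {"ts": "2024-05-06T10:00:00", "user": "carol", "app_id": "app-phish",
     "publisher_verified": False, "scopes": ["Mail.ReadWrite", "offline_access"]},
    {"ts": "2024-05-06T10:03:00", "user": "dave", "app_id": "app-phish",
     "publisher_verified": False, "scopes": ["Mail.ReadWrite", "offline_access"]},
    {"ts": "2024-05-06T10:07:00", "user": "erin", "app_id": "app-phish",
     "publisher_verified": False, "scopes": ["Mail.ReadWrite", "offline_access"]},
    {"ts": "2024-05-06T10:12:00", "user": "frank", "app_id": "app-phish",
     "publisher_verified": False, "scopes": ["Mail.ReadWrite", "offline_access"]},
    {"ts": "2024-05-07T14:30:00", "user": "grace", "app_id": "app-internal",
     "publisher_verified": True, "scopes": ["Files.ReadWrite.All"]},
]


def detect_burst(timestamps, window, threshold):
    """Sliding window over sorted timestamps: True if at least `threshold`
    consents fall within any span of length `window`."""
    ts = sorted(timestamps)
    left = 0
    for right in range(len(ts)):
        while ts[right] - ts[left] > window:
            left += 1
        if right - left + 1 >= threshold:
            return True
    return False


def triage(grants, window=timedelta(minutes=15), threshold=3):
    """Group consent grants per app and return findings plus a severity
    for every app that trips at least one indicator."""
    by_app = defaultdict(list)
    for g in grants:
        by_app[g["app_id"]].append(g)

    report = {}
    for app_id, app_grants in by_app.items():
        findings = []

        # Indicator 1: the app holds high-privilege scopes.
        scopes = set().union(*(g["scopes"] for g in app_grants))
        risky = sorted(scopes & HIGH_RISK_SCOPES)
        if risky:
            findings.append("high_risk_scopes:" + ",".join(risky))

        # Indicator 2: the publisher is not verified by the marketplace.
        if not all(g["publisher_verified"] for g in app_grants):
            findings.append("unverified_publisher")

        # Indicator 3: many distinct users consented within a short window.
        first_consent = {}
        for g in app_grants:
            t = datetime.fromisoformat(g["ts"])
            if g["user"] not in first_consent or t < first_consent[g["user"]]:
                first_consent[g["user"]] = t
        if detect_burst(list(first_consent.values()), window, threshold):
            findings.append("consent_burst")

        if not findings:
            continue
        if risky and "unverified_publisher" in findings:
            severity = "critical"
        elif risky or "consent_burst" in findings:
            severity = "high"
        else:
            severity = "medium"
        report[app_id] = {"findings": findings, "severity": severity}
    return report


if __name__ == "__main__":
    for app, result in triage(SAMPLE_GRANTS).items():
        print(app, result["severity"], result["findings"])
```

The burst check deliberately counts each user's first consent only, so a single user re-consenting repeatedly does not look like a campaign; the window and threshold are tuning knobs, and in a real tenant the verified-publisher flag and scope names would come from the identity provider's own consent audit export rather than from the constructed records above.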
It all comes down to managing trust
The SaaS-to-SaaS supply chain will continue to grow and provide enterprises with value at scale, simplifying and automating processes, enabling robust data collection, and maximizing the benefits of enterprise software. That said, security teams cannot continue to ignore the pitfalls and challenges of this wild, wild mess, as it creates organizational dependency on external vendors, leading users to trust third parties for integration and interconnectivity while potentially jeopardizing their most important assets.
The shift from human to non-human interactions necessitates a corresponding shift in the paradigm used to secure these integrations, without impeding workflows. These challenges cannot be mitigated and resolved in silos. Security teams must gain more visibility and control by bolstering their collaboration with business application teams, decentralized owners, citizen developers and end users to ensure the secure growth of the SaaS-to-SaaS supply chain and enhance innovation, increase productivity, and enable organizations to reap the benefits of their digital transformation journey.