2022 Shadow SaaS-to-SaaS Integration Report

On-Demand Webcast – SaaS Security Insights for CISOs: Valence's Shadow SaaS Integration Report

Valence Threat Labs
July 18, 2022

In this 40-minute on-demand webcast, Ryan Gurney (CISO-in-Residence at YL Ventures), Demi Ben-Ari (Co-Founder & CTO at Panorays), Sounil Yu (CISO & Head of Research at JupiterOne) and Yoni Shohet (Co-Founder & CEO at Valence) discuss Valence's latest Shadow SaaS-to-SaaS Integration Report and its repercussions for CISOs' SaaS security strategies.

This first-of-its-kind report from Valence Threat Labs combines a CISO survey (perception) with cross-tenant data drawn from the Valence SaaS Mesh Security Platform (reality), and covers key trends, misperceptions, and challenges organizations face when trying to gain visibility and control over the growing and fast-changing world of SaaS-to-SaaS third-party integrations.

Yoni Shohet:

Hi, everyone. This is Yoni Shohet from Valence Security, hosting a panel discussion here about SaaS security insights for CISOs from the 2022 Shadow SaaS-to-SaaS Integration Report, discussing the perception versus reality of the supply chain risks in SaaS applications.

Yoni Shohet:

With us, we have a great panel. We have Ryan Gurney, who's the CISO-in-Residence at YL Ventures, previously at Zendesk. And we have Demi Ben-Ari, who's the co-founder and CTO at Panorays. And Sounil Yu, who's the CISO and head of research at JupiterOne, previously at Bank of America.

Yoni Shohet:

We're going to discuss today the findings of a report that was created jointly by Panorays, YL Ventures and Valence Security about the state of the risks that are associated with SaaS third-party integrations and SaaS applications. And then, think about both what we can understand about the current state and the risks that exist for organizations within SaaS applications, but also what we can do better as an industry and within organizations to reduce the risk that is associated with SaaS-to-SaaS integrations and to improve the overall posture in terms of supply chain risks.

Yoni Shohet:

We'll start by going through a few slides about the report to show the summary and the main points that were raised through the report. In terms of the questions that we asked, we asked mostly CISOs about better understanding their current state and how they perceive the risk that is associated with SaaS security and with the third-party integrations to SaaS applications.

Yoni Shohet:

And we compared it to real data from our tenants and from real-life customers of different sizes and scale, to understand whether or not the perception of the risk surface, and of the risk that the organization is accepting in terms of integrations that users are creating, is in line with what we see in reality in the data. We started by understanding just what's the scale of these integrations. Usually, a typical organization has somewhere between a handful and maybe two dozen core SaaS applications.

Yoni Shohet:

These SaaS applications have a lot of different third-party integrations that are enabled within them, whether it's third-party apps and extensions from different SaaS marketplaces, or direct API-based integrations, or no-code, low-code automation workflows, like the Ocados, APR, Microsoft Power Platforms of the world. More than 50% of the CISOs responded that they have at most 200 integrations within their core SaaS applications.

Yoni Shohet:

Whereas our data shows that there are almost four to five times that number: nearly 1,000 integrations in a typical environment in just these core SaaS applications, at the center of the mesh of integrations that exists between the different SaaS applications. And usually the most astonishing part of it is probably that about 50%, or 48%, of these integrations are inactive or over-privileged in terms of the permissions that were granted to them.

Yoni Shohet:

Over the years, we try and test a lot of different applications. We connect them to the core SaaS applications. We provide them access to the data. And we try to understand whether or not this is a platform we want, or if we want a different platform within the organization. And eventually, this creates a growing risk surface of third-party integrations that are consented to. But there are no good processes today to revoke and remove unnecessary integrations and make sure that we do proper off-boarding post-POC, where we test four different platforms, we choose one of them, and nobody goes and revokes the other three that were also consented to and connected to the core SaaS applications. And this is an area where we can definitely improve as an industry.

Yoni Shohet:

We also asked about the pace of change of these integrations. 76% of the CISOs believe that they have up to 20 new integrations per month. In a typical tenant, we see 73 new integrations per month, per 30 days. This is three to four times the number expected by the CISOs. Usually, these integrations are user-driven. As organizations are going through the process of decentralizing IT, a lot of decisions are made by the business units and by the end users within the organization. Therefore we're starting to see more decisions driven there, and the pace, the scale, and the amount of decisions per day that are made within these business units is significant.

Yoni Shohet:

Even for us as a startup and as a growing company, every time we increase our presence in a certain area, whether it's sales, marketing, product, engineering, we start to see more and more of these integrations build up in order to improve efficiency. And it's very difficult for the security team, from a central perspective, to stay up to date on all these decentralized decisions that are being made within the organization, especially with so many different distributed SaaS applications being adopted.

Yoni Shohet:

And one of the last aspects I want to talk about is really about low-code platforms. Today, we have citizen developers that are adopting no-code, low-code automation or hyperautomation platforms like Ocado and Zapier and the Microsoft Cloud platform and Make. And the NeoSOFT that allow business units outside of the central software development of the organization to start to develop automation.

Yoni Shohet:

Usually, if-this-then-that type workflows and automation. In most organizations, these platforms are not governed by security processes. We don't have AppSec, DevSecOps and the equivalent application security governance processes that we have built over the years for application development also adjusted for no-code, low-code development. And therefore, a lot of CISOs are not even aware of whether or not these types of applications are being utilized.

Yoni Shohet:

We find that in almost every tenant that we were connected to, we find at least one of these applications. On average, we find four to five of these different platforms being used. Because again, every business unit uses their own application. In some cases, there's central adoption, or organized adoption by the business applications team, of a central platform. But usually, we see that at least one, if not four to five, of these platforms are adopted.

Yoni Shohet:

And once these decentralized decisions are made, they're also very difficult to track and secure and govern in terms of understanding how these indirect data flows are established. Because these platforms are granted keys to the kingdom without proper security governance in terms of how these keys are used and how these privileges within the different business applications are actually utilized for productivity purposes in the organizations.

Yoni Shohet:

I'll pause here and I'll go to the panel discussion to get the perspective of the panel about the different risks that we highlighted through our report. I'd probably want to start by understanding what's the most insightful finding from the report. What were the aha moments, or the moments that really astonished you, in terms of looking at the perception versus reality within these SaaS-to-SaaS supply chain risks? Ryan, maybe we'll start with you sharing your thoughts and perspective.

Ryan Gurney:

Yeah, sure. A few years ago, probably seven or eight, when I was a CISO, we did a discovery process ourselves. We actually sent out a message to engineers and everyone and said, "Hey, how many SaaS applications do you think we have on our network?" And we used some DNS filtering and tried to figure out what that was.

Ryan Gurney:

And people guessed it was 50 to 100. And it ended up being 500. And so, the aha moment, and the reason I did that, was I wanted to start a TPRM process of some sort, because vendor risk matters. And it looks like from the survey that this is still an ongoing problem around discovery and identifying where these exist.

Ryan Gurney:

The second real quick one that I'll highlight, as I read through the report, was the fact that most CISOs understand that this is a risk. They don't necessarily know how big it is, but they also may not have the tooling necessary to discover the entire issue, and also to control it. I think one of the findings was that many have an IDP. And they might be thinking that can totally fix the problem, but it doesn't with the non-human interactions. I'll pause there.

Yoni Shohet:

Yeah. We're shifting from shadow IT to shadow connectivity because the adoption of SaaS is getting more and more complex. It's not only the long tail SaaS applications and the core SaaS applications, it's now also how they interact with these non-human identities. And you said TPRM. I'll shift to Demi to get his perspective on the report and the findings.

Demi Ben-Ari:

Yeah. I'd like to connect to that, the gaining visibility. When again, we spoke about the mesh and how you actually recognize things in this all application mesh that we're speaking about. And forming different kind of TPRM programs. This is basically what we do also.

Demi Ben-Ari:

From our experience with customers, even getting the first visibility, that aha moment of discovery, is hard. You basically do not even know. And the report, I think, reflects that really well. And especially what you mentioned at the beginning, the complexity, because integration can mean many things today, and different kinds of relationships even. You plug and plan, install things without even knowing that it actually does something.

Demi Ben-Ari:

And the whole how many you have, this is I think the hardest question for all of our customers. Which are your integrations, your third parties that you're interacting with, and how many do you have? And continuously doing that, because it's not a one-off where you discover, and that's it, we didn't change anything. Ryan mentioned talking to developers. It's basically everybody today. It's not only developers, because your sales people install something as a Chrome extension and that's it. It's a SaaS application that you kind of interacted with. And how many internal plugins do you have in your Salesforce or HubSpot? I can go on and on speaking about that, and the mapping and the process around that, and continuously remediating all the vulnerabilities that are discovered are impossible without proper tooling, I think.

Yoni Shohet:

Interesting. Sounil, I think you, when we started to talk about this space, you called it PITA-

Sounil:

Yeah.

Yoni Shohet:

... for a lot of different reasons, but it's interesting to hear your perspective, getting some more data and contextualizing some of the facts from, let's say, the industry and different CISOs.

Sounil:

Yeah. So PITA, for those who don't know, stands for plugins, integrations and third-party apps. And I came up with that acronym because it also follows another acronym that we all know and love, that I think really describes the problem space as well as I could in defining the acronym.

Sounil:

Anyway, I'm actually surprised that the numbers are as low as they were reported. In fact, I was expecting them to be much higher. As Ryan mentioned earlier, the estimate of how many we use was 10 times lower than the actual. So from 50 to 500. Also what's interesting is that what we think we use is also 10 times as many as what's actually formally approved. So I would hazard a guess that maybe somewhere close to five to 10 SaaS apps were actually formally approved through some system. And that's typically what I've seen in previous organizations.

Sounil:

The reason why I thought the numbers might even be higher is because if we consider that we tend to be off by an order of magnitude, then the number of integrations amongst those would also be off by even more, minimally by that order of magnitude, so 10 times greater. But even more, because we have the network effect of SaaS applications and integrations. So the more SaaS applications that we have, the more integrations, from an exponential standpoint, we'll see.

Sounil:

So we may be off right now by three or four times, which I think is already kind of low. I wouldn't be surprised if in the next couple... If we don't have ways to manage this, it will be off by 50 times, 100 times, a thousand times in the future.

Yoni Shohet:

Yeah. So maybe because we're just covering the core SaaS applications and their integrations, if you multiply it also by the long tail and all the other applications, that can probably increase. But basically what I'm hearing from what you're saying is also, maybe it's a good time to solve some of these issues and make sure that from a culture perspective, you secure it properly.

Sounil:

Well, let me offer a perspective here. I actually don't think that this is a problem. I think it's actually a predicament. Problems can be solved. Problems can be controlled. And I heard that word earlier as well. Problems can be fixed, whereas predicaments can only be managed. And this is a situation where we're in a predicament, and there's nothing we can do to solve this problem, short of just stopping the use of SaaS applications altogether, which is not going to happen.

Sounil:

So we need to manage this. We can't really control it as much as we can just manage the risks that we have associated with this. And so we need tools to be able to understand the breadth of the predicament that we're in, and act accordingly. And that acting accordingly is not us telling the SaaS providers, "Hey, you go fix this or fix that." It's us taking the steps to be able to again, manage that risk accordingly.

Yoni Shohet:

Yeah, I think one of the misperceptions that we see in the market is that in the shared responsibility model between us and the SaaS applications, they're in charge of security of the infrastructure, but eventually we get configurations that we need to manage. And eventually if we decide to connect anything to our Salesforce or to our Office 365 or to any of these SaaS applications, it's our responsibility to understand that this vendor is someone, or a vendor, that I approved to get access from a supply chain access perspective.

Yoni Shohet:

But Sounil, continuing on that, when you think about how different organizations decide to manage the risk that is associated with adopting SaaS applications, you have a nice, I would say, variety of experience, both from large organizations like Bank of America, and also going a bit into the venture funding business, and also eventually now at a vendor or a small startup. How do you see company culture in terms of pace of innovation, size, sector, adoption of SaaS, or where they are in the maturity curve of adopting SaaS and shifting to a SaaS mentality, affecting how a company addresses, or manages, this type of risk?

Sounil:

Sure. So ultimately it depends on the organization you're at and how much business disruption you want to create, or how much business acceleration you want to offer. I think in the context of large institutions that don't have a very large SaaS footprint, they can probably continue to operate pretty well while putting in pretty aggressive SaaS controls that limit the use of SaaS, or govern what SaaS is used a priori. However, in small organizations that want to move fast and need to move fast, with marketing and sales people who want to use the latest widget available in some SaaS application, or someone who's doing graphic design who wants to use another app, we need to be able to give them the flexibility to move pretty fast.

Sounil:

Those integrations that emerge from that, again, pose interesting challenges for us. But it's really, again, a balance of, "How fast do we want to move relative to the perceived risks that we may otherwise have to manage if we choose to allow these to be put into our environment?" At the end of the day, it's not just a security decision. The reason why we're in this problem, or the reason why we're in this predicament to begin with, is because it's a business driver. And if we can somehow understand how to balance the speed at which the business runs with the safety brakes that we want to put in to minimize any car crashes, that's the real challenge that we have. And I feel like we don't have a really great braking system in the event that some information gets disseminated through one of these integrations in such a way that all of a sudden that information is proliferated into a thousand different places.

Yoni Shohet:

Interesting. So you saw, for example, from your experience in larger organizations, they were much more on the brake, stopping and then deciding case by case, rather than just enabling by default and then detecting and responding to these types of risks that are introduced?

Sounil:

Yeah, actually, a good way to describe it is, in one organization, a very large one, the brakes were on and we slowly let it go. The other one, in a startup, the gas is fully down, and we're now just trying to apply the brakes in a managed way.

Yoni Shohet:

Yeah. I think we're seeing in a lot of the industry that eventually, without the involvement of these business units and end users that are in charge of these decisions, it's just impossible to actually manage that risk, because you just miss the critical business context. There are so many moving parts in an organization, small or big. I think Demi could probably share with us also [inaudible 00:17:58] risk from his experience, and even in his own organization, not only with his customers, that there are so many different moving parts that it is impossible for a security team to stay in context of everything that is happening. And so, Demi, what are your thoughts on this?

Demi Ben-Ari:

I highly agree. I couldn't agree more, because eventually in the process you should be taking that entity, the third-party integration, and again, I can mention a lot of things because it's not only a company that you're evaluating, it can be a sub-product of a company, et cetera. So the context, the whole thing, is super important. And then the due process and what type of data they're processing, if they're holding PI or not. Or maybe what type of interaction or what type of permissions they have, talking about all of the tokens and all of the things that were compromised, at least in third-party breaches, are super important. Because right now, eventually you need to keep on monitoring that. The context might change. Somebody, some kind of admin, can actually give more permissions, can add more integrations, and that actually changes the interaction that you have with that entity.

Demi Ben-Ari:

And this is the continuous challenge that CSOs, and me myself even at Panorays, when I'm managing our own third-party risk, are tackling. And think of it that a lot of times the CSO is external to all of these entities with the moving parts. So you sometimes do not even have control, unless you have, again, proper tooling in place to create visibility and continuously monitor that.

Yoni Shohet:

Yeah. So I think also in a lot of our conversations, what comes up is that continuous supply chain risk management procedure that starts with understanding the vendor and their risk, and combining that with contextualizing the organization's own exposure from working with that vendor, or how they're interacting with the vendor in terms of the actual business unit's engagement with these types of vendors.

Demi Ben-Ari:

And especially all the things that SBA actually relates to as we speak. People are speaking about that. How can you actually get that list? Okay. It's a continuously changing list.

Yoni Shohet:

Yeah. Interesting. And I think Ryan, from your experience, you also talk a lot about how the relationship with the business unit is critical. How did you see the different size, phase, stage of the company, or the culture in general, affect this specific problem space?

Ryan Gurney:

Yeah. I think Sounil and Demi said it well. Certainly at a small company, growth is paramount, and you know that going into the seat as a CISO. And so you have to play this role with a lot of empathy, frankly, for your employees but also for your customers. And you have to play the role that... And you educate your employees that you are the customer's eyes. That's your role, and everybody has to have that perspective from a risk standpoint. And I'll give you a couple of anecdotes here. One was that it's not just the third-party vendors that you have to care about when you think about this. You also have to have empathy for your own customers. And if you're building a SaaS application as your core business, how are you making it so that you're not putting your customers in a position where they may have to make some poor risk decisions?

Ryan Gurney:

And early on at one of the vendors I was at as a CISO, we only had the ability to have one API token per platform. And you would think that's crazy today, but this was quite a few years ago. Well, what that meant is that same API token, which the customer was encouraged to use for integrations, would be shared with 20 other vendors. One of those has a data breach or suspected data breach, and now they have to go rotate that token, which means they have to rotate it across all 20, which causes a disruption in business. That wasn't us being very empathetic to our customers' plight.

Ryan Gurney:

And so the whole industry has to think about this in a very cognizant way of, "How am I not only ensuring that my customers have the ability to run their business that way, but how can I get in front of monitoring misuse of tokens perhaps and giving them a heads up?" and even taking the stance, "Listen. If we suspect that a token was misused, it would be great to tell you and ask you and get suggestions on when you want us to revoke it, but if we have high susceptibility that it looks like it was misused, we're going to revoke it right now and then we're going to tell you, because that lag time's a killer." So in a small company, yes, you have to empower the business and people are going to go use whatever SaaS applications they want, but you also have to be thinking about your own product and evolve that over time and be showing a lot of empathy.

Yoni Shohet:

Interesting. So speaking about token abuse, recently there was a publication about the GitHub attack campaign, where the attackers were able to breach through well-known integrators that have access to GitHub through OAuth, in this case Heroku and Travis CI, steal tokens from these companies, and use and abuse these tokens in order to gain unauthorized access eventually to GitHub repositories, and even to GitHub's own repositories in their own tenants, and steal sensitive data and access code that is eventually stored within GitHub in the SaaS applications. So I think that when we're thinking about supply chain risks in the context of SaaS applications, this is exactly that, where the customer wasn't breached, GitHub wasn't breached, but one of the third-party vendors that has access to GitHub on behalf of the customer was breached, and through that, the tokens were abused and leveraged in order to steal data from the GitHub tenants.

Yoni Shohet:

Of course not the first. It's one of many cases that we've seen over the past two years. And in general, the vast majority of attacks, or well-known attacks, that we're seeing are somehow related to third-party vendors and to supply chain access one way or another, because eventually the attackers realized that it's the weakest link that they can find in the security posture of organizations. Demi, I'm curious to hear what type of examples you hear of attacks, or either risks or concerns that customers have or that organizations have, in terms of supply chain risks in the context of SaaS, specific horror stories that you heard from customers of incidents that they had, or risks that they're most concerned of?

Demi Ben-Ari:

So you kind of related to that when you mentioned the mesh, because eventually the supply chain attacks today are becoming really, really sophisticated. Think of it that attackers and adversaries choose these, I would say, lower-security types of vendors to breach, especially if they have a widespread customer base, and then they want to basically pawn all of their customers. They're not targeting the vendors. The vendors are not the important piece here. And because of all of that interconnectivity, you're giving tokens, and Ryan mentioned that, only one token, you would be surprised how many vendors today also offer only this type of thing. Okay? So not going 10 years back, and these things are... Customers are tackling that with a risk-based approach. You literally sometimes won't onboard a new vendor if they don't have proper security controls implemented in place, or on the shared responsibility principle, that they're giving you the leverage to actually do so.

Demi Ben-Ari:

And the horror stories are endless. You mentioned GitHub. The GitHub thing is compromising all of the private repositories also, which is also kind of the IP of the company, that can compromise a lot of other things, but other types of breaches, like SolarWinds, Kaseya, [inaudible 00:25:56] as an example. So different things that relate to taking a vendor that has a widespread customer base and basically attacking them to be able to attack all of their aggregate customer base. Once they actually compromise them, it can be even something more sophisticated. Think of it that the Microsoft Exchange thing that kind of occurred in 2020. What do you think? Didn't it relate to something in the context of SolarWinds and other things that were or might have been compromised? All it takes is getting credentials of somebody and actually exploiting them, which is also something that complex adversaries might actually do.

Demi Ben-Ari:

And I'm not saying if it's nation states or if it's somebody that is a [inaudible 00:26:41] that is trying to assemble something like that. It's happening as we speak. Literally we're hearing that on a weekly basis. Okay? And that challenge of continuously going and being up to speed on that is... Again, Sounil defined it really, really well. It's not a problem. It's something that we have to take into account and move forward with.

Yoni Shohet:

I think one of the challenges I'm hearing a lot from CISOs is that when they read the headlines about new supply chain attacks or new vendors that were breached, the first questions that they ask are, "Are we affected? Do we have this vendor?" And they need to start going to the different distributed admins that they have and to different business units asking them, "Are you using this? Are you using that? Are you using this?" And they have to do incident response live post-breach. Having that type of continuous inventory and threat intelligence and continuous risk assessment of the vendors that are engaged is becoming more and more difficult due to, again, that decentralized IT model. Especially with the GitHub example, which is probably the best example from the recent few months, the first thing a lot of our customers tried to see through our platform is whether there's access to GitHub by these specific vendors and whether or not they're exposed, because they didn't have that type of continuous process in place beforehand.

Yoni Shohet:

Sounil, curious about your experience, if there are any examples that you want to pitch in terms of risks or specific attack examples that you've seen or heard of, maybe from colleagues or anything else.

Sounil:

Yeah. Actually let me frame the attack examples in a wholly different way that may resonate very strongly with others. I'm going to actually frame this along the lines of our organizational privacy being violated. Organizational privacy. So what is happening here? We have these integrations that enable our organizational data to go into all these different places and who knows where it goes. It goes and gets promulgated into all these places that we just don't really have a good grasp of. And because of that, we have data brokers who get compromised that then enable access into other systems that continue to violate our organizational privacy. And I used the word privacy very deliberately because we've seen this play out before in other personal examples where our individual privacy has been breached. And that's because you have all these different vendors within the personal PII data ecosystem that somehow exchanged all this information back and forth.

Sounil:

And so we're kind of repeating this pattern at the organizational level. And if we frame it that way, then it also gives us a chance to say, "Well, how are we tackling the individual privacy issue? And where are we running into successes? Where are our successes? And what are some challenges?" Might some of the challenges or successes on the organizational privacy side actually be helpful in addressing the challenges that we have on the individual privacy side? Maybe some of the successes that we've had on the individual privacy side may be useful for us to consider on the organizational privacy side, because we see attacks against both. And I think there's an opportunity to learn from both sides and say, "Is there something that we're doing for individual privacy that actually is really effective?" And some of that could be laws. It could be the equivalent of GDPR but applied to an organization, to a corporation as opposed to an individual.

Yoni Shohet:

Like a right to be forgotten for an organization after you off-board a vendor.

Sounil:

That's right. Exactly. I'm done with this vendor, and I say goodbye, and I want this very clear understanding and confirmation that all my organizational data has been wiped. Can I get that sort of confirmation? What's the equivalent of a DSR for an organization?

Yoni Shohet:

Interesting.

Demi Ben-Ari:

It's a process. People are tackled with that. It's like off-boarding: how do you do an off-boarding of a third-party integration or third-party vendor?

Yoni Shohet:

Usually you just don't.

Demi Ben-Ari:

It's hard.

Demi Ben-Ari:

It really depends on the depth of... And again, the comprehensiveness of your PPSRM.

Sounil:

This is where I think Ryan's comment from earlier is really appropriate, which is we ... And the privacy laws have now driven better design for how we handle individual PII. Well, we should definitely learn from that as we build out SaaS tools that help the organization. And what are the techniques that we use on the individual privacy side that actually can be applied to the organizational privacy?

Yoni Shohet:

Interesting.

Ryan Gurney:

I would also add this idea of over-privileged tokens is a real problem, too. And I think we can get a lot more granular with what access we're giving our integrators to be able to do their job and not much more. And so that's on the SaaS applications to figure out, okay, what level of tokens do we want to provide and training the customer on what to use? There's also a problem space here as well with potential OEM integrations that the customer may not even know exist out there, where their data is being shared, and potentially through tokens. And that this can be a real problem.

Ryan Gurney:

And so when you think about the SaaS vendors that you're doing business with, you need to ask them very targeted questions around API usage, monitoring of misuse, how they're going to communicate to you if they see something. Are they going to revoke and then communicate, and then how you can empower your own business with this SaaS mesh that you have to not over-privilege everything. And so I think this design is very interesting, and coming back to the discovery processes that exist out there, it's a struggle for CISOs.

Ryan Gurney:

I also think the media gets this often wrong. So GitHub had a pretty good response I think, and they had good tooling in place, but they're going to be the ones that are tagged in the media as the breach location. And you can make an argument that they're not really the cause of it. And so this becomes a brand recognition issue that SaaS companies need to go to the board and the CEO with and say how critical it is in their product design that they ensure they're doing everything they can to help their customers do it right.

Yoni Shohet:

Interesting.

Demi Ben-Ari:

It becomes the nth-party risk right now and not the third party.

Yoni Shohet:

Yeah. Because you have to take into consideration the fourth and fifth, and all the third parties of your third parties, and eventually it becomes an endless game of zero trust. And how do you actually understand what's the appropriate way to manage this type of risk and to understand how do you address it properly?

Yoni Shohet:

And speaking of that, any kind of last thoughts about recommendations for security teams and how to address these types of problems, and what are best practices that you saw that work well, don't work well within organizations, big and small? So Ryan, you kind of alluded to that in your last comment, but anything else you would like to add?

Ryan Gurney:

Yeah. I think the report highlights the fact that there's some low hanging fruit there on just revoking unused tokens. If you can go and chase that first right away, that's very helpful. I would say make your TPRM questions just very targeted. There's so much pork in some of the questions that exist. Let's just go after where the breaches could occur, and then go down the path of figuring out, "Okay, I got to have some discovery capability, and then I need to chase this, but I'm resource constrained. So what's the highest risk with the most over-privileged tokens that I can go chase and start seeing if I can revoke there to start with?" So there is some low hanging fruit, but it is certainly something that takes a lot of effort to go chase.

Yoni Shohet:

Interesting. Sounil?

Sounil:

As I mentioned, I have a view that is oftentimes counter to how we typically do security. But that's it. There are a couple things that I wish I could get more from our SaaS vendors, and it's not for what you may think it is. I would love to get, from SaaS vendors, their isolation architecture. How do you isolate information so that there's not cross tenant pollution? And it's not actually because I want to understand whether they're securing my data properly. It's because I think there's an opportunity for us to learn from each other, and to come up with better architectures. So this is something that I think is just a basic safety practice, and the better we can share these safety practices is similar to, again, what Ryan mentioned earlier in terms of, hey, good safety practice is not forcing everyone to use the same API for everything. What are other safety practices that we can share across the SaaS community? Because we need to learn from those, and make it much easier for those who have to manage the predicament that we've put ourselves in.

Yoni Shohet:

To have an open architecture of best practices of SaaS architecture for companies to have from the get go.

Sounil:

That's right.

Yoni Shohet:

Demi?

Demi Ben-Ari:

I think Sounil articulated it really well. Understanding first of all, your attack surface right now is among all of your third parties, because eventually you're passing away information to them. There are the new data processors, and this is your new attack surface. It's not all your data center.

Demi Ben-Ari:

The next phase would be what kind of security controls you might want to implement to make all of these security measurements to kind of avoid things and minimize your attack surfaces as much as possible. If it's revoking access, then that is unauthorized or maybe even different kinds of things that you might not want to open. And the next thing would be when something will happen, and again I'm saying when and not if, the blast radius will be minimized also. Because you minimize that attack surface and the amount of entities that you're interacting with. And again, it's a continuous struggle. It's not something that is a one off.

Yoni Shohet:

Perfect. So just with a few, probably, final words from our side. So we spoke about the different first [inaudible 00:37:50] that are associated with the supply chain of SaaS-to-SaaS integrations, and that's the source of what we're talking about is the report that we released. You're more than welcome, everybody, to go through it and go online and find it on our website. And there's more information about both the risks and how to contextualize it and how to think about it in terms of the organization.

Yoni Shohet:

And of course for us as Valence, one of the things that we focus on besides awareness for the industry and the thought leadership in terms of the content that we're trying to create, we also build different processes that will help organizations do this type of an assessment on their own, and get to their own reality and to understand their own situation within their organization. And it's something that we're offering as a free-of-charge service, just to help raise awareness and help organizations figure out that type of discovery step, I think like especially Ryan highlighted, which is very critical for organizations just to understand how big of a risk they have before they understand how big of a priority, and where does it fit within their overall organization's risk surface?

Yoni Shohet:

So with that, I'd like to thank our panelists. So thank you very much for joining us. And of course we're more than happy to also answer questions offline. Wish you all a rest of a good day. Thank you very much.
