It’s time to untangle the SaaS ball of yarn

It is no exaggeration to say that SaaS applications have changed the way we operate, both in our personal and professional lives. We routinely rely on cloud-based and remote applications to perform our most basic functions, and as a result, the only real perimeter of our networks has become the identities we use to log into these services.

Unfortunately—as is so often the case—our hunger for better workflows, collaboration, and communication outpaced our willingness to ensure these tools and processes were secure before we connected them to our environments and handed over control of our data’s security. Each of these applications requests varying degrees of permission to our data, and often relies on the services of other vendors, creating not a network but a tangle of interdependencies so complex that most security and IT teams don’t even know how many SaaS applications are connected, let alone what they are or what access permissions they hold.

Our collective – and understandable – appetite for flexibility and scalability has led us to where we are today: most of us can no longer function in a modern business without SaaS applications, as they have become essential to our operations, yet these cloud-based services and applications remain vulnerable to attack.

Threat actors understand the “as-a-service” model as well as anyone, routinely selling Ransomware-as-a-Service to affiliates on the dark web. They understand that an attack on a third-party SaaS vendor doesn’t just lead to the crown jewels of one company, but of many. We saw a 68% increase in third-party app attacks in 2023, and researchers agree that this number will only rise as SaaS adoption continues to grow.

Fortunately, there are steps that can be taken to untangle this ball of SaaS yarn that IT and security teams worldwide must deal with.

Understand your SaaS environment and shadow IT

It seems so simple: if you want to secure something, you first have to know it’s there. But as we know, it’s never simple when it comes to SaaS.

Shadow IT – any tool or program that is installed and has access to company data without the knowledge of the IT and/or security teams – is rampant. Think about this: when someone in marketing needs a new design tool that is available as a SaaS application, they sign up, grant it access to your shared files for easy uploads and/or downloads, and skip IT approval for any number of reasons (it takes too long, the application might be rejected, they have a tight deadline, etc.). These applications often have immense visibility into and permissions over company data without anyone on the security side even knowing they exist, let alone watching them for suspicious behavior.

To understand the scope of the problem and get a complete picture of your SaaS environment, we need to do some rough calculations.

  • Most companies have an average of ~500 business applications connected to their environment.
  • Of these, approximately 49% are approved by IT/security and ~51% are unapproved applications.
  • Each application has an average of 9 users.
  • If we multiply the number of users per application (9) by the number of unapproved apps (~255), this comes to an average of 2,295 potentially unique attack vectors that IT and security teams have no insight into and that malicious actors are only too happy to abuse.

Therefore, understanding how many applications are connected to your environment, what they do, what their permissions are, and what activity they generate is the most important step. This inventory and monitoring also needs to happen continuously: you never know when someone will bypass IT, add a new app or service, and grant it full access to your data.

Close the open paths to your data

Once you have a handle on your applications, it’s time to model your permissions and ensure that these applications and their users don’t hold more permissions than they need. This also requires constant monitoring: applications often change their permission structures to require more access without clearly announcing the change.

Recently, a series of high-profile breaches all linked to cloud storage provider Snowflake highlighted just how vulnerable organizations often are in this regard. Ticketmaster, Santander Bank, and Advance Auto Parts all fell victim to the same attack, which was the result of previously stolen credentials, a third-party storage provider (Snowflake) allowing these cloud storage vaults to be set up without an IdP or MFA, and companies bypassing best practices by protecting their vast amounts of data with passwords only.

To take the first step in securing their SaaS ecosystem, companies essentially need to map it: understand all the connected apps, their associated identities, and their actions. This can be labor-intensive, and it’s only the tip of the iceberg. It also depends on employees admitting to the unsanctioned apps they use.

To prevent a breach, companies must:

  • Know everything about all SaaS applications in use (both known and unknown), especially those with deep access needs or those holding proprietary or customer data
  • Ensure risky applications are protected with an IdP, MFA, etc.
  • Make sure that users of those applications do not hold excessive privileges
  • Be alerted, and act quickly, when the applications and/or the data behind them are accessed or moved in suspicious ways
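The four checklist items above map directly onto checks that can be run over an application inventory and an audit log. The following is an added example, not code from the original article or from Reco: it triages a constructed inventory (app name, sanctioned flag, whether MFA is enforced, the scopes granted at connection time versus today, and user roles) and a constructed event log. The scope names, the `MAX_ADMINS` and `DOWNLOAD_BURST` thresholds, and the record layout are assumptions for illustration; real OAuth scope strings and log schemas differ by provider.

```python
"""Triage a constructed SaaS app inventory and audit log against the
four checklist items. Scope names, thresholds and record layout are
assumptions for this example, not any vendor's schema."""
from collections import Counter
from dataclasses import dataclass, field

# Scopes treated as deep access to company data (assumed labels).
HIGH_RISK_SCOPES = {"files.read_all", "files.write_all",
                    "mail.read_all", "directory.read_all"}
MAX_ADMINS = 2        # more admins than this is flagged as over-privileged
DOWNLOAD_BURST = 50   # downloads by one user in the log window that alert


@dataclass
class App:
    name: str
    sanctioned: bool                # approved by IT/security
    mfa_enforced: bool              # IdP/MFA in front of every login
    original_scopes: set[str]       # scopes granted when first connected
    current_scopes: set[str]        # scopes granted today
    users: dict[str, str] = field(default_factory=dict)  # user -> role


# Constructed inventory: a sanctioned CRM, a sanctioned storage app whose
# scopes grew after connection, and a design tool connected without IT.
INVENTORY = [
    App("crm", True, True, {"contacts.read"}, {"contacts.read"},
        {"alice": "admin", "bob": "member"}),
    App("storage", True, True, {"files.read"},
        {"files.read", "files.write_all"},
        {"alice": "admin", "carol": "admin", "dave": "admin"}),
    App("design-tool", False, False, {"files.read_all"}, {"files.read_all"},
        {"erin": "member"}),
]

# Constructed audit events as (app, user, action). Sixty downloads by erin
# through the unsanctioned design tool model a bulk pull of shared files.
EVENTS = [("crm", "bob", "view")] * 5 + [("design-tool", "erin", "download")] * 60


def triage_inventory(inventory):
    """Return (app, finding, detail) tuples for checklist items 1 to 3."""
    findings = []
    for app in inventory:
        deep = app.current_scopes & HIGH_RISK_SCOPES
        # Item 1: unknown/unsanctioned apps and what they can reach.
        if not app.sanctioned:
            findings.append((app.name, "shadow-it", sorted(app.current_scopes)))
        # Permission drift: scopes added since the app was first connected.
        added = app.current_scopes - app.original_scopes
        if added:
            findings.append((app.name, "scope-expansion", sorted(added)))
        # Item 2: deep access without MFA in front of it.
        if deep and not app.mfa_enforced:
            findings.append((app.name, "no-mfa-with-deep-access", sorted(deep)))
        # Item 3: too many admin-role users.
        admins = sorted(u for u, role in app.users.items() if role == "admin")
        if len(admins) > MAX_ADMINS:
            findings.append((app.name, "excess-admins", admins))
    return findings


def triage_events(events, inventory):
    """Return (app, user, finding) tuples for checklist item 4."""
    sanctioned = {a.name for a in inventory if a.sanctioned}
    downloads = Counter((app, user) for app, user, action in events
                        if action == "download")
    alerts = []
    for (app, user), n in downloads.items():
        if n >= DOWNLOAD_BURST:
            alerts.append((app, user, f"download-burst:{n}"))
        if app not in sanctioned:
            alerts.append((app, user, "data-movement-via-shadow-app"))
    return alerts


if __name__ == "__main__":
    for row in triage_inventory(INVENTORY) + triage_events(EVENTS, INVENTORY):
        print(*row)
```

Run as-is, the inventory pass flags the storage app twice (its write scope was added after connection, and it has three admins) and the design tool twice (unsanctioned, and deep file access with no MFA), while the event pass raises a download-burst alert and a data-movement alert for the same user and shadow app. In practice the inventory would be pulled from each provider's OAuth consent and admin APIs and the events from its audit log, with the thresholds tuned to the organization.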

This type of access, permission, and usage monitoring has the added benefit of helping your business comply with a wide range of regulations and regulators. If your data is exposed through a third-party breach, it won’t be well received if you can’t say what the application was or what access it had to the data. This monitoring also shouldn’t come at the expense of usability, which is what drives the rampant shadow IT we see today.

Finally, secure the way your business operates

It’s clear that SaaS applications are here to stay, from sales enablement to database management to AI tools. It’s exciting and has given us opportunities to work in new, innovative ways and places. Now that we recognize this, it’s also time to untangle the SaaS ball of yarn that has become our environment.

As threat actors find more of these points of failure and dependency in the tangle, they will get better at exploiting them, with bigger – and more devastating – breaches. The more we prioritize securing the way we actually work, the more we can achieve.

Note: This article was written and contributed by Dvir Sasson, Director of Security Research at Reco.