A recent review by Wing Security, a SaaS security company that analyzes data from more than 500 companies, revealed some worrying figures. According to the review, 84% of companies had employees using an average of 3.5 breached SaaS applications in the previous three months. Concerning as this is, it is not particularly surprising. The exponential growth in SaaS usage leaves security and IT teams struggling to keep track of which SaaS applications are in use and how they are used. This is not to say that SaaS should be avoided or blocked; SaaS applications should be embraced because they drive business growth. But they should be adopted with a certain degree of caution.
Determining which SaaS applications are at risk
The most intuitive risk factor when assessing an application is whether it has been breached. SaaS applications are clearly being targeted, as the number of SaaS-related attacks keeps growing. A breach is a clear signal to stay away, at least until the SaaS vendor has actually fixed the issue and restored service (which can take some time…). But there are other criteria to weigh when deciding whether a SaaS application is safe to use. Here are two more:
- Compliance – The security and privacy certifications an app vendor holds, or does not hold, are a good indication of its security maturity. Obtaining attestations such as SOC 2, HIPAA or ISO certification (and the list goes on) requires a long and meticulous process in which the vendor must adhere to strict rules and regulations. Knowing a vendor's compliance status is critical to understanding its level of security, with one caveat: an attestation shows that controls were audited at a point in time, not that the application is free of vulnerabilities.
- Marketplace presence – Checking whether an app is listed in a well-known, reputable marketplace is also a helpful step when judging its integrity, which is linked to its security posture. To be listed in a respected marketplace, apps have to pass a vetting process, and they accumulate user reviews, which are arguably one of the most important indicators of an app's legitimacy. Keep in mind that marketplace vetting is mostly a policy review rather than a security audit, and that reviews can be gamed, so treat listing as a positive signal rather than proof.
While understanding which apps are potentially risky is important, it is not an easy task. And it is not the first step either. According to Wing Security, every company it reviewed had many hundreds of SaaS applications in use. So the first and most basic question a security team should ask is:
How many SaaS apps are employees using?
Obviously, it is impossible to determine whether SaaS is being used safely without first knowing how many SaaS applications are being used, and which ones. It's basic, but not simple. SaaS is used by any and all employees, and while enforcing SSO and using IAM systems is important and useful, the decentralized, accessible and often self-served nature of SaaS applications means employees can start using almost any SaaS they need simply by signing up online and connecting it to their corporate workspace, typically through an OAuth consent prompt, easily circumventing IAM. This is especially true when considering the many SaaS applications that offer free tools or free tiers.
With that in mind, Wing Security also provides SaaS application discovery as a free self-service tool, so answering the question above should be fairly easy. Once a clear map of SaaS usage has been produced, the next step is to determine which SaaS applications are at risk. Once risky apps have been classified as such, it is important to revoke the tokens they received from the users who connected them to the organization. This can be a long and complicated process without the right tools (Wing offers risky app removal as another capability in its free version, with some limitations lifted in its premium offering).
Ensuring SaaS use is safe requires asking and answering two more questions:
1. What permissions are granted for the SaaS application?
It probably goes without saying that not every application poses the same risk. It is also worth adding that even if a SaaS application is breached, the risk it poses depends heavily on the permissions it was granted. Nearly all SaaS applications require some level of permission to access company data in order to provide the service they are designed for. Permissions range from read-only access to write permissions that let the application act on the user's behalf, such as sending email as the user. Proper management of SaaS security posture means monitoring the permissions users grant to applications and ensuring each application holds only the permissions it actually needs.
2. What data flows within and between these applications?
In the end, what matters most is protecting critical company data, whether it is business information, PII or code. Data takes many formats and flows in many ways. The way SaaS is used across business units and teams, and by everyone in the organization, creates data-sharing risks when SaaS applications that were not designed for secure data sharing are used for exactly that. It also introduces the risk of data being shared between SaaS applications. Today, many SaaS applications are connected to each other, and a single onboarded application can provide access to many others. It is a giant network of interconnectivity and data sharing.
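The two questions above, how many apps are connected and what permissions each one holds, can be answered mechanically once the consent records are exported. The following Python script is an added example, not code from the original article or from Wing Security. It works over a constructed list of OAuth-style grants (user, app, scopes) of the kind an IdP or SaaS admin console exports; the scope names, the per-app allowlist of needed scopes, the set of apps classified as risky and the three-tier risk heuristic are all assumptions of the example, not a real provider's API.

```python
"""Inventory connected SaaS apps and flag over-privileged or risky OAuth grants."""
from collections import defaultdict

# Constructed consent records standing in for an IdP / admin-console export.
# Scope names are illustrative and not tied to any particular provider.
GRANTS = [
    {"user": "alice@example.com", "app": "NoteTaker",   "scopes": ["profile", "files.read"]},
    {"user": "bob@example.com",   "app": "NoteTaker",   "scopes": ["profile", "files.read", "files.write"]},
    {"user": "carol@example.com", "app": "MailBooster", "scopes": ["profile", "mail.read", "mail.send"]},
    {"user": "alice@example.com", "app": "CalSync",     "scopes": ["profile", "calendar.read"]},
    {"user": "dave@example.com",  "app": "OldCRM",      "scopes": ["profile", "contacts.read", "files.read"]},
]

# Assumed allowlist: the scopes each approved app needs to do its job.
# Anything granted beyond this is over-privilege worth investigating.
NEEDED_SCOPES = {
    "NoteTaker":   {"profile", "files.read"},
    "MailBooster": {"profile", "mail.read"},
    "CalSync":     {"profile", "calendar.read"},
}

# Assumed input: apps classified as risky (breached, unvetted, etc.).
RISKY_APPS = {"OldCRM"}

# Heuristic tiers: identity-only < read company data < write or act on the user's behalf.
IDENTITY_SCOPES = {"profile", "email", "openid"}
ACT_ON_BEHALF_SUFFIXES = (".send", ".write", ".delete", ".admin", ".manage")
TIER_RANK = {"low": 0, "medium": 1, "high": 2}


def scope_tier(scope):
    """Classify one scope string into low / medium / high."""
    if scope in IDENTITY_SCOPES:
        return "low"
    if scope.endswith(ACT_ON_BEHALF_SUFFIXES):
        return "high"
    return "medium"


def app_inventory(grants):
    """Answer 'how many apps, and which ones': app -> users, union of scopes, worst tier."""
    inv = defaultdict(lambda: {"users": set(), "scopes": set()})
    for g in grants:
        inv[g["app"]]["users"].add(g["user"])
        inv[g["app"]]["scopes"].update(g["scopes"])
    for entry in inv.values():
        entry["max_tier"] = max((scope_tier(s) for s in entry["scopes"]), key=TIER_RANK.__getitem__)
    return dict(inv)


def over_privileged(grants, needed=NEEDED_SCOPES):
    """Return (user, app, extra_scopes) for grants exceeding the app's allowlist.

    An app with no allowlist entry has not been reviewed yet, so every non-identity
    scope it holds is reported as unexpected rather than silently accepted."""
    findings = []
    for g in grants:
        allowed = needed.get(g["app"])
        if allowed is None:
            extra = {s for s in g["scopes"] if scope_tier(s) != "low"}
        else:
            extra = set(g["scopes"]) - allowed
        if extra:
            findings.append((g["user"], g["app"], sorted(extra)))
    return findings


def revocation_list(grants, risky=RISKY_APPS):
    """(user, app) pairs whose tokens should be revoked because the app is classified risky."""
    return sorted((g["user"], g["app"]) for g in grants if g["app"] in risky)


if __name__ == "__main__":
    inv = app_inventory(GRANTS)
    print(f"{len(inv)} distinct SaaS apps connected")
    for app, entry in sorted(inv.items()):
        print(f"  {app:12s} users={len(entry['users'])} worst_tier={entry['max_tier']} scopes={sorted(entry['scopes'])}")
    print("Over-privileged grants:")
    for user, app, extra in over_privileged(GRANTS):
        print(f"  {user} -> {app}: unexpected {extra}")
    print("Tokens to revoke:", revocation_list(GRANTS))
```

In practice the allowlist is the output of the vetting step described above, and the revocation list feeds whatever admin API or console the identity provider offers for pulling third-party tokens; the script deliberately stops at producing the lists so it stays provider-neutral.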
Start with the basics – Get to know your SaaS layers
SaaS security can be overwhelming. It is a new and powerful frontier that is constantly evolving, and it is yet another item on the long list of risks security teams have to deal with. The key to getting SaaS security under control is knowing which applications are being used. This basic first step exposes the scale of SaaS shadow IT and allows security teams to properly assess the urgency and magnitude of their SaaS security risks. Knowing exactly how much SaaS is in use, and of what kind, shouldn't be complicated or expensive. There are plenty of tools that can solve this, and you can try Wing Security's free solution to get an idea of what you're dealing with.