
Recent data breaches at CircleCI, LastPass, and Okta underscore a common theme: Enterprise SaaS stacks connected to these industry-leading applications may be at serious risk of compromise.
CircleCI, for example, plays a comprehensive SaaS-to-SaaS role in SaaS application development. Similarly, tens of thousands of organizations rely on Okta and LastPass for SaaS identity and access management. Both enterprise and niche SaaS applications have effectively introduced multitudes of unmonitored endpoints to organizations of all sizes.
While SaaS security spending is trending upward, it lags behind in categories such as cloud infrastructure protection and network security. According to Statista, the average organization employs more than 100 SaaS applications, many of which are not sanctioned by IT, creating a glaring gap in SaaS security.
Why users flock to SaaS applications, and often bypass IT in the process
As productivity tools for tasks like marketing automation, document signing, and sales forecasting have moved from installed software to SaaS, so have end-user behaviors. Employees are finding SaaS solutions to help them accomplish more in less time, especially with the increasing decentralization of the IT function.
Employees will always look for ways to increase their productivity with the tools of their choice. This behavior is by no means new or malicious in itself, but it carries significant security risks. In the age of installed software, organizations added endpoint security to work machines and devices to ensure that their employees could not download malicious software or fall victim to malware-based attacks. This approach remains a key facet of global endpoint security, but it doesn’t reflect the evolution of how people work now: outside the realm of corporate networks and often on personal devices.
Rather than approach Security or IT to understand the policies for onboarding new SaaS solutions, and face the likelihood of red tape, delays, or denials of their requests, workers whip out their credit card or opt for a 30-day free trial of a SaaS application. Workers rarely consider the security implications of the shadow computing they have introduced into the ecosystem as they authorize the connection of their new applications to enterprise SaaS systems like Microsoft 365, Salesforce, Workday, or ServiceNow.
These connections, along with legacy user permission settings, could touch the organization’s most sensitive data, and the organization has no way to monitor or control this attack surface risk. And it happens every day.
How SaaS applications inherit permissions using OAuth tokens
In many organizations, SaaS applications (and SaaS-to-SaaS connections) leverage OAuth access tokens both at the initial connection point and throughout their lifecycle. The process usually follows these steps:
- A user has authenticated to an enterprise SaaS application using either simple authentication or zero-trust strong authentication. They are now in the SaaS cloud.
- This user wants to save time by switching between their project management tool and documents, spreadsheets, and emails. Consequently, they look for ways to streamline their work. This search leads to a popular project management SaaS plugin, perhaps with a free trial, and the user decides to give it a try.
- The user starts the installation and clicks “Yes” to a prompt that authorizes read and write access to data in a major SaaS platform, such as an office productivity suite, and the data associated with it. There are no different permission rights levels for the user to select.
- The office productivity suite creates an OAuth token. This token allows the project management application and office productivity suite to maintain API-based cloud-to-cloud communication without requiring the user to log in and authenticate regularly.
From this point on, the project management application connects continuously on the strength of that initial strong authentication. CASBs and SWGs will not detect this SaaS-to-SaaS connectivity, because the traffic flows cloud-to-cloud and never crosses the corporate network or the user's device.
Figure 1: A breakdown of how a SaaS-to-SaaS connection interacts with an OAuth token.
These application tokens are valuable because they make the project management application easily accessible to the user. Unfortunately, they are just as valuable, if not more so, to attackers looking for an easily exploitable entry point into an enterprise SaaS system.
The scope of the risk: SaaS applications and SaaS-to-SaaS connections
If threat actors can successfully hijack OAuth tokens, they can gain access to CRM, code repositories, and more. An established SaaS-to-SaaS connection can provide valid and authorized API access to a multitude of different production SaaS environments and data.
Security and IT teams are overburdened with monitoring and maintaining the configuration and growth of their enterprise SaaS platforms, let alone unauthorized SaaS applications. Without any security checks, SaaS-to-SaaS connections create potentially vulnerable endpoints.
The prevalence of these SaaS-to-SaaS connections is substantial and often underestimated by IT organizations. According to the SaaS security provider AppOmni:
- The average enterprise organization has more than 42 different SaaS-to-SaaS applications connected to its live SaaS environments. Almost 50 percent of these applications were connected directly by end users, not by IT.
- About half of these 42 connected apps have not been used in the past six months. Whether active or inactive, connected SaaS-to-SaaS applications retain their data access rights.
- Many of these organizations have reached a total of nearly 900 user-to-application connections.
Figure 2: SaaS environments contain many entry points outside the traditional network and CASB protection.
As this research demonstrates, the number of “authorized” applications in contact with potentially sensitive data is infeasible to assess and monitor without the right SaaS security tools.
Practical steps to monitor and secure SaaS connections
Most security teams lack the right tools to gain visibility into SaaS connectivity and associated user activity. SaaS Security Posture Management (SSPM) solutions address these concerns by providing visibility and control over SaaS assets.
A security or IT professional can, for example, use SSPM to discover everything running in Salesforce, along with the SaaS applications connected to it. The same goes for many other SaaS applications used by the organization.
This added visibility and control, combined with continuous monitoring of SaaS applications and SaaS-to-SaaS connections, reduces attack surface risk and enables proactive security control. When a weakness is discovered, the security team can take action, such as identifying unsanctioned, insecure, and overauthorized SaaS applications and revoking the grants they no longer need.
Thanks to the continuous monitoring capabilities of an SSPM solution, the security team can establish a baseline of SaaS activity to use as a point-in-time reference. While the potential for SaaS-related breaches can never be completely eliminated, using SSPM greatly reduces this risk.
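The checks described above (unsanctioned, user-consented, overauthorized, and stale grants that still hold their tokens) can be expressed as a simple audit over a connected-app inventory. The following Python script is an added example, not code from the original article or from any SSPM vendor. The inventory records, the sanctioned-app list, the write-scope markers and the 180-day threshold are all constructed for this example; real platforms expose connected-app grants through their own admin APIs with different field names and scope vocabularies.

```python
"""Audit an inventory of OAuth app grants for stale, over-scoped and
unsanctioned SaaS-to-SaaS connections (hypothetical example).

The Grant records, the sanctioned list and the scope vocabulary below are
constructed for illustration; adapt them to your platform's export format.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

# Substrings that indicate a scope grants write/modify access.
# Constructed for this example; real scope names are platform-specific.
WRITE_MARKERS = ("write", "modify", "full", "manage", "delete")

# Grants unused for longer than this are flagged as stale (the article's
# "six months" figure). The token remains valid regardless of use.
STALE_AFTER = timedelta(days=180)


@dataclass
class Grant:
    app: str                 # connected application name
    scopes: str              # space-separated, as in an OAuth "scope" value
    granted_by: str          # "admin" or the consenting user's principal
    last_used: Optional[date]  # None = never used since the grant was made


@dataclass
class Finding:
    app: str
    reasons: list[str] = field(default_factory=list)


def parse_scopes(scope_str: str) -> set[str]:
    """Split an OAuth scope string into individual scope names."""
    return {s for s in scope_str.split() if s}


def write_scopes(scopes: set[str]) -> set[str]:
    """Return the subset of scopes that grant write/modify access."""
    return {s for s in scopes if any(m in s.lower() for m in WRITE_MARKERS)}


def audit(grants: list[Grant], sanctioned: set[str], today: date) -> list[Finding]:
    """Return one Finding per grant that violates at least one check."""
    findings: list[Finding] = []
    for g in grants:
        reasons: list[str] = []
        if g.app not in sanctioned:
            reasons.append("unsanctioned: not on the IT-approved app list")
        if g.granted_by != "admin":
            reasons.append(f"user-consented by {g.granted_by}, not admin-reviewed")
        ws = write_scopes(parse_scopes(g.scopes))
        if ws:
            reasons.append("write access: " + ", ".join(sorted(ws)))
        if g.last_used is None or today - g.last_used > STALE_AFTER:
            reasons.append("stale: unused for >180 days but still holds its token")
        if reasons:
            findings.append(Finding(g.app, reasons))
    return findings


# Constructed sample inventory: four connected apps as an SSPM export might
# list them. Names, scopes and dates are illustrative only.
TODAY = date(2023, 3, 1)
SANCTIONED = {"hr-connector", "crm-sync"}
SAMPLE_GRANTS = [
    Grant("crm-sync", "contacts.read opportunities.read", "admin", date(2023, 2, 27)),
    Grant("pm-plugin", "files.read files.write mail.read", "alice@example.com", date(2022, 8, 1)),
    Grant("hr-connector", "employees.read", "admin", None),
    Grant("signing-tool", "files.read", "bob@example.com", date(2023, 2, 1)),
]


def sample_findings() -> dict[str, list[str]]:
    """Run the audit on the constructed inventory, keyed by app name."""
    return {f.app: f.reasons for f in audit(SAMPLE_GRANTS, SANCTIONED, TODAY)}


if __name__ == "__main__":
    for app, reasons in sample_findings().items():
        print(app)
        for r in reasons:
            print("  -", r)
```

The admin-approved, recently used, read-only `crm-sync` grant produces no finding; `pm-plugin` trips every check, which is the profile the article warns about: a user-consented trial plugin with write access that nobody has touched in months but whose token still works.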
As the technological landscape continues to evolve and new software-as-a-service (SaaS) applications enter the market, businesses must learn to uncover and understand the hidden risks associated with these apps. By scrutinizing the benefits and risks of a solution, businesses can ensure that their investment is worth it and that the app can meet their needs.
Moreover, it is also important for businesses to understand that there are a variety of risks associated with SaaS apps that are not always readily apparent. While the benefits of these applications are quickly evident, the hidden risks found in SaaS apps can sometimes be a more difficult challenge to uncover and understand.
Ikaroa, a full stack tech company, can provide the cognitive support and reliable services needed to help businesses overcome this challenge of uncovering hidden risks associated with SaaS apps. We use a variety of innovative methods to identify potential risks and provide our clients with the necessary information to make informed decisions. Our experts have a wealth of knowledge and experience in the software security field, so you can be certain that our services will help your business remain safe and sound.
We can provide our clients with a comprehensive risk assessment and management service, which will give them the peace of mind of knowing that they are using SaaS apps that are secure. Our team of experts will systematically identify, analyze and explain the various hidden risks that may be present in a SaaS application. We will also develop a detailed plan for mitigating these risks, so that the app can be used with full confidence.
At Ikaroa, we understand the unique challenges that businesses face when it comes to SaaS apps. We use the most up-to-date techniques and technologies to provide our clients with the most effective way to uncover and understand the hidden risks associated with any software-as-a-service application. Our team of experts is here to help businesses make informed decisions and to ensure that their investments will yield the desired results.