Macro trends such as the shift to cloud services, a growing remote (or hybrid) workforce, and heavy reliance on third-party partners and contractors mean organizations are working with more software-as-a-service (SaaS) applications than ever. It also means that attackers are taking advantage of the ubiquity of SaaS as they target insecure default configurations and weakly secured identities.
Over the past year, attackers have attempted to intercept OAuth tokens, bypass multifactor authentication schemes, and exploit misconfigured systems and applications to gain unauthorized access to business-critical applications, such as GitHub, Microsoft 365, Google Workspace, Slack, and Okta — to name a few.
In the new “2023 State of SaaS Security” report, researchers from Valence Threat Labs identified various ways SaaS usage exposes organizations to attack. The report findings are based on organizations that have deployed Valence Security’s SaaS security platform.
The upshot? Organizations have to do a better job of tracking abandoned applications, files, and user accounts.
More SaaS = More Risk
SaaS has evolved into an ecosystem of interconnected applications that share data and identities; the apps are no longer standalone, single-function tools. That integration is itself a problem: applications are granted far more privileges than they need, and data sharing spreads with little oversight.
SaaS has its benefits, but abandoned integrations and idle data shares add to the enterprise attack surface. The report recommends regularly removing unused integrations and revoking stale shares: data shares should expire automatically after a set period (such as 30 days), and user accounts should be deactivated when employees leave. Life cycle management matters here because a departing employee's account must be deactivated without breaking the business processes that still depend on it, the report states.
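As an added illustration (not code from the report or from Valence's platform), the following Python script applies the two rules in the paragraph above, revoke anything idle for more than 30 days and revoke anything owned by someone who has left, to a constructed inventory of OAuth grants and file shares. The record layout, field names, sample entries and the `departed_users` list are assumptions; real admin exports differ by vendor, and a grant that has never been used is aged from the day it was granted.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class Grant:
    """One SaaS integration or data share, as an admin export might list it (assumed layout)."""
    grant_id: str
    kind: str                          # "oauth_app" or "file_share"
    owner: str                         # user who authorized the grant or created the share
    granted_at: datetime
    last_used_at: Optional[datetime]   # None means never exercised since it was granted
    scopes: Tuple[str, ...] = ()


@dataclass(frozen=True)
class Decision:
    grant_id: str
    action: str    # "revoke" or "keep"
    reason: str


def _ts(iso: str) -> datetime:
    """Parse an ISO-8601 timestamp and normalise it to UTC so comparisons are safe."""
    return datetime.fromisoformat(iso).astimezone(timezone.utc)


# Constructed sample inventory (hypothetical data, not taken from the report).
NOW = _ts("2023-06-01T00:00:00+00:00")
DEPARTED_USERS = frozenset({"dave"})
INVENTORY = [
    Grant("app-ci-bot", "oauth_app", "alice", _ts("2023-01-10T09:00:00+00:00"),
          _ts("2023-05-30T11:15:00+00:00"), ("repo:write",)),
    Grant("app-old-crm", "oauth_app", "bob", _ts("2022-11-01T08:00:00+00:00"),
          _ts("2023-03-15T00:00:00+00:00"), ("contacts:read", "mail:send")),
    Grant("share-q1-budget", "file_share", "carol", _ts("2023-04-01T00:00:00+00:00"),
          None),
    Grant("app-dashboard", "oauth_app", "dave", _ts("2023-05-20T00:00:00+00:00"),
          _ts("2023-05-28T00:00:00+00:00"), ("analytics:read",)),
    Grant("share-onboarding", "file_share", "erin", _ts("2023-05-25T00:00:00+00:00"),
          None),
]


def review_grants(grants: Iterable[Grant], now: datetime, idle_days: int = 30,
                  departed_users: frozenset = frozenset()) -> List[Decision]:
    """Decide, per grant, whether it should be revoked under the idle and leaver rules."""
    idle_limit = timedelta(days=idle_days)
    decisions: List[Decision] = []
    for g in grants:
        # Leaver rule first: an account that has left the company loses every grant,
        # regardless of how recently the grant was used.
        if g.owner in departed_users:
            decisions.append(Decision(g.grant_id, "revoke", f"owner {g.owner} has left"))
            continue
        # Idle rule: a never-used grant is aged from the moment it was granted.
        last_activity = g.last_used_at or g.granted_at
        idle = now - last_activity
        if idle > idle_limit:
            how = "never used" if g.last_used_at is None else "idle"
            decisions.append(Decision(
                g.grant_id, "revoke",
                f"{how} for {idle.days} days (limit {idle_days})"))
        else:
            decisions.append(Decision(g.grant_id, "keep", f"active {idle.days} days ago"))
    return decisions


def revocation_list(decisions: Iterable[Decision]) -> List[str]:
    """Grant IDs to hand to the vendor's revoke API, in inventory order."""
    return [d.grant_id for d in decisions if d.action == "revoke"]


if __name__ == "__main__":
    for d in review_grants(INVENTORY, NOW, departed_users=DEPARTED_USERS):
        print(f"{d.action:6} {d.grant_id:18} {d.reason}")
```

Running it against the constructed inventory revokes `app-old-crm` (idle 78 days), `share-q1-budget` (never used, 61 days old) and `app-dashboard` (owner departed) and keeps the two recently active entries; the revocation list is what a scheduled job would feed to the provider's token-revocation or unshare endpoint.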