[BreachExchange] The 3 Scariest Security Blind Spots in SaaS Environments and Why They Exist
Audrey McNeil
audrey at riskbasedsecurity.com
Tue Mar 20 19:00:06 EDT 2018
https://www.cio.com/article/3263710/it-industry/the-3-
scariest-security-blind-spots-in-saas-environments-and-why-they-exist.html
Software-as-a-Service (SaaS) is transforming the modern workplace as we
know it.
But as SaaS adoption continues to rise and empower collaboration, it also
creates hard-to-see threats and unforeseen challenges for IT.
Recent news headlines (like Hundreds of Companies Expose PII, Private
Emails Through Google Groups Error, or Why Slack, Chatbots, And Freelance
Workers Have Your IT Department Freaking Out) are indicative of these
threats looming in the modern workplace. And with limited visibility into
their SaaS environments, many IT professionals aren’t sure where these
security threats reside or how to mitigate them—or that they’re even at
risk.
As the adage goes, “You don’t know what you don’t know.” IT is essentially
flying blind, but it’s not their fault. It’s nobody’s fault, as a matter of
fact. We have not yet arrived at a time when we have official
certifications or industry best practices in SaaS management.
IT has no way to get visibility into these hidden threats—aka blind spots,
something they didn’t even know existed—until a security incident happens.
Here are three of the most prevalent security blind spots in SaaS
environments and why they exist:
Number of super admins (it’s more than you think)
Here’s a question for you: On average, how many super admins do you have in
each SaaS app?
Most IT professionals believe they have one to three. However, we guarantee
that you have more than you think. We’ve seen that most IT teams in reality
have closer to 13-19 super admins.
Why does this happen? Employees often request elevated access to do a task
or project. Because SaaS apps lack granular admin roles, IT is forced to
assign super admin rights. However, these permissions are frequently left
open and never revoked, even when the task or project is completed. There
is no easy way to track or automate this process. As a result, you end up
with a glut of super admins—multiple people with the “nuclear codes” to the
missiles, so to speak. One of the most important security best practices is
the least privilege model, but SaaS admins can’t implement it.
Admin permissions is a universal blind spot, and a critical one at that.
Regulations like GDPR require you to control privileged access and minimize
them as much as possible. Super admins have tremendous amounts of access
and power. Do you really want 20+ people to have the “nuclear codes”? Each
additional admin is an additional endpoint to hack and only increases your
attack surface.
Number of ex-employees who still have access to data
Here’s another question for you: Are there any ex-employees who still have
access to your organization’s data? How would you go about finding out?
Would you know if they were continuing to log in? This is our second blind
spot.
76% of IT professionals believe that former employees still have access to
their organization’s data.
This high number speaks to the importance of proper offboarding. If
employees aren’t offboarded thoroughly and completely, then they retain
data access. And there’s a lot of damage ex-employees can do, particularly
if they’re disgruntled (see: Fired IT Guy Puts Porn in Ex-Boss' PowerPoint,
Gets Sweet Revenge).
This blind spot exists because offboarding is a very manual, time-consuming
process. Completely offboarding an employee (e.g., resetting sign-in
cookies, wiping their device, transferring group ownership) is cumbersome.
People put it off, much like chores or taxes, or they just forget to do
certain steps altogether. This is a critical blind spot because it’s
difficult for IT to know which ex-employees still have access, what level
of access they have, which apps they have access to, etc.
Amount of exposed confidential or sensitive data
There are multiple places (more than you might think) for data to be
exposed in SaaS environments.
In fact, 86% of IT professionals think (or aren’t sure if) they have
confidential or sensitive data exposed. Many IT professionals readily admit
or suspect their data is exposed, but they struggle with finding it. What
kind of data is exposed, and who is it exposed to? IT teams have little
visibility into these questions.
First, it’s important to point out that data exposure doesn’t just mean
files—this is a common misconception. Data exposure can occur through
emails, groups, calendars, and more in SaaS environments. Corporate data
has slipped out via Google Calendar; PII via Google Groups; proprietary
information via Slack.
Why does data exposure happen? Because the biggest advantage of SaaS is
also its biggest risk. The whole point of collaboration platforms is to
share data and, well, collaborate with others (both inside and outside your
organization). For example, you can invite external guests, like
contractors, into Slack channels or add them to an email distribution list.
But this is where the security risks lie. If external users retain access
after their contracts end, they’ll still remain privy to confidential
information for weeks, months, or even years.
Data exposure can be malicious, but it can also be purely accidental. Often
the difference between private and public default sharing settings is one
simple radio button in the admin console. All it takes is one wrong
click—and data can be exposed.
If documents are accidentally shared publicly by default, that’s a security
risk. If an employee innocently forwards corporate emails to (and shares
files with) his personal Gmail account, that’s a security risk. Your
exposure points have just multiplied—but how would you know any of this
happened? IT has little visibility into data exposure, which is why it’s a
major blind spot in SaaS environments.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20180320/65ff6b8d/attachment.html>
More information about the BreachExchange
mailing list