Combating Toxic Combinations of SaaS-Identity Risk


As organizations look to streamline operations and reduce costs, many turn to SaaS (software as a service) applications to get the services they need without investing heavily in infrastructure. These solutions are easy to set up and use, but many organizations skip the steps they would take to secure any other application. The result is what is known in SaaS security as a “toxic combination”: several individually minor identity risks that together create an unacceptable level of risk. A typical case is an employee reusing the same weak password across several critical apps, none of which enforces multi-factor authentication (MFA). That is the ideal situation for an attacker: a single leaked password grants access, and the missing controls make it easy to escalate privileges from there.

Unexpected Compromises

While this sounds simple on paper, getting control of every SaaS solution in an organization is easier said than done, which is why even organizations with vast resources fall prey to these attacks. CISA (the Cybersecurity and Infrastructure Security Agency) reported that a U.S. government agency was compromised through the administrative credentials of a former employee. The threat actor used those credentials to authenticate to a virtual private network (VPN), move through the internal environment, and run directory queries, gaining unauthorized access to sensitive data and internal systems.

Like many similar breaches, this one could have been averted had the agency secured its accounts. The former employee’s account was left enabled well after their employment ended, something a rigorous offboarding process would have caught. MFA would also have thwarted the attack: with a second factor required, the stolen password alone would not have been enough to authenticate, and the sensitive data behind it would have stayed protected.

Understanding Toxic Combinations

Attacks like this one are dangerous because they exploit common bad practices that allow for rapid escalation. Here, the organization left administrative access active and did not enforce MFA, making stolen credentials far easier to use. Users compound the problem with weak, easily guessable passwords, or by reusing one complex password across many accounts because managing a large number of distinct logins is hard.

Many organizations have this problem without knowing they are vulnerable. They run numerous SaaS and other IT assets that are not tracked or managed by their IT procurement processes, and in many cases those assets store sensitive data behind security controls that are not sufficient for what they protect.
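To make the idea of a toxic combination concrete, here is an added example in Python (not Savvy's product code) that scores combinations across a SaaS identity inventory. The inventory rows are constructed, and the field names (app, user, enabled, is_admin, mfa, sso, password_reused, termination_date) are assumptions standing in for whatever an inventory or identity tool actually exports. Each weakness scores low on its own; the score compounds when several land on the same account, and an admin account multiplies it, so the orphaned, password-only admin account comes out critical while the same password-only finding on an ordinary user is merely low.

```python
"""Score "toxic combinations" across a SaaS identity inventory.

Added example, not Savvy's product code.  The inventory rows are constructed
and the field names are assumptions standing in for whatever an inventory or
identity tool actually exports.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class Account:
    app: str
    user: str
    enabled: bool
    is_admin: bool
    mfa: bool                 # MFA enforced for this account
    sso: bool                 # authenticates via the org IdP, no local password
    password_reused: bool     # flagged by a password-audit or breach-reuse check
    termination_date: Optional[date] = None   # from HR; None = current employee


# Each weakness is minor on its own; the weight is its base score.
WEIGHTS = {"orphaned": 2, "password_only": 1, "reused_password": 1}


def weaknesses(acct: Account, today: date) -> list:
    """Individual findings for one account. A disabled account is not
    exploitable, so it yields nothing even if its other fields look bad."""
    if not acct.enabled:
        return []
    found = []
    if acct.termination_date is not None and acct.termination_date < today:
        found.append("orphaned")          # still enabled after offboarding
    if not acct.sso and not acct.mfa:
        found.append("password_only")     # a stolen password is enough to log in
    if acct.password_reused:
        found.append("reused_password")   # a leak elsewhere unlocks this app too
    return found


def score(acct: Account, today: date):
    """Sum the base weights, multiply by the number of findings (they compound,
    since each removes a control the others relied on), and triple the result
    for admin accounts because a takeover then reaches the whole tenant."""
    found = weaknesses(acct, today)
    if not found:
        return 0, []
    points = sum(WEIGHTS[w] for w in found) * len(found)
    if acct.is_admin:
        points *= 3
    return points, found


def severity(points: int) -> str:
    if points >= 6:
        return "critical"
    if points >= 3:
        return "high"
    if points >= 2:
        return "medium"
    return "low" if points else "none"


def audit(inventory, today: date):
    """One row per account with at least one weakness, worst first."""
    rows = []
    for acct in inventory:
        points, found = score(acct, today)
        if points:
            rows.append({"app": acct.app, "user": acct.user, "points": points,
                         "severity": severity(points), "findings": found})
    return sorted(rows, key=lambda r: (-r["points"], r["user"], r["app"]))


# Constructed inventory: (app, user, enabled, is_admin, mfa, sso, reused[, termination]).
INVENTORY = [
    Account("crm", "alice", True, True, True, True, False),
    Account("crm", "bob", True, False, False, False, False),
    Account("hr-portal", "bob", True, False, False, False, True),
    Account("vpn", "carol", True, True, False, False, False, date(2024, 1, 15)),
    Account("wiki", "dave", False, True, False, False, True, date(2024, 2, 1)),
    Account("billing", "erin", True, True, False, False, False),
]
TODAY = date(2024, 3, 1)

if __name__ == "__main__":
    for r in audit(INVENTORY, TODAY):
        print(f'{r["severity"]:8} {r["points"]:3}  {r["user"]}@{r["app"]}  '
              + ", ".join(r["findings"]))
```

The scoring rule is deliberately simple and meant to be tuned; the point is that findings are evaluated per account and combined, rather than counted as independent low-severity items that each fall below an alerting threshold. A disabled account yields no findings regardless of its other fields, because it is not exploitable, which is exactly why offboarding must disable rather than merely forget an account.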

Easy Exploitation

The lack of friction for threat actors makes attacks like these particularly effective. MFA exists to add a layer beyond the password, so that a password-based attack alone does not succeed. Without it, credentials are cheap to obtain and use: attackers acquire them through phishing, malware, or breaches of weakly secured sites, and then replay them in credential-stuffing attacks. With no second factor in the way, the same stolen credentials can be replayed across multiple sites, services, and SaaS tools with little resistance, leading to widespread access and damage.

Raising Security Bars

Organizations will inevitably be targeted by cybercriminals, but being breached is not inevitable. Eliminating toxic combinations of risk makes it significantly harder for attackers to compromise SaaS systems, and organizations improve their security posture by closing gaps and vulnerabilities before attackers can exploit them.

Knowing Where to Protect

Before an organization can secure its infrastructure, SaaS or otherwise, it needs to know what it has. Prioritizing security measures starts with a thorough assessment that identifies the critical data and applications in the SaaS environment. That assessment may require specialized security tools to locate and evaluate every SaaS asset, because many organizations have adopted SaaS outside the standard IT procurement pipeline and therefore have numerous unknown applications in which sensitive data may reside.

Once these SaaS products and their uses or stored data are identified, organizations can make informed decisions about adjusting their security. This may require changes to access management processes or oversight and monitoring of the environment.

Hardening SaaS

Implementing robust security controls is essential to hardening SaaS applications against attack. One critical measure is enforcing MFA on every user account, so a password alone is never enough to log in. Routing logins through single sign-on (SSO) backed by the organization's identity provider streamlines access and puts authentication, including MFA enforcement and account disablement, under central control. Role-based access control (RBAC) then ensures users have only the access their duties require, limiting what a compromised account can do. Regular audits of who has access to what keep that access centrally managed and surface unauthorized grants quickly so they can be removed.

It’s important to note that protections need to extend beyond access management. Monitoring is another vital control, as it helps detect suspicious activities in real time, allowing swift responses to potential threats and reducing the risk of breaches. An effective incident response plan is also crucial for a robust SaaS security strategy. This plan should outline precise procedures for detecting, responding to, and recovering from security incidents. Regular drills and updates to the incident response plan ensure that all team members are prepared to act swiftly during a breach, minimizing potential damage and ensuring rapid recovery.
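As an added example of the monitoring side (again not Savvy's code), the following Python rules run over constructed SaaS authentication events in JSON form, with assumed field names (ts, app, user, result, mfa, role), and flag the three patterns discussed above: a login on a terminated user's account, an admin login with no MFA, and one identity reaching several apps in quick succession with password-only logins, the replay pattern of stolen or stuffed credentials. The HR termination feed is likewise an assumption; real SaaS audit logs differ per vendor and must be mapped to this shape first.

```python
"""Detection rules over SaaS authentication events.

Added example, not Savvy's product code. The events are constructed JSON
lines with assumed field names (ts, app, user, result, mfa, role); real SaaS
audit logs differ per vendor and need mapping to this shape first. The HR
termination feed is likewise assumed.
"""
import json
from collections import defaultdict, deque
from datetime import date, datetime, timedelta

# Assumed HR feed: user -> last day of employment.
TERMINATED = {"carol": date(2024, 1, 15)}

REPLAY_WINDOW = timedelta(minutes=10)
REPLAY_APPS = 3   # distinct apps reached by password-only logins inside the window


def parse(line: str) -> dict:
    ev = json.loads(line)
    ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
    return ev


def detect(lines):
    """Return (rule, user, detail) alerts for events processed in order."""
    alerts = []
    recent = defaultdict(deque)   # user -> (ts, app) of password-only successes
    for ev in map(parse, lines):
        if ev["result"] != "success":
            continue              # failed attempts are out of scope for these rules
        user, app, ts = ev["user"], ev["app"], ev["ts"]

        # 1. Login on an account that offboarding should have disabled.
        last_day = TERMINATED.get(user)
        if last_day is not None and ts.date() > last_day:
            alerts.append(("terminated_user_login", user, app))

        # 2. Privileged access with only a password in the way.
        if ev["role"] == "admin" and not ev["mfa"]:
            alerts.append(("admin_without_mfa", user, app))

        # 3. One identity opening several apps in quick succession with
        #    password-only logins: the replay pattern of stolen credentials.
        if not ev["mfa"]:
            q = recent[user]
            while q and ts - q[0][0] > REPLAY_WINDOW:
                q.popleft()       # drop logins outside the sliding window
            new_app = all(a != app for _, a in q)
            q.append((ts, app))
            distinct = len({a for _, a in q})
            # Fire once, when a new app brings the count up to the threshold.
            if new_app and distinct == REPLAY_APPS:
                apps = []
                for _, a in q:
                    if a not in apps:
                        apps.append(a)
                alerts.append(("credential_replay", user, ",".join(apps)))
    return alerts


# Constructed events: a former admin's credentials used on the VPN, then the
# directory and CRM; an ordinary MFA-backed user; a failed login; and an admin
# on a billing app with no MFA.
EVENTS = [
    '{"ts":"2024-03-01T09:00:00Z","app":"vpn","user":"carol","result":"success","mfa":false,"role":"admin"}',
    '{"ts":"2024-03-01T09:01:10Z","app":"directory","user":"carol","result":"success","mfa":false,"role":"user"}',
    '{"ts":"2024-03-01T09:02:30Z","app":"crm","user":"carol","result":"success","mfa":false,"role":"user"}',
    '{"ts":"2024-03-01T09:05:00Z","app":"crm","user":"bob","result":"success","mfa":true,"role":"user"}',
    '{"ts":"2024-03-01T09:06:00Z","app":"hr-portal","user":"bob","result":"failure","mfa":false,"role":"user"}',
    '{"ts":"2024-03-01T09:30:00Z","app":"billing","user":"erin","result":"success","mfa":false,"role":"admin"}',
]

if __name__ == "__main__":
    for rule, user, detail in detect(EVENTS):
        print(f"{rule:24} {user:6} {detail}")
```

Rule 1 only works if the HR feed reaches the detection pipeline, which is the same dependency the offboarding process has; rule 3 uses a sliding window keyed on the user so that a burst of password-only logins across three apps fires a single alert rather than one per event. Failed attempts are skipped here, but a separate rule on failure volume per source is the natural companion for catching credential stuffing before it succeeds.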

Savvy Defends Against Dangerous Practices

Savvy employs an advanced, identity-first strategy to provide organizations with comprehensive visibility into their SaaS environments. This approach enables businesses to analyze and understand their SaaS landscape and operational practices thoroughly. With Savvy, companies can identify and rectify toxic risk combinations to maintain control over their SaaS ecosystems and bolster overall security.

Take charge of SaaS security, making it part of your overall IT organization rather than an exception. Schedule a demo to see Savvy in action.