Unmanaged SaaS Data Brings Supply Chain Risks

When access to software-as-a-service (SaaS) data goes unmanaged, the likelihood of both insider and external threats increases.

That’s why a new report from DoControl Inc. is so troubling. After assessing companies with an average of 1,000 employees and data stores with between 500,000 and 10 million assets, the SaaS company found that 40% of all SaaS data access is unmanaged. That means that as many as 200,000 of the assets might be shared publicly.

“This should be an immediate wake-up call for the industry. As enterprises move their data to the cloud, the potential exposure of that data mushrooms by orders of magnitude as insiders, partners and other pieces of the supply chain get access to that data,” said Howard Ting, CEO at Cyberhaven. “It is essential that enterprises start holding their SaaS vendors accountable and have auditable ways to know exactly who has access to their data and how it is protected.”

An average of 400 encryption keys are shared internally to anyone with a link, DoControl researchers noted, with 20% of SaaS assets “shared internally with a link, exposing many employees to data points they are not authorized to view.”

Even after more than a year of almost exclusively remote work, companies don’t seem to have driven home to employees the importance of keeping personal and professional assets separate – “8% of employees share their corporate account assets with their personal account, exposing company data to employees on an ongoing basis,” according to DoControl.

External SaaS Vulnerabilities

Internal threats were not the only risks. The report found that organizations’ SaaS access practices make them vulnerable to outside forces as well: they gave access to company data to between 1,000 and 15,000 external collaborators. And “between 200 and 3,000 external (specifically third-party) companies have access to company assets,” the report found.

If that’s not problematic enough, consider that “18% of SaaS application assets are shared externally and remain shared externally even after deleting users.”

“Unmanaged SaaS usage means that sensitive corporate data may proliferate to locations that were never envisioned to house that type of data,” said Sounil Yu, CISO and head of research at JupiterOne. In addition, “SaaS applications often integrate with other SaaS applications. If those integrations are also not managed, then organizations risk granting overly permissive and continuous access to their corporate data through multiple SaaS channels.”

SaaS applications, of course, are meant for collaboration, and it’s expected that they expand a company’s attack surface. But as DoControl CEO and co-founder Adam Gavish points out, organizations’ practices around managing access must shift to protect data assets. “To date, security practitioners have focused on enabling SaaS access in a secure manner, but now is the time to prioritize the relevancy of this data access internally and externally,” Gavish said in a statement. “Unmanageable data access poses a significant risk to any organization and increases the likelihood of a data breach.”

Noting that “SaaS has become the go-to technology solution in the enterprise over the past decade and is now increasingly important in day-to-day business operations,” Tim Bach, vice president of engineering at AppOmni, said applications such as Salesforce, ServiceNow, Workday, Microsoft365, GSuite, Box and Slack have grown in importance, supporting “the vital activities of every line of business” within organizations.

Securing Multi-Cloud Environments

But the SaaS multi-cloud environment is notoriously hard to secure. “There are production data stores (SQL, NoSQL, caches, queues, …), analytics data lakes, etc… that contain sensitive data and talk to the internet,” explained Mohit Tiwari, co-founder and CEO at Symmetry Systems. “And each data store exposes a different set of knobs—encryption, access control, etc.—that are hard to set up and keep synchronized.”

The ubiquity and convenience that make the apps nearly invisible to users “creates a paradox,” said Bach. “By almost any objective criteria—sensitivity of data, importance to business operations, need for data integrity, etc.—these applications and the data they contain are part of the critical IT infrastructure stack. But they receive little attention from administrators responsible for managing and securing critical enterprise IT.”

SaaS, he said, doesn’t typically receive the “same level of due diligence as IaaS, bare metal and other elements of the IT infrastructure stack.”

Organizations, then, become “vulnerable to leaks and breaches that can compromise the integrity of sensitive information, disrupt operations and damage reputation and market value,” said Bach. “We, as security practitioners, need to treat SaaS as critical infrastructure and invest accordingly to secure it.”

To address these challenges, “organizations first need visibility into what SaaS applications are being used,” said Yu. “Furthermore, organizations should explicitly review the permission scope of SaaS applications and approve them before they are allowed to authenticate through their identity provider.”

Additionally, Yu said, “organizations will need to be attentive to those SaaS applications that are accessed outside of using SSO.”

Companies, it seems, need to heed Tiwari’s advice to “fundamentally rethink how to monitor where their sensitive data is, how it is protected, and how it is being used.”
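The checks the article keeps returning to (public and “anyone with the link” shares, external shares that outlive a deleted user, third-party apps with broad permission scopes or no SSO) can be expressed as a small audit over a sharing inventory. The script below is an added example written for this page; it is not code from DoControl, AppOmni or any vendor named above. It runs over a constructed inventory embedded inline, and the share types, user names and scope strings are illustrative assumptions, not any real tenant’s data or any provider’s actual scope names.

```python
"""Audit a constructed SaaS inventory for the exposure patterns the
article describes: publicly shared assets, 'anyone with the link'
internal shares, external shares that remain after the sharing user was
deleted, and third-party app grants that are unapproved, over-scoped,
granted outside SSO, or held by an offboarded user.
All data here is constructed for illustration."""
from collections import Counter
from dataclasses import dataclass, field

# Assumption: illustrative scope names a reviewer would treat as over-broad.
BROAD_SCOPES = {"drive.full", "mail.readwrite", "directory.readwrite"}


@dataclass
class Asset:
    name: str
    owner: str
    share: str                       # "private" | "internal_link" | "external" | "public"
    external_domains: list = field(default_factory=list)


@dataclass
class AppGrant:
    app: str
    user: str
    scopes: set
    via_sso: bool


# Constructed sample inventory; "carol" has been offboarded but her shares
# and grants were never revoked.
ACTIVE_USERS = {"alice", "bob"}
ASSETS = [
    Asset("q3-forecast.xlsx", "alice", "private"),
    Asset("onboarding.docx", "bob", "internal_link"),
    Asset("vendor-contract.pdf", "carol", "external", ["partner.example"]),
    Asset("press-kit.zip", "bob", "public"),
    Asset("payroll.csv", "alice", "external", ["personal-mail.example"]),
]
APPROVED_APPS = {"calendar-sync"}      # apps reviewed and allowed via the IdP
GRANTS = [
    AppGrant("calendar-sync", "alice", {"calendar.read"}, via_sso=True),
    AppGrant("pdf-helper", "bob", {"drive.full"}, via_sso=False),
    AppGrant("notes-app", "carol", {"drive.readonly"}, via_sso=True),
]


def audit_assets(assets, active_users):
    """Map each finding type to the asset names that trigger it."""
    findings = {"public": [], "internal_link": [], "orphaned_external": []}
    for a in assets:
        if a.share == "public":
            findings["public"].append(a.name)
        elif a.share == "internal_link":
            findings["internal_link"].append(a.name)
        elif a.share == "external" and a.owner not in active_users:
            # The external share is still live although its owner was deleted.
            findings["orphaned_external"].append(a.name)
    return findings


def unmanaged_ratio(assets):
    """Fraction of assets whose access is not explicitly managed, i.e.
    anything other than a private share (the report's 40% figure is this
    kind of ratio)."""
    if not assets:
        return 0.0
    return sum(1 for a in assets if a.share != "private") / len(assets)


def audit_grants(grants, approved_apps, active_users, broad_scopes=BROAD_SCOPES):
    """Map each finding type to (app, user) pairs that trigger it."""
    findings = {"unapproved": [], "broad_scope": [], "no_sso": [], "offboarded_user": []}
    for g in grants:
        if g.app not in approved_apps:
            findings["unapproved"].append((g.app, g.user))
        if g.scopes & broad_scopes:
            findings["broad_scope"].append((g.app, g.user))
        if not g.via_sso:
            findings["no_sso"].append((g.app, g.user))
        if g.user not in active_users:
            findings["offboarded_user"].append((g.app, g.user))
    return findings


def external_domain_counts(assets):
    """Count how many assets each external domain can reach; a personal
    mail domain here is the 'corporate to personal account' pattern."""
    return Counter(d for a in assets if a.share == "external" for d in a.external_domains)


if __name__ == "__main__":
    print("assets:", audit_assets(ASSETS, ACTIVE_USERS))
    print("unmanaged ratio:", unmanaged_ratio(ASSETS))
    print("grants:", audit_grants(GRANTS, APPROVED_APPS, ACTIVE_USERS))
    print("external domains:", external_domain_counts(ASSETS))
```

In practice the two inventories would be pulled from each SaaS platform’s admin or audit API and the identity provider’s application list, and the `orphaned_external` and `offboarded_user` findings are the ones to wire into the offboarding workflow, since they are exactly the shares and grants that the report says persist after a user is deleted.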

Teri Robinson

From the time she was 10 years old and her father gave her an electric typewriter for Christmas, Teri Robinson knew she wanted to be a writer. What she didn’t know is how the path from graduate school at LSU, where she earned a Masters degree in Journalism, would lead her on a decades-long journey from her native Louisiana to Washington, D.C. and eventually to New York City where she established a thriving practice as a writer, editor, content specialist and consultant, covering cybersecurity, business and technology, finance, regulatory, policy and customer service, among other topics; contributed to a book on the first year of motherhood; penned award-winning screenplays; and filmed a series of short movies. Most recently, as the executive editor of SC Media, Teri helped transform a 30-year-old, well-respected brand into a digital powerhouse that delivers thought leadership, high-impact journalism and the most relevant, actionable information to an audience of cybersecurity professionals, policymakers and practitioners.
