SaaS continues to represent an ever-expanding component of an organization’s attack surface. Lately, we’ve seen a spike in interest in SaaS management and SaaS security products largely driven by a significant increase in data breaches originating from SaaS applications. As yet another example of the complexities caused by SaaS, 2023 kicked off with Slack announcing it detected a “security issue involving unauthorized access to a subset of Slack’s code repositories.” Slack said an unknown threat actor stole Slack employee tokens and used them to access its external GitHub repository and download some of the company’s code.
The increasing number and scope of GitHub-related security breaches affecting widely adopted SaaS applications show how vulnerable confidential intellectual property and sensitive data can be.
The emerging market of SaaS Management solutions aims to tackle not only operational but also security challenges of SaaS around specific applications like GitHub.
Let’s take a deep dive into the best practices and specific areas those solutions may help address.
Our recommendations on keeping your organization safe
What practices can you implement right now to improve your SaaS security posture and minimize your vulnerability to this type of threat? We identified a few valuable initiatives worth putting in place:
- Off-boarding users: Properly off-board users by reviewing and closing gaps in business-critical apps and conducting a quarterly review of users who left the company. This will ensure that users can’t access sensitive data after they have left, and that potential attackers won’t be able to target the off-boarded user accounts.
- Token management: Review tokens that were created for specific apps and remove all tokens that you deem unnecessary, expired, or misconfigured. Removing these tokens reduces your organization's supply chain risk and protects your data from being compromised in the event of a breach in a given SaaS application. For example, you may want to check that all tokens can only be used by accepted IP addresses.
- Monitoring logs: Download audit logs and analyze them for unusual activity (such as browsing from unusual locations) at least every six months. This ensures that your organization meets compliance standards for SaaS security. It also allows you to run a sanity test of sorts on your environment to ensure that there’s no clearly suspicious activity occurring.
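
The three practices above can be combined into a single pass over exported audit logs. The following is an added example, not code from Axonius or any SaaS vendor: the event field names, the accepted IP range, the off-boarding list, and the per-user location baseline are all assumptions constructed for illustration.

```python
import ipaddress
from datetime import datetime

# Assumed reference data, constructed for this example.
ACCEPTED_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]  # accepted token source range
OFFBOARDED = {"bob": datetime(2023, 1, 10)}                   # user -> departure date
USUAL_COUNTRIES = {"alice": {"US"}, "bob": {"US"}, "ci-bot": {"US"}}

# Constructed audit events; the field names are hypothetical, not a real SaaS export schema.
EVENTS = [
    {"ts": "2023-01-05T09:00:00", "actor": "alice", "auth": "session",
     "ip": "203.0.113.7", "country": "US", "action": "repo.view"},
    {"ts": "2023-01-12T02:14:00", "actor": "bob", "auth": "token",
     "ip": "198.51.100.23", "country": "US", "action": "repo.clone"},
    {"ts": "2023-01-13T03:30:00", "actor": "alice", "auth": "session",
     "ip": "192.0.2.55", "country": "BR", "action": "repo.view"},
    {"ts": "2023-01-14T11:00:00", "actor": "ci-bot", "auth": "token",
     "ip": "203.0.113.40", "country": "US", "action": "repo.clone"},
]

def ip_accepted(ip):
    """True if the address falls inside one of the accepted networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ACCEPTED_NETWORKS)

def review(events):
    """Return (timestamp, actor, reason) for every event that needs follow-up."""
    findings = []
    for e in events:
        when = datetime.fromisoformat(e["ts"])
        left = OFFBOARDED.get(e["actor"])
        # Off-boarding: any activity dated after the user's departure.
        if left and when > left:
            findings.append((e["ts"], e["actor"], "activity after off-boarding"))
        # Token management: token presented from outside the accepted IP ranges.
        if e["auth"] == "token" and not ip_accepted(e["ip"]):
            findings.append((e["ts"], e["actor"], "token used from non-accepted IP"))
        # Log monitoring: location not in the user's known baseline.
        if e["country"] not in USUAL_COUNTRIES.get(e["actor"], set()):
            findings.append((e["ts"], e["actor"], "unusual location"))
    return findings

if __name__ == "__main__":
    for finding in review(EVENTS):
        print(*finding, sep="  ")
```

An event can match more than one rule, so a token still in use by an off-boarded user shows up under both findings and can be prioritized for revocation.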
Taking control of the SaaS attack surface with Axonius
By adopting the new approach to SaaS, Axonius lets customers address both the security risk and operational challenges of SaaS.
Axonius SaaS Management enables customers to effectively put these best practices into action by:
- Providing a detailed view of SaaS application settings and configurations, and helping security personnel quickly identify misconfigured ones.
- Ensuring visibility into user behavior within SaaS applications over time to identify suspicious behavior, account takeovers, and compromised accounts. It allows organizations to review the audit logs for events and incidents, and filter the data by date, location, application, and more. Such events can include admins that log into their accounts very shortly after the accounts are created or the addition of admin permissions to user accounts in a given SaaS application.
- Allowing detection of local, unused, and inactive service accounts and other types of user accounts.
- Giving a full view of active tokens and their access to company data.
- Supporting remediation efforts, like the suspension of suspicious or inactive user accounts, removal of discovered app-to-app connections with access to sensitive company data, and more.