Organizations of all types have fallen in love with the convenience of software as a service (SaaS) apps. They offer a cost-effective, scalable, and reliable way for companies to quickly optimize business operations.
But SaaS application use is also posing some security challenges, many of which relate to configurations — or more accurately, misconfigurations that, if left unchecked, leave IT ecosystems open to security risks.
Misconfigurations can occur in any SaaS application, regardless of how prominent or well-known the SaaS provider may be. By 2019, SaaS application use was in full swing with countless businesses migrating to Office 365 to improve their business operations. Little did these new SaaS customers understand just how complex the configuration and permission settings were, and just how vulnerable those misconfigured settings could leave them. The concern over misconfigurations was so alarming that the U.S. Cybersecurity and Infrastructure Security Agency (CISA) published a report (AR19-133A) recommending best practices in hopes of mitigating risk during migration.
Fast forward to today, and prominent SaaS and PaaS applications still pose security challenges that put their users and their users’ end customers at risk. For example, misconfigured portal settings on Microsoft Power Apps, a low-code app development platform, exposed 38 million end customer records in August 2021. And while the shared responsibility model holds SaaS vendors responsible for some aspects of SaaS in the cloud, user access, identity, and data accountability rest with SaaS users.
To say that SaaS configurations matter understates their importance. Some experts estimate that misconfigurations account for the majority of cloud breaches, and with SaaS usage on the rise, minimizing misconfiguration issues has become a top priority for IT and security teams.
Let’s look at the top misconfiguration issues and how to resolve them.
SaaS Misconfigurations
A recent study by identity and access management firm Okta revealed that their single sign-on authentication customers average 88 SaaS applications per unique user, with larger companies of 2,000 and more employees averaging 175 applications per user, and smaller firms under 1,999 employees averaging 73 applications per user. That’s a lot of settings with a lot of potential misconfigurations.
Configuration settings are unique to each SaaS application. They allow the user to modify the app with predefined options to best integrate with their internal systems and preferences.
How many configuration settings exist for an individual SaaS application? That number varies depending on the app itself but can easily include tens or hundreds of settings each.
With potentially hundreds of SaaS applications and configuration settings for each, and with thousands of users, misconfigurations are inevitable. Configuration management can easily become an extensive effort necessitating countless person-hours to configure and maintain settings. Frequent updates inherent in SaaS platforms compounds this challenge.
The more SaaS applications that IT and security teams manage, the less likely ongoing configuration maintenance will happen – admins just don’t have enough time to individually check and update potential issues. The resulting misconfigurations can make apps publicly accessible, and attackers can leverage weak configuration settings to access sensitive data.
Configuration Drift
With so many moving parts, it’s easy to understand that drift happens. Configuration drift is when SaaS application configurations fall out of alignment with the originally defined configuration. Although not uncommon, when unresolved, drift can lead to security gaps that pose threats.
Configuration drift happens when software or hardware changes are made to infrastructure but not adjusted in the configuration settings of an app. Although configuration drift is unavoidable, regular configuration review minimizes drift, ensuring configuration settings remain in alignment with the originally defined configuration.
Excessive Permissions and Identity and Access Management
As SaaS adoption continues to rise, controlling who’s granted access to which applications becomes increasingly important. Identity and access controls make up a large percentage of settings that security teams need to manage. SaaS users may have admin rights or excessive privileges, which pose data security risks, including insider threats.
Orphaned or unused accounts also put organizations at risk. Independent research suggests that up to 36% of employees have continued to have access to systems or data from an employer after they have left a job. And while it’s estimated that only 9% of former employees use that access, it clearly represents a considerable risk to businesses.
Curbing SaaS Misconfiguration Challenges
Getting deeper visibility into SaaS apps and their interconnectivity within the organization, understanding security coverage and configuration, and controlling SaaS spend is more important than ever. Axonius SaaS Management solves the SaaS challenge for IT, security, risk, and finance teams and gives a single source of truth into the organization’s SaaS application landscape.
With its comprehensive approach to SaaS management, Axonius discovers both known and unknown SaaS applications, providing complete and actionable visibility into all data types and interconnectivity flows. It uncovers various security risks that put sensitive customer and business data at risk — including identifying misconfigured SaaS settings. And it uncovers data security risks and delivers actionable insights for better IT management and cost optimization.
Axonius SaaS Management enables security teams to gain full control and combat complexity and risk across their entire SaaS applications environment.
