SaaS Adoption Soaring, Apple and Hulk Hogan
Today, Software as a Service (SaaS) applications are the cornerstone of driving the business forward. Adoption rates have continued to soar so much that software vendors have had to adjust the way their solutions are consumed and deployed. Analysts predicted that by the end of last year 80% of historical vendors would offer subscription-based business models, regardless of where the software resides.
Businesses wanted more SaaS and subscription-based offerings and the market responded.
The old Apple slogan of “there’s an app for that” rings true in the world of SaaS. There’s an app for almost every aspect of doing business for organizations of all sizes and types. The genesis of the SaaS application was to help streamline productivity, allowing the organization to focus on growing the business more easily.
Like Hulk Hogan in the 80’s, SaaS is “running wild.” But “whatcha gonna do” when each application has dramatically different (and insufficient) security capabilities in terms of access controls, and there’s no realistic way to enforce consistent policy across all of the applications that are being utilized?
Potential Pitfalls and Security Gaps
In this blog we are going to focus on three of the most widely adopted SaaS applications, based on revenue and growth, as well as just general popularity. We will highlight the pitfalls and security gaps (note: these apps are not inherently insecure!), and how DoControl can help deliver a single, unified strategy to SaaS application security and reduce the risk of both data exfiltration and cyberattacks.
1. Google Workspace
Google Workspace enables teams of all sizes to connect, create, collaborate and be productive. From Gmail to Google docs, slides, sheets and more, Workspace provides the foundational tools to do business.
Almost everyone is familiar with Google Workspace, so let’s dive right into the security gaps and pitfalls:
Lack of visibility: It is extremely challenging to keep track of what’s been shared and with whom, and ultimately who has access to specific files and folders. Due to the sheer number of users and assets, this challenge quickly becomes unmanageable, even for smaller organizations. At the enterprise level it's even more challenging once you factor in organic company growth, increased reliance on 3rd party vendors, or a strategic acquisition of another company. There's a long list of users and entities who have access to your SaaS app data.
Moreover, in some cases employees might inadvertently share data outside of the organization. For example, a link that’s been provided to the entire organization can actually (depending on the org’s settings) be easily changed to make a file or a folder public. Another example is sharing files with personal accounts, which often happens when opening and sharing files from mobile devices.
Gaps in Enforcement: Google’s administrator console surprisingly does not feature a great UX for admins. Trying to locate the information you need requires a decent amount of manual work, and removing permissions is not intuitive and requires more time and effort than it should. For example, removing permissions for an external collaborator can only be achieved by going to each individual asset and removing them. The combination of this experience with the limited visibility mentioned above makes it harder for administrators to act in a timely manner.
Departing Employees: When an employee is leaving an organization, their accounts and credentials are revoked as part of the offboarding process. However, what is not revoked or decommissioned is everything that was shared by that user throughout their time at the company. That data remains accessible to those it was shared with, and requiring the IT team to go into each individual user’s account and remove all shared files is not a feasible option. The longer the employee’s tenure, the more sensitive files are likely floating out there in the ether. This introduces the risk of data exfiltration as well as account takeover attacks.
3rd Party Access: In terms of securing 3rd party workflows, there’s currently no way to prevent a Google Doc on a shared drive from being shared by an approved 3rd party with other vendors (i.e. a 4th-party vendor). This downstream effect of file sharing to potentially unapproved vendors creates the risk of data leakage.
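The visibility and departing-employee gaps above come down to one question: for each file, which grants reach outside the company domain? The following Python is an added example (not DoControl's code, and not Google's) that answers it over a constructed set of records. The record shape is modelled on the `files`, `owners` and `permissions` fields returned by the Drive API v3 `files.list` call (permission `type` of `user`, `group`, `domain` or `anyone`); the domain `example.com`, the file names and the addresses are all constructed for the sample.

```python
"""Audit constructed Google Drive sharing records for public, external and
departed-owner exposure. Added example; the records below are constructed and
only modelled on the Drive API v3 files.list response shape."""
from collections import defaultdict

COMPANY_DOMAIN = "example.com"  # assumption: the organisation's primary Workspace domain

# Constructed sample, shaped like files.list entries requested with the fields
# id, name, owners(emailAddress) and permissions(type, role, emailAddress, domain).
SAMPLE_FILES = [
    {
        "id": "f1",
        "name": "Q3 headcount plan.xlsx",
        "owners": [{"emailAddress": "hr-lead@example.com"}],
        "permissions": [
            {"type": "user", "role": "owner", "emailAddress": "hr-lead@example.com"},
            {"type": "user", "role": "writer", "emailAddress": "contractor@vendor.io"},
        ],
    },
    {
        "id": "f2",
        "name": "Board deck.pptx",
        "owners": [{"emailAddress": "cfo@example.com"}],
        "permissions": [
            {"type": "user", "role": "owner", "emailAddress": "cfo@example.com"},
            {"type": "anyone", "role": "reader"},  # org-wide link flipped to public
        ],
    },
    {
        "id": "f3",
        "name": "Lunch menu.docx",
        "owners": [{"emailAddress": "alice@example.com"}],
        "permissions": [
            {"type": "user", "role": "owner", "emailAddress": "alice@example.com"},
            {"type": "domain", "role": "reader", "domain": "example.com"},
        ],
    },
    {
        "id": "f4",
        "name": "Customer list.csv",
        "owners": [{"emailAddress": "hr-lead@example.com"}],
        "permissions": [
            {"type": "user", "role": "owner", "emailAddress": "hr-lead@example.com"},
            {"type": "user", "role": "reader", "emailAddress": "hr-lead@gmail.com"},  # personal account
        ],
    },
]


def is_external(perm, company_domain):
    """True if a single permission entry grants access outside the company domain."""
    ptype = perm.get("type")
    if ptype == "anyone":
        return True
    if ptype == "domain":
        return perm.get("domain", "").lower() != company_domain
    if ptype in ("user", "group"):
        email = perm.get("emailAddress", "").lower()
        return not email.endswith("@" + company_domain)
    return False


def exposure_report(files, company_domain=COMPANY_DOMAIN):
    """Classify each file as 'public' (anyone with the link), 'external'
    (at least one grant outside the domain) or 'internal'."""
    report = {}
    for f in files:
        perms = f.get("permissions", [])
        if any(p.get("type") == "anyone" for p in perms):
            report[f["id"]] = "public"
        elif any(is_external(p, company_domain) for p in perms):
            report[f["id"]] = "external"
        else:
            report[f["id"]] = "internal"
    return report


def departing_user_exposure(files, user_email, company_domain=COMPANY_DOMAIN):
    """Offboarding sweep: files owned by the departing user that remain reachable
    from outside. Returns {file id: [external grantee, ...]}; the owner's own
    grant is ignored because the account itself is being revoked."""
    exposed = defaultdict(list)
    for f in files:
        owners = {o.get("emailAddress", "").lower() for o in f.get("owners", [])}
        if user_email.lower() not in owners:
            continue
        for p in f.get("permissions", []):
            if p.get("role") == "owner" or not is_external(p, company_domain):
                continue
            exposed[f["id"]].append(p.get("emailAddress") or p.get("domain") or "anyone")
    return dict(exposed)


if __name__ == "__main__":
    for fid, cls in exposure_report(SAMPLE_FILES).items():
        print(f"{fid}: {cls}")
    print(departing_user_exposure(SAMPLE_FILES, "hr-lead@example.com"))
```

Against a real tenant the same two functions would be fed the paginated output of `files.list`; the point of the example is that the classification has to be done per grant, since a file is only as private as its most permissive permission entry.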
2. Slack
Slack - or for the uninformed “Searchable Log of All Conversation and Knowledge” - reigns supreme as one of the most popular communication tools out there. Slack is loved by pretty much all users, both non-technical and technical, and is a great way to communicate and stay engaged (especially throughout the pandemic).
...and now, the security gaps and pitfalls of Slack:
Channels Shared Externally: Slack enables an organization to create a shared channel with any other organization of its choosing. This is obviously invaluable in trying to increase productivity and communication with external organizations, but it also means that data in these channels - files in particular - is exposed to those external actors who are members of the channel. In addition you have no control over who gets access to the channel from the external organization (i.e. there’s no control over the channel’s visibility and who can join it on behalf of the other organization).
Files: Slack is a very convenient way to share needed information across teams and departments. More often than not, this means sharing files in public channels (i.e. channels that are open for the entire organization). The issue is that once files are uploaded, they remain accessible to anyone unless they are actively deleted (which in the case of Slack is even more cumbersome and inconvenient compared to other apps, especially at scale). This is especially true for sensitive information such as files that contain encryption keys, which people tend to share for legitimate business purposes but often neglect to remove.
Everyone Can be a Member: Inclusivity is not always a good thing. There’s currently no prerequisite or requirement for Slack members to register with the company’s domain, and private emails may very well be used. This is potentially problematic as private emails do not necessarily have the required policies a company would demand (e.g. Multi-Factor Authentication (MFA)), which may put them at higher risk for a cyberattack.
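The three Slack gaps above (externally shared channels, files that linger in open channels, and members registered on non-company or MFA-less accounts) are each checkable from workspace metadata. The Python below is an added example, not DoControl's or Slack's code, run over constructed records whose field names are modelled on Slack's `users.list`, `conversations.list` and `files.list` objects (`profile.email`, `has_2fa`, `is_private`, `is_ext_shared`, `created`, `channels`); treat those names, the 90-day retention threshold, the `example.com` domain and the fixed clock as assumptions of the sample.

```python
"""Audit constructed Slack workspace metadata for the three gaps described above.
Added example; the records are constructed and only modelled on Slack's
users.list, conversations.list and files.list object shapes."""
from datetime import datetime, timedelta, timezone

COMPANY_DOMAIN = "example.com"        # assumption: the organisation's mail domain
FILE_MAX_AGE = timedelta(days=90)     # assumption: how long a file may sit in an open channel
NOW = datetime(2021, 6, 1, tzinfo=timezone.utc)  # fixed clock so the sample is deterministic


def ts(year, month, day):
    """Unix timestamp for a UTC date, matching the integer 'created' field."""
    return int(datetime(year, month, day, tzinfo=timezone.utc).timestamp())


# Constructed members (users.list shape).
SAMPLE_USERS = [
    {"id": "U1", "profile": {"email": "alice@example.com"}, "has_2fa": True},
    {"id": "U2", "profile": {"email": "bob@gmail.com"}, "has_2fa": True},      # personal address
    {"id": "U3", "profile": {"email": "carol@example.com"}, "has_2fa": False}, # no MFA
    {"id": "U4", "profile": {"email": ""}, "is_bot": True},
    {"id": "U5", "profile": {"email": "dave@hotmail.com"}, "deleted": True},
]

# Constructed channels (conversations.list shape).
SAMPLE_CHANNELS = [
    {"id": "C1", "name": "general", "is_private": False, "is_ext_shared": False},
    {"id": "C2", "name": "vendor-acme", "is_private": False, "is_ext_shared": True},
    {"id": "C3", "name": "finance-private", "is_private": True, "is_ext_shared": False},
]

# Constructed uploads (files.list shape).
SAMPLE_FILES = [
    {"id": "F1", "name": "prod-signing-key.pem", "created": ts(2021, 1, 10), "channels": ["C1"]},
    {"id": "F2", "name": "offsite-agenda.pdf", "created": ts(2021, 5, 20), "channels": ["C1"]},
    {"id": "F3", "name": "payroll.xlsx", "created": ts(2020, 12, 1), "channels": ["C3"]},
    {"id": "F4", "name": "sow-draft.docx", "created": ts(2021, 5, 25), "channels": ["C2"]},
]


def risky_members(users, company_domain=COMPANY_DOMAIN):
    """Active human members registered outside the company domain or without 2FA.
    Returns {email: [reason, ...]}."""
    findings = {}
    for u in users:
        if u.get("deleted") or u.get("is_bot"):
            continue
        email = u.get("profile", {}).get("email", "").lower()
        reasons = []
        if not email.endswith("@" + company_domain):
            reasons.append("non-company email")
        if not u.get("has_2fa"):
            reasons.append("no 2FA")
        if reasons:
            findings[email] = reasons
    return findings


def stale_public_files(files, channels, now=NOW, max_age=FILE_MAX_AGE):
    """Files posted to at least one non-private channel and older than max_age:
    the 'uploaded and never removed' case."""
    by_id = {c["id"]: c for c in channels}
    stale = []
    for f in files:
        created = datetime.fromtimestamp(f["created"], tz=timezone.utc)
        in_public = any(not by_id[c].get("is_private") for c in f.get("channels", []) if c in by_id)
        if in_public and now - created > max_age:
            stale.append(f["id"])
    return stale


def files_in_shared_channels(files, channels):
    """Files that live in a channel shared with another organisation, i.e.
    content already visible to members you do not control."""
    ext = {c["id"] for c in channels if c.get("is_ext_shared")}
    return [f["id"] for f in files if ext.intersection(f.get("channels", []))]


if __name__ == "__main__":
    print(risky_members(SAMPLE_USERS))
    print(stale_public_files(SAMPLE_FILES, SAMPLE_CHANNELS))
    print(files_in_shared_channels(SAMPLE_FILES, SAMPLE_CHANNELS))
```

Deleted and bot accounts are skipped on purpose: they are not a member-policy problem, and including them would bury the two findings that need action (a personal address and a member without MFA).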
3. Box
Keeping in line with the theme of collaboration, the average company needs to interact with a number of different entities, from teammates to customers to partners and vendors. Box enables everyone to get on the same page with one place to work together easily on business-critical content.
Sharing is caring, until it's not.
...and now, the security gaps and pitfalls of Box:
Visibility: The same problem exists with Box as highlighted above with Google: there is a big lack of visibility tools provided out-of-Box (pun 100% intended). The application offers no way to build a strong understanding of each identity/entity and what they have access to. What elevates the problem of visibility is the fact that most organizations use a number of applications that have this exact issue. So not only does the problem exist, it becomes compounded with each application that is being leveraged that has this challenge with visibility.
Gaps in Enforcement: While there’s an ability to enforce certain policies organization-wide, these policies tend to be limited to generic CRUD (create, read, update and delete), and lack the necessary granularity to provide strong security. Moreover, enforcing an action after the fact (e.g. remove external sharing) is not a trivial thing.
One Hand to Shake for Consistent SaaS App Security
In both the Google and Box instances, DoControl provides the ability to slice and dice the data at a very granular level. We provide full visibility and asset management within the SaaS estate, with advanced filtering and search capabilities that allow you to drill down deep into the data and corresponding files. For example, with DoControl you can filter to show only specific assets that are shared externally and owned by any given group or domain, such as the Human Resources team - or some other entity that has access to privileged datasets.
Not only do we provide the visibility security teams need, we also provide granular means to enforce company policy across Slack, Google, Box, Microsoft O365 (SharePoint, OneDrive, Teams, etc.) and many other popular SaaS apps. For instance, removing specific external collaborators (or all of them), removing public sharing, or changing the owners of assets. We can identify high-risk users and behaviors at the application level, which otherwise wouldn’t be captured. The DoControl solution centralizes all of the required capabilities that are lacking from each application provider, and enforces consistent data access control policies to mitigate the risk of data exfiltration and cyberattacks.
SaaS applications are meant to streamline productivity and enable the business. Let DoControl ensure that is achieved in a secure way.
Get started today and request a demo.
This stat comes from the industry report we published earlier this year: The Immense Risk of Unmanaged SaaS Data Access. It’s a great read. We recommend you check it out.
Just as is with the cloud, securing SaaS is a shared responsibility. Providers are responsible for ensuring the security of their platforms, but there is an onus on the organization consuming the service to protect themselves from data overexposure and exfiltration, as well as cyber breaches and attacks.
We started 2021 by unveiling our first MVP, which was designed and built based on feedback from multiple design partners and friendly customers. This initial cluster of customers truly helped us validate and shape the first product value proposition. If you’re reading this, thank you so much for all the support, feedback, and time. We generally believe it’s never too early to go outside of the building and show your product to your target market, in our case Security and IT practitioners.