
Achieving Least Privilege Model on SaaS Applications

In today’s business reality of increasingly distributed workflows that allow employees to work remotely and facilitate external collaboration with contractors, partners, customers, and others, software-as-a-service (SaaS) solutions are steadily gaining traction in nearly every industry and all phases of business operations. SaaS solutions make work more efficient. But there’s a downside, too. This growing dependence on cloud-based software means data is being stored outside the corporate perimeter, increasing company exposure to a growing cyber threat that many executives either don’t recognize or don’t know how to address.

Those who understand the SaaS marketplace are undoubtedly familiar with Gartner’s prediction for market growth: Spending on SaaS solutions is projected to rise from just over $100 billion in 2019 to more than $138 billion by 2022. So the problem of unmanageable data access due to the pervasiveness of SaaS applications is just getting bigger over time. 

Illustrating the Unmanaged Data Access Problem Due to SaaS Applications

Consider a hypothetical wherein Acme Enterprise hires Top Tech, a technical services provider, to perform a custom integration of Acme’s infrastructure stack. The project goes as planned, but afterward, Acme neglects to turn off Top Tech’s access to its systems and doesn’t even know exactly what access Top Tech has. Acme is running a risk that someone at Top Tech will take advantage of this opening and secretly exploit it. 

Alternatively, even if Top Tech’s integrity is beyond question, Acme is still vulnerable to exploitation of Top Tech by bad actors. If a single Top Tech endpoint is breached, the takeover of that Top Tech account can serve as a springboard for the attacker to make the jump over to Acme’s networks and data. Acme has no influence over Top Tech's security program, which may or may not meet Acme's requirements. By allowing Top Tech's access to Acme's company data to persist, Acme is subject to potential data breaches suffered by Top Tech's employees.

With all the external collaboration that is commonplace today, once a project is delivered, it’s not unusual for the company to fail to return to the SaaS applications employed in the project and remove company data that’s been shared or shut down access privileges for external parties. Or when a SaaS application has an ongoing use beyond the project lifecycle, it’s often still accessible to ex-employees, contractors no longer working for the company, former partners and others who have no legitimate reason to access the data. So the apps become a point of vulnerability, both externally and internally.

The SaaS applications security issue is not unique, of course. It’s part of the larger data protection discussion that has been the source of ongoing tension between those responsible for security and those focused on business enablement. While those on the business side want to go about their jobs without being stalled by security precautions, the security team knows that vulnerabilities can undermine the entire corporation with just one major breach. So how does the security team combat this?

Restricting Access Through Least Privilege Model

One of the basic tenets of corporate security has been the least privilege standard – that is, an employee, contractor, vendor or third-party partner should be given only the essential access privileges necessary to fulfill their assigned duties. Embracing the principle of least privilege reduces the risk of attackers gaining access to critical systems or sensitive data by compromising a low-level user account, device, or application that has unwarranted permissions assigned to it. By limiting access through least privilege, attackers who successfully breach corporate security will be able to make fewer lateral moves within the corporate IT environment, reducing the likelihood that they will have free rein within the corporate perimeter.

Least privilege is a logical and valuable approach, but as workflows have become ever more distributed and the number of parties needing access to essential systems has exploded, it has become an administrative nightmare to handle manually. Requesting permission from the security team for access results in a bottleneck for the business side, and the security team doesn’t have an easy way of determining what access should be granted, which sources are relevant, how long the access should be allowed, and so on. And once access is no longer needed, shutting it off can be a cumbersome manual process that often goes neglected.

Without automation, there is no way to scale a least privilege model, which means that as the company’s SaaS portfolio and reliance on external resources grow, least privilege devolves from a policy to little more than an aspiration. This is the point at which IT and security teams should be saying, “There’s got to be a better way.” To which we respond, “There most certainly is!” 
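The questions raised above (who has access to what, why, for how long, and when it should be switched off) can be answered mechanically once every grant records an expiry and a justification. The following Python script is an added example written for this article; it is not DoControl's code and does not use any DoControl API. It models a SaaS sharing inventory with constructed sample data (the Acme / Top Tech scenario from the article) and runs a periodic least-privilege review that flags expired grants, grants held by identities no longer on the HR or vendor roster, open-ended external grants, and external grants that have aged past a review window. The review rules and the 90-day window are assumptions chosen for illustration.

```python
"""Time-bound access review for SaaS sharing (added example, not DoControl code)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass(frozen=True)
class AccessGrant:
    resource: str                  # SaaS asset: shared folder, integration, app token
    grantee: str                   # account identifier (constructed values below)
    grantee_type: str              # "employee", "contractor", "vendor", "third_party_app"
    role: str                      # "viewer", "editor", "admin"
    reason: str                    # business justification captured when access was granted
    granted_at: datetime
    expires_at: Optional[datetime]  # None means the grant was created with no end date


def review_grants(grants, active_identities, now, max_external_days=90):
    """Return (grant, finding) pairs for grants that should be revoked or re-approved.

    active_identities: identities the HR / vendor-management roster still considers active.
    Rules (assumptions for this example, not a vendor's policy):
      expired             - expires_at is in the past
      stale_identity      - grantee is no longer on the active roster (ex-employee, ended contract)
      open_ended_external - non-employee grant with no expiry at all
      external_overdue    - non-employee grant older than max_external_days, due for re-approval
    Each grant gets at most one finding, the most severe that applies.
    """
    findings = []
    for g in grants:
        is_external = g.grantee_type != "employee"
        if g.expires_at is not None and g.expires_at <= now:
            findings.append((g, "expired"))
        elif g.grantee not in active_identities:
            findings.append((g, "stale_identity"))
        elif is_external and g.expires_at is None:
            findings.append((g, "open_ended_external"))
        elif is_external and now - g.granted_at > timedelta(days=max_external_days):
            findings.append((g, "external_overdue"))
    return findings


def revocation_plan(findings):
    """Group findings per resource into the actions an automated workflow would take."""
    plan = {}
    for g, finding in findings:
        plan.setdefault(g.resource, []).append(f"remove {g.role} for {g.grantee} ({finding})")
    return plan


# Constructed sample inventory; names and dates are illustrative only.
NOW = datetime(2023, 1, 15, tzinfo=timezone.utc)
SAMPLE_GRANTS = [
    AccessGrant("infra-stack", "integrator@toptech.example", "vendor", "admin",
                "custom integration project", datetime(2022, 6, 1, tzinfo=timezone.utc),
                datetime(2022, 9, 1, tzinfo=timezone.utc)),            # project ended: expired
    AccessGrant("designs-folder", "former.employee@acme.example", "employee", "editor",
                "design work", datetime(2021, 3, 1, tzinfo=timezone.utc), None),  # left company
    AccessGrant("crm-export", "analyst@partner.example", "contractor", "viewer",
                "quarterly analysis", datetime(2022, 12, 20, tzinfo=timezone.utc), None),
    AccessGrant("ci-pipeline", "build-bot", "third_party_app", "editor",
                "CI integration", datetime(2022, 8, 1, tzinfo=timezone.utc),
                datetime(2023, 6, 1, tzinfo=timezone.utc)),            # valid but past review window
    AccessGrant("wiki", "dev@acme.example", "employee", "editor",
                "day-to-day work", datetime(2020, 1, 1, tzinfo=timezone.utc), None),
]
# Identities the (constructed) HR and vendor rosters still consider active.
ACTIVE_IDENTITIES = {"dev@acme.example", "analyst@partner.example", "build-bot"}


def sample_review():
    """Run the review over the constructed inventory; returns {grantee: finding}."""
    return {g.grantee: f for g, f in review_grants(SAMPLE_GRANTS, ACTIVE_IDENTITIES, NOW)}


if __name__ == "__main__":
    for resource, actions in revocation_plan(
            review_grants(SAMPLE_GRANTS, ACTIVE_IDENTITIES, NOW)).items():
        print(resource)
        for action in actions:
            print("  -", action)
```

The review is deliberately driven by two inputs that exist independently of any single SaaS application: the grant inventory and the roster of active identities. Comparing the two is what catches the Acme / Top Tech case, where access outlives the project, and the ex-employee case, where the account outlives the employment; the justification and expiry fields make each grant reviewable without asking the security team to reconstruct its history.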

The Elegant, Simple Way of Executing Least Privilege Standards

DoControl offers automated, self-service tools to quickly establish and terminate least privilege parameters at scale. The three components of the DoControl platform empower IT and security teams to boost security throughout the organization without limiting business enablement:

  • SaaS asset management: All SaaS users, external collaborators, third-party apps, as well as all assets are mapped and consolidated in a unified, continually updated inventory.
  • Automated security workflows: Organizations can readily build powerful, automated workflows that enforce security policies across SaaS applications (which typically don’t offer such features).
  • Self-service remediation path for end-users: Instead of contacting end-users themselves, DoBot (DoControl’s Slack/Teams bot) alerts employees to issues, such as external sharing with private accounts and mass sharing.

Now companies can avoid the manual processes they’ve struggled with in the past to manage data access and use one platform to identify and remediate vulnerabilities arising from growing reliance on SaaS applications. 

DoControl reduces the workload and SaaS security complexity for the security and IT teams, but it also encourages everyone in the organization to protect vulnerable data. All employees become part of the security equation, driving business enablement and encouraging a collaborative and frictionless security culture.

Adam Gavish is the Co-Founder and Chief Executive Officer of DoControl. Adam brings 15 years of experience in product management, software engineering, and network security. Prior to founding DoControl, Adam was a Product Manager at Google Cloud, where he led ideation, execution, and strategy of Security & Privacy products serving Fortune 500 customers. Before Google, Adam was a Senior Technical Product Manager at Amazon, where he launched customer-obsessed products improving the payment experience for 300M customers globally. Before Amazon, Adam was a Software Engineer in two successfully acquired startups, eXelate for $200M and Skyfence for $60M.

Adam is a lifetime information geek, breaking down business and technical problems into components to generate long-term learning. He loves running outdoors, playing with LEGOs with his son, and watching a good movie with his wife.

Adam holds a B.S. in Computer Science from the Academic College of Tel-Aviv Yafo and an MBA from the Johnson Graduate School of Management at Cornell University.
