How to Control (Maneuver) the Post-IdP Wasteland

What is the Post-IdP Wasteland, and why does it matter? Most enterprises focus on securing data access at their IdP, but have a significant gap once an employee has authenticated and is past the IdP, inside the SaaS application itself. 

In a world where digital transformation is the new normal and employees are more mobile than ever, organizations are inundated with managing often highly sensitive Software as a Service (SaaS) application data. To meet these demands, businesses have turned to Identity Provider (IdP) solutions to help them manage user permissions and data access. 

Once an employee has authenticated with their IdP, they can get into the applications they need to perform their job function. In this piece we explore what enterprises stand to lose by relying on the IdP alone to secure SaaS application data. The IdP becomes a single point of failure in the case of insider threats and account takeover attacks: an insider, or an attacker holding a valid session, inherits every permission the user has inside the application, and nothing past the login checks what is done with the data. In fact, a significant number of large enterprises have suffered major data leaks in the past couple of years. 

What is the Post-IdP Wasteland and Why Does it Matter? 

Most modern enterprises secure SaaS data at two control points. The first is the IdP. In its most basic form, the IdP is the system that authenticates users and controls which applications they can access within an organization. IdPs are designed to integrate with corporate applications such as Zoom, Google Drive, OneDrive, and Slack. As good as IdP solutions are at brokering access to applications, they are not focused on monitoring (or controlling) what happens to the data inside those applications. 

The second is the SaaS application's own file permissions. These sharing permissions are often set to "anyone with the link", which can include past employees, former partners, or even competitors. Enforcing file permissions manually is an insurmountable task: on average, companies have around 10,000 files per 50 employees. Securing SaaS data, which can contain IP and employee PII, must be done with precision and care. 

Common methods to secure SaaS data include company rules and sharing policies, Data Loss Prevention (DLP) and Cloud Access Security Broker (CASB) solutions. All of these post-IdP controls act retroactively, detecting and remediating exposure in SaaS files after the fact. As a result, modern enterprises are at high risk of a data leak, because once a file has been exposed it is difficult to remediate. 

How to Control the Post-IdP Wasteland

Protecting against these blind-spot attacks requires a shift of focus. Existing solutions ask the following questions at the two control points referenced above. At the IdP: "Are you who you say you are?" and "Do you have the right credentials?" At the document-permission layer: "Would you like to share this with someone internally, with anyone who has the link, or with a specific person?" The question that needs asking is "Should you have access to this data?" By applying this framework to defending SaaS data, organizations can more effectively secure sensitive data and files within business-critical SaaS applications.

The key to solving this challenge is to better analyze document permissions with automated, self-service tools for SaaS application data access monitoring, orchestration, and remediation. In addition, IT security teams should adopt a more comprehensive view of all SaaS users, third-party collaborators, assets and metadata, OAuth apps, groups, events and activities. 

This in turn helps enterprises understand how much data is exposed, remediate it quickly, and keep it remediated over time through granular, no-code workflows. In doing so, it reduces risk, prevents data breaches, and mitigates insider risk without slowing down business enablement.

This approach can also identify a spike in file exports or in third-party sharing, recognize behavior that is high-risk or anomalous, and enforce policies that protect sensitive internal data, the lifeblood of most modern businesses.
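To make the "should you have access to this data?" question concrete, the following is an added example written for this article, not DoControl's code or any vendor's product logic. It evaluates each sharing permission on a file against a simple policy (anyone-with-the-link, external domains, offboarded collaborators, privileged roles on sensitive files) and flags actors whose export volume spikes above their baseline. The permission records are constructed and merely mimic the field names of Google Drive API permission resources (type, role, emailAddress, domain); the internal-domain set, the offboarded-user set, the per-user baselines and the sample events are all assumptions a real deployment would populate from its own directory, IdP deprovisioning log and audit feed.

```python
"""
Permission audit for SaaS file shares: checks "should you have access?"
after the IdP has already answered "did you authenticate?".

Added example, not DoControl code. All data below is constructed; the
permission fields imitate Google Drive API permission resources, and the
INTERNAL_DOMAINS / OFFBOARDED_USERS sets are assumed inputs.
"""
from collections import Counter
from dataclasses import dataclass

INTERNAL_DOMAINS = {"example.com"}                # assumption: company-owned domains
OFFBOARDED_USERS = {"alice.former@example.com"}   # assumption: from IdP deprovisioning events
PRIVILEGED_ROLES = {"writer", "fileOrganizer", "organizer"}


@dataclass(frozen=True)
class Finding:
    file_id: str
    severity: str   # "high" | "medium" | "low"
    reason: str
    action: str     # remediation a workflow engine would carry out


def domain_of(email: str) -> str:
    return email.rsplit("@", 1)[-1].lower()


def audit_file(rec, internal_domains=INTERNAL_DOMAINS, offboarded=OFFBOARDED_USERS):
    """Evaluate every non-owner permission on one file against policy."""
    findings = []
    sensitive = rec.get("sensitive", False)
    for perm in rec["permissions"]:
        ptype, role = perm["type"], perm["role"]
        if role == "owner":
            continue
        remove = f"delete permission {perm['id']} on {rec['id']}"
        if ptype == "anyone":
            # "Anyone with the link": ex-employees and outsiders keep access
            # for as long as they hold the URL, regardless of the IdP.
            findings.append(Finding(rec["id"], "high" if sensitive else "medium",
                                    f"anyone with the link ({role})", remove))
        elif ptype == "domain":
            if perm["domain"].lower() not in internal_domains:
                findings.append(Finding(rec["id"], "high",
                                        f"shared with external domain {perm['domain']}", remove))
        elif ptype in ("user", "group"):
            email = perm["emailAddress"].lower()
            if email in offboarded:
                # The account was deprovisioned at the IdP, but the share outlived it.
                findings.append(Finding(rec["id"], "high",
                                        f"collaborator {email} has been offboarded", remove))
            elif domain_of(email) not in internal_domains:
                sev = "high" if sensitive or role in PRIVILEGED_ROLES else "low"
                findings.append(Finding(rec["id"], sev,
                                        f"external collaborator {email} ({role})",
                                        remove if sev == "high" else f"review permission {perm['id']}"))
    return findings


def audit_all(files):
    return [f for rec in files for f in audit_file(rec)]


def export_spikes(events, baseline, factor=3, min_count=10):
    """Flag actors whose download/export count exceeds factor x their daily baseline."""
    counts = Counter(e["actor"] for e in events if e["action"] in ("download", "export"))
    return {a: n for a, n in counts.items()
            if n >= min_count and n > factor * baseline.get(a, 1)}


# --- constructed sample data (not real files or users) ------------------------
SAMPLE_FILES = [
    {"id": "f1", "name": "Q3 board deck", "sensitive": True, "permissions": [
        {"id": "p1", "type": "user", "role": "owner", "emailAddress": "bob@example.com"},
        {"id": "p2", "type": "anyone", "role": "reader"},
        {"id": "p3", "type": "user", "role": "writer", "emailAddress": "alice.former@example.com"},
    ]},
    {"id": "f2", "name": "Vendor SOW", "sensitive": False, "permissions": [
        {"id": "p4", "type": "user", "role": "owner", "emailAddress": "carol@example.com"},
        {"id": "p5", "type": "user", "role": "reader", "emailAddress": "pm@vendor.example.net"},
    ]},
    {"id": "f3", "name": "Team lunch menu", "sensitive": False, "permissions": [
        {"id": "p6", "type": "user", "role": "owner", "emailAddress": "dave@example.com"},
        {"id": "p7", "type": "domain", "role": "reader", "domain": "example.com"},
    ]},
]
SAMPLE_EVENTS = ([{"actor": "bob@example.com", "action": "download"}] * 12
                 + [{"actor": "bob@example.com", "action": "view"}] * 5
                 + [{"actor": "carol@example.com", "action": "download"}] * 2)
SAMPLE_BASELINE = {"bob@example.com": 2, "carol@example.com": 2}   # assumed daily downloads


def run_audit(files=SAMPLE_FILES, events=SAMPLE_EVENTS, baseline=SAMPLE_BASELINE):
    return audit_all(files), export_spikes(events, baseline)


if __name__ == "__main__":
    findings, spikes = run_audit()
    for f in sorted(findings, key=lambda f: f.severity):
        print(f"[{f.severity:6}] {f.file_id}: {f.reason} -> {f.action}")
    for actor, n in spikes.items():
        print(f"[anomaly] {actor} downloaded {n} files (baseline {SAMPLE_BASELINE[actor]}/day)")
```

On the sample data the audit produces two high findings on the board deck (public link, offboarded collaborator who still holds write access) and one low finding on the vendor SOW, and the export check singles out the one actor whose downloads are six times their baseline; the lunch menu shared to the internal domain produces nothing. Wiring the `action` strings to an API client that actually deletes or downgrades permissions is what turns this from a report into the automated remediation the text describes.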

Change The Focus to Adapt for the Future

Answering the question "should you have access to this file?" is a business-critical challenge for organizations. In doing so, companies can provide a strong complement to their existing IdP solutions and internal document-sharing policies. From there, security teams can create granular data access control policies to reduce the risk of data overexposure and exfiltration. This approach enables enterprises to be more nimble while reducing their exposure. 

Here at DoControl, we take a unique, customer-focused approach to the challenge of labor-intensive security risk management and DLP in SaaS. DoControl has no agents, no inline redirections, and none of the slow response times commonly found in CASB solutions. In addition, DoControl integrates with Okta to automatically sync all of your Okta groups and enrich the overall experience. From there, DoControl customers can define different security workflows applied to different Okta groups and understand their level of risk. After all, defense-in-depth and a multi-layered approach to securing data are paramount. Incorporating DoControl's foundational data access controls alongside your IdP solution provides that additional layer and will help drive your business forward in a secure way.
