May 14, 2024

The 3 Big Issues that SaaS Identity Risk Management Must Address

SaaS Identity Risk Management

Identity crisis = turmoil caused by issues with your sense of self

SaaS identity crisis = turmoil caused by issues with your SaaS user accounts and credentials

SaaS identity risk management is the process for preventing a SaaS identity crisis. (It won’t do anything for your personal identity crisis, though; for that we recommend a good friend or therapist.)

In order to be effective, SaaS identity risk management must address three major SaaS identity-oriented issues:

  • Identity sprawl (including what happens when your Identity and Access Management solution is itself a problem!) 
  • Risky retained access
  • Susceptibility to weak credentials (it’s an oldie but baddie)

Let’s dive into each issue, highlight the risks it poses to your SaaS ecosystem, and define how SaaS identity risk management should mitigate the danger.

Identity sprawl

Identity sprawl, similar to urban sprawl, is ugly.

It looks something like this:

SaaS app          User         Password
Microsoft 365     john_doe1    Password123!
Slack             john.doe01   Passw0rd123!
Zoom              j.doe1       Password!123
Google Workspace  johndoe_1    P@ssword123
Salesforce        jdoe1        Pass123!word
Box               john_d1      Passw0rd!123

Ugh. 

But it’s not just aesthetically challenging; it’s also a security risk. 

SaaS identity security problems created by identity sprawl include:

  • Greater surface area for potential security breaches (plus, once you have multiple logins you need to remember, you may end up using the same, similar, or weaker passwords, further increasing the risk of a breach)
  • Difficulty monitoring and tracking user activities across SaaS platforms, which can complicate regulatory compliance and reduce the chances that you detect suspicious activity in time to mitigate it
  • Challenges enforcing consistent security policies regarding, for example, session timeout, MFA and password complexity settings
  • Complexity of managing user permissions, because each application requires its own interface for setting per-user access permissions
  • Higher likelihood that departing users will not be offboarded properly, and lingering access will remain (see Risky retained access section below for more details)

A common solution for identity sprawl is the implementation of Identity and Access Management (IAM) solutions and Single Sign-On (SSO) systems. These SaaS identity management systems centralize the management of user access and/or user authentication across multiple SaaS applications, reducing the SaaS security problems described above.

When the IAM solution IS the problem

But IAM and SSO solutions aren’t a magic cure-all for SaaS identity risk management. As Forrester VP and research director Merritt Maxim said in an interview with InformationWeek,

“Any identity and access management-related system is a very tempting target for hackers, because those systems contain credentials and other types of information hackers can use.”

This interview followed on the heels of a major breach of IAM provider Okta’s customer support system. All 18,400 Okta customers had data exposed, and that data was subsequently used for identity-based attacks on a number of those customers.

Content delivery network provider Cloudflare was one such customer, with threat actors accessing Cloudflare systems and exfiltrating data multiple times in November of last year using credentials and tokens they had gotten from the Okta breach.

How can you gain the benefits of IAM and SSO systems while avoiding the pitfalls? This balance calls for another set of SaaS identity risk management tools: Identity Threat Detection & Response (ITDR).

ITDR encompasses threat intelligence, behavioral analysis and anomaly detection to check for suspicious actions and potential compromise of any given identity. If a SaaS identity has been compromised through stolen credentials or any other means, a strong ITDR solution can still detect a threat based on how the user identity is acting within your SaaS environment. Identity Threat Detection & Response is therefore a critical part of SaaS identity risk management, encompassing not only external bad actors but insider risks as well. 
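To make the behavioral-analysis and anomaly-detection part of ITDR concrete, here is an added example (it is not code from the original article or from any ITDR product) that runs a small detection pass over constructed SaaS sign-in events. It learns which countries and client types each identity normally uses, then flags later sign-ins that fall outside that baseline or that imply impossible travel. The event fields, the learning cut-off date and the one-hour travel window are assumptions made for this example.

```python
"""Added example (not from the original article): a toy identity-threat
detection pass over constructed SaaS sign-in events.

It builds a per-identity baseline of countries and client types seen during
a learning window, then flags later events that deviate from that baseline or
that imply impossible travel (two countries within one hour). Event format,
field names, the cut-off date and the one-hour window are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: (timestamp, identity, app, country, client).
EVENTS = [
    ("2024-05-01T09:02:00", "jdoe", "Salesforce", "US", "browser"),
    ("2024-05-01T09:10:00", "jdoe", "Slack", "US", "desktop-app"),
    ("2024-05-02T08:55:00", "jdoe", "Salesforce", "US", "browser"),
    ("2024-05-03T09:01:00", "jdoe", "Box", "US", "browser"),
    ("2024-05-07T03:14:00", "jdoe", "Salesforce", "RO", "api-client"),
    ("2024-05-07T03:40:00", "jdoe", "Box", "US", "browser"),
    ("2024-05-01T10:00:00", "svc-backup", "Box", "US", "api-client"),
    ("2024-05-07T11:00:00", "svc-backup", "Box", "US", "api-client"),
]

LEARN_UNTIL = datetime.fromisoformat("2024-05-05T00:00:00")  # assumed cut-off
TRAVEL_WINDOW = timedelta(hours=1)                           # assumed window


def parse(ts):
    return datetime.fromisoformat(ts)


def build_baseline(events, learn_until=LEARN_UNTIL):
    """Record which countries and clients each identity used before learn_until."""
    baseline = defaultdict(lambda: {"countries": set(), "clients": set()})
    for ts, ident, _app, country, client in events:
        if parse(ts) < learn_until:
            baseline[ident]["countries"].add(country)
            baseline[ident]["clients"].add(client)
    return baseline


def detect_anomalies(events, learn_until=LEARN_UNTIL):
    """Return (identity, timestamp, reason) findings for post-baseline events."""
    baseline = build_baseline(events, learn_until)
    findings = []
    last_seen = {}  # identity -> (timestamp, country) of the previous event
    # ISO-8601 timestamps sort chronologically as strings.
    for ts, ident, app, country, client in sorted(events, key=lambda e: e[0]):
        t = parse(ts)
        prev = last_seen.get(ident)
        last_seen[ident] = (t, country)
        if t < learn_until:
            continue  # learning period: nothing to flag yet
        known = baseline.get(ident)
        if known is None:
            findings.append((ident, ts, f"identity never seen during baseline ({app})"))
            continue
        if country not in known["countries"]:
            findings.append((ident, ts, f"sign-in from new country {country} ({app})"))
        if client not in known["clients"]:
            findings.append((ident, ts, f"new client type {client} ({app})"))
        # Two different countries within the travel window is physically implausible
        # for a human user and a classic sign of a stolen session or credential.
        if prev and prev[1] != country and t - prev[0] <= TRAVEL_WINDOW:
            findings.append((ident, ts, f"impossible travel {prev[1]}->{country} within {TRAVEL_WINDOW}"))
    return findings


if __name__ == "__main__":
    for finding in detect_anomalies(EVENTS):
        print(*finding, sep=" | ")
```

On the constructed data, the account jdoe is flagged three times: a sign-in from a new country with a client type it has never used, followed 26 minutes later by a sign-in from its usual country (impossible travel). The service account is silent because it keeps behaving as it did during the baseline. A real ITDR product would use far richer signals, but the principle is the one the paragraph describes: even with valid credentials, the identity's behaviour gives the compromise away.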

Risky retained access

Keeping anything longer than its expiration date can cause problems. The expiration date for an identity’s access to your SaaS systems or assets is whenever they no longer need that access for their job function.

If an employee departs your company, the access of all their user identities should be immediately revoked. This is especially the case if they’ve shared SaaS assets with personal accounts and identities. You really, really don’t want an ex-employee using their Gmail account (to which they gave access when they were still an employee and never revoked) to look at corporate assets. 

The same goes for any third parties that you brought in to work on a specific project. It’s not uncommon for your third-party contractors to share an asset with their sub-contractors, who share it with their sub-contractors… and no one remembers to revoke access, even when the project is complete.

Ignore stale or “unused” accounts at your own peril! In the Cloudflare attack mentioned above, the threat actor was able to get access using one access token and three service account credentials that had been compromised in the Okta breach, but not rotated as recommended after the breach. 

Why weren’t these four identity credentials dealt with when Cloudflare took care of rotating its other thousands of credentials? Because, as Cloudflare explained, “it was mistakenly believed they were unused.”

Big mistake. 

With these “unused” credentials, threat actors gained access to: 

  • The company’s Atlassian server, which the threat actor searched to access Jira tickets about vulnerability management, secrets rotation, multifactor authentication bypass, network access and Cloudflare’s response to the Okta incident.
  • Cloudflare’s source code management system in Atlassian Bitbucket, including 120 code repositories, of which 76 were exfiltrated.
  • The company’s internal wiki on Atlassian Confluence.
  • An AWS environment used to power the Cloudflare Apps marketplace

Oops.

SaaS identity risk management necessitates discovery of every identity that has any level of access to your SaaS environment. And as soon as that identity no longer needs its level of access, it should be changed or removed.
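The review this section calls for can be expressed as a small, repeatable check. The following is an added example (not code from the original article, and not tied to any vendor's product) that walks a constructed inventory of SaaS identities and sharing records and produces a list of revoke, rotate and review actions. It covers the cases discussed above: departed employees, contractor access that outlived its project, assets shared to personal-domain addresses, and, the Cloudflare lesson, credentials exposed in an incident that were left alone because someone believed they were unused. The field names, the 90-day inactivity threshold and the company domain are assumptions made for this example.

```python
"""Added example (not from the original article): a retained-access review
over a constructed inventory of SaaS identities and shared links.

Field names, the 90-day inactivity threshold, the fixed review date and the
company domain are assumptions made for this example.
"""
from datetime import date, timedelta

COMPANY_DOMAIN = "example.com"          # assumed corporate mail domain
INACTIVE_AFTER = timedelta(days=90)     # assumed threshold for "stale"
TODAY = date(2024, 5, 14)               # fixed so the example is deterministic

# Constructed identity inventory. owner_status: active | departed | contractor.
IDENTITIES = [
    {"id": "jdoe@example.com", "app": "Salesforce", "owner_status": "active",
     "last_activity": date(2024, 5, 13), "project_end": None,
     "exposed_in_incident": False, "rotated_after_incident": False, "believed_unused": False},
    {"id": "asmith@example.com", "app": "Box", "owner_status": "departed",
     "last_activity": date(2024, 2, 1), "project_end": None,
     "exposed_in_incident": False, "rotated_after_incident": False, "believed_unused": False},
    {"id": "vendor-ci@partner.test", "app": "GitHub", "owner_status": "contractor",
     "last_activity": date(2024, 4, 30), "project_end": date(2024, 3, 31),
     "exposed_in_incident": False, "rotated_after_incident": False, "believed_unused": False},
    {"id": "svc-wiki-sync", "app": "Confluence", "owner_status": "active",
     "last_activity": date(2023, 10, 2), "project_end": None,
     "exposed_in_incident": True, "rotated_after_incident": False, "believed_unused": True},
    {"id": "svc-deploy", "app": "AWS", "owner_status": "active",
     "last_activity": date(2024, 5, 12), "project_end": None,
     "exposed_in_incident": True, "rotated_after_incident": True, "believed_unused": False},
]

# Constructed sharing records: which address an asset is shared with, from which app.
SHARES = [
    {"asset": "Q2-roadmap.docx", "app": "Google Workspace", "shared_with": "jdoe@example.com"},
    {"asset": "Q2-roadmap.docx", "app": "Google Workspace", "shared_with": "john.doe.personal@gmail.com"},
    {"asset": "vendor-sow.pdf", "app": "Box", "shared_with": "sub@subcontractor.test"},
]


def review_identities(identities, today=TODAY):
    """Return (identity, app, action, reason) tuples for access to revoke, rotate or review."""
    actions = []
    for i in identities:
        # Anything exposed in an incident is rotated unconditionally: a
        # "believed unused" label is a guess, not evidence, and the only safe
        # exposed credential is a rotated one.
        if i["exposed_in_incident"] and not i["rotated_after_incident"]:
            why = "exposed in incident and not rotated"
            if i["believed_unused"]:
                why += " (marked unused; rotate anyway)"
            actions.append((i["id"], i["app"], "rotate", why))
        if i["owner_status"] == "departed":
            actions.append((i["id"], i["app"], "revoke", "owner departed"))
        elif i["owner_status"] == "contractor" and i["project_end"] and today > i["project_end"]:
            actions.append((i["id"], i["app"], "revoke", "contractor project ended"))
        elif today - i["last_activity"] > INACTIVE_AFTER:
            actions.append((i["id"], i["app"], "review", "no activity for over 90 days"))
    return actions


def review_shares(shares, company_domain=COMPANY_DOMAIN):
    """Flag assets shared with addresses outside the corporate mail domain."""
    flagged = []
    for s in shares:
        domain = s["shared_with"].rsplit("@", 1)[-1].lower()
        if domain != company_domain:
            flagged.append((s["asset"], s["app"], s["shared_with"], "shared outside company domain"))
    return flagged


if __name__ == "__main__":
    for row in review_identities(IDENTITIES) + review_shares(SHARES):
        print(*row, sep=" | ")
```

Two design choices matter here. First, the rotation rule deliberately ignores the "believed unused" flag: an inactivity guess is exactly what went wrong in the Cloudflare case, so exposure alone decides. Second, the inventory has to be fed from every SaaS app, including the sharing records, or the review inherits the same blind spots that identity sprawl creates.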

Susceptibility to weak credentials

Remediating weak credentials is the low-hanging fruit of SaaS identity risk management. 

Using strong credentials should be obvious; everyone knows you’re supposed to. But it always bears mentioning. 

Why? Because so many people use weak credentials anyway. In a survey conducted by LastPass, 62% of respondents always or mostly use the same password or a variation.

Whether this weakness for weak credentials is due to laziness, bad memory, or refusal to believe that “it could happen here”: it doesn’t really matter. What matters is that you don’t want your organization’s user identities using weak credentials. So don’t let them.

Almost every SaaS system worth its salt (at least the ones that tend to be mission-critical) lets you require MFA for user sign-in. Do so. Often they also let you set password complexity requirements. Do so.
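The "same password or a variation" habit from the LastPass survey is exactly what the identity-sprawl table earlier on this page shows: six accounts, one password in six costumes. A complexity rule alone does not catch that, since every entry in the table passes a typical length-plus-character-class check. The following added example (not code from the original article, nor from any password manager or SSO product) shows a password-change check that also rejects a new password that is merely a cosmetic variation of the one it replaces, and that looks for a common word underneath the leet-speak. The substitution map, denylist and 12-character minimum are assumptions made for this example; the sample passwords are the ones from the table above.

```python
"""Added example (not from the original article): a password-change check
that rejects cosmetic variations of the previous password and passwords
built on a common word. Leet map, denylist and minimum length are assumed.
"""
import re
from collections import Counter

# Substitutions that look like extra entropy but are not.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s"})
MIN_LENGTH = 12                                                   # assumed policy
DENYLIST = {"password", "welcome", "letmein", "qwerty", "admin"}  # constructed

# The passwords from the identity-sprawl table on this page.
SPRAWL_PASSWORDS = ["Password123!", "Passw0rd123!", "Password!123",
                    "P@ssword123", "Pass123!word", "Passw0rd!123"]


def normalize(pw):
    """Lowercase, undo leet substitutions, drop punctuation."""
    return re.sub(r"[^a-z0-9]", "", pw.lower().translate(LEET))


def letter_cores(pw):
    """Letter-only skeletons, with and without leet mapping, for dictionary checks."""
    low = pw.lower()
    return {re.sub(r"[^a-z]", "", low), re.sub(r"[^a-z]", "", low.translate(LEET))}


def levenshtein(a, b):
    """Classic edit distance (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_variation(new, old, max_distance=2):
    """Return a reason string if `new` is a variation of `old`, else None."""
    n, o = normalize(new), normalize(old)
    if n == o:
        return "identical after normalization"
    if Counter(n) == Counter(o):
        return "same characters rearranged"
    if levenshtein(n, o) <= max_distance:
        return f"within {max_distance} edits of the previous password"
    if n in o or o in n:
        return "one is a substring of the other"
    return None


def check_new_password(new, old=None):
    """Return the list of policy problems with `new` (empty list means accepted)."""
    problems = []
    if len(new) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    for core in letter_cores(new):
        hit = next((w for w in DENYLIST if w in core), None)
        if hit:
            problems.append(f"built on common word '{hit}'")
            break
    if old:
        why = is_variation(new, old)
        if why:
            problems.append(f"variation of previous password: {why}")
    return problems


def find_variations(passwords):
    """All pairs in a list that are variations of one another (for an audit of known sets)."""
    pairs = []
    for i, a in enumerate(passwords):
        for b in passwords[i + 1:]:
            why = is_variation(a, b)
            if why:
                pairs.append((a, b, why))
    return pairs


if __name__ == "__main__":
    print(check_new_password("Passw0rd123!", old="Password123!"))
    print(check_new_password("correct-horse-battery-staple-2024", old="Password123!"))
    print(len(find_variations(SPRAWL_PASSWORDS)), "variation pairs in the sprawl table")
```

Every one of the fifteen pairs in the table is caught, and every table entry is also caught on its own because "password" survives the leet mapping. The check belongs at password-change time, when the old password is still in hand; it is no substitute for MFA, which is the control that makes a reused or guessed password insufficient on its own.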

If you want to use Single Sign-On (SSO) to reduce the potential of weak credentials, go for it. Just remember - as explained in the Identity sprawl section above - to mitigate the potential risks that SSO introduces by also having a strong Identity Threat Detection & Response solution.

Avoid a SaaS identity crisis

Make sure your SaaS identity risk management covers all three of the above areas of risk, and you’ll be able to breathe easier during the day and sleep easier at night. A strong corporate identity should be a point of pride - and so should strong corporate SaaS identity risk management.
