Shadow Applications: A Significant Risk Hidden in Plain Sight
SaaS Security

Shadow Applications: A Significant Risk Hidden in Plain Sight

It is well understood that Software as a Service (SaaS) applications are a necessary tool for the modern business. One of the most common use cases for these nimble apps is to help drive business enablement. However, it is imperative that security be one step ahead in the proliferation of application adoption and utilization by users.

The threat is certainly not limited to the traditional “flesh-and-blood” users. The risk imposed by non-human (or machine) identities is real, and is progressively worsening overtime. When you consider application-to-application connectivity, the threat vector becomes inflated through the introduction of machine identities that are commonly over privileged, unsanctioned, and not within the Security team’s visibility.  

Without the right controls in place, machine identities can easily become compromised; providing unauthorized access to sensitive data within the application that it is connected to. These “non-human” identities can gain permissions to read, write, and delete sensitive data – which can negatively impact an organization's security, business, and compliance risk

This issue is wide ranging and certainly became elevated after the pandemic, when an influx of applications were brought into the fold to support remote and hybrid working environments. Security teams take the position of being an enabler, and the aim is to never get in the way of the business. However, business users can easily open up the doors for unknown threats to enter for the sake of business enablement; and when Security teams lack the visibility to assess the risks that become imposed, they cannot respond effectively. There needs to be a perfect balance of security and business enablement.

Supply-chain based attacks involving machine identities and their associated credentials are more common now than ever before. This past April, GitHub publicly announced they’d uncovered evidence of an attacker abusing stolen OAuth user tokenswhich were issued to two third-party OAuth integrators – to download data from dozens of their customers. The applications maintained by these two platform service providers were used by GitHub users, which added to the growing list of recent attacks that utilized unauthorized access to business-critical targets.

Organizations today need to prevent the compromise of interconnected apps in order to protect business-critical applications and data with the SaaS estate. That is why we are excited to announce the latest module within the DoControl SaaS Security Platform to provide end-to-end governance across shadow applications. DoControl now provides organizations with the ability to establish full visibility into all sanctioned and unsanctioned SaaS applications, and enforce strong governance controls that automatically close compliance gaps and remediate the risk supply chain-based attacks.

How it works in five simple steps:

Step 1: The DoControl Platform will discover all interconnected SaaS applications within the estate, and expose a full mapping and inventory of 1st, 2nd and 3rd party applications. Organizations have hundreds to thousands of applications in use that need to be managed and monitored. DoControl will scan the applications that are a part of these SaaS ecosystem platforms. Next, the solution will actively monitor OAuth application tokens across the organization to identify and expose potentially malicious apps. 

Step 2: Extracting the business-context is crucial in attempting to identify indicators of compromise or high-risk activity. DoControl will uncover the usage, risk, company data, users departments, and more – allowing Security teams to triage security events, and get closer to the events that present material risk to the business. For example, permissions and scopes, application activity metrics, and more.

Step 3: DoControl will fuse dozens of risk factors into a cohesive exposure score to accelerate handling and decision making as to whether or not applications should be approved or denied. Risk scoring will help Security teams prioritize and deprioritize their work based on risk. Application classification can then be performed for sanctioned vs. unsanctioned apps, to help manage which applications should be allowed (or not!) based on organizational policy. 

Step 4: Next, application reviews with business users can be performed through ongoing interaction and engagement (i.e. via a Slack notification). End users can approve certain applications through a business justification, or have applications that might pose certain levels of risk to be either manually or automatically remediated (i.e. unsanctioned, over privileged, vulnerable). Notifications can be fully automated and triggered by configuring this aspect into a Security Workflow – which is a great segway into Step 5.

Step 5: Last but not least, DoControl will provide automated remediation which is powered by our Security Workflows. Our customers can now automate security policy enforcement across the SaaS application stack to prevent unsanctioned application usage, and remediate the risk those applications have the potential to expose (i.e. invalid tokens, extensive or unused permissions, listed vs. not listed apps etc.). 

One Platform. Complete Protection.

DoControl provides a unified, automated and risk-aware SaaS Security Platform that secures business-critical applications and data, drives operational efficiencies, and enables business productivity. DoControl’s core competency is focused on protecting business-critical SaaS applications and data through automated remediation. This is achieved through preventive data access controls, SaaS service misconfiguration detection, service mesh discovery, and shadow application governance. DoControl provides SaaS security that works for the modern business, so they can drive their business forward in a secure way.

Attend our upcoming webinar to learn more about DoControl’s Shadow Application Governance.

Did you know that, on average, companies that allow external sharing of SaaS data assets have data that has been exposed to 42 4th-party domains?
Did you know that, on average, companies that allow external sharing of SaaS data assets have data that has been exposed to 42 4th-party domains?

This stat comes from the industry report we published earlier this year: The Immense Risk of Unmanaged SaaS Data Access. It’s a great read. We recommend you check it out.

Get updates to your inbox
Our latest tips, insights, and news
Follow DoControl on social media
DoControl - SaaS data access control - Linkedin logoDoControl - SaaS data access control - Twitter logo
Related Posts