min read
6/5/2024

Will Your SSPM Security Prevent Configuration Drift?

SSPM security

Most organizations operating in the digital sphere today are keenly aware of the importance of SaaS security. However, the significance of your SaaS configurations, and how they can impact your company’s overall security level, often flies under the radar.

The high-level settings that determine how applications operate, your SaaS configurations can mean the difference between safeguarding your company’s critical systems and sensitive data, and a disastrous breach that leaves your organization reeling.

Some examples of SaaS configurations include:

  • User access controls
  • Data handling policies
  • Network settings
  • Security protocols

Preventing misconfigurations, both during the initial set-up of your SaaS application and throughout its lifecycle, is crucial for your organizational security. 

Governmental organizations are highly aware of the risk posed by misconfigurations. CISA and CMS both offer in-depth guides for businesses regarding misconfigurations and best practices to avoid them.

CMS, which specifically deals with MediCare, is particularly interested in ensuring that companies operating in the healthcare space don’t fall victim to bad actors, who could potentially exploit vulnerabilities caused by misconfigurations.

Proper configurations for your SaaS applications are an essential part of a robust SSPM security strategy that ensures your company’s data is safe.

Danger of SaaS misconfigurations

What’s the worst that can happen if you simply use default settings for your apps, and don’t set your SaaS configurations to an appropriate security level for your business?

Catastrophic data breaches and public embarrassment are just a few of the possible outcomes of leaving your SaaS configurations insecure.

Misconfigurations create an opening for bad actors, which is ripe for exploitation. They can directly lead to data breaches, as cyber criminals download and share a company’s internal data. 

If usernames and credentials are exposed by misconfigurations, this can create the perfect starting point for a devastating cyber attack.

That’s not to mention that companies that don’t perform due diligence regarding their SaaS configurations may be setting themselves up for serious legal consequences and punitive fines. 

This is especially true for companies operating in industries such as healthcare, which have especially strict data protection regulations. 

A data breach could lead to an investigation that determines a company was out of compliance, paving the way for huge fines and other legal penalties.

SSPM security failures: Real-world examples

The U.S. The Federal Reserve was recently forced to cancel an online conference after it was repeatedly interrupted by porn-bombing. The event’s organizers had left default settings on Zoom, which it was using to host the call. 

Because Zoom’s default settings allow anyone to join a meeting, the perpetrator was able to infiltrate an official government event and stream graphic images. 

One of the conference organizers said they believed that configurations which would mute participants and prevent them from sharing their screens were not in place at the time of the call.

In an earlier incident in 2021, 38 million sensitive records containing personally identifying information, including those from governmental entities, were discovered to have been exposed to the public.

The source of the data exposure turned out to be the default configurations within Microsoft Power Apps, a solution used by all of the agencies and businesses affected. 

The default settings in the app allow information within a database to be fetched by Open Data Protocol (OData) APIs, and Microsoft recommends that companies adjust their configurations accordingly to ensure that sensitive data isn’t accessed. It was clear, however, that many governmental bodies and private organizations never bothered to adjust the configurations to safe levels, creating easy access for cybercriminals to access critical information.

Configuration management isn’t a one-time SSPM security task

When you initially set-up a new SaaS application, it’s essential that you:

  • Compare default configurations to app provider-recommended settings or industry best practices.some text
    • This will likely vary by industry. For example, a government body will have different configuration requirements than a marketing agency in the private sector. 
  • Evaluate configuration risk levels.
  • Implement recommendations to remediate misconfigurations.

But the choices you make when first setting up your app aren’t the end of the story. Continuously monitoring for configuration drift, and correcting errors along the way, is equally important.

The fluid, dynamic nature of SaaS applications mean that new users and new information are constantly being added, with tweaks and adjustments being made on a regular basis.

Just as your SaaS apps aren’t static, the configurations within them are often subject to change. It’s crucial that you keep your finger on the pulse of your configurations, as they may end up being adjusted to less secure settings without your knowledge.

What causes configuration drift?

Configuration changes can be traced back to multiple sources, including:

SaaS administrators making manual changes

This could look like a trusted employee adjusting configurations in order to streamline workflows and help their teams access information. 

For example, an administrator looking to speed up the hiring process could grant broad access rights to all of their company’s managers within a human resources management SaaS app used by the organization.

However, that change in permissions could give managers access to view all the information within the app, such as payroll and other data that should be kept on a strictly need-to-know basis.

Although the widened access was meant to make managers’ lives easier, it also inadvertently gave them the ability to view, download, and even share sensitive data.

An SSPM security solution continuously scans for manual changes made by administrators to your SaaS settings, notifying you in the event that broad access has been granted to users without your advance knowledge.

Automated processes and scripts incorrectly modifying access settings

IT and Dev teams often write scripts that are necessary for specific use cases, but may end up creating over-permissions for unrelated tasks or users. 

An example of this could be the Dev team creating a script that allows users to access an internal knowledge base, but that automation could also give those users viewing permissions to all files within the system.

While the intention of the script was to permit users to access data they need within the knowledge base, the script did not provide access according to users’ roles. 

Instead, it granted blanket permissions for viewing, without distinguishing whether a user needs the level of access.

A strong SSPM security solution would prevent this by informing you about the creation of new scripts, automations or processes that make changes to your SaaS configurations.

Armed with that knowledge, you can make a decision regarding whether these new scripts or automations are worth the risk, or change them to prevent broad access.

SaaS provider updates and patches that alter configurations

SaaS providers are constantly tweaking their solutions, releasing new versions (including bug fixes) of their apps several times a year. 

It’s considered part of SaaS best practices to update accordingly, but beyond better user experience or interfaces, there may be backend changes to these apps that you may not know about.

For example, a SaaS sales solution could release an update that appears minor, but that new version of the app includes new configurations that allow all of a company’s users to view the entirety of data within the app.

That means that an employee with a totally different role, such as a product manager, could view sensitive information within a sales app, like customer payment information and private sales figures.

SSPM security solutions ensure that organizations are aware of SaaS patches and updates that create changes to an app’s configurations. These solutions send notifications to IT and Security teams so that they’re constantly in the loop regarding altered settings within SaaS apps.

Third-party plugins and integrations altering settings

There are thousands of third-party plugins and integrations that companies use in order to make the most of their SaaS solutions. These plugins, which aren’t created or endorsed by the provider of the app, often help the solution run more smoothly or help businesses perform additional tasks using the apps.

For example, auto-provisioning modules are often integrated within a business’ SSO solutions. Auto-provisioning helps companies extend and revoke employee permissions during the on-boarding and off-boarding processes.

Notably, many times these auto-provisioning systems aren’t able to distinguish between varying permissions. Instead, they simply create or rescind permissions through a zero-sum game, without fine-tuning regarding the level of permissions appropriate for a user in a specific role.

That could look like automatically granting a new employee full access permissions to all SaaS applications in the company. A strong SSPM will notify companies when this happens, giving them a chance to correct misconfigurations before they jeopardize data security.

Misconfiguration management: a key component of an SSPM security tool

Your SaaS configurations are a critical element within your organization’s overall cyber security. Ensuring that you’re continuously monitoring and correcting for misconfigurations is an important part of safeguarding your company’s data and internal systems.

It’s critical to remember that configuration management is an ongoing part of your security posture, rather than a one-time event. Due to changes made by administrators, third-party integrations, and SaaS solution updates, even configurations that were initially set correctly may be compromising your business data.

To mitigate the dangers posed by configuration drift, you should adopt a strong SSPM solution that provides continuous notifications around altered configurations, no matter where they originate.

Get updates to your inbox

Our latest tips, insights, and news