Uncovering Risks in SaaS Applications

In today’s hybrid work environment, SaaS security has never been more important. Understanding your existing risks is a critical step to choosing the right security tool, but few SaaS apps provide the visibility necessary to perform a proper assessment. Many organizations turn to expensive consultants and a lengthy process in order to identify gaps, while others remain blissfully unaware of their exposure until there is a costly breach.

To establish an effective security program, you need to be able to answer the following questions on an ongoing basis:

  1. Who has access to our data?
  2. What groups within our organization are sharing data externally and what is the business purpose?
  3. What sensitive files exist in my infrastructure?
  4. Is any sensitive data publicly accessible?

Can your organization answer these questions across all of your SaaS applications? It takes a good deal of effort to uncover issues in a file sharing app such as OneDrive or Google Drive, but what about communication apps like Slack or Teams? Files are often shared there as well, with the intent of short-lived sharing, but in practice those files remain accessible. Visibility into your SaaS application activity is equally important if your organization has responded by disallowing external collaboration, as it would allow you to ease restrictive policies that can slow down the business.

The Inventory Approach

DoControl’s approach to answering the questions above is the inventory, built automatically from your SaaS applications and continuously updated by user activity. The DoControl inventory provides comprehensive visibility regarding:

  1. Users: All internal and external users who can access, share, and manipulate data stored in your SaaS apps
  2. Assets: The files contained in your SaaS applications, including attributes such as filename and location, owners, collaborators and sharing status
  3. Groups: Groupings of internal users imported from your SaaS applications, and custom groups which can contain internal and/or external users and domains
  4. Domains: 1) External: All external domains with access to assets in the organization, 2) Internal: Organization internal domains, imported from your SaaS applications, and 3) Trusted: A subset of internal and external domains considered safe for sharing, as designated by the organization

The inventory can be easily sorted and filtered within the DoControl user interface to surface issues that aren’t apparent in native SaaS tooling. Additionally, the inventory data can be imported into other applications via REST API or export to CSV, allowing you to monitor your security posture with a SIEM or report on it using pivot tables in a spreadsheet.

Who has access to our data?

Two broad categories of individuals may have access to data stored in your SaaS applications: internal users and external collaborators. External collaborators may include vendors and contractors, customers and prospects, third party applications, and anonymous users in the case where a public link is created.

One issue occurs when a partnership agreement with a vendor is terminated. If the vendor has accounts in your SaaS applications, those logins can be deactivated easily. However, if employees have shared files with the vendor's external accounts, that sharing remains in place until it is explicitly removed. Determining whether this problem exists in your SaaS applications is straightforward with the DoControl inventory:

Domain Inventory

First, we’ll check the domain inventory to find out if there are any domains we no longer wish to collaborate with. In this case, we’ve determined that our agreement with Gilgamesh (a fictitious vendor) has been terminated and the two users within that domain should no longer have access to our files.

User Inventory

Navigating to the Users screen, we filter for all users where the email contains “gilgamesh.” Selecting all users and then clicking Remove permission (and confirming) automatically revokes access for these users.

What groups within our organization are sharing data externally?

Group Inventory

Finding groups in your connected SaaS applications is simple with DoControl. You can sort, filter by group name, and view members of each group. Additionally, custom groups can be created in DoControl to contain internal and external users as well as domains. DoControl uses groups imported from your applications to segment users based on their roles and responsibilities.

Asset Inventory

Determining which groups are sharing resources externally is simple using DoControl’s filters. Use the Owner is in group filter to select the target group(s) and then use the Sharing status filter to select the type(s) of sharing to view. You can further customize the view by including additional filters, such as filename or drive name.

To identify the collaborators, click on the filename and view the collaborators section:

Once you’ve identified files that should not be exposed externally, you can remove external collaborators using the Quick Actions menu:

What sensitive files exist in my infrastructure?

A common example of a sensitive file is a private encryption key. Best practice dictates that encryption keys be managed in a secure digital vault. Whether you're using a digital vault or not, confirming that keys are not present in less secure SaaS applications is important. Take the example of an administrator sharing a key with an applications engineer in Slack, which likely violates the company's data security policies. Once the key is shared, it remains accessible in Slack unless the sender deletes it. The longer the key remains in a public or shared channel, the greater the chance it is exposed to a malicious actor.

While an encryption key can reside within any file, typically the filenames end with extensions such as .pem or .ppk. With DoControl, you can search for these files and delete them instantly using the Quick Actions menu:

Is any sensitive data publicly accessible?

Finding publicly-accessible content is as simple as using filters. For instance, to display all files that are shared publicly from Salesforce, filter by sharing status:

To verify that a file is indeed publicly accessible, click on the filename and then the Open asset in a new window link in the Asset page:

Removing the public sharing can be accomplished using the Quick Actions menu:
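The four checks walked through above (assets still shared with a terminated vendor's domain, external sharing broken down by owner group, private-key files by extension, and publicly accessible assets) can also be run against an inventory export, which is the route the "export to CSV" option opens up for SIEM or spreadsheet reporting. The following Python script is an added example and is not DoControl's code; the column names in the sample export (asset, app, owner, owner_group, sharing_status, collaborators) are an assumption made for this example, not DoControl's actual CSV schema, and the rows, domains and addresses are constructed.

```python
import csv
import io
from collections import defaultdict

# Constructed sample export. The column layout is an assumption for this
# example, not DoControl's actual CSV schema; adjust the keys to match
# whatever your real export contains.
SAMPLE_EXPORT = """\
asset,app,owner,owner_group,sharing_status,collaborators
Q3-forecast.xlsx,Google Drive,ana@example.com,Finance,external,ana@example.com;cfo@gilgamesh.example
deploy-key.pem,Slack,ops@example.com,Engineering,internal,ops@example.com;dev@example.com
jump-host.ppk,OneDrive,ops@example.com,Engineering,external,ops@example.com;support@gilgamesh.example
brochure.pdf,Salesforce,sales@example.com,Sales,public,sales@example.com
roadmap.docx,Google Drive,pm@example.com,Product,external,pm@example.com;partner@trusted-partner.example
"""

# Constructed domain lists mirroring the Internal / Trusted domain inventory.
INTERNAL_DOMAINS = {"example.com"}
TRUSTED_DOMAINS = {"trusted-partner.example"}
# Extensions the post calls out as typical for private keys.
KEY_EXTENSIONS = (".pem", ".ppk")


def load_inventory(csv_text):
    """Parse the export into a list of dicts and split collaborators into a list."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    for row in rows:
        row["collaborators"] = [
            c.strip().lower() for c in row["collaborators"].split(";") if c.strip()
        ]
    return rows


def domain_of(email):
    """Return the domain part of an email address, lower-cased."""
    return email.rsplit("@", 1)[-1].lower()


def assets_shared_with_domain(rows, domain):
    """Question 1: assets still shared with a given (e.g. terminated vendor) domain."""
    domain = domain.lower()
    return sorted(
        r["asset"] for r in rows
        if any(domain_of(c) == domain for c in r["collaborators"])
    )


def external_sharing_by_group(rows):
    """Question 2: per owner group, each asset and the external party it is shared with.

    A collaborator counts as external when its domain is neither internal nor
    trusted; a public link counts as sharing with everyone.
    """
    known = INTERNAL_DOMAINS | TRUSTED_DOMAINS
    result = defaultdict(list)
    for r in rows:
        external = [c for c in r["collaborators"] if domain_of(c) not in known]
        if r["sharing_status"] == "public":
            external.append("<public link>")
        for c in external:
            result[r["owner_group"]].append((r["asset"], c))
    return dict(result)


def sensitive_key_files(rows, extensions=KEY_EXTENSIONS):
    """Question 3: files whose name ends with a private-key extension."""
    return sorted(r["asset"] for r in rows if r["asset"].lower().endswith(extensions))


def publicly_accessible(rows, app=None):
    """Question 4: assets with public sharing status, optionally limited to one app."""
    return sorted(
        r["asset"] for r in rows
        if r["sharing_status"] == "public" and (app is None or r["app"] == app)
    )


if __name__ == "__main__":
    inv = load_inventory(SAMPLE_EXPORT)
    print("Still shared with gilgamesh.example:", assets_shared_with_domain(inv, "gilgamesh.example"))
    print("External sharing by group:", external_sharing_by_group(inv))
    print("Private-key files:", sensitive_key_files(inv))
    print("Public in Salesforce:", publicly_accessible(inv, app="Salesforce"))
```

Each function returns a list or dict rather than printing, so the same checks can be scheduled and their results forwarded to a SIEM or written back out as CSV. Note that the key-file check matches on filename only, as the post describes; a key pasted into a differently named file will not be caught by it.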

DoControl’s inventory is designed to provide visibility across multiple SaaS applications, enabling organizations to surface and remediate risks. Having visibility into your SaaS estate is a critical first step. From there, being able to enforce consistent data access control policies throughout all the disparate SaaS applications your organization leverages will help close up the SaaS application risks we’ve outlined in this blog. To uncover the true scope of your organization’s SaaS application risk and exposure, sign up for a free Risk Assessment today.