In today’s hybrid work environment, SaaS security has never been more important. Understanding your existing risks is a critical step to choosing the right security tool, but few SaaS apps provide the visibility necessary to perform a proper assessment. Many organizations turn to expensive consultants and a lengthy process in order to identify gaps, while others remain blissfully unaware of their exposure until there is a costly breach.
To establish an effective security program, you need to be able to answer the following questions on an ongoing basis:
Can your organization answer these questions across all of your SaaS applications? It takes a good deal of effort to uncover issues in a file sharing app such as OneDrive or Google Drive, but what about communication apps like Slack or Teams? Files are often shared there as well, with the intent of short-lived sharing, but in practice those files remain accessible. Visibility into your SaaS application activity is equally important if your organization has responded by disallowing external collaboration, as it would allow you to ease restrictive policies that can slow down the business.
DoControl’s approach to answering the questions above is the inventory, built automatically from your SaaS applications and continuously updated by user activity. The DoControl inventory provides comprehensive visibility regarding:
The inventory can be easily sorted and filtered within the DoControl user interface to surface issues that aren’t apparent in native SaaS tooling. Additionally, the inventory data can be pulled into other applications via a REST API or exported to CSV, allowing you to monitor your security posture with a SIEM or report on it using pivot tables in a spreadsheet.
Two broad categories of individuals may have access to data stored in your SaaS applications: internal users and external collaborators. External collaborators may include vendors and contractors, customers and prospects, third party applications, and anonymous users in the case where a public link is created.
One issue occurs when a partnership agreement with a vendor is terminated. If the vendor has accounts in your SaaS applications, the logins can be deactivated easily. However, if employees have shared files with the vendor’s external accounts, that sharing remains until it’s removed. Determining whether this problem exists in your SaaS applications is simple with the DoControl inventory:
First, we’ll check the domain inventory to find out if there are any domains we no longer wish to collaborate with. In this case, we’ve determined that our agreement with Gilgamesh (a fictitious vendor) has been terminated and the two users within that domain should no longer have access to our files.
Navigating to the Users screen, we filter for all users where the email contains “gilgamesh.” Selecting all users and then clicking Remove permission (and confirming) automatically revokes access for these users.
Finding groups in your connected SaaS applications is simple with DoControl. You can sort, filter by group name, and view members of each group. Additionally, custom groups can be created in DoControl to contain internal and external users as well as domains. DoControl uses groups imported from your applications to segment users based on their roles and responsibilities.
Determining which groups are sharing resources externally is simple using DoControl’s filters. Use the Owner is in group filter to select the target group(s) and then use the Sharing status filter to select the type(s) of sharing to view. You can further customize the view by including additional filters, such as filename or drive name.
To identify the collaborators, click on the filename and view the collaborators section:
Once you’ve identified files that should not be exposed externally, you can remove external collaborators using the Quick Actions menu:
A common example of a sensitive file is a private encryption key. Best practice dictates that encryption keys be managed in a secure digital vault. Whether you’re using a digital vault or not, confirming that keys are not present in less secure SaaS applications is important. Take the example of an administrator sharing a key with an applications engineer in Slack, which likely violates the company’s data security policies. Once the key is shared, it remains accessible in Slack unless deleted by the sender. The longer the key remains in a public or shared channel, the greater the chance it’s exposed to a malicious actor.
While an encryption key can reside within any file, typically the filenames end with extensions such as .pem or .ppk. With DoControl, you can search for these files and delete them instantly using the Quick Actions menu:
Finding publicly accessible content is as simple as using filters. For instance, to display all files that are shared publicly from Salesforce, filter by sharing status:
To verify that a file is indeed publicly accessible, click on the filename and then the Open asset in a new window link in the Asset page:
Removing the public sharing can be accomplished using the Quick Actions menu:
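The three checks described above (files still shared with a terminated vendor domain, files that look like private key material by extension, and publicly shared files) can also be run over a CSV export of the inventory, as mentioned earlier. The script below is an added example, not DoControl's code; the CSV column names and the sample rows are constructed assumptions, not DoControl's actual export schema.

```python
import csv
import io

# Constructed sample of a CSV inventory export. The column names are an
# assumption for illustration, not DoControl's real export format.
INVENTORY_CSV = """asset,app,owner,sharing_status,collaborators
Q3-roadmap.docx,Google Drive,alice@example.com,external,bob@gilgamesh.example;carol@example.com
deploy-key.pem,Slack,admin@example.com,internal,dev@example.com
pricing.xlsx,Salesforce,dave@example.com,public,
notes.txt,OneDrive,erin@example.com,external,frank@gilgamesh.example
id_rsa.ppk,Google Drive,gina@example.com,private,
"""

# Extensions that typically indicate private key files (from the text above).
KEY_EXTENSIONS = (".pem", ".ppk")

def load_inventory(text):
    """Parse the export into dicts and split the ';'-separated collaborator list."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for row in rows:
        row["collaborators"] = [c for c in row["collaborators"].split(";") if c]
    return rows

def shared_with_domain(rows, domain):
    """Assets still shared with any account in a domain, e.g. a terminated vendor."""
    suffix = "@" + domain.lower()
    return sorted(r["asset"] for r in rows
                  if any(c.lower().endswith(suffix) for c in r["collaborators"]))

def key_material(rows):
    """Assets whose filename suggests private key material, in any app."""
    return sorted(r["asset"] for r in rows
                  if r["asset"].lower().endswith(KEY_EXTENSIONS))

def public_assets(rows, app=None):
    """Assets with public sharing status, optionally limited to one SaaS app."""
    return sorted(r["asset"] for r in rows
                  if r["sharing_status"] == "public"
                  and (app is None or r["app"] == app))

def posture_report(text, terminated_domain):
    """Run all three checks and return the findings keyed by check name."""
    rows = load_inventory(text)
    return {
        "terminated_vendor": shared_with_domain(rows, terminated_domain),
        "key_material": key_material(rows),
        "public": public_assets(rows),
    }

if __name__ == "__main__":
    for finding, assets in posture_report(INVENTORY_CSV, "gilgamesh.example").items():
        print(f"{finding}: {assets}")
```

Each finding list maps directly to a remediation in the DoControl UI (removing the vendor's permissions, deleting the key file, or removing public sharing), so the report can be scheduled to confirm those cleanups stay in place.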
DoControl’s inventory is designed to provide visibility across multiple SaaS applications, enabling organizations to surface and remediate risks. Having visibility into your SaaS estate is a critical first step. From there, being able to enforce consistent data access control policies throughout all the disparate SaaS applications your organization leverages will help close up the SaaS application risks we’ve outlined in this blog. To uncover the true scope of your organization’s SaaS application risk and exposure, sign up for a free Risk Assessment today.
This stat comes from the industry report we published earlier this year: The Immense Risk of Unmanaged SaaS Data Access. It’s a great read. We recommend you check it out.