What AWS AppFabric Means For SaaS Security?

On June 27, 2023, Amazon Web Services (AWS) announced the launch of AppFabric with the goal of improving Application Observability for SaaS Applications. The purpose of this blog post is to provide more details on AppFabric, and what it means for both SaaS security and security teams.

What is AWS AppFabric?

According to AWS: “AppFabric quickly connects SaaS applications across your organization. IT and security teams can then easily manage and secure applications using a standard schema, and employees can complete everyday tasks faster using generative AI.”

AppFabric integrates multiple SaaS applications to streamline SaaS activity events, create a unified events schema/database, offer analytics, and interconnectivity with other AWS Security products, such as Security Data Lake, Security Hub, etc.

What SaaS applications are supported?

AppFabric launches with an impressive list of SaaS integrations, each with its specific constraints and limitations:

What data is now available?

AWS AppFabric pulls two main data points:

1. Audit logs ingestions

SaaS applications generate Audit Log events representing any administrative access by SaaS administrators. AWS AppFabric pulls these audit logs from multiple SaaS applications so you can monitor them all in one centralized location. AWS AppFabric pulls audit log data every two minutes and customers cannot change this frequency. 

A few examples:

• New user provisioning
• Multi-Factor Authentication (MFA) setting changes
• User permission role changes
• Password policy changes

2. User information

SaaS application user information contains data around users themselves (email, name, etc), their permission roles (admin, read-only, etc), and their activity events (view, create, share, etc). 

‍

What are the main use cases?

Taken from AWS:

• Connect your SaaS applications quickly

• AppFabric natively connects top SaaS productivity and security applications to each other, providing a fully managed SaaS interoperability solution.

• Elevate your security posture

• Application data is automatically normalized, enabling administrators to set common policies, standardize security alerts, and easily manage user access across multiple applications.

• Reimagine productivity

• With a common generative AI assistant, AppFabric empowers employees to get answers quickly, automate task management, and generate insights across their SaaS productivity applications.
  ‍

What is out of scope?

While AWS AppFabric is exciting and puts SaaS security “on the map”, it is still very limited when it comes to offering a comprehensive SaaS security solution. It plays smoothly with the broader AWS ecosystem, but with very limited data points covering a small fraction of the SaaS Security threat landscape.

Even though AWS AppFabric helps monitor Audit Logs and query for user information, it lacks critical capabilities completing the picture for security teams:

1. Near real-time events - subscribing to webhook events to benefit from near real-time events instead of the current hardcoded 2 minute frequency.
2. Data inventory - full discovery of all the data you store in SaaS applications, who owns it, across what departments, how exposed is it internally, externally, and publicly, etc.
3. OAuth apps inventory - full discovery of all the 3rd party OAuth tokens granted by employees installing 3rd party tools - now having programmatic access to your corporate data.
4. Business context enrichments (HRIS, IDP, EDR) - activity events and user information alone lack critical business context to speed up mitigation paths. HRIS, IDP, and EDR integrations provide robust enrichments used to infer decision making and automations.
5. DLP scanning - AppFabric offers this through a 3rd party vendor integration, meaning that you need to purchase another tool to benefit from PII/PHI/sensitive data scanning.
6. Remediation - the holy grail of enterprise security (unlike IaaS Security) is the ability to remediate and solve security incidents right away. For example, removing a permission, changing ownership, deleting files, and running approvals.
7. Workflow automations - the only way to reduce total cost of ownership (TCO) is to embed workflow automations between activity events, business context, and remediation paths.
8. Anomaly detection - using ML/AI models to identify anomalies across activity events, data sets, permission sets, 3rd party apps, etc.
9. Custom downstream integrations - the ability to streamline information to any custom endpoint using simple, generic HTTPs requests.

‍

What does it mean for SaaS security and security teams?

AWS AppFabric is a very important validation for the importance of SaaS Security in 2023. Historically, AWS launches products associated with massive total addressable markets, critical customer pain points, and available budgets. Security teams now have a robust SaaS security solution to compare against all other solutions in the market, and make the best decision for their specific organizational needs/requirements. Security teams now look at the bigger picture and prioritize SaaS Security in their 2023/2024 budgets. 

SaaS applications partnering with AWS on AppFabric validates that native SaaS Security capabilities are not enough to truly protect data at the speed of modern collaboration, data complexity, and rising threats.

As SaaS Security Platforms (SSPs) are on the rise, customers’ expectations are to purchase solutions that offer up comprehensive coverage of SaaS security threat models – all from a single vendor. Securing SaaS is a challenge at scale, given the application and data sprawl that is ultimately created for organizations of all shapes and sizes. 

While this validation from AWS reaffirms the criticality of securing SaaS applications and data, what AppFabric lacks at this current moment in time is the combination of your SaaS attack surface, business context, and automated remediation. This combo is absolutely necessary in order to scale SaaS utilization and drive business enablement simultaneously. 

‍