Jul 4, 2024

What Does AWS AppFabric Mean for SaaS Security?


Last June, Amazon Web Services (AWS) announced the launch of AWS AppFabric with the goal of improving Application Observability for SaaS Applications.

Exactly what SaaS security issues was AWS AppFabric intended to solve? Has the past year seen it make good on its promise? And where is AppFabric headed in the future? 

We take a close look at all of this - and more - in the following blog post.

What is AWS AppFabric?

According to AWS: “AppFabric quickly connects SaaS applications across your organization. IT and security teams can then easily manage and secure applications using a standard schema, and employees can complete everyday tasks faster using generative AI.”

AppFabric integrates multiple SaaS applications to streamline SaaS activity events, create a unified events schema/database, offer analytics, and provide interconnectivity with other AWS Security products, such as Security Data Lake, Security Hub, etc.

Why is this important? What prompted the creation of AppFabric?

Tamar Heyman, an AppFabric Principal Product Manager, explains that the variation between SaaS data models and frameworks was a major obstacle to SaaS app security.

One problem it created was the burden of normalization. Just as you can’t compare texts written in different languages until you translate some or all of them, a SIEM (security information and event management) solution can’t integrate and analyze SaaS app event logs based on different data frameworks until they are normalized.

Slack, for example, has a data framework based on channels and messages. Dropbox uses files and folders. Asana’s data model is based around tasks, projects and goals. Without knowing what each of those categories means, and what is equivalent between apps, a SIEM cannot effectively identify and alert to problems across the SaaS environment. 

Additionally, even normalized data requires enrichment in order to give a complete, helpful security picture. This is especially true when it comes to user identity and identity security. Every SaaS app will assign a user a specific alphanumeric identifier. But if your Slack instance identifies employee John Doe as user hy7ste9m0ab and Google Workspace identifies him as user nc84w3l1n, how will your SIEM be able to assess John Doe’s user risk? 

Enter AWS AppFabric. It normalizes and enriches log data so your SIEM can compare and analyze with ease. Let’s take a look at its scope.

What SaaS applications are supported?

AppFabric launched with 12 supported SaaS integrations, each with its specific constraints and limitations. Over the past year this list has more than doubled, for a current total of 26 supported SaaS integrations:

  • 1Password
  • Asana
  • Azure Monitor
  • Atlassian Confluence
  • Atlassian Jira suite
  • Box
  • Cisco Duo
  • Dropbox
  • Genesys Cloud
  • GitHub
  • Google Analytics
  • Google Workspace
  • HubSpot
  • IBM Security® Verify
  • JumpCloud
  • Microsoft 365
  • Miro
  • Okta
  • OneLogin by One Identity
  • PagerDuty
  • Ping Identity
  • Salesforce
  • ServiceNow
  • Singularity Cloud
  • Slack
  • Smartsheet
  • Terraform Cloud
  • Webex by Cisco
  • Zendesk
  • Zoom

What data is now available?

AWS AppFabric pulls two main data points:

  1. Audit log ingestion

SaaS applications generate Audit Log events representing any administrative access by SaaS administrators. AWS AppFabric pulls these audit logs from multiple SaaS applications so you can monitor them all in one centralized location. AWS AppFabric pulls audit log data every two minutes, and customers cannot change this frequency.

A few examples:

  • New user provisioning
  • Multi-Factor Authentication (MFA) setting changes
  • User permission role changes
  • Password policy changes

  2. User information

Audit logs

SaaS applications generate audit log events representing activity by SaaS users and administrators. AWS AppFabric pulls these audit logs from multiple SaaS applications and “normalizes” them into the OCSF (Open Cybersecurity Schema Framework) format.

OCSF was developed by working backward from the MITRE ATT&CK® framework, adapted to reflect SaaS apps and their unique security priorities. The goal was to have logs that security analysts could immediately use for threat detection.

AWS AppFabric uses the following OCSF event categories, classes and events:

| OCSF event category | OCSF event class | OCSF event |
|---|---|---|
| Identity and Access Management | Account Change | Enable, disable, password change, PW reset, lock, unlock, update |
| Identity and Access Management | Authentication | Logon, logoff |
| Identity and Access Management | User Access Management | Assign privileges, revoke privileges |
| Identity and Access Management | Group Management | Assign privileges, revoke privileges, add user, remove user |
| Application Activity | Web Resources Activity | Update, import, export, create, share, delete, read, search |
| Application Activity | Web Resource Access Activity | Access revoke, access grant, access deny |

How frequently does AWS AppFabric pull audit log data from its connected SaaS apps? Every two minutes. Customers cannot change this frequency.

User information

SaaS application user information contains data around users themselves (email, name, etc), their permission roles (admin, read-only, etc), and their activity events (as in the “Web Resources Activity” class in the table above).

AWS AppFabric enriches this data to gain more helpful insight about users, their identities and their behavior. For example, AppFabric uses the user’s corporate email as an identifier to associate their user identities across SaaS apps.
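To make the normalization and identity-association points above concrete, here is an added example (not AppFabric code, and not from AWS) of the kind of cross-app correlation a SIEM can run once events share class names and a corporate email. The event shape is a flattened, constructed stand-in for OCSF records; the `dbx-001` id, the `example.com` address, and the 15-minute window are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

def ev(time, cls, act, product, uid, email=None):
    """Build one event; a flattened, constructed stand-in for an OCSF record."""
    return {"time": time, "class_name": cls, "activity_name": act,
            "product": product, "user": {"uid": uid, "email_addr": email}}

# Constructed sample data. App-local uids differ; only the email is shared.
EVENTS = [
    ev("2024-07-01T09:00:00", "Account Change", "Password Reset", "Slack",
       "hy7ste9m0ab", "John.Doe@example.com"),
    ev("2024-07-01T09:04:00", "Web Resources Activity", "Export",
       "Google Workspace", "nc84w3l1n", "john.doe@example.com"),
    ev("2024-07-01T09:05:00", "Web Resources Activity", "Export", "Dropbox",
       "dbx-001"),  # no email in the record: cannot be joined
    ev("2024-07-01T13:00:00", "Web Resources Activity", "Share",
       "Google Workspace", "nc84w3l1n", "john.doe@example.com"),
]
IDENTITY_CLASSES = {"Account Change", "User Access Management"}
DATA_MOVES = {"Export", "Share"}

def identity_key(event):
    """Case-folded corporate email, or an app-scoped key when it is missing."""
    user = event["user"]
    if user.get("email_addr"):
        return user["email_addr"].strip().lower()
    return f"unresolved:{event['product']}:{user['uid']}"

def timelines(events):
    """Group events per identity, each list ordered by time."""
    out = defaultdict(list)
    for e in sorted(events, key=lambda e: e["time"]):
        out[identity_key(e)].append(e)
    return dict(out)

def cross_app_findings(events, window=timedelta(minutes=15)):
    """Identity change in one app, then export/share in another, within window."""
    found = []
    for who, evs in timelines(events).items():
        for i, first in enumerate(evs):
            if who.startswith("unresolved:") or first["class_name"] not in IDENTITY_CLASSES:
                continue
            t0 = datetime.fromisoformat(first["time"])
            for later in evs[i + 1:]:
                if datetime.fromisoformat(later["time"]) - t0 > window:
                    break
                if later["activity_name"] in DATA_MOVES and later["product"] != first["product"]:
                    found.append((who, first["product"], later["product"]))
    return found
```

The Dropbox record lands in an `unresolved:` bucket rather than being dropped, which is worth counting in practice: events that lack the shared identifier are invisible to any per-user rule.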

What SIEM tools can work together with AppFabric?

AWS AppFabric’s integrations with security tools, when combined with its normalization and enrichment of SaaS audit logs, means that security teams don’t have to create point-to-point integrations or pre-process data. This streamlines threat monitoring and incident response processes.

AppFabric currently has integrations with 10 security tools, and is adding more all the time:

  • Barracuda XDR
  • Dynatrace
  • Logz.io
  • Netskope
  • NetWitness
  • Amazon QuickSight
  • Rapid7
  • Amazon Security Lake
  • Singularity Cloud
  • Splunk

What are the main use cases?

As stated by AWS, the main use cases of AppFabric are to:

Connect your SaaS applications quickly

AppFabric natively connects top SaaS productivity and security applications to each other, providing a fully managed SaaS interoperability solution.

Elevate your security posture

Application data is automatically normalized, enabling administrators to set common policies, standardize security alerts, and easily manage user access across multiple applications.

Reimagine productivity

With a common generative AI assistant, AppFabric empowers employees to get answers quickly, automate task management, and generate insights across their SaaS productivity applications. (Note: this use case is focused on productivity, not security, and in fact AWS distinguishes between their “AppFabric for security” and “AppFabric for productivity” offerings, even though the product is the same.)

What is out of scope?

When it launched in 2023, AWS AppFabric was exciting because it “put SaaS security on the map.” But now, as then, it is still limited when it comes to offering a comprehensive SaaS security solution. It plays smoothly with the broader AWS ecosystem, but with very limited data points covering a small fraction of the SaaS Security threat landscape.

Even though AWS AppFabric helps monitor SaaS app audit logs and query for user information, it lacks these critical capabilities that are needed to complete the picture for security teams:

  1. Near real-time events
  2. Data inventory
  3. OAuth apps inventory
  4. Business context enrichments (HRIS, IDP, EDR)
  5. DLP scanning
  6. Remediation
  7. Workflow automations
  8. Anomaly detection
  9. Custom downstream integrations

Near real-time events

SaaS moves at an astonishing pace. An effective SaaS security solution should subscribe to webhook events to benefit from near real-time events instead of AppFabric’s current hardcoded two-minute frequency.

Data inventory

You can’t protect what you don’t know about. Complete SaaS security entails complete discovery of all the data you store in SaaS applications: who owns it, across what departments, how exposed it is internally, externally, and publicly, etc.

OAuth apps inventory

26 supported SaaS apps are great, but they’re just the tip of the iceberg when it comes to most organizations’ SaaS stacks. Full SaaS security requires full discovery of all the 3rd party OAuth tokens granted by employees installing 3rd party tools, which now have programmatic access to your corporate data.

Business context enrichments (HRIS, IDP, EDR)

The user enrichments that AWS AppFabric performs are very important for understanding activity event context. But activity events and user information alone lack critical business context to speed up mitigation paths. HRIS, IDP, and EDR integrations provide robust enrichments used to inform decision making and automations.

DLP scanning

AppFabric offers this through a 3rd party vendor integration, meaning that you need to purchase another tool to benefit from PII/PHI/sensitive data scanning.

Remediation

The holy grail of enterprise SaaS security (unlike SaaS Security) is the ability to remediate and solve security incidents right away. In the SaaS environment, data can be shared, copied and moved on in a minute or less. Remediation (for example, removing permissions) must be able to match this pace, or you won’t catch the exposure risk and mitigate in time. 

Workflow automations

The only way to reduce total cost of ownership (TCO) is to embed workflow automations between activity events, business context and remediation paths.

Anomaly detection

In the SaaS environment where users wear their identity as a mask and connected apps are given permissions without thinking too much about it, effective threat detection necessitates using ML/AI models to identify anomalies across activity events, data sets, permission sets, 3rd party apps, etc.

Custom downstream integrations

Integrations with 10 major security tools are great, but even better would be the ability to streamline information to any custom endpoint using simple, generic HTTPS requests.

What does it mean for SaaS security and security teams?

Historically, AWS launches products associated with massive total addressable markets, critical customer pain points, and available budgets. So when AWS launched AppFabric in 2023, it was a very important validation of the importance of SaaS Security. Security teams then had a robust SaaS security solution to compare against all other solutions in the market, and make the best decision for their specific organizational needs/requirements.

SaaS applications partnering with AWS on AppFabric validated that native SaaS Security capabilities are not enough to truly protect data at the speed of modern collaboration, data complexity, and rising threats.

The situation is not much different today.

As SaaS Security Platforms (SSPs) are on the rise, customers’ expectations are to purchase solutions that offer up comprehensive coverage of SaaS security threat models – all from a single vendor. Securing SaaS is a challenge at scale, given the application and data sprawl that is ultimately created for organizations of all shapes and sizes. 

Even though AWS reaffirmed the criticality of securing SaaS applications and data, what AppFabric lacked, and continues to lack, is coverage of your complete SaaS attack surface, business context, and automated remediation. This combo is absolutely necessary in order to scale SaaS utilization and drive business enablement simultaneously.

Adam Gavish is the Co-Founder and Chief Executive Officer of DoControl. Adam brings 15 years of experience in product management, software engineering, and network security. Prior to founding DoControl, Adam was a Product Manager at Google Cloud, where he led ideation, execution, and strategy of Security & Privacy products serving Fortune 500 customers. Before Google, Adam was a Senior Technical Product Manager at Amazon, where he launched customer-obsessed products improving the payment experience for 300M customers globally. Before Amazon, Adam was a Software Engineer in two successfully acquired startups, eXelate for $200M and Skyfence for $60M.

Adam is a lifetime information geek, breaking down business and technical problems into components to generate long-term learning. He loves running outdoors, playing with LEGOs with his son, and watching a good movie with his wife.

Adam holds a B.S. in Computer Science from the Academic College of Tel-Aviv Yafo and an MBA from the Johnson Graduate School of Management at Cornell University.
