Multi-factor authentication (MFA) has become widely embraced as a method of prohibiting unwarranted access to applications and networks. From internal corporate communications platforms to online banking to some of the most popular email providers, MFA is seen as a security fundamental in 2021.
Unfortunately for corporations using SaaS apps, MFA is about as effective a defense tool as the Maginot Line was at protecting France at the onset of World War II. (Hint: It wasn’t.) You might think you’re keeping your territory safe, but the defenses are easily circumvented through other means. Here’s how:
The true security MFA offers, and the false sense that it’s absolute
As you know, authenticating identity with two or more factors is a feature of most SaaS applications these days. Users prove their identity with not just a password but an answer to a question they’ve set up in advance, through a code they are sent to their email or phone, or via random tokens provided in a separate confirmation application.
Enabling MFA in individual applications is a good thing to do, but that can be a bit tedious for the end user looking to access multiple apps. An identity provider such as Okta can help by reinforcing these MFA practices through a centralized system and enabling single sign-on (SSO) to control and streamline access across most of an enterprise’s SaaS apps.
So far, so good.
But look at what can happen next. Your employees share company data with external collaborators and perhaps to their own Gmail accounts. (A no-no: Never let employees share from their personal accounts nor let them share to others’ personal accounts.) They may have legitimate business purposes for doing so, but the minute access is granted to external entities, your company has just expanded its vulnerability tremendously.
If these external domains and private email accounts do not adhere to the same stringent security practices like MFA, they’re vulnerable to account takeovers -- and that’s a serious problem. More than 22 percent of American adults -- 24 million households -- have been victims of account takeovers, according to a recent report. Such takeovers often are attributable to a lack of MFA. The security risks to your enterprise are obvious.
Another issue: Data access is typically granted to external users without an expiration date. Even when the need to share the data has ended (the project completed or the vendor no longer part of your team) the access remains. The shared files can linger indefinitely, not reviewed again by anyone in your company. Yet the file may be passed along to a third party, who in turn shares it with someone else, and so on.
How is MFA helping you now?
It’s not. All those other users were able to log into their systems without going through yours. Whatever protections you’ve set up to guard your turf through MFA-controlled access have no effect on users who’ve been given passage to your valued data from an application outside of your control. And you may not even know they’re digging deep into your own backyard while it’s happening.
Is it hopeless? No.
DoControl provides the security that your MFA systems can’t
The answer isn’t to make it harder for your users to access your SaaS applications with more layers of identification. The key is to anticipate the unwanted sharing of data through SaaS apps before it’s shared, while it’s actively being used by your team, and after it’s no longer part of ongoing operations.
DoControl orchestrates this control with a centralized platform that keeps watch on ALL your SaaS applications, regardless of the presence or absence of MFA. You can establish restrictions that prevent files containing sensitive data from being shared externally or being shared to specific external domains (like gmail or other personal accounts). You can establish policies that shut down access after a set time period. You can identify abandoned files and remove sharing permissions by anyone and everyone, no matter the SaaS app in which the files reside. You can monitor for anomalous activity by users and automatically shut off access when someone starts to download an inordinate number of files, too.
DoControl ensures that external collaborators do not have access to your company data forever.
Today’s cyber warfare advances at a rapid pace, and it takes sophisticated defense mechanisms to properly anticipate and thwart assaults before the damage is done. Contact us to get a demonstration of how DoControl can arm you against unwanted data access.
This stat comes from the industry report we published earlier this year: The Immense Risk of Unmanaged SaaS Data Access. It’s a great read. We recommend you check it out.
Just as is with the cloud, securing SaaS is a shared responsibility. Providers are responsible for ensuring the security of their platforms, but there is an onus on the organization consuming the service to protect themselves from data overexposure and exfiltration, as well as cyber breaches and attacks.
In this blog we are going to focus on three of the most widely adopted SaaS applications, based on revenue and growth, as well as just general popularity. We will highlight the pitfalls and security gaps (note: these apps are not inherently insecure!), and how DoControl can help deliver a single, unified strategy to SaaS application security and reduce the risk of both data exfiltration and cyberattacks.