Why SaaS Security Posture Management (SSPM) is Not the Biggest Attack Surface in SaaS

There is a lot of talk in the market about SaaS Security Posture Management (SSPM), and how it protects the purported “largest attack surface” in SaaS: misconfigurations – be they accidental or intentional – by SaaS administrators. 

Misconfiguration can certainly lead to exposure in SaaS, and a full SaaS Security Platform (SSP) will address SSPM as one part of a comprehensive set of tools covering all areas of the SaaS security shared responsibility model. 

So let’s think about what SaaS is, and how it’s used. First, SaaS is not IaaS. The amount of damage a compromised, rogue, or careless administrator can do in SaaS is limited by the scope of the administrator’s control. In SaaS, the administrator cannot affect infrastructure- or platform-level security and only shares responsibility for the application level. While not trivial, the administrator misconfiguration surface in SaaS is much smaller than in Infrastructure as a Service (IaaS). 

However, in SaaS we have data that is:

  • Owned and access-controlled by each user in the SaaS tenant (which is likely all users in the organization for Microsoft 365/Teams or Google Workspace/Slack) 
  • Accessible by external users (contractors, vendors, partners, future and former employees, etc.), often without passing through authentication (IdP) or conditional access policies
  • Accessible from unmanaged devices by both internal and external users
  • Easily and inadvertently shared inappropriately – e.g. a user puts a file in a Teams or Slack channel, making it accessible to everyone in that Team or Slack workspace, and in some cases this action makes the data publicly accessible

Given the challenges of classifying data in SaaS (e.g. false positives, establishing policies, keeping up with constantly changing content), let alone doing so quickly enough to prevent unauthorized access or oversharing, the potential – and often the reality – of data exposure is by far the largest attack surface organizations face on SaaS platforms today. This is especially true of file sharing and collaboration applications like Teams, Slack, Box, Google Drive, SharePoint, OneDrive, etc. – applications of which almost every organization has one or more deployed universally.  

At the end of the day, the data is what attackers are ultimately after. Organizations put a big effort into shoring up other areas of the IT/Cloud estate (e.g. SSPM, service mesh, SaaS-to-SaaS, etc.) without taking a closer look at protecting the lifeblood of the organization: its data. From an attacker’s perspective, data is the best target since you can ask a ransom for it. Data needs to be protected throughout its lifecycle – when it’s created, accessed, shared, edited, etc. This is obviously a challenge at scale, which demands that automation be built into the tools that are trying to protect sensitive SaaS data.

Another challenge in SaaS data protection has always been how to keep data from leaving the confines of the business without ruining user experience and productivity. Proxies can keep data in or out, but only for uploads and downloads from managed endpoints by internal users. Traditional API-based Cloud Access Security Broker (CASB) tools are too slow to respond to actually stop data from leaving, besides being prone to false positives and limited in their approach to prevention and remediation. 

DoControl takes a unique approach to solving critical SaaS data protection use cases. We provide a unified, automated and risk-aware SSP that secures business-critical data, drives operational efficiencies, and enables business productivity. Our core competency is protecting business-critical SaaS applications and data through automated remediation; this way organizations can consume SaaS applications and services at scale without imposing unnecessary risk on the business. Take the SaaS Data Access Risk Assessment to better understand your organization’s risk. 
