The next big cybersecurity threat is connected SaaS platforms
This article was originally published on Built In by Aner Gelman.
Text notifications about new messages on Slack. Linking Trello boards to Microsoft Teams. Using Boomerang to control a busy inbox. These apps and platforms — and their connections with each other — are all part of daily life in many companies today. They not only help make remote and hybrid work possible, but are key to building and scaling companies and products.
But the communications between thousands of SaaS platforms are also an emerging threat to corporate cybersecurity. Most existing cybersecurity solutions still do not offer adequate protection or a convenient way to monitor the communications between these apps and platforms, leaving companies vulnerable to cyberattacks and unable to effectively know or control which parties have access to sensitive corporate or personal data.
A handful of high-profile attacks have resulted from taking advantage of how SaaS platforms communicate with each other, including a data breach at cybersecurity provider Imperva Security, in which attackers stole an API key that allowed the software to work on Amazon’s cloud and used it to gain access to sensitive customer data. To protect themselves effectively, companies need to understand how SaaS platforms are becoming increasingly vulnerable, what’s at stake, and what steps to take.
Current Cloud Security Options Don’t Protect SaaS-to-SaaS Communications
Cloud-based SaaS platforms have been growing rapidly for two decades, as they provide a convenient and affordable way to get tech services for both work and personal use. By now, most modern consumers are familiar with popular platforms, many of which can be customized, like Gmail and Salesforce.
Because SaaS is cloud-based, traditional cybersecurity measures, like firewalls that protected on-premises networks, data, and software, are no longer effective. So the market soon developed CASBs, or cloud access security brokers, which are intermediaries between cloud-based services and their users or on-premises services. These can be software- or hardware-based. But ultimately, they only protect connections between SaaS products and their users. This was fine — until more SaaS products started communicating with each other, doing things like sending a Slack message when a customer opens a support ticket.
More recently, SSPMs, or SaaS Security Posture Management solutions, emerged. These have become popular, with research and consulting company Gartner naming them as a top tool in the future of cloud and SaaS security. While these do monitor more aspects than CASBs, they are only available for certain services, and even though they take a cloud-first approach, they are missing additional features, like overseeing the ubiquitous SaaS-to-SaaS communications.
Interconnected Apps Mean More Opportunities for Hackers
Slack popularized the notion of connecting different platforms to work together, and now most SaaS apps are communicating with each other. Each action a user takes, whether it’s sending a message or updating a calendar, may result in several other automatic actions and notifications in connected platforms, and other add-ons and apps for SaaS platforms require access to even more data on the platforms.
This means that if a hacker gains access to one platform, they potentially have access to all of that user’s different SaaS platforms and connected applications. In an age of increased cyberattacks, like recent supply chain attacks that often target organizations in order to gain access to more numerous or valuable targets — like what happened with the well-known SolarWinds attack — this leaves a lot of information extremely vulnerable.
What Can Companies Do to Protect Their Information?
- Invest in SaaS security tools
- Inventory apps currently in use by employees
- Don’t neglect service accounts
- Revoke all access from former employees’ linked accounts
- Consider establishing a SaaS Operations department
- Establish clear policies regarding use of third-party SaaS platforms
Companies need to invest more not just in SaaS security tools, but also in figuring out how many apps their employees are using, and what is being shared on them so that their cybersecurity departments have an accurate and comprehensive understanding of the potential threat landscape.
Organizations are becoming more aware of this, with 55 percent of information security professionals saying the top SaaS security challenge is a lack of visibility into SaaS usage and data. Once they have gained that visibility, they should use it to write clear policies regarding the use of third-party SaaS apps and platforms that take into account their employees’ workflows.
Companies should be careful about things like service accounts being neglected, resulting in vulnerabilities like unused API tokens that can be stolen and used to access privileged information. In addition to the threat of cyberattacks, the web of SaaS products also potentially leaves companies vulnerable to unauthorized users, or former employees, who may, through continuing email or message notifications and add-ons to platforms, have access to sensitive information.
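The inventory, service-account and former-employee checks recommended above can be turned into a simple recurring audit over the list of SaaS-to-SaaS grants an organization holds. The script below is an added example, not code from the article or from any vendor; the grant records, field names, 90-day staleness window and "over-broad scope" list are all constructed assumptions, and a real version would pull the same fields from each platform's admin or audit API.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed sample inventory of SaaS-to-SaaS integration grants.
# Field names are assumed for this example, not any specific vendor's schema.
NOW = datetime(2023, 3, 1, tzinfo=timezone.utc)
STALE_AFTER = timedelta(days=90)  # assumed policy: unused for 90 days means revoke

@dataclass
class Grant:
    platform: str        # platform that issued the token
    app: str             # third-party app or bot holding it
    owner: str           # user or service account that authorized it
    owner_active: bool   # False once the person has left or the account is disabled
    scopes: tuple        # scopes the token carries
    last_used: datetime  # last time the token appeared in audit logs

GRANTS = [  # constructed data
    Grant("slack", "trello-bot", "alice@example.com", True, ("chat:write",), NOW - timedelta(days=3)),
    Grant("salesforce", "reporting-svc", "svc-reports", True, ("api", "full"), NOW - timedelta(days=200)),
    Grant("gmail", "boomerang", "bob@example.com", False, ("mail.readonly",), NOW - timedelta(days=10)),
    Grant("teams", "trello-connector", "carol@example.com", True, ("ChannelMessage.Read.All",), NOW - timedelta(days=1)),
]

BROAD_SCOPES = {"full", "admin", "*"}  # assumed list of scopes treated as over-broad

def audit(grants, now=NOW, stale_after=STALE_AFTER):
    """Return {finding_type: [(platform, app), ...]} for grants that need review."""
    findings = {"orphaned": [], "stale": [], "over_scoped": []}
    for g in grants:
        key = (g.platform, g.app)
        if not g.owner_active:
            findings["orphaned"].append(key)    # former employee's linked app still authorized
        if now - g.last_used > stale_after:
            findings["stale"].append(key)       # neglected token, candidate for revocation
        if BROAD_SCOPES & set(g.scopes):
            findings["over_scoped"].append(key) # service account with more access than it needs
    return findings

def revocation_list(findings):
    """Grants to revoke outright: orphaned or stale (over-scoped ones get re-scoped instead)."""
    return sorted(set(findings["orphaned"]) | set(findings["stale"]))

if __name__ == "__main__":
    f = audit(GRANTS)
    for kind, items in f.items():
        print(kind, items)
    print("revoke:", revocation_list(f))
```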
While some automated solutions are emerging to address management of SaaS platforms, one immediate step companies can take is to dedicate a department to SaaS Operations, which oversees the purchase, security, and management of SaaS products a company uses. A recent survey found that 40 percent of IT professionals now see SaaS Operations as a critical new role.