SaaS Identity and Employees: the Keys to Productivity and Breaches

There’s a lot of focus in cybersecurity on vulnerabilities, exploits, and assets. We focus on the data that was stolen, the device that was hacked, or the malware that was deployed. At the center of all these incidents, however, are identities.

Identity Challenges

Protecting identities has always been a challenge. Every time new protections are introduced and implemented, attackers seem to find a way around them.

Multi-factor authentication (MFA) initially seemed like a silver bullet for solving authentication woes, but there are now a variety of techniques for defeating it. Another option is to simply go around additional authentication factors by stealing auth tokens. Once an attacker steals an auth token, they can simply log in as that user - no additional factors required!

For more examples of MFA bypasses and token theft, read the blog post More SaaS Adoption → More SaaS Breaches.

Enforcing login through corporate SSO (SAML or another federation protocol) with an IdP such as Okta, Ping Identity, Microsoft Entra ID (fka Azure AD), OneLogin, and others, is also typically not enough. Many organizations assume they enforce corporate SSO across all identities and accounts in the organization, but there are nearly always exceptions. Edge cases such as shared accounts, service accounts, and external contractors break the holistic protection that a centrally governed login mechanism might promise.

Other identity challenges are related to the distributed nature of SaaS applications and platforms. If an employee leaves the organization, or is being investigated, it’s impractical to log into every SaaS application to understand the breadth of their access, and to properly offboard or disable their access.

Correlating Identities Across Platforms & Apps

The obvious solution is what the Valence Platform does today: build a profile for each identity - regardless of whether that identity is an employee, a machine, or an automated process. Context is key to understanding an environment. Regardless of whether an incident responder or someone in procurement is trying to understand a situation, the context surrounding the identity will help.

Identity and the context surrounding it can provide a lot of insight into employee activity and is also at the center of many important questions. For example:

  • Who shared this file and why?
  • What do these 23 accounts with MFA disabled have in common?
  • Why do we have 47 global M365 admins, and do we really need that many?
  • What portion of these email forwarding rules belong to contractors, versus full-time employees?
  • Who gave administrative rights to these third-party integrations?
  • Why do some employees have dozens of external data shares, while a few have thousands?
  • Why are some GitHub users not tied to the corporate SSO?
  • Why is this exec’s account still active, 3 months after they left?
  • And has there been any activity since their final day as an employee?

The answers are stories that can’t be told without linking to an identity. Without normalizing and correlating identity information across disparate SaaS platforms and applications, answering these questions is a manual mess. Not only would it be time-consuming to correlate this information manually, it would require contacting the SaaS administrators of each app and platform in question - potentially dozens of different individuals.
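As an added illustration of what "normalizing and correlating identity information" means in practice, here is a small Python correlation that merges accounts from three constructed SaaS exports (an M365 tenant, a GitHub org and a Slack workspace) into one profile per e-mail address and then answers several of the questions above: which accounts have MFA disabled, which GitHub users are not tied to SSO, which accounts are dormant, and which ex-employee accounts are still active or have been used after the departure date. This is not the Valence Platform's code; every record, field name, threshold and date below is a constructed assumption chosen so the example runs offline.

```python
"""Correlate SaaS account exports into one profile per identity (added example, constructed data)."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

NOW = datetime(2023, 9, 1, tzinfo=timezone.utc)  # fixed reference date so results are reproducible
DORMANT_AFTER = timedelta(days=90)                # assumed dormancy threshold

# Constructed HR export: the authoritative source for who is an employee, a contractor, or gone.
HR_DIRECTORY = {
    "ana@example.com": {"name": "Ana Ortiz", "type": "employee",   "left": None},
    "bo@example.com":  {"name": "Bo Lind",   "type": "contractor", "left": None},
    "cy@example.com":  {"name": "Cy Park",   "type": "employee",   "left": "2023-05-30"},
}

# Constructed per-app exports. Note the inconsistent keys: M365 uses a UPN, GitHub a handle plus
# e-mail, Slack mixed-case e-mail; svc-backup is a service account nobody in HR owns.
M365_ACCOUNTS = [
    {"upn": "ana@example.com",        "mfa": True,  "admin": True,  "last_signin": "2023-08-30"},
    {"upn": "bo@example.com",         "mfa": False, "admin": False, "last_signin": "2023-08-29"},
    {"upn": "cy@example.com",         "mfa": True,  "admin": True,  "last_signin": "2023-06-20"},
    {"upn": "svc-backup@example.com", "mfa": False, "admin": True,  "last_signin": "2023-08-31"},
]
GITHUB_USERS = [
    {"login": "ana-o", "email": "ana@example.com", "sso_linked": True,  "last_active": "2023-08-31"},
    {"login": "cyp",   "email": "cy@example.com",  "sso_linked": False, "last_active": "2023-04-10"},
]
SLACK_USERS = [
    {"email": "Ana@Example.com", "last_active": "2023-08-31"},
    {"email": "BO@example.com",  "last_active": "2023-03-01"},
]


def normalize_email(value):
    """Canonical join key across apps: trimmed, lower-cased e-mail address."""
    return value.strip().lower()


def parse_date(value):
    if value is None:
        return None
    return datetime.strptime(value, "%Y-%m-%d").replace(tzinfo=timezone.utc)


def build_profiles():
    """One profile per identity, merging every app account that resolves to the same e-mail."""
    profiles = defaultdict(lambda: {"hr": None, "accounts": []})
    for a in M365_ACCOUNTS:  # M365 is the IdP here, so its accounts count as SSO-linked
        profiles[normalize_email(a["upn"])]["accounts"].append(
            {"app": "m365", "mfa": a["mfa"], "admin": a["admin"], "sso_linked": True, "last_active": a["last_signin"]})
    for g in GITHUB_USERS:   # MFA state is unknown per app when login is delegated to SSO
        profiles[normalize_email(g["email"])]["accounts"].append(
            {"app": "github", "mfa": None, "admin": False, "sso_linked": g["sso_linked"], "last_active": g["last_active"]})
    for s in SLACK_USERS:
        profiles[normalize_email(s["email"])]["accounts"].append(
            {"app": "slack", "mfa": None, "admin": False, "sso_linked": True, "last_active": s["last_active"]})
    for email, hr in HR_DIRECTORY.items():
        profiles[normalize_email(email)]["hr"] = hr
    return dict(profiles)


def find_issues(profiles, now=NOW):
    """Return sorted (identity, app, issue) triples; one identity can carry several issues."""
    issues = []
    for email, profile in profiles.items():
        hr = profile["hr"]
        left = parse_date(hr["left"]) if hr else None
        for acct in profile["accounts"]:
            app, last = acct["app"], parse_date(acct["last_active"])
            if hr is None:
                issues.append((email, app, "no_hr_record"))        # shared/service account with no owner
            if acct["mfa"] is False:
                issues.append((email, app, "mfa_disabled"))
            if not acct["sso_linked"]:
                issues.append((email, app, "not_sso_linked"))
            if last is None or now - last > DORMANT_AFTER:
                issues.append((email, app, "dormant"))
            if left is not None:
                issues.append((email, app, "ex_employee_account_active"))
                if last is not None and last > left:
                    issues.append((email, app, "activity_after_departure"))
    return sorted(issues)


def admin_accounts(profiles):
    """Identities holding an admin role in any app (the '47 global admins' question)."""
    return sorted(e for e, p in profiles.items() for a in p["accounts"] if a["admin"])


def summarize(issues):
    """Count of findings per issue type."""
    return Counter(issue for _, _, issue in issues)


if __name__ == "__main__":
    found = find_issues(build_profiles())
    for email, app, issue in found:
        print(f"{issue:28s} {app:7s} {email}")
    print(dict(summarize(found)))
```

The join key is the normalized e-mail address; in a real environment the HR record, not any single app, should be the anchor, and identities that appear in an app but never in HR (the service account above) are exactly the exceptions the post warns about. Each check is deliberately a separate issue type so that the same identity can be reported as dormant, un-federated and belonging to an ex-employee at once, which is the kind of combined context a responder needs.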

Report Findings

The State of SaaS Security report from Valence Threat Labs made a few things clear. For example, employee and account lifecycle management is tricky and often poorly managed - particularly when employees leave the organization. On average, 10% of all of an organization’s external data sharing and SaaS integrations remain tied to ex-employees long after they’ve left.

100% of organizations have dormant accounts that haven’t been deactivated. In one case, 1 in 3 accounts within an organization were dormant.

None of the organizations we analyzed had MFA enabled across all active employee accounts. There are always exceptions, which raises other questions and challenges. Are there cases where it’s acceptable and necessary for an employee account to have MFA disabled? Are contractor accounts handled differently from employee accounts, especially where MFA and other authentication protections are concerned?

Finally, it was clear that no two organizations were the same. Each had unique challenges and exceptions that required compromises when it came to managing identities. All the more reason to closely monitor and automate policy management across SaaS platforms!

Check out the 2023 State of SaaS Security Report

These are just a few highlights from this year’s State of SaaS Security report from Valence Threat Labs! Check out the full report for more details and real-world examples of SaaS breaches now!
