Enterprises depend on SaaS applications for countless functions, like collaboration, marketing, file sharing, and more. But problematically, they often lack the resources to configure those apps to prevent cyberattacks, data exfiltration, and other risks.
Catastrophic and costly data breaches result from SaaS security configuration errors. The Verizon 2020 Data Breach Investigations Report found that errors are the second largest cause of data breaches, accounting for about one in three breaches.
Of those, misconfigurations are by far the most common, often resulting in the exposure of databases or file system contents directly on a cloud service.
Businesses tend to be as vulnerable as the weakest security settings they have enabled for their SaaS applications. To illustrate, Adaptive Shield’s team has discovered SaaS setting errors that leave companies open to one-click corporate espionage, exposing their entire cloud, along with massive amounts of video conferencing data in this new WFH era.
IT security teams must do more to protect their organizations from risks caused by poorly configured SaaS apps. Here are five SaaS configuration errors we see all the time that you should be checking on and correcting as needed:
1) Make sure your SaaS system admins use MFA, even if SSO is enabled.
SSO has become a key feature in securing access for SaaS apps; however, there are still some users that can, by design, bypass this control. For maintenance reasons, most SaaS vendors enable system owners to login with their username and password even though SSO is turned on. Make sure mandatory multi-factor authentication is enabled for these super users. If your admins rely on username and passwords, and an admin’ credentials become compromised, attackers will be able to access the account.
2) Shared mailboxes are sitting ducks, prized by hackers. Fix yours.
Many companies use shared mailboxes for financial, customer, and other types of sensitive information. We’ve found that organizations have one shared mailbox for every 20 employees on average. These present issues because they have no clear owner, and every user has a password, which is static because no one changes them. The problems are so acute that Microsoft even recommends blocking sign-in for shared mailbox accounts.
3) Manage external users with access to internal information.
Many businesses today exchange information using collaboration tools. While external sharing is a great way to extend your organization to your suppliers and partners, it comes with a risk of losing control over your data. Make sure to define a collaboration policy with external users and set proper limitations across all SaaS apps.
4) You don’t know what you can’t see; turn on auditing to maximize visibility and control.
As a security expert, you must be aware of the information you are missing. While the default audited actions are sufficient for some organizations, for others, it may be a major security gap. Make sure you understand what you’re not seeing and optimize if gaps exist.
5) Make sure no data entities are anonymously accessible without your knowledge.
Maintaining complete control over your corporate data is not an easy task. And it only gets harder as you add SaaS apps. Identify which resources are publicly exposed, such as dashboards, forms, discussions, or any other data entities, and act now to fix them.
|Image credit: Adaptive Shield|
How to Finally Take Control of SaaS Security
Although SaaS platforms have dozens or even hundreds of built-in security configuration controls, it is the responsibility of the client to set them correctly. Security teams are overwhelmed, trying to manage thousands of settings across all their apps.
Adaptive Shield analyzes, identifies, and prioritizes SaaS applications’ weaknesses and provides ongoing monitoring, to enable continuous security for all global settings and user privileges. Adaptive Shield solves SaaS misconfiguration challenges like those listed above and thousands more by providing automated, complete control of SaaS application security.
The mission is to give security teams one common platform to manage their SaaS app security effortlessly. Want to learn more about what we do and how we can help your organization use SaaS applications with greater confidence? Visit www.adaptive-shield.com