SaaS Supply Chain Risks: Biggest Threat to Your Data

SaaS supply chain attacks pose the greatest risk to your data.

Attackers exploit vulnerabilities in SaaS applications, which serve as entry points into your enterprise. This might be something as basic as stale API tokens or user accounts. Shadow IT is also a major concern.

According to Check Point, on average, IT teams are only aware of 20% of the SaaS applications being used within their organization. This limited visibility can lead to the exposure of sensitive data and escalate into a full SaaS breach.

ZTAA is Not Enough to Secure Risky SaaS-to-SaaS Connections

Traditional Zero Trust Application Access (ZTAA) enforces the principle of least privilege, continuously authenticating and authorizing users and devices regardless of location. ZTAA secures user-to-SaaS access and incorporates MFA to verify users' identities before granting access to applications. However, it does not address SaaS-to-SaaS zero trust access.

A few points to consider for securing SaaS apps if you have an existing ZTAA solution:

  • Permissions unused by SaaS apps should be removed. This includes read/write privileges for your emails, cloud services, calendars, etc.
  • If an application doesn't need to read your emails, it shouldn't have access to them.
  • Remove abandoned, legacy, and deprecated applications. They are no longer maintained, do not receive patches to keep them secure, and they pose a serious risk to your organization.

Existing security solutions such as SSEs, CASBs, and traditional SSPMs do not do this. These solutions all lack visibility into SaaS-to-SaaS connections.

SSEs and CASBs: CASBs, which comprise a key component of SSE solutions, are primarily designed to monitor sanctioned SaaS connections, as well as observe a long tail of shadow SaaS apps. However, they often examine these connections in isolation, lacking a focus on SaaS-to-SaaS connections. 

SSPM: SSPMs are pre-integrated via APIs into major SaaS platforms. They do not perform discovery of all SaaS applications in your ecosystem and cannot detect if a rogue or deprecated app is connected. This places your applications at high risk of exploitation to serve as an entry point into your organization.

You cannot protect what you cannot see.

Security Upgrade: Adopting Zero Trust for App-to-App Access

Adopting a Zero Trust approach for App-to-App access is the most effective way to prevent SaaS supply chain attacks.

The table below highlights how zero trust principles from user access can be adapted to the world of SaaS-to-SaaS connections.

Each row pairs a zero trust principle as applied to user-to-app access with its counterpart for SaaS-to-SaaS access.

Strong authentication
  User-to-app access: MFA is required for user-to-app access. MFA adds an extra security layer for verifying user identities and ensuring that access is granted only to authorized individuals.
  App-to-app access: Modern authentication is required for app-to-app access.
    • App-to-app access is part of the IT ecosystem, but legacy authentication protocols should be avoided, including ASPs, service accounts, and others.
    • An example of bad practice is providing your Exchange email credentials to your printer so that employees can send themselves scanned documents. Instead, use OAuth and modern API keys to authenticate and authorize access.

Principle of least privilege
  User-to-app access: Role-based access control or permissions are defined to grant users the appropriate level of access, distinguishing between privileged (read/write) and standard (e.g., read-only) access levels.
  App-to-app access:
    • Ensure apps have the correct level of permissions. They should only be able to read or modify emails, presentations, calendars, etc. as needed to perform their defined functions.
    • If the app is overly scoped with no option to reduce privilege, then it should be removed.

Stale accounts and tokens
  Remove stale user accounts: Remove or update permissions for users who have left the organization or changed roles.
  Remove stale API tokens:
    • Remove or update permissions for apps that are no longer in use or are not being used the same way as before.
    • Find stale API tokens and stale users in unused SaaS services and revoke them.
    • Identify weak settings, risky services, configuration drift, and credentials that might serve as potential entry points for attackers.

Compromised users and apps
  Remove compromised users: Compromised users should be removed or their passwords immediately changed.
    • Monitor and audit user activity with UEBA, which provides alerts on anomalies and suspicious behavior, enabling you to take immediate action and block the threats automatically.
    • These alerts include high-risk attempts to upload or download files, as well as suspicious access attempts from unfamiliar geolocations or during unusual hours.
  Remove compromised apps: Conventional solutions cannot distinguish if an app is compromised.
    • Identify the services connected to the breached app and assess the associated risk level to take appropriate action, such as revoking API tokens or adjusting security settings to mitigate risks effectively.
    • Monitor and audit app activity and follow up on high-risk activity sessions.
    • Identify anomalies based on previous behavior, such as accessing an API from an unusual location, at a different time of day, or using an uncommon API calling method.
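The least-privilege and stale-token rows above describe an audit over an inventory of app-to-app grants. The script below is an added example, not Check Point's or Harmony SaaS's code: it runs over a constructed grant inventory (hypothetical app names, scopes and token ids) and the set of scopes each app is assumed to need, flags tokens that are stale, over-scoped, or tied to a deprecated app, and maps each finding to the remediation the table prescribes.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample of SaaS-to-SaaS grants (OAuth tokens / API keys), in the
# shape an admin console export might have. Values are hypothetical.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
GRANTS = [
    {"app": "calendar-sync", "token_id": "t1", "scopes": {"calendar.read"},
     "last_used": "2024-05-30T10:00:00+00:00", "status": "active"},
    {"app": "scan-to-mail", "token_id": "t2",
     "scopes": {"mail.read", "mail.send", "files.readwrite"},
     "last_used": "2024-01-04T08:12:00+00:00", "status": "active"},
    {"app": "old-crm-connector", "token_id": "t3", "scopes": {"contacts.read"},
     "last_used": "2023-09-15T00:00:00+00:00", "status": "deprecated"},
    {"app": "chat-notifier", "token_id": "t4", "scopes": {"chat.write", "files.read"},
     "last_used": "2024-05-31T09:00:00+00:00", "status": "active"},
]
# Scopes each app needs for its declared function (assumed for this example).
DECLARED_NEED = {
    "calendar-sync": {"calendar.read"},
    "scan-to-mail": {"mail.send"},        # a scanner only needs to send
    "old-crm-connector": {"contacts.read"},
    "chat-notifier": {"chat.write"},
}
STALE_AFTER = timedelta(days=90)

def audit_grants(grants, declared, now=NOW, stale_after=STALE_AFTER):
    """Return {token_id: [findings]} for every grant that violates a rule."""
    findings = {}
    for g in grants:
        issues = []
        last_used = datetime.fromisoformat(g["last_used"])
        if now - last_used > stale_after:          # unused token: revoke
            issues.append("stale")
        excess = g["scopes"] - declared.get(g["app"], set())
        if excess:                                  # more than the app needs
            issues.append("over-scoped:" + ",".join(sorted(excess)))
        if g["status"] != "active":                 # abandoned / deprecated app
            issues.append("deprecated-app")
        if issues:
            findings[g["token_id"]] = issues
    return findings

def recommend(findings):
    """Stale or deprecated grants are revoked; live over-scoped ones are reduced."""
    return {tid: ("revoke" if "stale" in issues or "deprecated-app" in issues
                  else "reduce-scope")
            for tid, issues in findings.items()}
```

A real run would pull the grant list from each platform's admin API instead of the embedded sample, and feed "reduce-scope" findings back to the app owner before revoking.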

Prevent the Next SaaS Supply Chain Attack with Harmony SaaS

Many organizations have already begun adopting a Zero Trust approach and enforcing the principle of least privilege to secure user access to sensitive data and company resources.

Harmony SaaS applies a zero trust App-to-App access approach to give you full visibility into your entire SaaS ecosystem, eliminating risky SaaS-to-SaaS connections and safeguarding you from threats such as data exfiltration, account takeover, and supply chain attacks.

Harmony SaaS goes beyond traditional SSPMs by automating SaaS threat prevention using machine learning to detect anomalous behavior. Discover risky apps in your SaaS ecosystem with single-click remediation.

Visit Harmony SaaS to learn more or sign up for a demo today.
