Employees may find themselves putting their employers at risk by unintentionally subverting their company IT policies, taking advantage of the interconnected APIs of SaaS applications. While SaaS benefits organisations around the globe, it has also created a new set of challenges for security professionals. Despite security leaders undertaking extensive research on vendors before storing sensitive data such as trade secrets and PII on cloud-based applications like Salesforce, there are still vulnerabilities associated with this type of software.
Take, for example, James, an Account Executive at a fictitious company in the financial sector. James’ CIO provided him with access to their secure, vetted, cloud-based CRM, configured with single-sign-on and IP restrictions in place on the SSO and the CRM vendor, to ensure James can only log in from the company network.
While the CIO of the fictitious company did their best to ensure the CRM had all of the necessary capabilities, James – after spending time in the application – thought best to implement a better forecasting tool. Costing $99 per month, the forecasting tool has a built-in integration with their CRM. In just five minutes with his corporate credit card, James signed up for an account and connected the forecasting tool to his CRM account.
Although the company in this story is fictitious, the security concern is real, and this very scenario plays out thousands of times per day across even the most secure of companies. This unvetted, third-party tool now has access via API to James’ account, while remaining outside the purview of the SSO policies or corporate firewall of the company. The IP restrictions aren’t enforced, and if this third party suffered a security breach, the attackers would now have access to the company’s trade secrets and customer data.
To add insult to injury – with increasing scrutiny on PII storage by third parties – if any data in the CRM contains PII, James’ company may now be in violation of GDPR and consequently subject to a penalty of up to 4 per cent of their annual global gross revenue.
Firewalls, CASBs, PC-based agents and company policies don’t prevent or solve the problem of employee-purchased SaaS. Further, because of the growth of BYOD and the fact that more than 80 per cent of employees admit to accessing work applications from their home computer, even the most rigorous browser-based monitoring won’t catch these new applications.
According to a US study conducted by Intermedia Rogue, 89 per cent of former employees surveyed retained access to Salesforce, PayPal, email, SharePoint or other sensitive corporate apps after leaving their employer. Additionally, 45 per cent retained access to confidential data, and a further 49 per cent actually logged into ex-employer accounts after leaving the company.
While SSO provides a front-end solution to the problem of retained access, the vast majority of SaaS vendors permit SSO and native vendor accounts to co-exist side by side. Native accounts allow a user to log in to the application with only a username and password, never being prompted for SSO verification.
At most companies, some SaaS apps need to be carefully managed by hand, as not every application is guarded by SSO due to the amount of time it takes to implement. Even when SSO is implemented, a product administrator may still need to grant access to a fellow employee or contractor’s account, but lacks the time or patience to wait for IT to provision those credentials. This is another example of where time is the primary reason that employees bypass policy.
So, what’s the solution? Wherever there’s a question, technology finds an answer! In the last two years, a new category of products have sprung up to address these, and other problems related to SaaS management.
Instead of sniffing network traffic, these tools connect via API to ERPs and expense report providers, such as Concur, to ingest credit card transactions. By looking at credit card transactions, these tools are able to identify SaaS that has been purchased by employees and alert IT administrators who can then remediate by vetting the application and bringing it under management. These tools provide near real-time insight into new SaaS applications that employees may be self-provisioning, outside of permitted IT policy.
With initiatives allowing employees to work from home, bring their own devices and self-provisioned software, IT security professionals need to manage threats associated with SaaS, highlighting the need for the emerging category of SaaS management tools. Training and company policies play a vital role in securing the enterprise; however, modern IT security still requires teams to adapt to the way that employees behave and implement relevant management tools.
By Hugh Darvall, Flexera