
New Analysis Exposes Major SaaS Vulnerabilities

With many of the highly publicized 2023 cyber attacks revolving around several SaaS applications, SaaS has become a cause for genuine concern in many boardroom discussions. More so than ever, considering that GenAI applications are, in fact, SaaS applications.

Wing Security (Wing), a SaaS security company, conducted an analysis of 493 SaaS-using companies in Q4 of 2023. Their research reveals how companies use SaaS today, and the wide variety of threats that result from that usage. This unique analysis provides rare and important insights into the breadth and depth of SaaS-related risks, but also provides practical tips to mitigate them and ensure SaaS can be widely used without compromising security posture.

The TL;DR Version Of SaaS Security

2023 brought some now infamous examples of malicious actors leveraging or directly targeting SaaS, including the North Korean group UNC4899, the 0ktapus ransomware group, and the Russian Midnight Blizzard APT, which targeted well-known organizations such as JumpCloud, MGM Resorts, and Microsoft (respectively), and probably many others that often go unannounced.

The main insight from this analysis cements the notion that SaaS is the new supply chain, providing an almost intuitive framework for the importance of securing SaaS usage. These applications are clearly an integral part of the modern organization's set of tools and vendors. That said, long gone are the days when every third party with access to company data had to go through security or IT approval. Even in the most rigorous companies, when a diligent employee needs a quick and efficient solution, they will look it up and use it to get their job done faster and better. Again, think of the widespread use of GenAI, and the picture is clear.


As such, any organization concerned about the security of its supply chain must adopt SaaS security measures. According to the MITRE ATT&CK technique 'Trusted Relationship' (T1199), a supply chain attack occurs when an attacker targets a vendor to exploit it as a means to infiltrate a broader network of companies. By entrusting sensitive data to external SaaS vendors, organizations subject themselves to supply chain risks that reach beyond immediate security concerns.

4 Common SaaS Risks

There are many reasons and ways in which SaaS is being targeted. The good news is that most of the risks can be significantly mitigated when monitored and managed. Basic SaaS security capabilities are even free, suited to organizations that are just beginning to develop their SaaS security posture or want to compare it to their current solution.

1) Shadow SaaS

The main problem with SaaS usage is the fact that it often goes completely unnoticed: the number of applications used by organizations is typically 250% larger than what a basic and often-used query of the workspace reveals.


Among the companies analyzed:

  • 41% of applications were used by only one person, resulting in a very long tail of unsanctioned applications.
  • 1 out of 5 users were utilizing applications not used by anyone else within their organization, creating security and resource strains.
  • 63% of single-user applications weren't even accessed within a 3-month period, begging the question: why keep them connected to company data?
  • 96.7% of organizations used at least one application that had a security incident in the previous 12 months, solidifying the continuous risk and need for proper mitigation.

2) MFA Bypassing

Wing's research indicates a trend where users opt to use a username/password to access the services they need, bypassing the security measures in place (see Image 1).

Image 1: From Wing Security's research, bypassing MFA.

3) Forgotten tokens

Users grant the applications they need tokens; this is necessary for the SaaS applications to serve their purpose. The problem is that these tokens are often forgotten about after a few uses or only one. Wing's research revealed a significant presence of unused tokens over a period of three months, creating an unnecessarily large attack surface for many customers (Image 2).
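The three findings above (single-user shadow SaaS, tokens left unused for three months, and password-only logins that sidestep SSO/MFA) are all things a defender can measure from their own identity-provider or SaaS audit logs. The following is an added example, not code from Wing Security or from the report; the event records, the field names (`user`, `app`, `ts`, `auth`) and the 90-day staleness window are constructed assumptions standing in for whatever an organization's real log export looks like. It computes the same kind of ratios the report cites and lists the apps and logins that warrant review.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of SaaS access events (not real data). Each record is
# the kind of row an identity provider or SaaS audit log would expose:
# which user touched which app, when, and how they authenticated.
EVENTS = [
    {"user": "alice", "app": "crm-suite",    "ts": "2023-12-20T09:12:00", "auth": "sso_mfa"},
    {"user": "bob",   "app": "crm-suite",    "ts": "2023-12-21T10:05:00", "auth": "sso_mfa"},
    {"user": "carol", "app": "crm-suite",    "ts": "2023-12-22T11:30:00", "auth": "password"},
    {"user": "alice", "app": "pdf-convert",  "ts": "2023-07-02T08:00:00", "auth": "oauth_grant"},
    {"user": "bob",   "app": "ai-notetaker", "ts": "2023-12-28T15:45:00", "auth": "oauth_grant"},
    {"user": "dave",  "app": "ai-notetaker", "ts": "2023-12-29T16:10:00", "auth": "password"},
    {"user": "erin",  "app": "gif-maker",    "ts": "2023-08-15T12:00:00", "auth": "oauth_grant"},
    {"user": "erin",  "app": "crm-suite",    "ts": "2023-12-30T09:00:00", "auth": "sso_mfa"},
]

# Assumed analysis date and look-back window (the report uses a 3-month period).
NOW = datetime.fromisoformat("2023-12-31T00:00:00")
STALE_AFTER = timedelta(days=90)


def users_per_app(events):
    """Map each application to the set of distinct users who accessed it."""
    apps = defaultdict(set)
    for ev in events:
        apps[ev["app"]].add(ev["user"])
    return apps


def single_user_apps(events):
    """Apps used by exactly one person: the long tail of unsanctioned SaaS."""
    return sorted(app for app, users in users_per_app(events).items() if len(users) == 1)


def last_access(events):
    """Most recent access timestamp per application."""
    latest = {}
    for ev in events:
        t = datetime.fromisoformat(ev["ts"])
        if ev["app"] not in latest or t > latest[ev["app"]]:
            latest[ev["app"]] = t
    return latest


def stale_apps(events, now=NOW, stale_after=STALE_AFTER):
    """Apps whose granted tokens saw no use inside the look-back window."""
    return sorted(app for app, t in last_access(events).items() if now - t > stale_after)


def password_only_logins(events):
    """(user, app) pairs that authenticated with a plain password instead of SSO/MFA."""
    return sorted({(ev["user"], ev["app"]) for ev in events if ev["auth"] == "password"})


def summarize(events, now=NOW):
    """Report-style ratios plus the concrete items a reviewer should look at."""
    apps = users_per_app(events)
    singles = single_user_apps(events)
    stale = set(stale_apps(events, now))
    stale_singles = [a for a in singles if a in stale]
    all_users = {ev["user"] for ev in events}
    users_with_private_app = {next(iter(apps[a])) for a in singles}
    return {
        "apps_total": len(apps),
        "single_user_app_pct": round(100 * len(singles) / len(apps), 1),
        "users_with_private_app_pct": round(100 * len(users_with_private_app) / len(all_users), 1),
        "stale_single_user_app_pct": round(100 * len(stale_singles) / len(singles), 1) if singles else 0.0,
        "stale_apps": sorted(stale),
        "password_only_logins": password_only_logins(events),
    }


if __name__ == "__main__":
    for key, value in summarize(EVENTS).items():
        print(f"{key}: {value}")
```

On the constructed data, half of the apps are single-user, both of those have been idle for more than 90 days (so their tokens are candidates for revocation), and two users reached apps with a bare password rather than through SSO. Swapping `EVENTS` for a real export is the only change needed to run the same checks against an organization's own logs.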

4) The new risk of Shadow AI

At the beginning of 2023, security teams primarily focused on a select few renowned services offering access to AI-based models. However, as the year progressed, thousands of typical SaaS applications adopted AI models. The research shows that 99.7% of companies were using applications with integrated AI capabilities.


Organizations were required to agree to updated terms and conditions permitting these applications to utilize and refine their models using the organizations' most confidential data. Often, these revised terms and conditions slipped under the radar, along with the usage of AI itself.

There are different ways in which AI applications may use your data for their training models. This can come in the form of reading your data, storing your data, or even having a human manually go over your data to improve the AI model. According to Wing, this capability is often configurable and completely avoidable, provided it is not overlooked.

Solving SaaS Security Challenges In 2024

The report ends on a positive note, listing 8 ways in which companies can mitigate the growing threat of the SaaS supply chain, including:

  1. Ongoing shadow IT discovery and management.
  2. Prioritize the remediation of SaaS misconfigurations.
  3. Optimize anomaly detection with predefined frameworks, and automate when possible.
  4. Discover and monitor all AI-using SaaS applications, and constantly monitor your SaaS for updates to their T&C pertaining to AI usage.

For the full list of findings, tips on ensuring safe SaaS usage and a 2024 SaaS security forecast, download the full report here.
