13 Essential Steps to a Secure Salesforce Environment

Salesforce has been so successful that we tend to forget what a breakthrough it was when it debuted 25 years ago. At the time, people were skeptical that they could get enterprise-grade functionality on a browser. They were mistaken. 

As the leading customer relationship management (CRM) platform, Salesforce is a testament to the innovation and agility SaaS apps bring to businesses. However, there are still risks, particularly when it comes to security. 

39% of companies that use SaaS have experienced data breaches. Salesforce’s extensive integration capabilities, massive partner marketplace, and customization through purpose-built programming languages further exacerbate its cyber vulnerabilities. 

Why you need to invest in Salesforce security 

Salesforce is a highly professional organization that takes security seriously. However, the platform embodies several vulnerabilities, some of which are standard for SaaS and some particular to Salesforce. CRM apps like Salesforce hold sensitive data such as customers’ personally identifiable information (PII), financial details, and geolocation. Failure to secure SaaS data increases the risk of it being compromised by malicious actors and insiders. 

This problem is not different from what happens with other SaaS apps, but Salesforce’s deployment is usually so broad and interconnected in an organization that it amplifies the risk. Likely, every sales, marketing, and customer support person and their respective managers have access to Salesforce. That’s a large number of accounts that attackers can hijack. Plus, any extra person accessing this data increases the risk of insider threats.

Salesforce security should, at a minimum, be part of your SaaS security best practices. However, Salesforce deserves extra attention because of the potential business impact of a security incident in this app. 

Salesforce customers like Ohio’s Huntington Bank and the State of Vermont are dealing with the reputational fallout and expense of data leakage from the Salesforce Communities they set up. Securing your Salesforce app can prevent large-scale data breaches that often result in reputational damage, financial loss, and legal consequences. 

The most common security risks of Salesforce

Custom code vulnerabilities

Salesforce customers can create custom-coded functions with its Java-like Apex programming language. Apex enables developers to build apps that call on the Salesforce backend database. While useful, Apex classes potentially expose sensitive Salesforce data to unauthorized database calls through its application programming interface (API). This is of particular concern if Apex is configured “without sharing,” a setting that ignores the user’s permissions, allows access to records, and offers the ability to change them. 

Configuration weaknesses

You can configure Salesforce in ways that expose data to overly broad access. For example, the Salesforce Community module, which enables customers to set up public sites for their customers, can be configured to allow database access for guest users. Done wrong, this can easily lead to serious security misconfiguration vulnerabilities that facilitate data leakage.  

Integration risks with third-party applications

Salesforce is usually integrated with email systems, enterprise resource planning (ERP) platforms, and accounting systems, making it a gateway for attacks. The platform integrates with thousands of applications, many created using Salesforce developer tools and APIs. As a result, the potential for improper access and malicious activities on the platform is extremely high.

Social engineering attacks

This threat is not unique to Salesforce. However, the breadth and scope of the app in most organizations makes it vulnerable to hackers who impersonate work colleagues to pry loose access credentials, commit account takeover and other data from unsuspecting users. 

API vulnerabilities

Salesforce publishes numerous APIs that give other applications access to data and functionality on the Salesforce platform. While beneficial in business terms, the APIs create risk. One example is problems with object and file level security, where developers might generate an API call that does not consider the specific fields accessible, updatable, or deletable on the object invoked by the API. Significant risks also arise with the creation of third-party applications that invoke the Salesforce API but are themselves security deficient.

13 Essential Steps to a Secure Salesforce Environment

User Management & Permissions

1. Adopt the principle of “Least Privilege”

A Salesforce user should have the fewest possible access privileges. Applying this principle requires thinking and planning about user roles and what each role can access and clearly defining this in an Identity Governance framework. The “Least Privilege” principle should apply to system admins and developers working on custom Salesforce apps. 

2. Implement strong passwords & MFA

The ability for Salesforce users to log in from anywhere, on virtually any device, is great for productivity but disastrous for security. Requiring strong passwords and multi-factor authentication (MFA) can help reduce the risk of malicious actors gaining access by guessing passwords or using stolen login credentials. Salesforce has its own native MFA feature, but customers can also use third-party solutions like Okta and Duo for this purpose. 

3. Disable inactive users

Inactive user accounts are ripe for takeover by attackers. It’s wise to purge former employees or people who no longer need access to Salesforce from their user rolls. This should not be a manual process but take place automatically through integration with identity management solutions that manage the provision/de-provision of all system access for employees.

4. Integrate Salesforce with IAM solutions

Salesforce has its self-contained user management system. However, you shouldn’t let Salesforce be an identity silo, with a Salesforce admin taking care of provisioning/deprovisioning access. 

Instead, integrate Salesforce with your organization’s identity and access management (IAM) solution, such as Microsoft Active Directory. This integration lets you switch Salesforce access on or off centrally when employees join or leave the company or change roles. 

Allowing single sign-on (SSO) is a variant of this approach, enabling users to log in once and then automatically be signed in to Salesforce and other apps. Salesforce enables SSO through integrations with Okta, Duo, and many other SSO solutions. 

5. Map organizational structure and roles to Salesforce access rules

Salesforce functionality and access privileges are hierarchical. For example, a Sales Manager can see the activities of her direct reports. It is a good practice to map your organizational structure carefully to Salesforce role definitions and privileges. 

Data and Application Security

6. Implement field-level security

If you are using Apex code or Salesforce APIs, it’s wise to implement field-level security. This control forces you to decide which fields are exposed to access by the API or Apex classes. It is a countermeasure against exposing sensitive data to breaches.

7. Implement Data Loss Prevention (DLP)

Data Loss Prevention (DLP) for Salesforce can take various forms. Still, it mainly involves policies and processes like role-based access control (RBAC) and regular backups, which you can do using tools like Veeam. You should also implement data encryption as part of your DLP plan. Salesforce offers the Shield Platform Encryption feature, which encrypts data at rest on the Salesforce platform.

8. Mitigate third-party application risk

Third-party apps pose a significant threat to Salesforce, partly because it has little control over the quality of development and security of the third-party integration plugins that connect to its platform. SaaS security solutions like Suridata can scan for third-party plugins and flag integrations that may create risk in the Salesforce environment.

9. Engage in secure app development

If you’re developing applications for Salesforce using Apex or other developer tools, you should use secure development practices by leveraging approaches like the DevSecOps methodology. You should also review any AppExchange app for security before allowing anyone to implement it in your Salesforce environment. 

10. Build an IP allowlist

Salesforce enables IP allowlisting natively. This countermeasure allows you to restrict the range of Internet Protocol (IP) addresses that can access Salesforce, e.g., only IP addresses in North America. 

11. Focus on API security

APIs are a significant attack surface for Salesforce, so you should define and enforce security policies that reduce API-based vulnerabilities. This process may align with your organization’s existing API security and governance programs, so it may not be necessary to spin up API security just for Salesforce. 

Possible countermeasures include:

  • Scanning for “rogue” or abandoned Salesforce API integrations.
  • Managing API access.
  • Using IAM and privileged access management (PAM) solutions.
  • Using API security tools to discover APIs vulnerable to injection attacks. 

Monitoring & Logging

12. Create audit trails

Audit trails may not be a priority if you’re a small to medium company. However, generally, it’s helpful to create audit trails for review by stakeholders that range from executives to internal auditors and external regulators. Salesforce enables this capability natively in its Audit Trail Tab. 

13. Develop and test incident response processes

Salesforce security incidents are not that uncommon, so it pays to be prepared. An incident response process for Salesforce might be the same as you have for other SaaS apps. SaaS security solutions like Suridata offer SaaS detection and response (SSDR) capabilities, so you can leverage those to automate your incident response workflows and solve vulnerabilities promptly. 

Making Salesforce Secure

In a perfect world, your SaaS security measures would cover all risks affecting your Salesforce environment. However, the reality is that Salesforce is so far-reaching in the average organization and so profoundly interconnected that it embodies a unique level of risk. For this reason, you should review your Salesforce security, taking concrete steps to manage user access and permissions, protect data, and monitor Salesforce for signs of attack.

Suridata’s SaaS security solution can help you here. Suridata monitors user activities, checks for insecure configurations across all systems layers, and conducts granular vulnerability assessments. Plus, you get real-time alerts and in-depth vulnerability information to activate the correct workflows. Learn more here.

Haviv Ohayon

Co-Founder & COO

Back to list

The InfoSec Guide to the 10 Types of Information Security Controls

Have you ever managed to extract a file folder from a locked filing cabinet? Most likely not. That lock is a simple example of an information security control. Computers are no different, except that information security controls today are significantly more sophisticated. 

And they need to be, as cyber threats are causing massive disruptions worldwide. Ransomware incidents increased by a staggering 60% from 2022 to 2023. There was also a 49% jump in overall cybercrime losses, from $6.9 billion in 2021 to $10.3 billion in 2022.

Information security controls help detect cyber threats, prevent them from damaging information assets, and correct damage if it occurs. 

The 3 Principles of Information Security 

Understanding information security controls must begin with understanding the purpose of information security. The term “Information Security” (InfoSec) dates back to old-school nerdiness in the era of crewcuts and pocket protectors. As prehistoric as these people may have been, they had a clear and still extremely useful way to define the purpose of InfoSec.

They came up with three core goals for information security:

  • Confidentiality—Information security efforts should endeavor to keep information private, ensuring that only those with permission can access a given data set.
  • Integrity—The information in computer systems should have integrity, meaning that users can be confident that it has not been modified or selectively deleted by accident or malicious act.
  • Availability—Information should be available to users to the greatest extent possible, ideally 100% of the time. 

The three goals are known as the “CIA Triad.” They underpin nearly every aspect of cybersecurity and form the foundation for information security controls. Today, the CIA Triad applies to software, data storage, networks, cloud-based systems, SaaS security, and virtually any other digital asset in cyberspace. 

What are Information Security Controls

Information security control is a safeguard that realizes some aspects of the CIA Triad. For confidentiality, for example, you might implement a control that uses an identity and access management (IAM) system to block unauthorized users from data you want to keep confidential. 

Some organizations set up their controls under a control framework, such as the National Institute of Standards (NIST) Cybersecurity Framework (NIST CSF) or ISO 27001. These frameworks suggest dozens of controls, and consultancies and auditors work with organizations in their implementation. 

Each information security control has a “Control Objective,” which states the purpose of the control. For example, NIST CSF has a control for “Identity Management and Access Control (PR.AC),” whose objective holds that “Access to physical and logical assets and associated facilities is limited to authorized users, processes, and devices, and is managed consistent with the assessed risk of unauthorized access.”

Following the control objective, each control has a set of control activities that realize the objective. PR:AC, for instance, has six sub-categories of control activity that support fulfilling the control objective. One of these sub-categories is PR.AC-1, which requires an organization to deploy a solution so that “Identities and credentials are issued, managed, revoked, and audited for authorized devices, users, and processes.” In practice, this means some sort of IAM system.

It may seem overly elaborate to require a control objective and a list of control activities to operationalize the CIA Triad. A small organization might not need to go through the whole hassle. However, working off an information security controls framework is beneficial for most organizations. The framework provides a coherent and complete approach to implementing controls that make the CIA Triad do its job of protecting your data. 

Without the coherence and thoroughness of a framework and its associated objectives and activities, you’ll likely have control gaps that create risk exposure. 

10 Types of Information Security Controls

Getting more granular, there are three categories of control functions: Preventive, detective, and corrective. These control functions deal with preventing attacks on information assets, detecting attacks, and correcting the effects of attacks, respectively. Controls also vary by type, with some controls being physical, such as locks; technical, such as web application firewalls; and administrative, such as data access policies. 

Effective cybersecurity posture comes from deploying a well-thought-through and balanced mix of these functions and types. Controls may be layered, supporting a “defense in depth” security strategy. With that in mind, here are ten types of information security controls that are common across the three control functions:

Preventative Controls 

1. Access controls

Access controls prevent the wrong people from accessing data, networks, SaaS apps, and other system components. They are crucial because unauthorized access is one of the most common cyber risks. Many IAM tools can help you build a robust identity governance framework and implement comprehensive access controls such as multi-factor authentication (MFA) or behavior analytics.

2. SaaS security controls

SaaS apps are new territory for information security controls, mainly because traditional controls don’t cover SaaS well. For example, you can have a practical set of access controls for your network, but they won’t do much to prevent a malicious actor from logging into a SaaS app. 

SaaS apps have their own built-in access management features. These apps will remain vulnerable unless you deploy specialized SaaS security tools that map the established access control list to SaaS. 

Other preventive cyber security controls specific to SaaS include monitoring and remediating misconfigured SaaS apps exposed to threats and policy-based controls that govern who has administrative back-end access to SaaS apps.

3. Data protection controls

Cyber attackers tend to be after data to steal, spy on, or ransom it. Data protection controls like data monitoring and data encryption are, therefore, among the more critical information security controls in force at an organization. Data encryption, for instance, makes data unusable to attackers, preventing the worst outcome of a data breach. 

Ransomware protections, such as immutable backups and logical air gaps, are preventive data protection controls. They make it harder for a ransomware attacker to achieve his objective of encrypting data and ransoming it.

4. Patch management

Some of the worst cyber attacks exploit vulnerabilities that could have been fixed with software patches but weren’t. A patch management regimen is a preventive policy-based control to reduce the likelihood of this outcome. It is usually implemented through a combination of processes and tools. For example, the policy may require you to apply all software patches as they are announced. In practice, this encompasses patch testing and patching prioritization. 

Detective Controls

5. Intrusion detection controls

Intrusion detection controls aim to discover when an attacker is trying to gain unauthorized entry into a system—and then alert the right people or even mitigate the threat automatically. Many intrusion detection systems (IDSs) can fulfill the control objective, though some suffer from false positives and excessive alerting. The new generation of IDSs uses AI to improve accuracy by flagging only actual intrusion attempts.

6. Anomalies and events detection controls

It may be possible to detect an attack by analyzing events occurring in the IT estate and flagging anomalies for investigation. For example, suppose a user located in the United States appears to be logging into a SaaS app from Europe. In that case, that anomaly might indicate that an attack is underway. 

Detective controls in this category may monitor device logs (think of network firewalls or endpoints) and flag suspicious activities for security analysts to examine. Some advanced threat detection tools will automatically mitigate the threats they detect, such as quarantining a device.

7. Vulnerability and misconfiguration scanning

Devices and applications must be configured for security. For example, you can “harden” a server by limiting who can install new software. It is very possible, unfortunately, for a device or application to be misconfigured, making it vulnerable to threats. 

This is a particular concern with SaaS because each SaaS app has its security configurations, and in many cases, individual end users can change these configurations. They can, for example, make data accessible to anyone, not just employees of the organization. 

SaaS security platforms like Suridata can facilitate the implementation of this control by enabling system owners to scan multiple SaaS apps and detect security misconfiguration vulnerabilities that expose the apps to risk. 

Corrective Controls 

8. Incident response plans

An incident response plan is a corrective control that counteracts the impact of a cybersecurity incident. Like most corrective controls, it works in tandem with a detective control. When a detective control signals that an incident has occurred, that triggers the incident response plan, which corrects the incident by quarantining compromised endpoints, reinstalling infected software, or notifying key stakeholders. 

9. Disaster recovery plans

Disaster recovery plans are a vital part of any cyber threat intelligence framework. The control objective of disaster recovery (DR) plans is to support the availability of systems and data. A good DR plan restores data and system functionality in a cyberattack or any other event that causes an outage.

10. Data backups

A data backup serves as a corrective control in case of a data breach or outage affecting data availability. By backing up data and providing the ability to restore it in the wake of an attack, the control mitigates the effect of the breach and realizes the control objective of data availability. 

Getting The CIA Triad Under Control, Everywhere

Information security controls are essential for preventing, detecting, and correcting security incidents that adversely affect data and systems’ confidentiality, integrity, and availability. Whether you implement them ad hoc or endeavor to operationalize a large-scale controls framework like NIST CSF, you will always be dealing with the same issues: What is the control objective, and what activities will it take to attain it?

SaaS can be a challenging environment for information security controls. Apps are freestanding and delivered by external entities. Individual end users may be able to set their controls—often at odds with organizational security policy and even common sense. 

New SaaS security solutions like Suridata can improve this risky setup.  By monitoring the entire SaaS environment and flagging data at risk and insecure misconfigurations, they provide the basis for defining and implementing information security controls for SaaS apps. Learn more about Suridata.

Haviv Ohayon

Co-Founder & COO

Back to list

7 Essential SaaS Security Best Practices

If your organization is like most, you probably use over a hundred SaaS applications. SaaS apps offer convenience, instant access to pre-built and easily deployable features, and flexibility to meet changing business needs. However, the more SaaS apps you connect to, the bigger your security gaps.  

58% of organizations estimate their current SaaS security solutions only cover 50% or less of their SaaS applications. Even if you have robust controls and cybersecurity technologies on-premises and in the cloud, they are unlikely to cover the usage of your SaaS apps. 

What is SaaS security?

SaaS security comprises a collection of controls, policies, and practices to protect SaaS data and systems. Each SaaS app typically has its own security controls, many of which end users can configure. This flexibility opens the door to various security gaps and misconfigurations, which can be used to launch cyberattacks. This challenge is exacerbated by the fact that users can access SaaS apps from devices anywhere in the world.

Until recently, companies have been able to live with the SaaS tradeoff: you get the benefits of SaaS, but security can be a troubling afterthought. However, rising SaaS threats like ransomware, Cross-Site Scripting (XSS), and Man-in-the-Middle (MitM) attacks are pressuring IT managers to improve their SaaS security strategy.

SaaS security in 2024: The top challenges

1. Shadow SaaS

Shadow SaaS, a subsegment of Shadow IT, refers to employees using SaaS apps without IT approval or awareness. For example, employees may set up a SaaS account using a credit card and add corporate data to that app without notifying the IT department or security team. 

It’s a highly problematic occurrence, as it can lead to data breaches, loss of confidential data, and exposure to cyber-attacks. Plus, because the relevant teams are unaware of the usage of this app, response to potential vulnerabilities may be delayed. 

Risks from Shadow IT

2. Insecure SaaS configurations

Each SaaS app is hosted and managed by a separate company, so it can be configured separately. The end user can often choose how to configure their security settings. Without appropriate security training, employees may unintentionally set up the wrong configurations and open doors to data exposure or unauthorized access. Other misconfiguration risks include not updating the app’s default settings, permitting easy-to-guess passwords, and not requiring Multi-Factor Authentication (MFA). 

3. Lack of visibility into third-party risks

SaaS apps are often integrated with third-party systems, including other SaaS apps. These integrations, typically done with plugins, are a significant source of SaaS risk. Malicious actors can use vulnerable plugins to penetrate SaaS apps, steal data, or damage the system. 

Gaining complete visibility into your vendor’s systems and other connected third parties is challenging. However, companies can remediate this lack of transparency by implementing robust third-party risk management. This strategy ensures vendors have the tools and processes to restrict user access, protect user data, and comply with relevant regulations such as GDPR, SOX, HIPAA, or CCPA. 

4. Insider threats

Employees can pose a threat to your SaaS security as they can to other digital assets. The difference is that with SaaS, it can be much harder to track who is doing what, and insiders can exfiltrate data before anyone finds out. Sometimes, the threat is accidental, such as when an employee moves data to a SaaS app without realizing it’s against the company’s policy. In more extreme and infrequent cases, disgruntled employees may misuse their access to seek revenge and sabotage systems. 

Insider threat consequences

5. Potential compliance violations

If your organization doesn’t have visibility into corporate data stored on SaaS apps, it risks violating regulations and industry frameworks that protect consumer privacy. Some of the most notable regulations, like GDPR, CPPA, and PIPEDA, require proof that you have the security tools and systems to protect user data. 

6. Poor access control management (IAM)

Without centralized identity and access management (IAM), SaaS users log into each app’s separate access control system independently. You can quickly have a situation where a hundred SaaS apps comprise a hundred different access management systems, and it becomes impossible to know who has access to what. One of many risks inherent in this scenario is unintentionally enabling former employees to still log in to your apps and get their hands on confidential data. 

7 Essential SaaS Security Best Practices

1. Implement Centralized User Authentication and Access Controls

Your SaaS security posture will improve dramatically if you can control who has access to each SaaS app and what privileges they have once logged into it. Integrating your IAM solution into each SaaS app will enable you to build a unified identity governance framework and centrally define access rights and privileges. For example, you could integrate Microsoft Active Directory with Salesforce.com, Workday, or HubSpot. Alternatively, you could deploy a purpose-built solution.

Centralized User Authentication and Access Controls

2. Scan (and train) for Shadow SaaS

Shadow SaaS creates risk exposure across multiple dimensions. Employees may place sensitive data on SaaS apps without proper controls, or they may not set up adequate security protections, like MFA and data encryption. Worst of all, no one in IT or security knows about it. 

Training can help reduce the potential for Shadow SaaS to occur. While it isn’t a bulletproof solution, it is wise to make employees aware that setting up their own SaaS accounts is a bad practice. Continuously scanning for Shadow SaaS is an even better solution. Using specialized tools like the Suridata SaaS security platform, you can monitor endpoints for activities that reveal the presence of Shadow SaaS accounts. The platform can then alert the right people and recommend remediations.

3. Include SaaS in Your Security Incident Response and Recovery Plans

Suridata’s research revealed that 88% of organizations have had a SaaS security incident. Even if you’re part of the lucky 12%, you should still adopt preventative cybersecurity controls and ensure you can respond and recover from a security incident should it occur. 

The Security Operations Center (SOC) team should create an incident response playbook for a SaaS security incident. The playbook, which could be entered into a Security Orchestration Automation and Response (SOAR) solution, might include steps like isolating affected endpoints, contacting the SaaS provider to determine the cause of the incident, tracking the vendor’s recovery efforts, and notifying internal stakeholders like your legal department. 

Incident Response and Recovery Plan

4. Conduct SaaS Vendor Security Assessments

Subscribing to a SaaS app is more than just a technology integration- it’s a business relationship. You’re working minute by minute with another company, often with your most critical information assets at stake. You want to work with the right SaaS vendors and trust them to protect your assets. 

For this reason, it’s a best practice to conduct a SaaS vendor security assessment as part of the procurement process. You could ask the vendor for specifics on securing their data centers and infrastructure, encryption and MFA options, or whether they have passed a SOC2 audit and other key certifications. 

5. Vet Your Third-Party SaaS Integration Plugins

Third-party integration plugins are a potential source of vulnerability, so it’s wise to vet these plugins for security. You will want to look at factors like the level of support, security features like data encryption, and data storage and retention practices. 

Sometimes, a software company releases a SaaS plugin but then abandons it. Eventually, this plugin will get outdated and insecure. Even just looking at a plugin’s age may inform your decision on whether or not you should integrate it into your software. If a new version of this plugin hasn’t come out in about three years, it may be best to raise some questions and consider your decision further. 

6. Continuously Monitor Your Entire SaaS Environment

One of the biggest problems in SaaS security is a lack of visibility into what’s happening across multiple SaaS apps. A vital best practice is to implement continuous monitoring of the entire SaaS environment. This might mean monitoring user sessions to detect suspicious activities and verifying that third-party integration plugins are secure or that security configurations are not creating risk exposure. 

Due to the extensibility of your SaaS apps, it’s virtually impossible to monitor this activity manually. Therefore, you should consider using a comprehensive SSPM platform or equivalent.

Suridata

7. Map SaaS to Your Compliance Programs

SaaS must be part of any compliance process involving financial transactions, health information, and privacy. Compliance teams should know where SaaS apps store data relevant to regulations and industry compliance frameworks like PCI-DSS. 

SaaS system owners also need to understand where their apps intersect with compliance. For example, a SaaS-based Enterprise Resource Planning (ERP) application may be subject to rules regarding financial controls, which prevent the same user from issuing a purchase order and approving a payment to that vendor. In that case, the SaaS owner must show that user permissions on the app adhere to such controls.

Getting Started in Securing Your SaaS Apps 

The risks of a data breach or comparably bad incident are too high for SaaS security to be neglected. Centralizing user authentication and access controls, continuously monitoring the entire SaaS environment, and protecting your SaaS data through encryption are just some of the steps you can take today to fortify your SaaS security posture. 

Tools like Suridata can help you gain visibility across all your SaaS apps, enabling you to spot hidden misconfigurations and vulnerabilities and address these in real-time. By automating SaaS monitoring, threat detection, and response, you can take a proactive approach to SaaS security and develop a sustainable and efficient remediation plan. Request a demo here. 

Haviv Ohayon

Co-Founder & COO

Back to list

A Step-by-Step Guide to Spotting a Security Misconfiguration Vulnerability

Hackers are all diabolical geniuses, clad in hoodies, who sneak past our best defenses like ninjas… or not. Their job is actually a bit dull. Most hacking involves automated software looking for easy break-ins enabled by security misconfigurations.

11% of successful breaches result from cloud misconfigurations. These mishaps are not just widespread but deceptively dangerous. Based on OWASP’s Top 10, “security misconfiguration” is the 5th most critical vulnerability worldwide, having moved up from 6th place in the previous edition. 

It’s not just about spotting misconfigurations but being quick at spotting them. With hackers taking as little as one minute to exploit a weakness, your team can’t afford to take weeks to discover and respond to it (if it ever discovers it at all). 

Source

What is a security misconfiguration vulnerability?

A security misconfiguration vulnerability is any system setting that causes exposure to cyber threats. It often originates from a lack of security controls and processes. For instance, it may be caused by not switching on recommended app security settings, enabling unnecessary features like legacy encryption protocols, incomplete hardening of servers, or allowing default passwords.  These vulnerabilities can affect operating systems, web servers, databases, applications, and cloud services. 

SaaS applications present a distinct challenge when it comes to misconfiguration risks. For example, a SaaS system user might be granted temporary privileged (administrative) access, but the person who added the privilege forgets to revoke it. If a malicious actor compromises that user’s account, he now has administrative access. The average company uses over a hundred SaaS apps, so the attack surface is vast. 

The impact of security misconfiguration vulnerability attacks

Attacks that exploit security misconfiguration vulnerabilities can take many forms. Ransomware, data breaches and exfiltration, impersonation of employees, and phishing attacks are among the most impactful. 

Source

Compliance problems are also a related risk. If a malicious actor can access and exfiltrate consumers’ Personal Identifiable Information (PII), that could result in penalties and legal liability for violating privacy laws such as GDPR and CCPA. 

Common challenges in spotting security misconfigurations 

Spotting security misconfigurations is inherently challenging because these are often easy-to-miss errors. Vulnerabilities may emerge from seemingly minor lapses like failing to require periodic password changes or allowing anonymous file shares. 

Then there’s the extra complexity we’re all dealing with today—a high level of interconnectivity between apps and systems. With SaaS, this takes the form of third-party integration plugins that link SaaS apps to one another, creating risk exposure.

Configurations also tend to be dynamic, and as the landscape continually changes, it is increasingly difficult to keep up with new integrations and settings. If detailed documentation is unavailable, it becomes all the more challenging to see misconfigurations because you don’t know what the configurations should look like. 

A step-by-step guide to spotting a security misconfiguration vulnerability

Step #1: Enforce security policies

The best scenario is one where you have as few security misconfiguration vulnerabilities as possible. That will mean less work spotting them and less risk. This is easier said than done, but investing in process and technology can pay dividends. 

For example, adopting repeatable hardening processes for applications and servers can help you avoid misconfigurations at the outset. Automating repetitive admin tasks can also help in this regard, as can rapidly deploying software patches. 

Step #2: Understand your complete architecture

Spotting misconfigurations depends on knowing what you have in your IT estate. The best practice is to develop a comprehensive architecture map and commit to keeping it updated. This map should include SaaS apps, which may integrate with productivity apps, storage systems, and other platforms. 

For example, it is common for SaaS-based CRM solutions to link with order management systems. You should track all such connections. If a SaaS vendor discloses that its third-party plugin has a security problem, your architecture map will tell you where it could be causing a vulnerability. 

Source

Step #3: Conduct automated scans

The reality of today’s highly complex IT environments is that manual processes for detecting security misconfigurations are doomed to failure. Automated tooling is essential for scanning the entirety of the network, the SaaS landscape, applications, databases, and operating systems. 

For example, a SaaS Security Posture Management (SSPM) platform like Suridata can automatically scan all your organization’s SaaS apps and identify misconfigured apps, creating risk. For example, the SSPM platform might discover that a user has decided to allow anyone in public to access files on a SaaS storage drive and automatically alert your team.

Step #4: Review IAM practices

Many insecure configurations involve Identity and Access Management (IAM). For instance, if your users can access SaaS apps without MFA, you risk hackers accessing your SaaS data with stolen credentials. 

Hackers also look for Broken Access Controls (BACs). This OWASP Top 10 vulnerability results from a poorly configured web application. Specialized security tools can detect such vulnerabilities and flag them for remediation. 

Source

Step #5: Check your data

Most cyberattacks target data. Therefore, hackers tend to look for misconfigurations that expose data to breach. Examples include unencrypted data and Structured Query Language (SQL) messages that inadvertently reveal sensitive information. 

SSPM can be helpful in this context. These tools will scan all your SaaS apps and discover where sensitive data is stored and who can access it. The results of such scans may surprise you, as your data is often stored in more places than you’re aware of, but it’s best to be surprised at this stage than later when your data has already been exploited. 

Step #6: Check for unused features and default settings

An unused feature hidden from view can allow access that doesn’t conform to policies and become a breeding ground for misconfigurations. Similarly, default settings might violate any number of security policies. For instance, they could allow access by people with Gmail addresses or permit access from insecure IP addresses. It’s a good practice to audit your systems for unused features and default settings and update these as soon as possible. 

Step #7: Review your SaaS vendor for compliance certifications

Your SaaS vendor’s approach to security can significantly impact your security, positively or negatively. From cryptographic failures to cross-site scripting (XSS) risks, the SaaS software can present itself with many insecure configurations. Compliance certifications such as SOC2 or PCI-DSS show that a SaaS vendor has demonstrated adherence to rigorous security frameworks. By reviewing your SaaS vendors’ compliance certifications, you can make sure you’re working with vendors that take your security seriously.

You can never stop looking for security misconfiguration vulnerabilities

Misconfigurations are a significant source of cyber risk, so you have to be able to spot them and resolve them promptly. This must be an ongoing process, however. Given the pace at which systems and connections evolve, new security misconfiguration vulnerabilities will arise continuously. 

Automation is your best friend in spotting misconfiguration vulnerabilities, helping you gain visibility across all layers of your SaaS apps. Suridata combines SSPM and SSDR, enabling you not just to gain visibility over your misconfigurations but to activate the proper response workflows as soon as a misconfiguration is spotted. Book a quick demo to see how it works.

Haviv Ohayon

Co-Founder & COO

Back to list

The Essential Guide to SaaS Compliance

The word “compliance” is one of those migraine triggers you probably don’t want to hear at work. It sounds simple: all you must do is adhere to relevant regulations or frameworks. However, compliance is a recurring workload that usually involves auditors, certifications, and laborious processes. 

SaaS compliance can be particularly challenging because you have little control over how users handle SaaS corporate data. While 43% of organizations added a new SaaS app that stores sensitive data in 2022, 25% had security violations, and 12% had to pay compliance-related penalties.

Dealing with SaaS compliance is not optional. The stakes are high, with non-compliance adding to costs and legal liability while creating risks to customer trust and brand reputation.

Source

What is SaaS Compliance? 

Compliance is about following government regulations and industry frameworks that are mandated or strongly recommended for your business. Most of the time, SaaS compliance means developing, implementing, and checking cybersecurity controls and policies that protect your and your customers’ sensitive data, such as financial and Personal Identifiable Information (PII). 

SaaS compliance varies by location and industry. For instance, if you do business in the European Union, you will be bound by the EU’s General Data Protection Regulation (GDPR) and data sovereignty rules. 

It sounds simple enough, but the SaaS “shared responsibility model” can complicate things. With shared responsibility, the SaaS vendor is responsible for compliance regarding its infrastructure. They have to have controls that protect your consumers’ data from breaches in their data centers. 

You, on the other hand, are responsible for compliance regarding your SaaS user. If a hacker steals your SaaS login and exfiltrates consumer data, you are on the hook for this compliance violation, not your SaaS vendor.

Why Should You Care about SaaS Compliance?

A business that does not take care of SaaS compliance is at increased risk of SaaS data breaches, which can lead to loss of reputation and tarnished customer relationships. Breaches resulting from a failure to comply with frameworks can also result in fines, penalties, or litigation.

When following regulations and frameworks, avoiding an understandable but counterproductive “box-checking” mindset is wise. Best practices that strengthen SaaS data security must be instilled across the company and followed as part of the broader security culture – regulatory compliance is a by-product. 

However, as the regulatory landscape grows and more SaaS apps are connected to your infrastructure, it’s easy to lose touch with the specific regulations that affect your business. A general understanding of these regulations is crucial to stay compliant. 

Source

Who Regulates SaaS and Key Frameworks?

Compliance covers different regulations and frameworks developed by governmental institutions or industry associations. Some are legally required, while others are voluntarily complied with to demonstrate trustworthiness. Below are some prominent regulations and the entities that control them. 

Data Protection Regulations

Protecting consumer privacy is a priority for many governments, which have taken steps to prevent the misuse of PII. Two regulations currently predominate in this category. 

GDPR

GDPR was established by the European Union (EU). It covers responsibilities for entities that handle EU citizens’ PII in the EU and European Economic Area. GDPR is under the control of the European Data Protection Board, but data protection authorities (DPAs) enforce it in each of the EU’s 27 member countries. 

CCPA

The California Consumer Privacy Act (CCPA) became California state law in 2018. Implemented by the California Privacy Protection Agency (CPPA), this law dictates how companies must protect California consumers’ data. It mandates that companies (SaaS-based companies included) provide total transparency about data management and storage practices, update their privacy policies, and enable customers to opt out of the sale of their data.

Source

Security Standards 

Complying with security standards involves applying the specified controls and policies and passing an audit to achieve certification. 

ISO/IEC 27001

The International Standards Organization (ISO) develops and promulgates the ISO 27001 international standard for information security. It is a broad standard, mandating a wide range of controls, many of which are relevant when using SaaS applications.

SOC2 

Security Organization Control 2 (SOC2) is a standard that covers how organizations manage their customers’ information. SOC2 compliance is voluntary, but achieving it and passing a SOC2 audit represents a commitment to information security that many companies are eager to demonstrate. It was developed by the American Institute of CPAs (AICPA), which still oversees it today. 

Industry-Specific Regulations 

Some industry-specific compliance frameworks are based on laws, while others are private and theoretically voluntary but have the force of law. 

PCI DSS

The Payment Card Industry Data Security Standards (PCI DSS) is a strict set of controls companies must adopt to accept payments from credit and debit cards. PCI DSS compliance requires extensive control implementation and the passing of an audit. The Payment Card Industry Security Standards Council and the industry trade group for the payment card industry oversee this standard.

HIPAA

If you are a healthcare company, you must comply with HIPAA. The Health Insurance Portability and Accountability Act (HIPAA) is an American federal law that is overseen by the Office of Civil Rights (OCR) of the Department of Health and Human Services (HHS). 

Source

How to Achieve SaaS Compliance: The Essential Guide 

  1. Understand each regulation’s applicability and draw a “heat map” for SaaS

Full compliance with all security standards is seldom possible, even for large enterprises. Too many rules and controls (and sub-controls) exist, so companies are selective about what they enforce. The best approach is to understand the applicability of a particular regulation or control to your specific business and SaaS landscape. 

From there, you can narrow down the most relevant regulations based on the probability of falling out of compliance and the impact of that non-compliance on your business. Some compliance professionals call this a “heat map” that shows which regulations deserve the most time and resources. Once you’ve established your “hottest” controls related to SaaS, you can work on implementing these. 

  1. Map overall compliance and information security controls to SaaS

Your SaaS compliance efforts do not exist in a vacuum. For example, PCI DSS compliance requires companies to “prohibit direct public access between the Internet and any system component in the cardholder data environment.” This control affects all system components, not just SaaS. Determine how you comply with the regulation in general and then map that control to relevant SaaS applications.

  1. Monitor SaaS compliance across the organization

Most organizations use dozens of SaaS apps. Not all are relevant to compliance, but for those that are, it is essential to monitor them regularly for adherence to required controls. This process may involve a formal audit or automated SaaS Security Posture Management (SSPM) platforms like Suridata. 

Suridata’s SaaS security platform combines SSPM with robust detection and response capabilities, helping you monitor usage across your SaaS apps and instantly detect and respond to any vulnerability. 

Source

  1. Make compliance part of the SaaS lifecycle

One of the significant advantages of SaaS risk compliance is the ease with which you can provision SaaS apps in an organization. It is a good practice to include compliance controls and safeguards into the SaaS lifecycle, such as ensuring that any SaaS app used by the company is subject to secure and compliant configurations and third-party integrations. An SSPM platform can ensure that SaaS users and system owners follow this approach.

  1. Add SaaS to corporate data governance policies

A great deal of compliance concerns consistent, secure, and effective data management. SaaS should be no exception. If compliance with relevant regulations means encrypting customers’ PII, your SaaS apps must also do that. The same goes for retaining data for time periods determined by compliance policies and deleting data according to those policies. 

Getting on the Path to SaaS Compliance 

The regulatory landscape includes SaaS, even when you aren’t sure what data your SaaS environment contains. Getting SaaS compliant is difficult, but it’s not mission impossible. You probably already have the foundation for SaaS compliance in your existing controls and policies. The challenge is to port those controls easily to your SaaS apps. 
This is where SaaS Security platforms like Suridata can help, offering automated monitoring, policy enforcement, detailed real-time insights, and remediation suggestions for any new SaaS vulnerability. Schedule a demo to learn more.

Haviv Ohayon

Co-Founder & COO

Back to list

The 7 Must-Have Cyber Security Controls You Can’t Neglect

The classic 1960s TV comedy “Get Smart” featured a fictitious spy agency called CONTROL locked in an unending battle against a devious enemy. Even at that time, when a small computer was about the size of three Coke machines, the concept of control was top of mind. 

Today, as we experience a deluge of devastating cyber attacks, we are more focused than ever on the effectiveness of our cyber security controls. Indeed, the fact that 55% of organizations reported a security incident involving SaaS in the past two years reveals that SaaS controls are not working as well as they could be. 

Every successful cyber attack is, after all, the result of a control failure. It could be a deficient control or one that didn’t exist in the first place when it should have. The growing use of cloud computing and SaaS applications also challenges the traditional approach to information security controls, making these increasingly difficult to map out and implement. 

What Are Cyber Security Controls in SaaS?

Generally, a control is a safeguard that reduces risk to an asset. Every control has an objective and an activity related to it. For instance, a lock on a cash register aims to reduce the risk of losing cash to a thief, and the “activity” encompasses purchasing the lock, installing it, and locking it. 

Cyber controls in SaaS are no different – they detect or prevent threats like ransomware attacks from impacting a SaaS asset and its data. Controls are essential in any digital environment but critical for SaaS. The average company uses more than 100 SaaS apps, each with its security options—many of which are at the discretion of end users. The potential for a breach is high without controls that can mitigate cyber risk.

Cyber controls vary in design and execution, but we can divide them into three main categories: 

  • Administrative controls – Organizational policies that help secure how your users access SaaS data. They include Identity Governance, such as managing identities’ lifecycles, reviewing access controls, and monitoring user behavior.  
  • Technical controls – Deployment of technologies and security tools to protect SaaS data, including implementing encryption and Web Application Firewalls (WAF)
  • Physical controls – Security controls that protect the physical infrastructure that hosts software. In the case of SaaS, your SaaS vendor is responsible for implementing controls such as fences and locks to secure its hosting infrastructure. 

Source

The 7 Must-Have Cyber Security Controls You Can’t Neglect

A large organization could employ hundreds or thousands of controls in its IT estate, so they can quickly get overwhelming. A handful of critical controls are deemed vital in SaaS, as they meet the unique security risks affecting SaaS apps.

1. A Software Asset Inventory that Includes SaaS 

Building and maintaining a complete inventory of software assets helps prevent attacks on neglected or invisible software. These can include unknown software assets with out-of-date security settings, untracked user accounts due to staff turnover, lack of follow-through on policies and procedures, or shadow IT. 

SaaS apps can be challenging to inventory without the proper tooling. Because they are hosted externally by third parties, knowing someone has set up a SaaS may be impossible if they didn’t inform the IT department. A SaaS Security Posture Management (SSPM) platform like Suridata can scan for SaaS apps and create an inventory of SaaS assets to support this control. 

2. Access Controls that Leverage MFA and Apply the Least Privilege Principle 

Unauthorized access to a SaaS app can cause severe data breaches and operational disruption. For instance, a hacker can use stolen credentials to log into a customer relationship management (CRM) system and exfiltrate the customer list or corrupt it to become unusable. 

Tighter access controls and multi-factor authentication (MFA) implementation can help prevent unauthorized access to SaaS apps. Ensure you also enact a policy of least privilege to reduce the risk of an attacker “moving laterally” through different sections of an application once they have logged in. 

MFA and least privilege should be part of a broader Identity and Access Management (IAM) program to achieve the control objective effectively. This may involve the integration of the MFA solution with the company’s IAM platform and related Identity Governance systems.

Source

3. Secure Configuration of SaaS Applications 

Malicious actors are constantly looking for insecurely configured SaaS apps that they can exploit. Think of a SaaS storage app set to allow anyone to access the files without being authenticated – misconfiguration vulnerabilities like this are liquid gold for attackers. 

You need to monitor SaaS security configurations continuously, flag insecure setups, and alert admins to remediate them. But with a hundred SaaS apps in use and potentially thousands of end users, inspecting security configurations must be done with an automated tool.

4. Data Protection Controls 

Encrypting data in transit and at rest and backing it up can prevent data breaches or, at the very least, reduce their impact. However, these controls require security managers to know where all their data is stored. This can be a challenge in SaaS, as the organization hosts the data externally. 

For example, how would you know that your order management SaaS app was storing customers’ Personal Identifiable Information (PII), which would cause a compliance problem if it was breached? You need an automated data scanning tool that can identify the location of data and establish who has access to it.  

5. Develop and Test an Incident Response Process 

Cyber attacks often have extensive, costly, and potentially irreversible business impacts. Even if your data isn’t stolen, unplanned downtime can negatively affect customer relationships and damage your reputation. Developing and testing an incident response process enables rapid recovery of SaaS apps from a cyber incident, ensuring no further damage is done. 

Responding to SaaS cyber incidents works best when you have immediate, detailed information about the nature of the threat and the status of your SaaS environment. A SSPM platform can provide the basis for forming an effective incident response plan. 

Source

6. Continuous Monitoring and Prioritization with SSPM 

To have your SaaS apps under control, you need to achieve comprehensive, real-time awareness of the security status of all apps in your ecosystem. Furthermore, you must be able to react quickly to detected threats and vulnerabilities.

Ensure you leverage the continuous monitoring capability of an SSPM platform to achieve constant, thorough, and up-to-date security awareness of all SaaS apps. This control needs to be coupled with a prioritization of alerts and some automation of remediation processes. 

Continuous monitoring can create a too-long list of vulnerabilities, and not all will be equally serious. Some might even be irrelevant to SaaS security. An effective SSPM platform will include a priority list of vulnerabilities to address and automatically remediate as many as possible—referring only those needing human attention to security managers.

7. Third-Party Security Risk Management

Third-party integrations can be a significant source of risk exposure for SaaS apps. Establish a process to inspect third-party integrations, such as those executed with plugins. Identify insecure plugins and integrations and alert critical stakeholders to trigger remediations. 

You will need an automated solution to do the groundwork for you, as you’ll likely have an extensive list of third-party integrations and plugins to monitor. Suridata monitors and analyzes all third-party integrations and identifies security problems, such as unsupported plugins that have become insecure or that enable unknown users to access SaaS apps. 

Source

Getting Started with Your Must-Have Cyber Security Controls

If you’re neglecting the seven SaaS controls highlighted in this article, now would be a good time to implement them. The risks are too significant to ignore and will continue to grow as your business grows. Even if your team has the basics covered, you should equip them with a comprehensive tool that automates all the monitoring, detection, and remediation processes to protect your entire SaaS arsenal. 
Purpose-built solutions like Suridata combine SSPM with robust SaaS Security Detection and Response (SSDR) capabilities, helping you get to the bottom of every SaaS vulnerability without operational overload. Learn more here.

Haviv Ohayon

Co-Founder & COO

Back to list

SaaS Data Security: 7 Tips to Keep Your SaaS Data Secure

Have you ever experienced typing your data into a form on a SaaS app, hitting “Save,” and then thinking, “Hey, wait…where did my data just go?”. We’re so thrilled with the convenience, speed, and economy of SaaS applications that we forget we’re storing some of our most sensitive data in the SaaS vendor’s cloud. 

Data leakage is the most common SaaS security incident for IT and security professionals, with 58% having experienced one in the previous two years. 41% percent of respondents suffered a SaaS data breach in that period. 

The cloud infrastructure supporting your favorite SaaS apps is often secure. However, according to almost every SaaS user agreement and based on the Shared Responsibility Model, you still have a fair share of responsibility for protecting your SaaS data. 

What is SaaS Data Security?

SaaS data security comprises the risk analysis, policies, and practices that protect data stored on SaaS apps. The specifics of any SaaS data security program will vary based on the type of organization and the data it holds on SaaS. In general, however, SaaS data security aims to reduce the risk of data breaches and other attacks that can damage or delete your data. 

Not all data stored on SaaS is equally important regarding security. The big issue with SaaS data security is the difficulty in understanding which documents stored on a SaaS platform are innocuous and which aren’t. 

Almost anything could be in a SaaS file drive, from patent applications to confidential legal agreements. For instance, zombie Sharepoint groups and data repositories make Sharepoint security challenging. Alternatively, a SaaS app might contain customer information subject to privacy laws, which may differ from country to country. 

Access controls and integrations play a role in securing SaaS data. Keep in mind that threats can be internal, too. Employees or customers may steal or carelessly mishandle data, and the impact on data security is no less profound. 

Top Challenges of Securing Your SaaS Data

Defending data stored on SaaS apps has its share of challenges, propelled mainly by the dynamic nature of the cloud. For instance, knowing who can access the SaaS app or how each user configures their security settings can be complicated. 

Some of the more common and severe challenges in SaaS data security include:

  • Securely managing user identities—knowing who is who and who can access what, especially as employees get hired, change roles, and depart the company. 
  • Safeguarding data in transit and at rest—ensuring that SaaS data is encrypted when crossing the network or stored on a disk drive. 
  • Integrating SaaS applications with other services—staying on top of the connections and plugins as they affect data stored on SaaS apps.
  • Complying with data residency rules and other regulations—adhering to mandates like “data sovereignty,” which govern where data about citizens of a given country can be stored. 
  • Preventing data loss—following Data Loss Prevention (DLP) practices that help you avoid accidental deletion of SaaS data and system failures or security incidents that can affect data.

Shadow IT, particularly shadow SaaS, threatens to make these challenges even more grueling. When virtually anyone in an organization can set up a SaaS account with a credit card and start moving corporate data onto that app, security teams can struggle to keep up. Shadow SaaS creates security blind spots and increases SaaS data risk exposure.

Source

7 Tips to Keep Your SaaS Data Secure

1. Stay on top of best practices for SaaS Security Posture

SaaS data security is—or should be—a subset of a broader commitment to SaaS Security Posture Management (SSPM). After all, security countermeasures that protect SaaS apps from unauthorized access and abuse also serve to protect the data they store. 

Getting serious about SSPM means conducting regular security audits, logging and monitoring SaaS activity, and using strong access controls such as multi-factor authentication (MFA) to better manage identities and how they use your resources. It also includes training employees in SaaS security and establishing (and testing) a SaaS incident response plan.

2. Know your SaaS vendor

Your SaaS vendor has a great deal of control over the security of your data. While you are responsible for your end of the SaaS data security, the vendor’s systems are where the data is stored. 

Review your SaaS vendor’s data security policies carefully to ensure they comply with data privacy laws and data sovereignty regulations. For instance, if you keep data about French citizens on devices hosted inside France, your SaaS vendor must comply with all the French data regulations (and prove that they’ve done so).  

Most reputable SaaS vendors willingly share their data security management and privacy policies with customers. If they don’t, maybe that’s not a vendor to use. They should tell you, for instance, if they encrypt your data at rest and in transit through end-to-end encryption or E2EE.

The good news is that several respected organizations do the heavy lifting for you in vetting your SaaS vendor. A SaaS vendor might have certifications like the Cloud Security Alliance Star Verification or have passed an audit for EuroCloud SaaS Star or SOC2 and PCI-DSS. Such certificates establish that the vendor has met specific strict standards for data security.

Source

3. Define and implement data governance policies 

It’s hard to steal data from SaaS if it isn’t there or never existed in the first place. This is the realm of data governance, whose policies can be an effective countermeasure bolstering SaaS data security. 

Consider a customer intake form on a customer relationship management (CRM) solution. You can adjust these customizable forms to limit sensitive personal data that isn’t necessary for the customer relationship and avoid putting this data at risk of being breached or misused. 

Disposing of old data can also help you prevent security misconfigurations in your apps. For example, you can establish a firm policy to delete data over seven years old automatically. Don’t forget to delete such data from your backups as well. This requires automated data management tools, often available on SaaS apps.

4. Know where your data is

With the average company utilizing over a hundred SaaS apps, keeping track of where users put corporate data is nearly impossible. No manual process could keep IT managers informed on where data resides in the SaaS ecosystem. 

SSPM solutions like Suridata employ automated data scanning processes to identify where data is located across the SaaS environment. Suridata then alerts IT managers if it detects the presence of sensitive data in a SaaS app that is not adequately secured or subject to overly broad access privileges. 

5. Regularly monitor your data security controls

It’s one thing to implement data security controls. It’s another to be confident they’re working as expected over the long term. It is a best practice to monitor data security controls regularly. For example, suppose you’ve mandated that SaaS apps only be accessed through a cloud access security broker (CASB) or established endpoint hardening standards for employee devices. You should continuously check that these policies are being enforced.

Source

6. Implement robust security measures for accessing your data

Your SaaS data is only as secure as the password you use to access it. Of the 56 million leaked passwords in 2023, the password “123456” was used in 111,417 cases. Default passwords such as “admin,” “root,” or guest” were equally (and worryingly) prevalent. 

The most straightforward measures are often the most impactful. Ensure you employ multi-layered authentication protocols such as multi-factor authentication (MFA) and strong, regularly updated passwords so that only authorized users can access the data. 

Source

7. Back up your data regularly

There is often some confusion about SaaS data backups, so it bears explaining. Most of the time, the SaaS vendor will back up its cloud instances. If they experience an outage, your data should be safe. However, the SaaS vendor’s backup does not necessarily protect you from cyberattacks and malicious data handling on a SaaS platform. If an insider decides to delete your SaaS data, you may have lost it for good. 

Getting Started Protecting Your SaaS Data

SaaS apps are most likely holding a lot of your sensitive data. You should want it protected, even if it’s not in your direct control. Getting started with SaaS data security involves adhering to basic SaaS cybersecurity practices, understanding your vendor’s data protection policies, knowing where all your data is in the SaaS landscape, and implementing effective data governance policies. 

Suridata can be a valuable tool for achieving your SaaS data security objectives. It monitors SaaS usage and flags suspicious activity that could signal the start of a data breach. It also monitors where your data has been stored and who has access to it in your SaaS environment. These and other functions help you establish a robust SaaS security posture, including solid data protection. Learn more or request a demo today.

Haviv Ohayon

Co-Founder & COO

Back to list

Locking Down SharePoint Security: 7 Steps to Take Now

You can’t spell SharePoint without “share.” This word represents the best and worst that this enduring, top-rated platform offers. Used by hundreds of millions of people worldwide, Microsoft SharePoint natively integrates into the Microsoft 365 system and is renowned for its custom intranet portals, document repositories, and team collaboration spaces. 

Nearly 65% of Sharepoint customers adopted SharePoint Online instead of on-premise, reiterating how valuable this tool can be for collaboration and productivity. But there’s a downside to SharePoint’s exciting features: they make you more vulnerable to security risks. 

Sensitive data stored in SharePoint can be subject to severe security attacks when access controls and third-party integrations are misconfigured. While Microsoft offers built-in security features, it’s up to each organization to take control of its SaaS integrations and ensure that teams are leveraging SharePoint effectively without compromising security. 

What are SharePoint’s Security risks?

SharePoint’s attack surface is as extensive and inviting as its deployment scope. The essence of SharePoint—that any user can get permission to set up data repositories and share data externally in seemingly infinite permutations—poses many challenges for SaaS security. The bigger the implementation, the more users, and the greater the variety of SharePoint instances, the more insecure the SharePoint environment becomes. 

One of the most severe SharePoint vulnerabilities relates to the potential to have too many SharePoint administrators, or “Group Owners,” as they are known. Group Owners can designate who is a “Member” and a “Guest” of a SharePoint Group, which dictates their access to data. Within a SharePoint Group, the Group Owner can further establish policies on data access across the organization. If there are too many Group Owners for SharePoint admins to track, the potential for data leakage becomes worrisome. 

Source

Like all browser-based apps, SharePoint is vulnerable to threats like cross-site scripting (XSS), misconfigured security settings, and identity-related attacks. External connections are particularly troublesome. With potentially every user in an organization able to share documents with the outside world, it’s almost inevitable that sensitive data will get into the wrong hands.

The challenges of managing SharePoint security 

SharePoint security is challenging due to the complexity and scale of most deployments. In theory, you can define and enforce security policies that protect data held in SharePoint. However, in reality, there are invariably way too many SharePoint groups and people involved to make policy enforcement feasible. At the same time, excessive moves to restrain SharePoint use in the name of security restrict the collaboration that SharePoint aims to facilitate.

A SharePoint security challenge is knowing where data is stored and who can access it, as there is no feasible way to track this manually. In addition, organizational churn inevitably leads to “zombie” SharePoint groups and data repositories that no one knows anything about and doesn’t have the time to investigate. Such SharePoint sprawl often gets ignored, leading to data leakage risks.

So, what does it take to make SharePoint more secure? SharePoint offers basic cyber hygiene and security policies, like requiring complex passwords. Part of these are general Microsoft security practices applicable to the broader Microsoft Windows/Office ecosystem that is standard in almost every organization. However, organizations are responsible for managing their SaaS security posture – their integrations with SaaS apps like SharePoint and the array of security gaps that may arise within these connections. 

Source

Locking down SharePoint security: 7 steps to take now

1. Make sure you’re totally on top of your sharing 

Given that sharing is the heart of SharePoint, one of the most important steps you can take to secure SharePoint is to get on top of how sharing occurs in your environment. For example, your SharePoint Group Owners and members can freely share files inside the organization by default. This may improve operational efficiencies, but it’s not an optimal security procedure. Instead, a good practice is to limit sharing by changing permissions so that only site owners can share files. 

If you share files externally through SharePoint, you should track your permissions carefully. As major companies like Target have learned the hard way, you can’t ensure that outside companies will diligently protect your data or access to your network. The best practice is to turn off SharePoint’s External Sharing feature, which enables users to invite external users to access content. Turning on External Sharing when necessary is possible, but it’s best to keep it off by default.

Limit sharing by domain and designate forbidden domains if you must share externally. For instance, you can prohibit users from sharing SharePoint files with people who have Gmail addresses.

On another front, you should prevent users from synchronizing their devices with SharePoint document libraries. This “Doc Library Sync” puts SharePoint files on users’ laptops, enabling them to accidentally delete files (i.e., data loss) if they “clean” their C Drives. 

2. Track and secure third-party integrations

It is possible to integrate SharePoint with third-party applications using software plugins. For example, users can link their SharePoint groups with Box.com or Salesforce.com. While good for productivity, this practice may expose SharePoint data to the risk of breach. Malicious actors can exploit the plugin to gain unauthorized access. 

The breadth of third-party integrations across a large company’s SharePoint environment makes tracking and securing these integrations difficult. SSPM platforms like Suridata can automatically scan for the use of third-party plugins and alert system admins to plugins that create risk exposure.

Source

3. Implement robust access control policies

Adequate SharePoint security relies on controlling who can access Groups and files. Under the Shared Security Model, Microsoft provides several built-in security controls enabling you to, for instance, create user roles in Microsoft Active Directory that map to SharePoint permissions. The challenge here is to administer these roles, as it’s easy to fall behind and allow users to retain access they no longer need. 

SSPM solutions like Suridata provide a way to escape this trap through automated scanning of data access rights. You should also implement multi-factor authentication (MFA) to limit access to people with company email addresses. MFA is a potent tool, but it’s necessary to moderate its use so it doesn’t interfere with productivity. It can be frustrating if a user has to enter an authentication code repeatedly while inside the corporate or virtual private network (VPN). 

SharePoint provides several levels of link-sharing permissions. In the SharePoint Admin Center, you can adjust your default settings and create a link for each file, which you can then share with the relevant people via email. This permission helps implement the principle of least privilege and strengthen your zero-trust strategy, limiting link access to only those who need it. 

You could make it the default policy that employees can only share SharePoint links with internal people, allow specific people to share links, or permit people who already have access to the links to share them. Alternatively, you can assign “View only” permission instead of “Edit” to restrict access controls. 

Source

5. Protect and manage your data 

At its root, SharePoint is a place to store data for use in collaboration and workflows. Data security becomes a significant issue when users add, edit, share, or delete files. Encryption is one essential countermeasure, and it’s a great practice to apply SharePoint’s native encryption whenever possible. 

Data retention is another area where you can take action to protect data in SharePoint. You can set up data retention policies that enable users to specify how long data will remain in SharePoint before being automatically deleted. This control prevents people from uploading files to SharePoint and forgetting about them—leading to sensitive data simply sitting around for potentially unauthorized users to view.

However, the reality is that SharePoint data is so voluminous and varied that it’s impossible to manage and secure it actively. Instead, it makes sense to use an automated SaaS data security solution like Suridata to run continuous automated scans to identify sensitive data in SharePoint and flag it for removal by admins. 

6. Implement SaaS Security Posture Management (SSPM)

While SharePoint Online contains a collection of security controls, robust security requires a dedicated external security solution. There are simply too many variables to rely on SharePoint alone. 

SaaS Security Posture Management (SSPM) tools have automated processes that monitor the usage of SaaS apps. They continuously analyze security configurations, such as third-party plug-ins and access permissions, ensuring that every infrastructure layer is covered. A comprehensive SSPM tool also recommends remediation processes that let security teams quickly activate vulnerability management workflows and mitigate risks in near real time. 

Source

7. Deploy a SaaS Security Detection and Response (SSDR) solution

Security Detection and Response (SSDR) solutions are the ideal complement to SSPM, observing SharePoint activity and flagging anomalous user behavior that suggests the presence of a threat. For example, if a user repeatedly attempts to download data to a location outside a company’s regular geographic area, that’s a sign of a breach. SSDR tools like Suridata can alert admins and shut off access to that user – preventing security breaches promptly without impacting operations. 

Suridata combines the best of both worlds by providing SSPM and SSDR in a single solution. It offers complete monitoring of all your SaaS apps and the depth of detection and analysis you need to establish a strong security posture for SharePoint. 

Onward to a Secure SharePoint Environment

SharePoint security is neither intuitive nor straightforward. While the software has its security controls, its broad usage and connectivity with external entities make it imperative to take specific steps to lock it down. These include protecting data through encryption and retention policies, carefully managing access, and limiting sharing of files and links. With SSPM and SSDR, you can take advantage of all SharePoint offers without worrying about the security risks that come with it.

Learn more or schedule a demo to see how Suridata can help secure your SharePoint environment.

Haviv Ohayon

Co-Founder & COO

Back to list

5 Most Common Security Misconfiguration Vulnerabilities and Their Mitigation

Napoleon would have made a great hacker. Now the subject of a historical action thriller, the Emperor once allegedly said, “Never interfere with the enemy while he is in the process of making a mistake.” So it goes in cybersecurity, as well. Some of the worst data breaches occur because of simple mistakes in configuration. These errors can be particularly problematic in SaaS environments, where every user can choose their security configurations— potentially leading to a wide range of unintended vulnerabilities. 

SaaS misconfigurations could be responsible for up to 63% of security incidents. People you don’t control or even know about are making decisions (or forgetting to) about configurations that protect your most sensitive data. Securing your SaaS applications should be on top of any business’s priority list, especially as cloud and SaaS become increasingly prevalent. 

What is a Security Misconfiguration?

Security misconfigurations can be a source of SaaS security risks in two distinct ways. The first involves functional settings that affect security. For example, a SaaS-based storage service’s default settings might enable anyone worldwide to access its store files. The second is specifically related to security settings. A security tool might have several configuration possibilities, allowing you to choose whether or not to, for instance, encrypt data or mandate multi-factor authentication. Each of these has implications for your security posture. 

It’s important to underscore that security misconfigurations can occur due to mistakes, negligence, or deficient policies, so human rather than technical factors. Suppose more than one department can set up SaaS security settings on the same SaaS app, for example. That’s inviting a misconfiguration vulnerability—especially if no one can monitor the security settings across the organization. 

Specifics will vary depending on each company, but most security misconfigurations arise from settings for data protection, encryption, user identity and authentication, and administrative privileges. 

Source

The Capital One incident in 2019 is arguably the most notorious misconfiguration data breach. In that case, a hacker exploited a misconfigured cloud firewall, assigned themselves AWS S3 bucket permissions, and exfiltrated over 100,000,000 customer credit applications. Numerous comparable episodes have occurred since then, leading to data breaches, penetration of networks, and phishing attacks.

5 Most Common Security Misconfiguration Vulnerabilities and Their Mitigation

1. Misconfigured Access Controls

The question of “who can access what?” is the core of many security controls. When access controls are not configured securely, organizations face significant risk exposure, opening doors for malicious actors to compromise identities and view, damage, or exfiltrate data. 

Examples of misconfigured access controls include the use of default passwords, abandoned accounts, and out-of-date administrative access permissions. Alternatively, not requiring MFA can let hackers exploit “password spraying” attacks to gain entry into systems – precisely what happened with the infamous attack on Citrix’s IMAP-based cloud email server. 

To detect misconfigured access controls, you can use an automated system that scans for IAM weaknesses, such as unused accounts and default password settings. For SaaS, solutions like Suridata’s SaaS security posture management (SSPM) can monitor access control configurations across multiple SaaS apps. This is essential today because most companies depend on hundreds of SaaS apps. 

2. Third-Party Configuration Risks/Unsecured APIs

Staying on top of secure configurations for a single application is challenging. But things get more complicated when you start connecting applications and growing your number of third-party configurations. Consider what happens when integrating two or more SaaS apps using external plugins. For example, you can link your customer relationship management (CRM) system with your email and SaaS-based file storage solution to improve productivity. However, each of these plugins has to be configured for security, and in many cases, this simply isn’t possible. 

The decisions about security settings may be up to end users who have no idea how to set up secure configurations. Or, the plug-in itself could also be no longer supported by the vendor and grow increasingly insecure over time—but you may not realize this until it’s too late.

A related insecure configuration risk arises with application programming interfaces (APIs) integrating applications and data sources. While APIs enable streamlined, low-cost integration that’s a boon to productivity and agility, they can also expose your organization to risk. 

Source

API configuration errors at the Texas Department of Insurance led to an information breach on nearly 2 million Texans in 2022. The data included birth dates, addresses, phone numbers, and Social Security numbers. The attack occurred because a web application was configured with an authorization flaw, resulting in a broken function level authorization (BFLA) attack on an API. In this kind of attack, the hacker sends a query to an API endpoint that should not, in theory, respond to it—but does, leaking sensitive information in the process. 

API security platforms can help mitigate these types of risks. They can automatically scan applications and flag vulnerable APIs. 

3. Default Configurations

The process of installing software requires choosing various security settings. However, default security configurations often remain in place if alternatives are not selected, which can lead to risk exposure. For example, the default settings might allow you to keep weak passwords or specific firewall ports open, and neither is great for security.

If the software in question is a single, centralized application installed and managed on-premises by the IT department, the chance of an insecure default configuration is lower. With cloud and SaaS, things get more complicated, as IT and security teams often lack visibility into the state of default settings. Manual auditing processes and employee training are helpful up to a point. However, it’s best to use an automated solution that scans and flags insecure default settings to mitigate risk properly. 

4. Insecure Data Storage Configurations

Data is vulnerable both when it’s moving and when it’s at rest. The security configurations of data storage are, therefore, critical to data security. Access controls matter, but encryption is arguably the most important countermeasure. However, encryption depends on configuration, and storage managers often get it wrong. 

Even the US Army’s Intelligence and Security Command unintentionally allowed a sensitive database—including top secret files—to be stored on Amazon S3 without configuring the cloud storage array for adequate user authentication.

Source

Encryption is relatively easy to manage when an organization employs a few on-premises storage solutions. However, moving data into the cloud gets much more challenging, as employees can set up cloud storage using SaaS storage solutions without informing the IT department or security team. 

Suridata can scan the entire SaaS environment to detect the location of data and its associated security configurations. The SSPM platform can flag data at risk and notify admins to fix the problem before a breach occurs.

5. Improperly Configured File and Directory Permissions

Hackers can sometimes guess file and directory names, in which case they can gather system information to orchestrate attacks. They might discover and download your compiled code, for example, and reverse engineer them to reveal your source code. This is, in part, a configuration issue. You can configure directory servers with strict control over access permissions and make it impossible to use easy-to-guess files and directory names. 

Getting Secure with Your Configurations

As we’ve seen, many types of security misconfigurations can expose your organization to cyber risk. Even the more innocent vulnerabilities can lead to serious security breaches – all it takes is a hacker to exploit a small mistake with default settings, a weak password, or a forgotten open port. SaaS environments are especially vulnerable to such vulnerabilities as the complexity of hundreds of integrations makes for poor visibility and a lack of control over your system. 

Mitigation is possible with the right technology. Platforms like Suridata combine powerful SSPM with SSDR capabilities, helping you monitor your SaaS apps and quickly remediate vulnerabilities as they arise. Suridata scans vulnerabilities automatically and provides you with detailed findings, their priority based on risk level, and automated remediation guidance. Get a demo to learn more.    

Haviv Ohayon

Co-Founder & COO

Back to list

What is SSPM? 7 Building Blocks of SaaS Security Posture Management

Have you ever woken up at 2:00 AM, worried if your company’s most sensitive data was safe? Or perhaps you worried about whether you did everything required to protect privacy laws and avoid unimaginable violations.

From HR to finance departments, companies run most of their workloads on third-party software. While there is no turning back on SaaS, we also can’t ignore that it opens up a can of security worms for your business. 55% of organizations experienced a SaaS security event in the last two years. And to make matters worse, mitigating these issues often falls outside the capabilities of traditional security tools. 

But that’s what SaaS Security Posture Management (SSPM) is here for. SSPM solutions give IT and security teams visibility into the security posture of their sprawling SaaS ecosystems—detecting vulnerabilities and, in some cases, offering automated remediation – both essentials in combating increasingly frequent SaaS threats. 

What is SaaS Security Posture Management (SSPM)?

SaaS Security Posture Management (SSPM) is a combination of tools, processes, and practices that aim to improve the security posture of SaaS environments. Security posture concerns an organization’s ability to defend its networks, information systems, and other digital resources. 

An organization that uses SaaS apps needs SSPM to protect its data and business operations. The average company now uses over a hundred SaaS apps (that they know of… which is a whole other problem). These apps store corporate data in ways that may not be secure—which tends to be opaque to IT and security teams. 

Source

In contrast to traditional on-premises applications and databases, which security teams can relatively quickly defend and monitor, SaaS apps are freestanding. They’re operated by third parties, offering a wide latitude in security configuration to individual users. 

Implemented correctly, an SSPM solution helps mitigate the security risks inherent in SaaS and unique to the SaaS architecture. It extends an organization’s security posture into SaaS. Benefits include a lower risk of data breach and leakage from SaaS and less chance of SaaS compliance problems.

The challenges of implementing SSPM 

Making SSPM work can be challenging, primarily due to the sheer scale of most SaaS environments. If a company has five SaaS apps, admins can check each for compliance. If there are a hundred apps, however, admins will be overloaded and unable to check for compliance consistently. Establishing and maintaining visibility over configurations, user access, data placement, and third-party integrations can be challenging. 

A parallel problem comes from SaaS apps’ rapid development cycles. Each SaaS vendor will update its app regularly, perhaps as often as every few weeks. Each new version has the potential to break security controls and integrations, so the third-party plugin that was secure last week may no longer be. The plugins may also create security risks due to frequent updates and neglect. 

Only 10% of companies continuously conduct SaaS security configuration checks, and 5% don’t scan for misconfigurations. Without multidimensional visibility and monitoring, it is possible to miss threats and vulnerabilities that can negatively affect the SaaS security posture.

Source

Compliance requirements can change, too, which may lead to specific SaaS configurations and data storage decisions causing compliance problems. Alternatively, SaaS providers may move your customers’ Personal Identifiable Data (PII) data between regions that don’t allow such moves, and you’ll be hard-pressed to know about it. 

There’s also the “shadow SaaS” issue, where employees sign up for SaaS apps independently and store corporate data on them without getting IT or security permission. This is more common than people realize and can be a significant security headache as it creates invisible risk exposure. A good SSPM solution will be able to scan for shadow SaaS and flag it for intervention by IT. 

7 Building Blocks of SaaS Security Posture Management

All effective SSPM solutions should offer a high degree of flexibility, scalability, and visibility into your SaaS environment. But there are other vital factors to consider: 

1. Automation

All SSPM solutions feature some degree of automation; the more automation, the better. With each SaaS app potentially having hundreds of settings and a user base that could span thousands of devices, human admins simply cannot keep up with the SaaS security workload. Ideally, teams will be free to analyze complicated SaaS security situations that arise while the bulk of security alerts and remediations occur automatically. This is possible with Suridata, which automates some of its SaaS security remediations, such as misconfigurations and version changes. 

2. Misconfiguration discovery and remediation

Misconfigurations are common in a SaaS environment and can lead to risk exposure. For example, if users keep the default settings on certain file-sharing SaaS apps, data stored on them may be accessible worldwide. An SSPM solution must offer deep visibility into all configurations, settings, and any built-in security controls that affect SaaS security posture. With the ability to discover SaaS misconfigurations, an SSPM solution can also identify SaaS apps that are not using multi-factor authentication (MFA) in critical accounts. It can flag unencrypted file sharing, which might cause risk exposure in certain use cases.  

Source

3. Detection and remediation of insecure third-party integrations

Employees who use third-party plugins to integrate their SaaS apps with others can inadvertently expose sensitive data to unauthorized access, among other risks. The integration may seem innocuous, such as linking a SaaS-based customer relationship management (CRM) solution with a SaaS email program. The problem is that the email program will treat the CRM as a user who does not need to be authenticated after the initial connection is established. A malicious actor can exploit this connection channel to access the email account. 

SSPM solutions like Suridata offer a countermeasure. They provide an overview of each third-party integration’s source and give admins detailed information about all the various permissions granted via the plugin. This way, teams can detect “overprivileged” users—potentially shutting off their access until their access rights can be reviewed. 

4. IAM and user monitoring

Your SaaS security posture benefits from your team’s firm understanding of who is who and who can access what. Indeed, almost any security breach is possible without such control and will be challenging to detect or respond to. For these reasons, an SSPM solution must integrate with IAM solutions and other access control tools that enable zero trust security, such as privileged access management (PAM) suites. When combined with the SSPM solution’s user activity monitoring, the result is an effective countermeasure against SaaS penetrations by malicious actors. 

Source

5. Data exposure analysis 

The ability for end users to store data in hard-to-monitor or unknown SaaS locations represents a significant point of vulnerability and a source of compliance violations. An SSPM solution has to automatically scan for data stored in SaaS apps and detect threats; this process should work preventatively and forensically. The SSPM solution should identify corporate data that users have placed on SaaS apps and determine who has access to it and who can share it. If there is a breach, SSPM solutions like Suridata can analyze the impact on data sets stored on SaaS apps—recommending actions to limit the damage. 

6. Threat detection and response

Like other information systems, SaaS apps need protection that activates threat detection and response processes. SSPM solutions need to monitor all SaaS apps for suspicious activities, including, for instance, detecting a user who has logged in from a foreign country and attempted to download a great deal of data. Suridata offers this capability, along with automated alerts and other incident response tasks. 

7. SecOps integration

SSPM should be part of a broader security and IT management workflow set. A security alert regarding a SaaS app is like any other security alert – it must be routed to a human analyst and subject to a planned incident response plan or go through an automated response workflow. Either way, this can only happen if the SSPM solution is integrated with ticketing systems and security operations (SecOps) tools like security automation, orchestration, and response (SOAR) and ITDR platforms

Source

Given that the overring goal in SecOps is to minimize drains on people’s time, the SSPM solution will ideally support automated remediations. If the solution can fix a problem without human hands, that’s the best outcome. On a related front, the SSPM solution should prioritize SaaS security alerts—focusing analysts’ attention only on the most serious. The SSPM solution would also provide remediation guidance for each alert. The path to correcting a security problem may not be evident to everyone. Solutions like Suridata benefit from collective experience in SaaS security to guide security analysts in their remediation efforts.

Getting to a strong SaaS security posture

A robust SaaS security posture is attainable but will take a lot of groundwork and the right tools. SSPM solutions like Suridata can make your SaaS security journey much more seamless, offering you the automation capabilities to monitor all your SaaS apps, including the ones you didn’t even know your employees were using. With the detection and remediation of insecure third-party integrations, monitoring for anomalies, and integrating with IAM, you can mitigate many of the most severe threats affecting SaaS and the business operations that depend on it. To learn about Suridata’s SSPM solution, visit our demo page.

Haviv Ohayon

Co-Founder & COO

Back to list