5 Most Common Security Misconfiguration Vulnerabilities and Their Mitigation

Napoleon would have made a great hacker. Now the subject of a historical action thriller, the Emperor once allegedly said, “Never interfere with the enemy while he is in the process of making a mistake.” So it goes in cybersecurity, as well. Some of the worst data breaches occur because of simple mistakes in configuration. These errors can be particularly problematic in SaaS environments, where every user can choose their security configurations— potentially leading to a wide range of unintended vulnerabilities. 

SaaS misconfigurations could be responsible for up to 63% of security incidents. People you don’t control or even know about are making decisions (or forgetting to) about configurations that protect your most sensitive data. Securing your SaaS applications should be on top of any business’s priority list, especially as cloud and SaaS become increasingly prevalent. 

What is a Security Misconfiguration?

Security misconfigurations can be a source of SaaS security risks in two distinct ways. The first involves functional settings that affect security. For example, a SaaS-based storage service’s default settings might enable anyone worldwide to access its stored files. The second is specifically related to security settings. A security tool might have several configuration possibilities, allowing you to choose whether or not to, for instance, encrypt data or mandate multi-factor authentication. Each of these has implications for your security posture. 

It’s important to underscore that security misconfigurations can occur due to mistakes, negligence, or deficient policies, that is, human rather than technical factors. Suppose more than one department can set up SaaS security settings on the same SaaS app, for example. That’s inviting a misconfiguration vulnerability—especially if no one can monitor the security settings across the organization. 

Specifics will vary depending on each company, but most security misconfigurations arise from settings for data protection, encryption, user identity and authentication, and administrative privileges. 


The Capital One incident in 2019 is arguably the most notorious misconfiguration data breach. In that case, a hacker exploited a misconfigured cloud firewall, assigned themselves AWS S3 bucket permissions, and exfiltrated over 100,000,000 customer credit applications. Numerous comparable episodes have occurred since then, leading to data breaches, penetration of networks, and phishing attacks.

5 Most Common Security Misconfiguration Vulnerabilities and Their Mitigation

1. Misconfigured Access Controls

The question of “who can access what?” is the core of many security controls. When access controls are not configured securely, organizations face significant risk exposure, opening doors for malicious actors to compromise identities and view, damage, or exfiltrate data. 

Examples of misconfigured access controls include the use of default passwords, abandoned accounts, and out-of-date administrative access permissions. Alternatively, not requiring MFA can let hackers exploit “password spraying” attacks to gain entry into systems – precisely what happened with the infamous attack on Citrix’s IMAP-based cloud email server. 

To detect misconfigured access controls, you can use an automated system that scans for IAM weaknesses, such as unused accounts and default password settings. For SaaS, solutions like Suridata’s SaaS security posture management (SSPM) can monitor access control configurations across multiple SaaS apps. This is essential today because most companies depend on hundreds of SaaS apps. 
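The kind of scan the paragraph above describes, as an added example that is not Suridata's code or any vendor's API: it runs over a constructed export of SaaS accounts and flags the access-control misconfigurations named in this section (unused accounts, default passwords that were never changed, accounts without MFA, stale passwords). The record layout, the thresholds and the severity scale are assumptions of this example.

```python
"""Added example: posture check over a constructed export of SaaS accounts.
Record layout, thresholds and severities are assumptions for this example."""
from collections import Counter
from datetime import date, timedelta

# Constructed sample export. "last_login" and "password_changed" are ISO dates
# or None (never); "default_password" means the initial password is still set.
ACCOUNTS = [
    {"user": "alice", "admin": True, "mfa": True, "last_login": "2024-05-01",
     "password_changed": "2024-03-10", "default_password": False},
    {"user": "svc-backup", "admin": True, "mfa": False, "last_login": "2024-05-03",
     "password_changed": "2023-01-15", "default_password": False},
    {"user": "contractor-old", "admin": False, "mfa": True, "last_login": "2023-10-20",
     "password_changed": "2023-09-01", "default_password": False},
    {"user": "kiosk", "admin": False, "mfa": False, "last_login": "2024-05-02",
     "password_changed": None, "default_password": True},
]

TODAY = date(2024, 5, 5)          # fixed so the example is reproducible
INACTIVE_AFTER = timedelta(days=90)
ROTATE_AFTER = timedelta(days=365)
SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2}


def _as_date(value):
    return date.fromisoformat(value) if value else None


def scan_accounts(accounts, today=TODAY):
    """Return findings as dicts, most severe first."""
    findings = []

    def add(user, severity, issue):
        findings.append({"user": user, "severity": severity, "issue": issue})

    for acct in accounts:
        user, is_admin = acct["user"], acct["admin"]
        last = _as_date(acct["last_login"])
        if last is None or today - last > INACTIVE_AFTER:
            # abandoned accounts are a foothold; worse when they are privileged
            add(user, "high" if is_admin else "medium", "inactive account")
        if acct["default_password"]:
            add(user, "high", "default password never changed")
        if not acct["mfa"]:
            # no MFA leaves the account open to password spraying; critical for admins
            add(user, "critical" if is_admin else "medium", "MFA not enforced")
        rotated = _as_date(acct["password_changed"])
        if rotated is not None and today - rotated > ROTATE_AFTER:
            add(user, "medium", "password not rotated in over a year")

    findings.sort(key=lambda f: (SEVERITY_RANK[f["severity"]], f["user"]))
    return findings


def summarize(findings):
    """Count findings per severity, e.g. {'critical': 1, 'high': 1, 'medium': 3}."""
    return dict(Counter(f["severity"] for f in findings))


if __name__ == "__main__":
    for f in scan_accounts(ACCOUNTS):
        print(f"{f['severity']:<8} {f['user']:<15} {f['issue']}")
    print(summarize(scan_accounts(ACCOUNTS)))
```

On the sample data the admin service account without MFA is the only critical finding; the same rules applied across hundreds of apps are what an automated scanner does for you, since the thresholds, not the logic, are what differ between organizations.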

2. Third-Party Configuration Risks/Unsecured APIs

Staying on top of secure configurations for a single application is challenging. But things get more complicated when you start connecting applications and growing your number of third-party configurations. Consider what happens when integrating two or more SaaS apps using external plugins. For example, you can link your customer relationship management (CRM) system with your email and SaaS-based file storage solution to improve productivity. However, each of these plugins has to be configured for security, and in many cases, this simply isn’t possible. 

The decisions about security settings may be up to end users who have no idea how to set up secure configurations. Or, the plug-in itself could also be no longer supported by the vendor and grow increasingly insecure over time—but you may not realize this until it’s too late.

A related insecure configuration risk arises with application programming interfaces (APIs) integrating applications and data sources. While APIs enable streamlined, low-cost integration that’s a boon to productivity and agility, they can also expose your organization to risk. 


API configuration errors at the Texas Department of Insurance led to an information breach on nearly 2 million Texans in 2022. The data included birth dates, addresses, phone numbers, and Social Security numbers. The attack occurred because a web application was configured with an authorization flaw, resulting in a broken function level authorization (BFLA) attack on an API. In this kind of attack, the hacker sends a query to an API endpoint that should not, in theory, respond to it—but does, leaking sensitive information in the process. 

API security platforms can help mitigate these types of risks. They can automatically scan applications and flag vulnerable APIs. 
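The authorization flaw described above, as an added example that is not part of the original post: a vulnerable API dispatcher that only checks that the caller is authenticated, so any logged-in user can call a function meant for administrators (the BFLA condition), beside a hardened dispatcher that maps every endpoint to the roles allowed to call it and denies anything unlisted. Endpoint names, sessions and records are constructed for this example.

```python
"""Added example: broken function level authorization (BFLA), vulnerable
dispatcher beside the hardened one. All names and data are constructed."""

# Constructed session store (token -> identity) and a tiny record store.
SESSIONS = {
    "tok-user-7": {"user": "u7", "role": "user"},
    "tok-admin-1": {"user": "a1", "role": "admin"},
}
RECORDS = {
    "u7": {"name": "Dana", "dob": "1990-02-14"},
    "u8": {"name": "Eli", "dob": "1985-11-30"},
}


def _authenticate(token):
    """Authentication only: who is calling? Returns None for unknown tokens."""
    return SESSIONS.get(token)


# Endpoint implementations, shared by both dispatchers.
def get_own_profile(session):
    return {"status": 200, "body": RECORDS.get(session["user"], {})}


def export_all_records(session):
    """Intended for administrators only: returns every record."""
    return {"status": 200, "body": list(RECORDS.values())}


ENDPOINTS = {
    "GET /me": get_own_profile,
    "GET /admin/export": export_all_records,
}


def dispatch_vulnerable(route, token):
    """Authenticates the caller but never asks whether this role may call this
    function, so 'GET /admin/export' answers an ordinary user: the BFLA flaw."""
    session = _authenticate(token)
    if session is None:
        return {"status": 401}
    handler = ENDPOINTS.get(route)
    if handler is None:
        return {"status": 404}
    return handler(session)


# Function-level policy: every reachable endpoint names the roles that may call it.
ALLOWED_ROLES = {
    "GET /me": {"user", "admin"},
    "GET /admin/export": {"admin"},
}


def dispatch_hardened(route, token):
    """Authentication, then an explicit per-function authorization check; an
    endpoint with no policy entry is not reachable at all (deny by default)."""
    session = _authenticate(token)
    if session is None:
        return {"status": 401}
    allowed = ALLOWED_ROLES.get(route)
    if allowed is None or route not in ENDPOINTS:
        return {"status": 404}
    if session["role"] not in allowed:
        return {"status": 403}
    return ENDPOINTS[route](session)


if __name__ == "__main__":
    print("vulnerable:", dispatch_vulnerable("GET /admin/export", "tok-user-7")["status"])
    print("hardened:  ", dispatch_hardened("GET /admin/export", "tok-user-7")["status"])
```

The design point is that the policy table is the single place where "which role may call which function" is written down; an endpoint added to the code without a policy entry returns 404 rather than silently becoming callable, which is exactly the gap an API scanner looks for.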

3. Default Configurations

The process of installing software requires choosing various security settings. However, default security configurations often remain in place if alternatives are not selected, which can lead to risk exposure. For example, the default settings might allow you to keep weak passwords or specific firewall ports open, and neither is great for security.

If the software in question is a single, centralized application installed and managed on-premises by the IT department, the chance of an insecure default configuration is lower. With cloud and SaaS, things get more complicated, as IT and security teams often lack visibility into the state of default settings. Manual auditing processes and employee training are helpful up to a point. However, it’s best to use an automated solution that scans and flags insecure default settings to mitigate risk properly. 

4. Insecure Data Storage Configurations

Data is vulnerable both when it’s moving and when it’s at rest. The security configurations of data storage are, therefore, critical to data security. Access controls matter, but encryption is arguably the most important countermeasure. However, encryption depends on configuration, and storage managers often get it wrong. 

Even the US Army’s Intelligence and Security Command unintentionally allowed a sensitive database—including top secret files—to be stored on Amazon S3 without configuring the cloud storage array for adequate user authentication.


Encryption is relatively easy to manage when an organization employs a few on-premises storage solutions. However, moving data into the cloud gets much more challenging, as employees can set up cloud storage using SaaS storage solutions without informing the IT department or security team. 

Suridata can scan the entire SaaS environment to detect the location of data and its associated security configurations. The SSPM platform can flag data at risk and notify admins to fix the problem before a breach occurs.
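An audit for the two storage failures this section and the one before it discuss (storage reachable without proper authentication because defaults were left in place, and storage without encryption at rest), as an added example that is not Suridata's code. The bucket records are constructed and only loosely shaped after what the S3 GetBucketAcl, GetPublicAccessBlock and GetBucketEncryption calls return; that shape, like the severities, is an assumption of this example.

```python
"""Added example: audit of constructed cloud-storage bucket configurations for
public ACL grants, a missing public access block and missing default encryption."""

# S3 ACL group grantees that AWS treats as "public": everyone, or any AWS account.
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTHENTICATED_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PUBLIC_GRANTEES = {ALL_USERS, AUTHENTICATED_USERS}
PUBLIC_ACCESS_BLOCK_KEYS = ("BlockPublicAcls", "IgnorePublicAcls",
                            "BlockPublicPolicy", "RestrictPublicBuckets")
FULL_BLOCK = {k: True for k in PUBLIC_ACCESS_BLOCK_KEYS}

# Constructed sample inventory (assumed record shape, not a real export).
BUCKETS = [
    {"name": "intel-archive",            # the "left on defaults" case
     "grants": [{"grantee": ALL_USERS, "permission": "READ"}],
     "public_access_block": None, "default_encryption": None},
    {"name": "shared-uploads",           # public grant hidden by the block, still sloppy
     "grants": [{"grantee": AUTHENTICATED_USERS, "permission": "READ"}],
     "public_access_block": FULL_BLOCK, "default_encryption": "AES256"},
    {"name": "finance-exports",          # what a compliant bucket looks like
     "grants": [], "public_access_block": FULL_BLOCK, "default_encryption": "aws:kms"},
]


def public_access_blocked(pab):
    """True only when all four public-access-block settings are on."""
    return pab is not None and all(pab.get(k) is True for k in PUBLIC_ACCESS_BLOCK_KEYS)


def check_bucket(bucket):
    """Return (severity, issue) pairs for one bucket, most severe first."""
    issues = []
    public_grant = any(g["grantee"] in PUBLIC_GRANTEES for g in bucket["grants"])
    blocked = public_access_blocked(bucket["public_access_block"])
    if public_grant and not blocked:
        # anyone on the internet (or any AWS account) can read: no authentication at all
        issues.append(("critical", "public ACL grant and nothing blocks it"))
    elif public_grant:
        issues.append(("medium", "public ACL grant present; only the public access block hides it"))
    if not blocked:
        issues.append(("high", "public access block not fully enabled"))
    if not bucket["default_encryption"]:
        issues.append(("high", "no default server-side encryption"))
    return issues


def audit_buckets(buckets):
    """Map bucket name -> list of (severity, issue)."""
    return {b["name"]: check_bucket(b) for b in buckets}


def worst_severity(report):
    rank = {"critical": 0, "high": 1, "medium": 2}
    found = [sev for issues in report.values() for sev, _ in issues]
    return min(found, key=rank.get) if found else None


if __name__ == "__main__":
    for name, issues in audit_buckets(BUCKETS).items():
        print(name, issues or "ok")
```

The second bucket shows why a scanner should report the grant even when the public access block currently neutralises it: the two settings are managed independently, and whoever later relaxes the block will expose the data without touching the ACL.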

5. Improperly Configured File and Directory Permissions

Hackers can sometimes guess file and directory names, in which case they can gather system information to orchestrate attacks. They might discover and download your compiled code, for example, and reverse engineer it to reveal your source code. This is, in part, a configuration issue. You can configure your servers with strict access permissions on files and directories and avoid easy-to-guess file and directory names. 

Getting Secure with Your Configurations

As we’ve seen, many types of security misconfigurations can expose your organization to cyber risk. Even the more innocent vulnerabilities can lead to serious security breaches – all it takes is a hacker to exploit a small mistake with default settings, a weak password, or a forgotten open port. SaaS environments are especially exposed to such vulnerabilities, as the complexity of hundreds of integrations makes for poor visibility and a lack of control over your system. 

Mitigation is possible with the right technology. Platforms like Suridata combine powerful SSPM with SSDR capabilities, helping you monitor your SaaS apps and quickly remediate vulnerabilities as they arise. Suridata scans for vulnerabilities automatically and provides you with detailed findings, their priority based on risk level, and automated remediation guidance. Get a demo to learn more.

Haviv Ohayon

Co-Founder & CPO


What is SSPM? 7 Building Blocks of SaaS Security Posture Management

Have you ever woken up at 2:00 AM, worried whether your company’s most sensitive data was safe? Or perhaps you worried about whether you had done everything required to comply with privacy laws and avoid unimaginable violations.

From HR to finance departments, companies run most of their workloads on third-party software. While there is no turning back on SaaS, we also can’t ignore that it opens up a can of security worms for your business. 55% of organizations experienced a SaaS security event in the last two years. And to make matters worse, mitigating these issues often falls outside the capabilities of traditional security tools. 

But that’s what SaaS Security Posture Management (SSPM) is here for. SSPM solutions give IT and security teams visibility into the security posture of their sprawling SaaS ecosystems—detecting vulnerabilities and, in some cases, offering automated remediation – both essentials in combating increasingly frequent SaaS threats. 

What is SaaS Security Posture Management (SSPM)?

SaaS Security Posture Management (SSPM) is a combination of tools, processes, and practices that aim to improve the security posture of SaaS environments. Security posture concerns an organization’s ability to defend its networks, information systems, and other digital resources. 

An organization that uses SaaS apps needs SSPM to protect its data and business operations. The average company now uses over a hundred SaaS apps (that they know of… which is a whole other problem). These apps store corporate data in ways that may not be secure—which tends to be opaque to IT and security teams. 


In contrast to traditional on-premises applications and databases, which security teams can relatively quickly defend and monitor, SaaS apps are freestanding. They’re operated by third parties, offering a wide latitude in security configuration to individual users. 

Implemented correctly, an SSPM solution helps mitigate the security risks inherent in SaaS and unique to the SaaS architecture. It extends an organization’s security posture into SaaS. Benefits include a lower risk of data breach and leakage from SaaS and less chance of SaaS compliance problems.

The challenges of implementing SSPM 

Making SSPM work can be challenging, primarily due to the sheer scale of most SaaS environments. If a company has five SaaS apps, admins can check each for compliance. If there are a hundred apps, however, admins will be overloaded and unable to check for compliance consistently. Establishing and maintaining visibility over configurations, user access, data placement, and third-party integrations can be challenging. 

A parallel problem comes from SaaS apps’ rapid development cycles. Each SaaS vendor will update its app regularly, perhaps as often as every few weeks. Each new version has the potential to break security controls and integrations, so the third-party plugin that was secure last week may no longer be. The plugins may also create security risks due to frequent updates and neglect. 

Only 10% of companies continuously conduct SaaS security configuration checks, and 5% don’t scan for misconfigurations. Without multidimensional visibility and monitoring, it is possible to miss threats and vulnerabilities that can negatively affect the SaaS security posture.


Compliance requirements can change, too, which may lead to specific SaaS configurations and data storage decisions causing compliance problems. Alternatively, SaaS providers may move your customers’ personally identifiable information (PII) between regions that don’t allow such moves, and you’ll be hard-pressed to know about it. 

There’s also the “shadow SaaS” issue, where employees sign up for SaaS apps independently and store corporate data on them without getting IT or security permission. This is more common than people realize and can be a significant security headache as it creates invisible risk exposure. A good SSPM solution will be able to scan for shadow SaaS and flag it for intervention by IT. 

7 Building Blocks of SaaS Security Posture Management

All effective SSPM solutions should offer a high degree of flexibility, scalability, and visibility into your SaaS environment. But there are other vital factors to consider: 

1. Automation

All SSPM solutions feature some degree of automation; the more automation, the better. With each SaaS app potentially having hundreds of settings and a user base that could span thousands of devices, human admins simply cannot keep up with the SaaS security workload. Ideally, teams will be free to analyze complicated SaaS security situations that arise while the bulk of security alerts and remediations occur automatically. This is possible with Suridata, which automates some of its SaaS security remediations, such as misconfigurations and version changes. 

2. Misconfiguration discovery and remediation

Misconfigurations are common in a SaaS environment and can lead to risk exposure. For example, if users keep the default settings on certain file-sharing SaaS apps, data stored on them may be accessible worldwide. An SSPM solution must offer deep visibility into all configurations, settings, and any built-in security controls that affect SaaS security posture. With the ability to discover SaaS misconfigurations, an SSPM solution can also identify SaaS apps that are not using multi-factor authentication (MFA) in critical accounts. It can flag unencrypted file sharing, which might cause risk exposure in certain use cases.  


3. Detection and remediation of insecure third-party integrations

Employees who use third-party plugins to integrate their SaaS apps with others can inadvertently expose sensitive data to unauthorized access, among other risks. The integration may seem innocuous, such as linking a SaaS-based customer relationship management (CRM) solution with a SaaS email program. The problem is that the email program will treat the CRM as a user who does not need to be authenticated after the initial connection is established. A malicious actor can exploit this connection channel to access the email account. 

SSPM solutions like Suridata offer a countermeasure. They provide an overview of each third-party integration’s source and give admins detailed information about all the various permissions granted via the plugin. This way, teams can detect “overprivileged” users—potentially shutting off their access until their access rights can be reviewed. 
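The permission review described above, as an added example that is not Suridata's code: it takes a constructed inventory of installed third-party integrations with the scopes each was granted and flags the ones holding high-risk scopes, the ones nobody has used for months, and the ones from unverified publishers. The scope names, inventory format, thresholds and suggested actions are assumptions of this example, not any SaaS vendor's API.

```python
"""Added example: review of third-party integration grants over a constructed
inventory. Scope names, record format and thresholds are assumptions."""

# Constructed inventory: one entry per installed integration.
INTEGRATIONS = [
    {"app": "crm-mail-sync", "publisher": "Acme CRM", "verified": True,
     "scopes": ["mail.read", "mail.send", "contacts.read"], "last_used_days": 2},
    {"app": "calendar-widget", "publisher": "unknown", "verified": False,
     "scopes": ["calendar.read", "files.readwrite.all", "directory.readwrite"],
     "last_used_days": 200},
    {"app": "doc-signer", "publisher": "SignCo", "verified": True,
     "scopes": ["files.read"], "last_used_days": 1},
]

# Scopes that let an integration act on far more than its own data (constructed names).
HIGH_RISK_SCOPES = {
    "files.readwrite.all": "read and modify every file in the tenant",
    "directory.readwrite": "create or change users and groups",
    "mail.send": "send mail as the connected user",
}
STALE_AFTER_DAYS = 90


def review_integrations(integrations):
    """Return one finding per risky integration, most severe first."""
    rank = {"critical": 0, "high": 1, "medium": 2}
    findings = []
    for app in integrations:
        risky = [s for s in app["scopes"] if s in HIGH_RISK_SCOPES]
        stale = app["last_used_days"] > STALE_AFTER_DAYS
        if risky and (stale or not app["verified"]):
            # broad powers held by something unused or unvetted: cut access first, ask later
            severity, action = "critical", "suspend the grant until an owner reviews it"
        elif risky:
            severity, action = "high", "confirm each high-risk scope is needed"
        elif stale:
            severity, action = "medium", "remove the unused integration"
        else:
            continue
        findings.append({"app": app["app"], "severity": severity, "action": action,
                         "risky_scopes": risky, "stale": stale,
                         "reasons": [HIGH_RISK_SCOPES[s] for s in risky]})
    findings.sort(key=lambda f: (rank[f["severity"]], f["app"]))
    return findings


if __name__ == "__main__":
    for f in review_integrations(INTEGRATIONS):
        print(f"{f['severity']:<9} {f['app']:<16} {f['action']} ({', '.join(f['reasons']) or 'unused'})")
```

The "reasons" field turns a scope string into the plain-language consequence an admin needs when deciding whether the CRM really has to be able to send mail on a user's behalf; that translation is most of the value of the overview the section describes.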

4. IAM and user monitoring

Your SaaS security posture benefits from your team’s firm understanding of who is who and who can access what. Indeed, almost any security breach is possible without such control and will be challenging to detect or respond to. For these reasons, an SSPM solution must integrate with IAM solutions and other access control tools that enable zero trust security, such as privileged access management (PAM) suites. When combined with the SSPM solution’s user activity monitoring, the result is an effective countermeasure against SaaS penetrations by malicious actors. 


5. Data exposure analysis 

The ability for end users to store data in hard-to-monitor or unknown SaaS locations represents a significant point of vulnerability and a source of compliance violations. An SSPM solution has to automatically scan for data stored in SaaS apps and detect threats; this process should work preventatively and forensically. The SSPM solution should identify corporate data that users have placed on SaaS apps and determine who has access to it and who can share it. If there is a breach, SSPM solutions like Suridata can analyze the impact on data sets stored on SaaS apps—recommending actions to limit the damage. 

6. Threat detection and response

Like other information systems, SaaS apps need protection that activates threat detection and response processes. SSPM solutions need to monitor all SaaS apps for suspicious activities, including, for instance, detecting a user who has logged in from a foreign country and attempted to download a great deal of data. Suridata offers this capability, along with automated alerts and other incident response tasks. 
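The detection just described, as an added example that is not Suridata's code: it parses a constructed SaaS audit log, raises a high alert when a user logs in from a country outside that user's baseline and then downloads a large volume within a short window, and a medium alert for the unusual-country login on its own. The log format, per-user baselines and thresholds are assumptions of this example.

```python
"""Added example: unusual-country login followed by bulk download, detected
over a constructed audit log. Format, baselines and thresholds are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log lines: timestamp,user,event,country,bytes
AUDIT_LOG = """\
2024-05-05T08:01:00Z,alice,login,US,0
2024-05-05T08:05:00Z,alice,download,US,2500000
2024-05-05T21:12:00Z,alice,login,RO,0
2024-05-05T21:15:00Z,alice,download,RO,900000000
2024-05-05T21:20:00Z,alice,download,RO,700000000
2024-05-05T09:00:00Z,bob,login,DE,0
2024-05-05T09:30:00Z,bob,download,DE,1800000000
2024-05-05T10:00:00Z,carol,login,FR,0
2024-05-05T10:02:00Z,carol,download,FR,1000000
"""

# Countries each user normally signs in from (in practice built from login history).
BASELINE_COUNTRIES = {"alice": {"US"}, "bob": {"DE"}, "carol": {"US"}}
WINDOW = timedelta(hours=1)
BULK_BYTES = 1_000_000_000   # 1 GB within the hour after login counts as bulk


def parse_log(text):
    """Turn the CSV-style lines into event dicts with real timestamps."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, event, country, nbytes = line.split(",")
        events.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       "user": user, "event": event, "country": country,
                       "bytes": int(nbytes)})
    return events


def detect(events, baseline, window=WINDOW, bulk=BULK_BYTES):
    """Return alerts for logins outside the user's baseline countries, rated high
    when bulk download from that country follows within the window."""
    alerts = []
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        for i, e in enumerate(evs):
            if e["event"] != "login" or e["country"] in baseline.get(user, set()):
                continue
            # volume pulled from the same country in the window after this login
            total = sum(d["bytes"] for d in evs[i + 1:]
                        if d["event"] == "download"
                        and d["country"] == e["country"]
                        and d["ts"] - e["ts"] <= window)
            alert = {"user": user, "country": e["country"], "at": e["ts"], "bytes": total}
            if total >= bulk:
                alerts.append({**alert, "severity": "high",
                               "rule": "unusual-country login followed by bulk download"})
            else:
                alerts.append({**alert, "severity": "medium",
                               "rule": "login from country outside user baseline"})
    return alerts


if __name__ == "__main__":
    for a in detect(parse_log(AUDIT_LOG), BASELINE_COUNTRIES):
        print(a["severity"], a["user"], a["country"], a["bytes"], a["rule"])
```

Note what the rule deliberately does not catch: bob's 1.8 GB download from his usual country raises nothing here, because this rule keys on the combination the section describes. A standalone volume rule, with its own (higher) threshold, is the natural companion, and the per-user baseline is what keeps a traveling employee from tripping the alert every week.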

7. SecOps integration

SSPM should be part of a broader security and IT management workflow set. A security alert regarding a SaaS app is like any other security alert – it must be routed to a human analyst and handled under a planned incident response plan, or go through an automated response workflow. Either way, this can only happen if the SSPM solution is integrated with ticketing systems and security operations (SecOps) tools such as security orchestration, automation, and response (SOAR) and ITDR platforms.


Given that the overriding goal in SecOps is to minimize drains on people’s time, the SSPM solution will ideally support automated remediations. If the solution can fix a problem without human hands, that’s the best outcome. On a related front, the SSPM solution should prioritize SaaS security alerts—focusing analysts’ attention only on the most serious. The SSPM solution would also provide remediation guidance for each alert. The path to correcting a security problem may not be evident to everyone. Solutions like Suridata benefit from collective experience in SaaS security to guide security analysts in their remediation efforts.

Getting to a strong SaaS security posture

A robust SaaS security posture is attainable but will take a lot of groundwork and the right tools. SSPM solutions like Suridata can make your SaaS security journey much more seamless, offering you the automation capabilities to monitor all your SaaS apps, including the ones you didn’t even know your employees were using. With the detection and remediation of insecure third-party integrations, monitoring for anomalies, and integrating with IAM, you can mitigate many of the most severe threats affecting SaaS and the business operations that depend on it. To learn about Suridata’s SSPM solution, visit our demo page.

Haviv Ohayon

Co-Founder & CPO
