13 Essential Steps to a Secure Salesforce Environment

Salesforce has been so successful that we tend to forget what a breakthrough it was when it debuted 25 years ago. At the time, people were skeptical that they could get enterprise-grade functionality on a browser. They were mistaken. 

As the leading customer relationship management (CRM) platform, Salesforce is a testament to the innovation and agility SaaS apps bring to businesses. However, there are still risks, particularly when it comes to security. 

39% of companies that use SaaS have experienced data breaches. Salesforce’s extensive integration capabilities, massive partner marketplace, and customization through purpose-built programming languages further exacerbate its cyber vulnerabilities. 

Why you need to invest in Salesforce security 

Salesforce is a highly professional organization that takes security seriously. However, the platform carries several areas of vulnerability, some standard for any SaaS app and some particular to Salesforce. CRM apps like Salesforce hold sensitive data such as customers’ personally identifiable information (PII), financial details, and geolocation. Failing to secure that data increases the risk of its being compromised by malicious actors and insiders. 

This problem is not different from what happens with other SaaS apps, but Salesforce’s deployment is usually so broad and interconnected in an organization that it amplifies the risk. Likely, every sales, marketing, and customer support person and their respective managers have access to Salesforce. That’s a large number of accounts that attackers can hijack. Plus, any extra person accessing this data increases the risk of insider threats.

Salesforce security should, at a minimum, be part of your SaaS security best practices. However, Salesforce deserves extra attention because of the potential business impact of a security incident in this app. 

Salesforce customers like Ohio’s Huntington Bank and the State of Vermont are dealing with the reputational fallout and expense of data leakage from the Salesforce Communities they set up. Securing your Salesforce app can prevent large-scale data breaches that often result in reputational damage, financial loss, and legal consequences. 

The most common security risks of Salesforce

Custom code vulnerabilities

Salesforce customers can create custom-coded functions with its Java-like Apex programming language. Apex enables developers to build apps that call on the Salesforce backend database. While useful, Apex classes can expose sensitive Salesforce data to unauthorized database calls made through its application programming interface (API). This is of particular concern if an Apex class is declared “without sharing,” a setting under which the class runs without enforcing the running user’s record-sharing rules, so it can read records the user could not otherwise access and change them. 

Configuration weaknesses

You can configure Salesforce in ways that expose data to overly broad access. For example, the Salesforce Community module, which lets an organization set up public-facing sites for its own customers, can be configured to allow database access for guest users. Done wrong, this can easily lead to serious security misconfiguration vulnerabilities that facilitate data leakage.  

Integration risks with third-party applications

Salesforce is usually integrated with email systems, enterprise resource planning (ERP) platforms, and accounting systems, making it a gateway for attacks. The platform integrates with thousands of applications, many created using Salesforce developer tools and APIs. As a result, the potential for improper access and malicious activities on the platform is extremely high.

Social engineering attacks

This threat is not unique to Salesforce. However, the breadth and scope of the app in most organizations makes it an attractive target for hackers who impersonate work colleagues to pry access credentials and other data loose from unsuspecting users and take over their accounts. 

API vulnerabilities

Salesforce publishes numerous APIs that give other applications access to data and functionality on the Salesforce platform. While beneficial in business terms, the APIs create risk. One example is problems with object- and field-level security, where developers might generate an API call that does not consider which specific fields are accessible, updatable, or deletable on the object invoked by the API. Significant risks also arise with the creation of third-party applications that invoke the Salesforce API but are themselves security deficient.

13 Essential Steps to a Secure Salesforce Environment

User Management & Permissions

1. Adopt the principle of “Least Privilege”

A Salesforce user should have the fewest possible access privileges. Applying this principle requires thinking and planning about user roles and what each role can access and clearly defining this in an Identity Governance framework. The “Least Privilege” principle should apply to system admins and developers working on custom Salesforce apps. 

2. Implement strong passwords & MFA

The ability for Salesforce users to log in from anywhere, on virtually any device, is great for productivity but disastrous for security. Requiring strong passwords and multi-factor authentication (MFA) can help reduce the risk of malicious actors gaining access by guessing passwords or using stolen login credentials. Salesforce has its own native MFA feature, but customers can also use third-party solutions like Okta and Duo for this purpose. 

3. Disable inactive users

Inactive user accounts are ripe for takeover by attackers. It’s wise to purge former employees, or people who no longer need access to Salesforce, from the user rolls. This should not be a manual process but take place automatically through integration with identity management solutions that manage the provisioning and de-provisioning of all system access for employees.

4. Integrate Salesforce with IAM solutions

Salesforce has its own self-contained user management system. However, you shouldn’t let Salesforce become an identity silo, with a Salesforce admin taking care of provisioning and deprovisioning access. 

Instead, integrate Salesforce with your organization’s identity and access management (IAM) solution, such as Microsoft Active Directory. This integration lets you switch Salesforce access on or off centrally when employees join or leave the company or change roles. 

Allowing single sign-on (SSO) is a variant of this approach, enabling users to log in once and then automatically be signed in to Salesforce and other apps. Salesforce enables SSO through integrations with Okta, Duo, and many other SSO solutions. 

5. Map organizational structure and roles to Salesforce access rules

Salesforce functionality and access privileges are hierarchical. For example, a Sales Manager can see the activities of her direct reports. It is a good practice to map your organizational structure carefully to Salesforce role definitions and privileges. 

Data and Application Security

6. Implement field-level security

If you are using Apex code or Salesforce APIs, it’s wise to implement field-level security. This control forces you to decide which fields are exposed to access by the API or Apex classes. It is a countermeasure against exposing sensitive data to breaches.

7. Implement Data Loss Prevention (DLP)

Data Loss Prevention (DLP) for Salesforce can take various forms. Still, it mainly involves policies and processes like role-based access control (RBAC) and regular backups, which you can do using tools like Veeam. You should also implement data encryption as part of your DLP plan. Salesforce offers the Shield Platform Encryption feature, which encrypts data at rest on the Salesforce platform.

8. Mitigate third-party application risk

Third-party apps pose a significant threat to Salesforce, partly because Salesforce has little control over the quality of development and security of the third-party integration plugins that connect to its platform. SaaS security solutions like Suridata can scan for third-party plugins and flag integrations that may create risk in the Salesforce environment.

9. Engage in secure app development

If you’re developing applications for Salesforce using Apex or other developer tools, you should use secure development practices by leveraging approaches like the DevSecOps methodology. You should also review any AppExchange app for security before allowing anyone to implement it in your Salesforce environment. 

10. Build an IP allowlist

Salesforce enables IP allowlisting natively. This countermeasure allows you to restrict the range of Internet Protocol (IP) addresses that can access Salesforce, e.g., only IP addresses in North America. 

11. Focus on API security

APIs are a significant attack surface for Salesforce, so you should define and enforce security policies that reduce API-based vulnerabilities. This process may align with your organization’s existing API security and governance programs, so it may not be necessary to spin up API security just for Salesforce. 

Possible countermeasures include:

  • Scanning for “rogue” or abandoned Salesforce API integrations.
  • Managing API access.
  • Using IAM and privileged access management (PAM) solutions.
  • Using API security tools to discover APIs vulnerable to injection attacks. 

Monitoring & Logging

12. Create audit trails

Audit trails may not be a priority if you’re a small to medium company. However, generally, it’s helpful to create audit trails for review by stakeholders that range from executives to internal auditors and external regulators. Salesforce enables this capability natively in its Audit Trail Tab. 

13. Develop and test incident response processes

Salesforce security incidents are not that uncommon, so it pays to be prepared. An incident response process for Salesforce might be the same as you have for other SaaS apps. SaaS security solutions like Suridata offer SaaS detection and response (SSDR) capabilities, so you can leverage those to automate your incident response workflows and solve vulnerabilities promptly. 

Making Salesforce Secure

In a perfect world, your SaaS security measures would cover all risks affecting your Salesforce environment. However, the reality is that Salesforce is so far-reaching in the average organization and so profoundly interconnected that it embodies a unique level of risk. For this reason, you should review your Salesforce security, taking concrete steps to manage user access and permissions, protect data, and monitor Salesforce for signs of attack.

Suridata’s SaaS security solution can help you here. Suridata monitors user activities, checks for insecure configurations across all systems layers, and conducts granular vulnerability assessments. Plus, you get real-time alerts and in-depth vulnerability information to activate the correct workflows. Learn more here.

Haviv Ohayon

Co-Founder & COO


The InfoSec Guide to the 10 Types of Information Security Controls

Have you ever managed to extract a file folder from a locked filing cabinet? Most likely not. That lock is a simple example of an information security control. Computers are no different, except that information security controls today are significantly more sophisticated. 

And they need to be, as cyber threats are causing massive disruptions worldwide. Ransomware incidents increased by a staggering 60% from 2022 to 2023. There was also a 49% jump in overall cybercrime losses, from $6.9 billion in 2021 to $10.3 billion in 2022.

Information security controls help detect cyber threats, prevent them from damaging information assets, and correct damage if it occurs. 

The 3 Principles of Information Security 

Understanding information security controls must begin with understanding the purpose of information security. The term “Information Security” (InfoSec) dates back to old-school nerdiness in the era of crewcuts and pocket protectors. As prehistoric as these people may have been, they had a clear and still extremely useful way to define the purpose of InfoSec.

They came up with three core goals for information security:

  • Confidentiality—Information security efforts should endeavor to keep information private, ensuring that only those with permission can access a given data set.
  • Integrity—The information in computer systems should have integrity, meaning that users can be confident that it has not been modified or selectively deleted by accident or malicious act.
  • Availability—Information should be available to users to the greatest extent possible, ideally 100% of the time. 

The three goals are known as the “CIA Triad.” They underpin nearly every aspect of cybersecurity and form the foundation for information security controls. Today, the CIA Triad applies to software, data storage, networks, cloud-based systems, SaaS security, and virtually any other digital asset in cyberspace. 

What are Information Security Controls?

An information security control is a safeguard that realizes some aspect of the CIA Triad. For confidentiality, for example, you might implement a control that uses an identity and access management (IAM) system to block unauthorized users from data you want to keep confidential. 

Some organizations set up their controls under a control framework, such as the National Institute of Standards and Technology (NIST) Cybersecurity Framework (NIST CSF) or ISO 27001. These frameworks suggest dozens of controls, and consultancies and auditors work with organizations on their implementation. 

Each information security control has a “Control Objective,” which states the purpose of the control. For example, NIST CSF has a control for “Identity Management and Access Control (PR.AC),” whose objective holds that “Access to physical and logical assets and associated facilities is limited to authorized users, processes, and devices, and is managed consistent with the assessed risk of unauthorized access.”

Following the control objective, each control has a set of control activities that realize the objective. PR.AC, for instance, has six sub-categories of control activity that support fulfilling the control objective. One of these sub-categories is PR.AC-1, which requires an organization to deploy a solution so that “Identities and credentials are issued, managed, revoked, and audited for authorized devices, users, and processes.” In practice, this means some sort of IAM system.

It may seem overly elaborate to require a control objective and a list of control activities to operationalize the CIA Triad. A small organization might not need to go through the whole hassle. However, working off an information security controls framework is beneficial for most organizations. The framework provides a coherent and complete approach to implementing controls that make the CIA Triad do its job of protecting your data. 

Without the coherence and thoroughness of a framework and its associated objectives and activities, you’ll likely have control gaps that create risk exposure. 

10 Types of Information Security Controls

Getting more granular, there are three categories of control functions: Preventive, detective, and corrective. These control functions deal with preventing attacks on information assets, detecting attacks, and correcting the effects of attacks, respectively. Controls also vary by type, with some controls being physical, such as locks; technical, such as web application firewalls; and administrative, such as data access policies. 

Effective cybersecurity posture comes from deploying a well-thought-through and balanced mix of these functions and types. Controls may be layered, supporting a “defense in depth” security strategy. With that in mind, here are ten types of information security controls that are common across the three control functions:

Preventative Controls 

1. Access controls

Access controls prevent the wrong people from accessing data, networks, SaaS apps, and other system components. They are crucial because unauthorized access is one of the most common cyber risks. Many IAM tools can help you build a robust identity governance framework and implement comprehensive access controls such as multi-factor authentication (MFA) or behavior analytics.

2. SaaS security controls

SaaS apps are new territory for information security controls, mainly because traditional controls don’t cover SaaS well. For example, you can have a practical set of access controls for your network, but they won’t do much to prevent a malicious actor from logging into a SaaS app. 

SaaS apps have their own built-in access management features. These apps will remain vulnerable unless you deploy specialized SaaS security tools that map the established access control list to SaaS. 

Other preventive cyber security controls specific to SaaS include monitoring and remediating misconfigured SaaS apps that are exposed to threats, and policy-based controls that govern who has administrative back-end access to SaaS apps.

3. Data protection controls

Cyber attackers tend to be after data to steal, spy on, or ransom it. Data protection controls like data monitoring and data encryption are, therefore, among the more critical information security controls in force at an organization. Data encryption, for instance, makes data unusable to attackers, preventing the worst outcome of a data breach. 

Ransomware protections, such as immutable backups and logical air gaps, are preventive data protection controls. They make it harder for a ransomware attacker to achieve his objective of encrypting data and ransoming it.

4. Patch management

Some of the worst cyber attacks exploit vulnerabilities that could have been fixed with software patches but weren’t. A patch management regimen is a preventive policy-based control to reduce the likelihood of this outcome. It is usually implemented through a combination of processes and tools. For example, the policy may require you to apply all software patches as they are announced. In practice, this encompasses patch testing and patching prioritization. 

Detective Controls

5. Intrusion detection controls

Intrusion detection controls aim to discover when an attacker is trying to gain unauthorized entry into a system—and then alert the right people or even mitigate the threat automatically. Many intrusion detection systems (IDSs) can fulfill the control objective, though some suffer from false positives and excessive alerting. The new generation of IDSs uses AI to improve accuracy by flagging only actual intrusion attempts.

6. Anomalies and events detection controls

It may be possible to detect an attack by analyzing events occurring in the IT estate and flagging anomalies for investigation. For example, suppose a user located in the United States appears to be logging into a SaaS app from Europe. In that case, that anomaly might indicate that an attack is underway. 

Detective controls in this category may monitor device logs (think of network firewalls or endpoints) and flag suspicious activities for security analysts to examine. Some advanced threat detection tools will automatically mitigate the threats they detect, such as quarantining a device.
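The anomaly the article describes (a user whose home location is the United States logging in from Europe) can be checked mechanically over login records. The block below is an added example, not the article's or Suridata's code: it flags foreign-country logins and the related "impossible travel" case (the same user succeeding from two regions within a short window). The user directory, region grouping and LoginHistory-style rows are all constructed for the example.

```python
"""Added example: flag SaaS login anomalies over constructed login records.
Field names loosely follow a LoginHistory-style export but are assumptions."""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed home country per user, e.g. from the HR system or IAM directory.
HOME_COUNTRY = {
    "alice@example.com": "US",
    "bob@example.com": "US",
    "carol@example.com": "DE",
}

# Countries treated as one travel region: a Berlin-to-Paris hop within an
# hour is plausible, US-to-France is not. Grouping is an assumption.
EUROPE = {"DE", "FR", "NL", "GB", "IE", "ES", "IT"}

# Shortest plausible interval between successful logins from different regions.
MIN_TRAVEL_GAP = timedelta(hours=6)


@dataclass(frozen=True)
class Login:
    user: str
    when: datetime
    source_ip: str
    country: str      # resolved from source_ip by a geo lookup upstream
    status: str       # "Success" or a failure reason


@dataclass(frozen=True)
class Finding:
    user: str
    kind: str         # "foreign-country" or "impossible-travel"
    detail: str


def region(country: str) -> str:
    """Collapse European countries into one region; others stand alone."""
    return "EU" if country in EUROPE else country


def detect(logins):
    """Return findings for the given login events, processed oldest first."""
    findings = []
    # Successful logins only; failed attempts are a separate signal.
    ok = sorted((l for l in logins if l.status == "Success"), key=lambda l: l.when)
    last_ok = {}   # user -> most recent successful Login seen so far
    for l in ok:
        home = HOME_COUNTRY.get(l.user)
        if home is not None and region(l.country) != region(home):
            findings.append(Finding(l.user, "foreign-country",
                f"{l.when:%Y-%m-%d %H:%M} login from {l.country} "
                f"({l.source_ip}); home is {home}"))
        prev = last_ok.get(l.user)
        if (prev is not None and region(prev.country) != region(l.country)
                and l.when - prev.when < MIN_TRAVEL_GAP):
            findings.append(Finding(l.user, "impossible-travel",
                f"{prev.country} at {prev.when:%H:%M} then {l.country} at {l.when:%H:%M}"))
        last_ok[l.user] = l
    return findings


# Constructed sample: alice (home US) succeeds from the US, then from France
# 40 minutes later; bob's German attempt fails; carol moves within Europe.
T0 = datetime(2024, 3, 4, 9, 0)
SAMPLE_LOGINS = [
    Login("alice@example.com", T0, "198.51.100.7", "US", "Success"),
    Login("alice@example.com", T0 + timedelta(minutes=40), "203.0.113.9", "FR", "Success"),
    Login("bob@example.com", T0 + timedelta(hours=1), "198.51.100.8", "US", "Success"),
    Login("bob@example.com", T0 + timedelta(hours=2), "203.0.113.10", "DE", "Failed: invalid password"),
    Login("carol@example.com", T0, "203.0.113.11", "DE", "Success"),
    Login("carol@example.com", T0 + timedelta(hours=1), "203.0.113.12", "FR", "Success"),
]

if __name__ == "__main__":
    for f in detect(SAMPLE_LOGINS):
        print(f"{f.kind:18} {f.user}: {f.detail}")
```

Only alice's French login is reported, once as a foreign-country login and once as impossible travel; carol's move from Germany to France stays inside one region and is not flagged.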

7. Vulnerability and misconfiguration scanning

Devices and applications must be configured for security. For example, you can “harden” a server by limiting who can install new software. It is very possible, unfortunately, for a device or application to be misconfigured, making it vulnerable to threats. 

This is a particular concern with SaaS because each SaaS app has its own security configurations, and in many cases, individual end users can change these configurations. They can, for example, make data accessible to anyone, not just employees of the organization. 

SaaS security platforms like Suridata can facilitate the implementation of this control by enabling system owners to scan multiple SaaS apps and detect security misconfiguration vulnerabilities that expose the apps to risk. 

Corrective Controls 

8. Incident response plans

An incident response plan is a corrective control that counteracts the impact of a cybersecurity incident. Like most corrective controls, it works in tandem with a detective control. When a detective control signals that an incident has occurred, that triggers the incident response plan, which corrects the incident by quarantining compromised endpoints, reinstalling infected software, or notifying key stakeholders. 

9. Disaster recovery plans

Disaster recovery plans are a vital part of any cyber threat intelligence framework. The control objective of disaster recovery (DR) plans is to support the availability of systems and data. A good DR plan restores data and system functionality in a cyberattack or any other event that causes an outage.

10. Data backups

A data backup serves as a corrective control in case of a data breach or outage affecting data availability. By backing up data and providing the ability to restore it in the wake of an attack, the control mitigates the effect of the breach and realizes the control objective of data availability. 

Getting The CIA Triad Under Control, Everywhere

Information security controls are essential for preventing, detecting, and correcting security incidents that adversely affect data and systems’ confidentiality, integrity, and availability. Whether you implement them ad hoc or endeavor to operationalize a large-scale controls framework like NIST CSF, you will always be dealing with the same issues: What is the control objective, and what activities will it take to attain it?

SaaS can be a challenging environment for information security controls. Apps are freestanding and delivered by external entities. Individual end users may be able to set their controls—often at odds with organizational security policy and even common sense. 

New SaaS security solutions like Suridata can improve this risky setup.  By monitoring the entire SaaS environment and flagging data at risk and insecure misconfigurations, they provide the basis for defining and implementing information security controls for SaaS apps. Learn more about Suridata.

Haviv Ohayon

Co-Founder & COO


7 Essential SaaS Security Best Practices

If your organization is like most, you probably use over a hundred SaaS applications. SaaS apps offer convenience, instant access to pre-built and easily deployable features, and flexibility to meet changing business needs. However, the more SaaS apps you connect to, the bigger your security gaps.  

58% of organizations estimate their current SaaS security solutions only cover 50% or less of their SaaS applications. Even if you have robust controls and cybersecurity technologies on-premises and in the cloud, they are unlikely to cover the usage of your SaaS apps. 

What is SaaS security?

SaaS security comprises a collection of controls, policies, and practices to protect SaaS data and systems. Each SaaS app typically has its own security controls, many of which end users can configure. This flexibility opens the door to various security gaps and misconfigurations, which can be used to launch cyberattacks. This challenge is exacerbated by the fact that users can access SaaS apps from devices anywhere in the world.

Until recently, companies have been able to live with the SaaS tradeoff: you get the benefits of SaaS, but security can be a troubling afterthought. However, rising SaaS threats like ransomware, Cross-Site Scripting (XSS), and Man-in-the-Middle (MitM) attacks are pressuring IT managers to improve their SaaS security strategy.

SaaS security in 2024: The top challenges

1. Shadow SaaS

Shadow SaaS, a subsegment of Shadow IT, refers to employees using SaaS apps without IT approval or awareness. For example, employees may set up a SaaS account using a credit card and add corporate data to that app without notifying the IT department or security team. 

It’s a highly problematic occurrence, as it can lead to data breaches, loss of confidential data, and exposure to cyber-attacks. Plus, because the relevant teams are unaware of the usage of this app, response to potential vulnerabilities may be delayed. 

[Figure: Risks from Shadow IT]

2. Insecure SaaS configurations

Each SaaS app is hosted and managed by a separate company, so it can be configured separately. The end user can often choose how to configure their security settings. Without appropriate security training, employees may unintentionally set up the wrong configurations and open doors to data exposure or unauthorized access. Other misconfiguration risks include not updating the app’s default settings, permitting easy-to-guess passwords, and not requiring Multi-Factor Authentication (MFA). 

3. Lack of visibility into third-party risks

SaaS apps are often integrated with third-party systems, including other SaaS apps. These integrations, typically done with plugins, are a significant source of SaaS risk. Malicious actors can use vulnerable plugins to penetrate SaaS apps, steal data, or damage the system. 

Gaining complete visibility into your vendor’s systems and other connected third parties is challenging. However, companies can remediate this lack of transparency by implementing robust third-party risk management. This strategy ensures vendors have the tools and processes to restrict user access, protect user data, and comply with relevant regulations such as GDPR, SOX, HIPAA, or CCPA. 

4. Insider threats

Employees can pose a threat to your SaaS security as they can to other digital assets. The difference is that with SaaS, it can be much harder to track who is doing what, and insiders can exfiltrate data before anyone finds out. Sometimes, the threat is accidental, such as when an employee moves data to a SaaS app without realizing it’s against the company’s policy. In more extreme and infrequent cases, disgruntled employees may misuse their access to seek revenge and sabotage systems. 

[Figure: Insider threat consequences]

5. Potential compliance violations

If your organization doesn’t have visibility into corporate data stored on SaaS apps, it risks violating regulations and industry frameworks that protect consumer privacy. Some of the most notable regulations, like GDPR, CCPA, and PIPEDA, require proof that you have the security tools and systems to protect user data. 

6. Poor access control management (IAM)

Without centralized identity and access management (IAM), SaaS users log into each app’s separate access control system independently. You can quickly have a situation where a hundred SaaS apps comprise a hundred different access management systems, and it becomes impossible to know who has access to what. One of many risks inherent in this scenario is unintentionally enabling former employees to still log in to your apps and get their hands on confidential data. 

7 Essential SaaS Security Best Practices

1. Implement Centralized User Authentication and Access Controls

Your SaaS security posture will improve dramatically if you can control who has access to each SaaS app and what privileges they have once logged into it. Integrating your IAM solution into each SaaS app will enable you to build a unified identity governance framework and centrally define access rights and privileges. For example, you could integrate Microsoft Active Directory with Salesforce.com, Workday, or HubSpot. Alternatively, you could deploy a purpose-built solution.


2. Scan (and train) for Shadow SaaS

Shadow SaaS creates risk exposure across multiple dimensions. Employees may place sensitive data on SaaS apps without proper controls, or they may not set up adequate security protections, like MFA and data encryption. Worst of all, no one in IT or security knows about it. 

Training can help reduce the potential for Shadow SaaS to occur. While it isn’t a bulletproof solution, it is wise to make employees aware that setting up their own SaaS accounts is a bad practice. Continuously scanning for Shadow SaaS is an even better solution. Using specialized tools like the Suridata SaaS security platform, you can monitor endpoints for activities that reveal the presence of Shadow SaaS accounts. The platform can then alert the right people and recommend remediations.

3. Include SaaS in Your Security Incident Response and Recovery Plans

Suridata’s research revealed that 88% of organizations have had a SaaS security incident. Even if you’re part of the lucky 12%, you should still adopt preventative cybersecurity controls and ensure you can respond and recover from a security incident should it occur. 

The Security Operations Center (SOC) team should create an incident response playbook for a SaaS security incident. The playbook, which could be entered into a Security Orchestration Automation and Response (SOAR) solution, might include steps like isolating affected endpoints, contacting the SaaS provider to determine the cause of the incident, tracking the vendor’s recovery efforts, and notifying internal stakeholders like your legal department. 


4. Conduct SaaS Vendor Security Assessments

Subscribing to a SaaS app is more than just a technology integration; it’s a business relationship. You’re working minute by minute with another company, often with your most critical information assets at stake. You want to work with the right SaaS vendors and trust them to protect your assets. 

For this reason, it’s a best practice to conduct a SaaS vendor security assessment as part of the procurement process. You could ask the vendor for specifics on securing their data centers and infrastructure, encryption and MFA options, or whether they have passed a SOC2 audit and other key certifications. 

5. Vet Your Third-Party SaaS Integration Plugins

Third-party integration plugins are a potential source of vulnerability, so it’s wise to vet these plugins for security. You will want to look at factors like the level of support, security features like data encryption, and data storage and retention practices. 

Sometimes, a software company releases a SaaS plugin but then abandons it. Eventually, this plugin will get outdated and insecure. Even just looking at a plugin’s age may inform your decision on whether or not you should integrate it into your software. If a new version of this plugin hasn’t come out in about three years, it may be best to raise some questions and consider your decision further. 

6. Continuously Monitor Your Entire SaaS Environment

One of the biggest problems in SaaS security is a lack of visibility into what’s happening across multiple SaaS apps. A vital best practice is to implement continuous monitoring of the entire SaaS environment. This might mean monitoring user sessions to detect suspicious activities and verifying that third-party integration plugins are secure or that security configurations are not creating risk exposure. 

Due to the extensibility of your SaaS apps, it’s virtually impossible to monitor this activity manually. Therefore, you should consider using a comprehensive SaaS security posture management (SSPM) platform or equivalent.


7. Map SaaS to Your Compliance Programs

SaaS must be part of any compliance process involving financial transactions, health information, and privacy. Compliance teams should know where SaaS apps store data relevant to regulations and industry compliance frameworks like PCI-DSS. 

SaaS system owners also need to understand where their apps intersect with compliance. For example, a SaaS-based Enterprise Resource Planning (ERP) application may be subject to rules regarding financial controls, which prevent the same user from issuing a purchase order and approving a payment to that vendor. In that case, the SaaS owner must show that user permissions on the app adhere to such controls.

Getting Started in Securing Your SaaS Apps 

The risks of a data breach or comparably bad incident are too high for SaaS security to be neglected. Centralizing user authentication and access controls, continuously monitoring the entire SaaS environment, and protecting your SaaS data through encryption are just some of the steps you can take today to fortify your SaaS security posture. 

Tools like Suridata can help you gain visibility across all your SaaS apps, enabling you to spot hidden misconfigurations and vulnerabilities and address these in real-time. By automating SaaS monitoring, threat detection, and response, you can take a proactive approach to SaaS security and develop a sustainable and efficient remediation plan. Request a demo here. 

Haviv Ohayon

Co-Founder & COO


The Inside Story of Cloudflare’s Battle Against an Auth Token Breach and How It Could Have Been Prevented

Last October, Okta, the $1.8 billion identity and access management (IAM) giant, revealed that it had been targeted in a complex and multifaceted cybersecurity attack that exposed vulnerabilities in the company’s digital identity security. The attack highlights the risks associated with managing sensitive user data. It also demonstrates the necessity of robust digital SaaS identity security measures, along with the importance of rapid detection, communication, and response to those kinds of threats. This article looks at what happened and how it could have been prevented.

First, to truly understand the Cloudflare breach, we need to see the timeline of events:

October 2023: Okta Breach

Early October: Okta’s breach occurred, resulting in the compromise of various customer credentials, including those belonging to Cloudflare.

The breach began with an attack that exploited a stolen cookie from Okta’s support system, leading to unauthorized access to Okta’s support case management system. This system, separate from the main Okta service, is used for managing customer support tickets and related data, which includes sensitive HTTP Archive (HAR) files containing cookies and session tokens crucial for maintaining user sessions.

The breach led Okta to revoke session tokens embedded in shared HAR files, disable the compromised service account, and implement measures to prevent employees from signing into personal accounts on Okta-managed devices. These steps were part of Okta’s broader effort to enhance security and combat the threat of session token theft against administrators. Those crucial measures can be performed through a centralized SaaS Security platform, such as Suridata.
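A HAR file shared with a support desk carries the live session state described above, so the defensive step is to strip it before the file leaves the browser owner's hands. The following sanitizer is an added example, not code from Okta, Cloudflare or Suridata; the header and parameter names it redacts are a reasonable starting list, not a complete one, and the sample HAR is constructed.

```python
import copy
import json

# Header names whose values carry credentials or session state.
SENSITIVE_HEADERS = {"cookie", "set-cookie", "authorization",
                     "proxy-authorization", "x-api-key", "x-csrf-token"}
# Query-string / form parameter names that commonly carry tokens.
SENSITIVE_PARAMS = {"token", "access_token", "id_token", "refresh_token",
                    "session", "sessionid", "sid", "code"}
REDACTED = "[REDACTED]"


def _redact_pairs(pairs, names):
    """Redact the 'value' of every {name, value} pair whose name is in `names`."""
    hits = 0
    for pair in pairs:
        if pair.get("name", "").lower() in names and pair.get("value") != REDACTED:
            pair["value"] = REDACTED
            hits += 1
    return hits


def sanitize_har(har):
    """Return (sanitized copy, number of redactions) for a parsed HAR 1.2 document.

    Headers, cookies, query parameters and form fields named in the sets above are
    blanked on both the request and the response side of every entry. Response
    bodies that look like JSON token responses are dropped entirely, since the
    access/refresh tokens inside them are as good as a Cookie header.
    """
    out = copy.deepcopy(har)
    hits = 0
    for entry in out.get("log", {}).get("entries", []):
        for side in ("request", "response"):
            msg = entry.get(side, {})
            hits += _redact_pairs(msg.get("headers", []), SENSITIVE_HEADERS)
            # HAR also lists parsed cookies separately from the Cookie header.
            for cookie in msg.get("cookies", []):
                if cookie.get("value") not in (None, REDACTED):
                    cookie["value"] = REDACTED
                    hits += 1
        req = entry.get("request", {})
        hits += _redact_pairs(req.get("queryString", []), SENSITIVE_PARAMS)
        hits += _redact_pairs(req.get("postData", {}).get("params", []), SENSITIVE_PARAMS)
        content = entry.get("response", {}).get("content", {})
        text = content.get("text", "")
        if "json" in content.get("mimeType", "") and any(
                k in text for k in ("access_token", "refresh_token", "id_token")):
            content["text"] = REDACTED
            hits += 1
    return out, hits


def sanitize_har_text(har_json):
    """Convenience wrapper: take HAR as a JSON string, return (JSON string, hits)."""
    out, hits = sanitize_har(json.loads(har_json))
    return json.dumps(out, indent=2), hits


# Constructed sample: a two-entry HAR like one a user might attach to a support case.
SAMPLE_HAR = {
    "log": {"version": "1.2", "entries": [
        {"request": {"method": "GET", "url": "https://example.test/api/me",
                     "headers": [{"name": "Cookie", "value": "sid=abc123"},
                                 {"name": "Accept", "value": "application/json"}],
                     "cookies": [{"name": "sid", "value": "abc123"}],
                     "queryString": []},
         "response": {"status": 200,
                      "headers": [{"name": "Set-Cookie", "value": "sid=def456; HttpOnly"}],
                      "cookies": [{"name": "sid", "value": "def456"}],
                      "content": {"mimeType": "application/json", "text": "{\"name\":\"a\"}"}}},
        {"request": {"method": "POST", "url": "https://idp.example.test/oauth/token",
                     "headers": [{"name": "Authorization", "value": "Basic Y2xpZW50OnNlY3JldA=="}],
                     "cookies": [],
                     "queryString": [{"name": "code", "value": "AUTHCODE"}],
                     "postData": {"mimeType": "application/x-www-form-urlencoded",
                                  "params": [{"name": "refresh_token", "value": "rt-1"}]}},
         "response": {"status": 200, "headers": [], "cookies": [],
                      "content": {"mimeType": "application/json",
                                  "text": "{\"access_token\":\"at-1\",\"refresh_token\":\"rt-2\"}"}}}
    ]}
}

if __name__ == "__main__":
    clean, n = sanitize_har(SAMPLE_HAR)
    print(f"{n} sensitive values redacted")
    print(json.dumps(clean, indent=2))
```

Running it on the sample reports 8 redactions; a second pass over the output reports none, so the sanitizer can be applied safely before every upload.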

October 18, 2023: Cloudflare’s Okta instance was specifically breached using the authentication token stolen from Okta’s support system, affecting files belonging to 134 customers, including Cloudflare.


November 2023: The Cloudflare Attack & Response

November 14, 2023: Attackers first gained unauthorized access to Cloudflare’s self-hosted Atlassian server, marking the beginning of the direct attack on Cloudflare.

November 22, 2023: The attackers established persistent access through ScriptRunner for Jira, accessing the source code management system, and attempting to access a console server linked to an undeveloped data center in São Paulo, Brazil.

November 23, 2023: Cloudflare detected malicious activity within its systems.


Post-Attack Actions

November 26, 2023: Cloudflare’s cybersecurity forensics team initiated a detailed investigation into the incident.

In the following weeks: Cloudflare undertook extensive remediation efforts, including credential rotation, system segmentation, forensic triage, and a comprehensive reboot of systems across its global network.

January 5, 2024: Formal remediation efforts were concluded, although Cloudflare maintains ongoing efforts in software hardening and security improvements.


Insights and Summary:

The Cloudflare breach was initiated through the exploitation of stolen authentication tokens and service account credentials from a prior Okta breach. Attackers targeted Cloudflare’s self-hosted Atlassian server, gaining unauthorized access to its Confluence, Jira, and Bitbucket systems. Despite the attackers’ efforts, the breach did not affect customer data or systems. Cloudflare undertook extensive remediation efforts, including credential rotation, to prevent future intrusions.


How Could Suridata Have Prevented This Attack?

  1. The breach highlights the complex challenge of managing and securing authentication tokens and service account credentials in a landscape where sophisticated attackers continuously seek to exploit any vulnerabilities. Suridata protects tokens and API keys by proactively monitoring those digital assets, revoking their access, deleting them, setting expiration dates, granting specific scopes, and alerting when tokens and credentials need rotation. In this case, Suridata could have detected the access permissions granted through the token, its usage, and who granted and used the token. Suridata could then have alerted the relevant admins or the security team regarding the suspicious activities and high risk score, thus preventing the misuse of the tokens.
  2. Suridata, which integrates with critical systems such as Okta, Confluence, Jira, and Bitbucket, could offer substantial benefits in the early detection and mitigation of cybersecurity risks. Suridata’s capability to connect with these systems means it can continuously monitor for new risks, anomalies, or changes in user or token behavior, providing a proactive stance against potential security threats.
    This means that any unusual behavior or deviation from the norm, such as the misuse of authentication tokens or unexpected changes in user privileges, could be quickly identified. This level of surveillance is crucial for early detection of security incidents, potentially even before any data compromise occurs.
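The token-hygiene checks listed in point 1 (expiry, scope, rotation, attribution) as an added example, not Suridata's product logic: a review over a constructed token inventory that returns a finding code per policy breach. The thresholds and scope names are assumed policy values, and the inventory format is a constructed record shape, not any vendor's API output.

```python
from datetime import datetime, timedelta, timezone

# Review thresholds (assumed policy values, not vendor defaults).
MAX_LIFETIME_DAYS = 90         # rotation window: anything older needs a new token
MAX_IDLE_DAYS = 30             # unused this long: revoke rather than keep
MAX_EXPIRY_HORIZON_DAYS = 365  # an expiry further out than this is as good as none
BROAD_SCOPES = {"*", "admin", "repo:write:all", "org:admin"}  # constructed scope names


def _parse(ts):
    """ISO-8601 string -> aware UTC datetime, or None when the field is absent."""
    return datetime.fromisoformat(ts).astimezone(timezone.utc) if ts else None


def review_token(token, now):
    """Return a list of finding codes for one token record (dict with string timestamps)."""
    findings = []
    created = _parse(token["created_at"])
    expires = _parse(token.get("expires_at"))
    last_used = _parse(token.get("last_used_at"))

    if expires is None:
        findings.append("NO_EXPIRY")
    elif expires < now:
        # Still present in the inventory after its expiry: either the app does not
        # enforce expiry or nobody cleaned up. Check last_used_at to tell which.
        findings.append("EXPIRED_STILL_ACTIVE")
    elif expires - now > timedelta(days=MAX_EXPIRY_HORIZON_DAYS):
        findings.append("EXPIRY_TOO_FAR")

    if now - created > timedelta(days=MAX_LIFETIME_DAYS):
        findings.append("ROTATION_DUE")

    if last_used is None:
        if now - created > timedelta(days=MAX_IDLE_DAYS):
            findings.append("NEVER_USED")
    elif now - last_used > timedelta(days=MAX_IDLE_DAYS):
        findings.append("IDLE")

    if set(token.get("scopes", [])) & BROAD_SCOPES:
        findings.append("BROAD_SCOPE")

    # A token with no owner cannot be attributed when it is misused.
    if not token.get("owner"):
        findings.append("NO_OWNER")
    return findings


def review_tokens(tokens, now=None):
    """Map token id -> findings for every token that has at least one finding."""
    now = now or datetime.now(timezone.utc)
    report = {}
    for t in tokens:
        f = review_token(t, now)
        if f:
            report[t["id"]] = f
    return report


# Constructed sample inventory, the kind an SSPM tool would pull from each app's API.
NOW = datetime(2023, 11, 20, tzinfo=timezone.utc)
SAMPLE_TOKENS = [
    {"id": "tok-ci", "owner": "ci-bot", "created_at": "2023-10-01T00:00:00+00:00",
     "expires_at": "2023-12-01T00:00:00+00:00", "last_used_at": "2023-11-19T08:00:00+00:00",
     "scopes": ["repo:read"]},
    {"id": "tok-svc", "owner": "", "created_at": "2023-01-15T00:00:00+00:00",
     "expires_at": None, "last_used_at": "2023-06-01T00:00:00+00:00",
     "scopes": ["*"]},
    # Expired on Nov 10 but used on Nov 18: expiry is not being enforced.
    {"id": "tok-support", "owner": "support-svc", "created_at": "2023-10-10T00:00:00+00:00",
     "expires_at": "2023-11-10T00:00:00+00:00", "last_used_at": "2023-11-18T00:00:00+00:00",
     "scopes": ["tickets:read"]},
]

if __name__ == "__main__":
    for tid, findings in review_tokens(SAMPLE_TOKENS, NOW).items():
        print(tid, ", ".join(findings))
```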

Conclusion

A breach of this magnitude is a serious problem for any business. For a company like Okta, whose brand is largely based on its reputation for guarding identity credentials, this breach proved to be a major embarrassment—and a significant distraction and resource drain in the remediation process. No system is ever completely bulletproof, but an examination of the attack chain suggests that certain countermeasures, such as those provided by Suridata, could have mitigated the threat.


Shiran Rachman

Product Lead


A Step-by-Step Guide to Spotting a Security Misconfiguration Vulnerability

Hackers are all diabolical geniuses, clad in hoodies, who sneak past our best defenses like ninjas… or not. Their job is actually a bit dull. Most hacking involves automated software looking for easy break-ins enabled by security misconfigurations.

11% of successful breaches result from cloud misconfigurations. These mishaps are not just widespread but deceptively dangerous. Based on OWASP’s Top 10, “security misconfiguration” is the 5th most critical vulnerability worldwide, having moved up from 6th place in the previous edition. 

It’s not just about spotting misconfigurations but being quick at spotting them. With hackers taking as little as one minute to exploit a weakness, your team can’t afford to take weeks to discover and respond to it (if it ever discovers it at all). 


What is a security misconfiguration vulnerability?

A security misconfiguration vulnerability is any system setting that causes exposure to cyber threats. It often originates from a lack of security controls and processes. For instance, it may be caused by not switching on recommended app security settings, enabling unnecessary features like legacy encryption protocols, incomplete hardening of servers, or allowing default passwords. These vulnerabilities can affect operating systems, web servers, databases, applications, and cloud services. 

SaaS applications present a distinct challenge when it comes to misconfiguration risks. For example, a SaaS system user might be granted temporary privileged (administrative) access, but the person who added the privilege forgets to revoke it. If a malicious actor compromises that user’s account, they now have administrative access. The average company uses over a hundred SaaS apps, so the attack surface is vast. 
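The forgotten temporary admin grant above is detectable from an ordinary privilege export. This access-review check is an added example (not Suridata's or any SaaS vendor's code); the grant record shape, the admin role names and the approved-admin list are assumptions.

```python
from datetime import datetime, timezone

ADMIN_ROLES = {"system_administrator", "org_admin"}   # constructed role names


def _parse(ts):
    """ISO-8601 string -> aware datetime, or None for a standing (open-ended) grant."""
    return datetime.fromisoformat(ts) if ts else None


def review_grants(grants, now, approved_admins=frozenset()):
    """Return [(user, role, finding)] for privilege grants that should be revoked or fixed.

    Each grant is a dict with: user, role, granted_at, expires_at (None = standing),
    temporary (bool, set when the grant was requested as time-boxed) and revoked (bool).
    """
    findings = []
    for g in grants:
        if g.get("revoked"):
            continue
        expires = _parse(g.get("expires_at"))
        is_admin = g["role"] in ADMIN_ROLES
        if expires is not None and expires <= now:
            # The case from the text: temporary access whose end date passed unnoticed.
            findings.append((g["user"], g["role"], "EXPIRED_NOT_REVOKED"))
        elif expires is None and g.get("temporary"):
            # Requested as temporary but provisioned without an end date.
            findings.append((g["user"], g["role"], "TEMPORARY_WITHOUT_EXPIRY"))
        elif expires is None and is_admin and g["user"] not in approved_admins:
            # Standing admin rights outside the approved list need a review, not a timer.
            findings.append((g["user"], g["role"], "STANDING_ADMIN_NOT_APPROVED"))
    return findings


def revocation_list(findings):
    """Users/roles that should be revoked outright (the expired ones)."""
    return sorted((u, r) for u, r, f in findings if f == "EXPIRED_NOT_REVOKED")


# Constructed sample export from one SaaS app's admin console.
NOW = datetime(2024, 3, 1, tzinfo=timezone.utc)
APPROVED_ADMINS = frozenset({"alice"})
SAMPLE_GRANTS = [
    {"user": "alice", "role": "system_administrator", "granted_at": "2023-01-10T00:00:00+00:00",
     "expires_at": None, "temporary": False, "revoked": False},
    {"user": "bob", "role": "system_administrator", "granted_at": "2024-01-15T00:00:00+00:00",
     "expires_at": "2024-01-22T00:00:00+00:00", "temporary": True, "revoked": False},
    {"user": "carol", "role": "org_admin", "granted_at": "2024-02-01T00:00:00+00:00",
     "expires_at": None, "temporary": True, "revoked": False},
    {"user": "dave", "role": "org_admin", "granted_at": "2023-09-01T00:00:00+00:00",
     "expires_at": None, "temporary": False, "revoked": False},
    {"user": "erin", "role": "system_administrator", "granted_at": "2024-02-28T00:00:00+00:00",
     "expires_at": "2024-03-06T00:00:00+00:00", "temporary": True, "revoked": False},
    {"user": "frank", "role": "org_admin", "granted_at": "2023-12-01T00:00:00+00:00",
     "expires_at": "2023-12-08T00:00:00+00:00", "temporary": True, "revoked": True},
]

if __name__ == "__main__":
    found = review_grants(SAMPLE_GRANTS, NOW, APPROVED_ADMINS)
    for user, role, finding in found:
        print(f"{user:6} {role:22} {finding}")
    print("revoke now:", revocation_list(found))
```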

The impact of security misconfiguration vulnerability attacks

Attacks that exploit security misconfiguration vulnerabilities can take many forms. Ransomware, data breaches and exfiltration, impersonation of employees, and phishing attacks are among the most impactful. 


Compliance problems are also a related risk. If a malicious actor can access and exfiltrate consumers’ Personal Identifiable Information (PII), that could result in penalties and legal liability for violating privacy laws such as GDPR and CCPA. 

Common challenges in spotting security misconfigurations 

Spotting security misconfigurations is inherently challenging because these are often easy-to-miss errors. Vulnerabilities may emerge from seemingly minor lapses like failing to require periodic password changes or allowing anonymous file shares. 

Then there’s the extra complexity we’re all dealing with today—a high level of interconnectivity between apps and systems. With SaaS, this takes the form of third-party integration plugins that link SaaS apps to one another, creating risk exposure.

Configurations also tend to be dynamic, and as the landscape continually changes, it is increasingly difficult to keep up with new integrations and settings. If detailed documentation is unavailable, it becomes all the more challenging to see misconfigurations because you don’t know what the configurations should look like. 

A step-by-step guide to spotting a security misconfiguration vulnerability

Step #1: Enforce security policies

The best scenario is one where you have as few security misconfiguration vulnerabilities as possible. That will mean less work spotting them and less risk. This is easier said than done, but investing in process and technology can pay dividends. 

For example, adopting repeatable hardening processes for applications and servers can help you avoid misconfigurations at the outset. Automating repetitive admin tasks can also help in this regard, as can rapidly deploying software patches. 

Step #2: Understand your complete architecture

Spotting misconfigurations depends on knowing what you have in your IT estate. The best practice is to develop a comprehensive architecture map and commit to keeping it updated. This map should include SaaS apps, which may integrate with productivity apps, storage systems, and other platforms. 

For example, it is common for SaaS-based CRM solutions to link with order management systems. You should track all such connections. If a SaaS vendor discloses that its third-party plugin has a security problem, your architecture map will tell you where it could be causing a vulnerability. 


Step #3: Conduct automated scans

The reality of today’s highly complex IT environments is that manual processes for detecting security misconfigurations are doomed to failure. Automated tooling is essential for scanning the entirety of the network, the SaaS landscape, applications, databases, and operating systems. 

For example, a SaaS Security Posture Management (SSPM) platform like Suridata can automatically scan all your organization’s SaaS apps and identify misconfigured apps that create risk. The SSPM platform might discover, for instance, that a user has allowed anyone on the public internet to access files on a SaaS storage drive, and automatically alert your team.

Step #4: Review IAM practices

Many insecure configurations involve Identity and Access Management (IAM). For instance, if your users can access SaaS apps without MFA, you risk hackers accessing your SaaS data with stolen credentials. 

Hackers also look for Broken Access Controls (BACs). This OWASP Top 10 vulnerability results from a poorly configured web application. Specialized security tools can detect such vulnerabilities and flag them for remediation. 


Step #5: Check your data

Most cyberattacks target data. Therefore, hackers tend to look for misconfigurations that expose data to breach. Examples include unencrypted data and Structured Query Language (SQL) error messages that inadvertently reveal sensitive information. 

SSPM can be helpful in this context. These tools will scan all your SaaS apps and discover where sensitive data is stored and who can access it. The results of such scans may surprise you, as your data is often stored in more places than you’re aware of, but it’s better to be surprised at this stage than later, when your data has already been exploited. 

Step #6: Check for unused features and default settings

An unused feature hidden from view can allow access that doesn’t conform to policies and become a breeding ground for misconfigurations. Similarly, default settings might violate any number of security policies. For instance, they could allow access by people with Gmail addresses or permit access from insecure IP addresses. It’s a good practice to audit your systems for unused features and default settings and update these as soon as possible. 

Step #7: Review your SaaS vendor for compliance certifications

Your SaaS vendor’s approach to security can significantly impact your security, positively or negatively. From cryptographic failures to cross-site scripting (XSS) risks, SaaS software can ship with many insecure configurations. Compliance certifications such as SOC2 or PCI-DSS show that a SaaS vendor has demonstrated adherence to rigorous security frameworks. By reviewing your SaaS vendors’ compliance certifications, you can make sure you’re working with vendors that take your security seriously.

You can never stop looking for security misconfiguration vulnerabilities

Misconfigurations are a significant source of cyber risk, so you have to be able to spot them and resolve them promptly. This must be an ongoing process, however. Given the pace at which systems and connections evolve, new security misconfiguration vulnerabilities will arise continuously. 

Automation is your best friend in spotting misconfiguration vulnerabilities, helping you gain visibility across all layers of your SaaS apps. Suridata combines SSPM and SSDR, enabling you not just to gain visibility over your misconfigurations but to activate the proper response workflows as soon as a misconfiguration is spotted. Book a quick demo to see how it works.

Haviv Ohayon

Co-Founder & COO


The Essential Guide to SaaS Compliance

The word “compliance” is one of those migraine triggers you probably don’t want to hear at work. It sounds simple: all you must do is adhere to relevant regulations or frameworks. However, compliance is a recurring workload that usually involves auditors, certifications, and laborious processes. 

SaaS compliance can be particularly challenging because you have little control over how users handle SaaS corporate data. While 43% of organizations added a new SaaS app that stores sensitive data in 2022, 25% had security violations, and 12% had to pay compliance-related penalties.

Dealing with SaaS compliance is not optional. The stakes are high, with non-compliance adding to costs and legal liability while creating risks to customer trust and brand reputation.


What is SaaS Compliance? 

Compliance is about following government regulations and industry frameworks that are mandated or strongly recommended for your business. Most of the time, SaaS compliance means developing, implementing, and checking cybersecurity controls and policies that protect your and your customers’ sensitive data, such as financial and Personal Identifiable Information (PII). 

SaaS compliance varies by location and industry. For instance, if you do business in the European Union, you will be bound by the EU’s General Data Protection Regulation (GDPR) and data sovereignty rules. 

It sounds simple enough, but the SaaS “shared responsibility model” can complicate things. With shared responsibility, the SaaS vendor is responsible for compliance regarding its infrastructure. They have to have controls that protect your consumers’ data from breaches in their data centers. 

You, on the other hand, are responsible for compliance regarding your SaaS users. If a hacker steals your SaaS login and exfiltrates consumer data, you are on the hook for this compliance violation, not your SaaS vendor.

Why Should You Care about SaaS Compliance?

A business that does not take care of SaaS compliance is at increased risk of SaaS data breaches, which can lead to loss of reputation and tarnished customer relationships. Breaches resulting from a failure to comply with frameworks can also result in fines, penalties, or litigation.

When following regulations and frameworks, avoiding an understandable but counterproductive “box-checking” mindset is wise. Best practices that strengthen SaaS data security must be instilled across the company and followed as part of the broader security culture – regulatory compliance is a by-product. 

However, as the regulatory landscape grows and more SaaS apps are connected to your infrastructure, it’s easy to lose touch with the specific regulations that affect your business. A general understanding of these regulations is crucial to stay compliant. 


Who Regulates SaaS and Key Frameworks?

Compliance covers different regulations and frameworks developed by governmental institutions or industry associations. Some are legally required, while others are voluntarily complied with to demonstrate trustworthiness. Below are some prominent regulations and the entities that control them. 

Data Protection Regulations

Protecting consumer privacy is a priority for many governments, which have taken steps to prevent the misuse of PII. Two regulations currently predominate in this category. 

GDPR

GDPR was established by the European Union (EU). It covers responsibilities for entities that handle EU citizens’ PII in the EU and European Economic Area. GDPR is under the control of the European Data Protection Board, but data protection authorities (DPAs) enforce it in each of the EU’s 27 member countries. 

CCPA

The California Consumer Privacy Act (CCPA) became California state law in 2018. Implemented by the California Privacy Protection Agency (CPPA), this law dictates how companies must protect California consumers’ data. It mandates that companies (SaaS-based companies included) provide total transparency about data management and storage practices, update their privacy policies, and enable customers to opt out of the sale of their data.


Security Standards 

Complying with security standards involves applying the specified controls and policies and passing an audit to achieve certification. 

ISO/IEC 27001

The International Standards Organization (ISO) develops and promulgates the ISO 27001 international standard for information security. It is a broad standard, mandating a wide range of controls, many of which are relevant when using SaaS applications.

SOC2 

Security Organization Control 2 (SOC2) is a standard that covers how organizations manage their customers’ information. SOC2 compliance is voluntary, but achieving it and passing a SOC2 audit represents a commitment to information security that many companies are eager to demonstrate. It was developed by the American Institute of CPAs (AICPA), which still oversees it today. 

Industry-Specific Regulations 

Some industry-specific compliance frameworks are based on laws, while others are private and theoretically voluntary but have the force of law. 

PCI DSS

The Payment Card Industry Data Security Standard (PCI DSS) is a strict set of controls companies must adopt to accept payments from credit and debit cards. PCI DSS compliance requires extensive control implementation and the passing of an audit. The Payment Card Industry Security Standards Council and the industry trade group for the payment card industry oversee this standard.

HIPAA

If you are a healthcare company, you must comply with HIPAA. The Health Insurance Portability and Accountability Act (HIPAA) is an American federal law that is overseen by the Office of Civil Rights (OCR) of the Department of Health and Human Services (HHS). 


How to Achieve SaaS Compliance: The Essential Guide 

  1. Understand each regulation’s applicability and draw a “heat map” for SaaS

Full compliance with all security standards is seldom possible, even for large enterprises. Too many rules and controls (and sub-controls) exist, so companies are selective about what they enforce. The best approach is to understand the applicability of a particular regulation or control to your specific business and SaaS landscape. 

From there, you can narrow down the most relevant regulations based on the probability of falling out of compliance and the impact of that non-compliance on your business. Some compliance professionals call this a “heat map” that shows which regulations deserve the most time and resources. Once you’ve established your “hottest” controls related to SaaS, you can work on implementing these. 

  2. Map overall compliance and information security controls to SaaS

Your SaaS compliance efforts do not exist in a vacuum. For example, PCI DSS compliance requires companies to “prohibit direct public access between the Internet and any system component in the cardholder data environment.” This control affects all system components, not just SaaS. Determine how you comply with the regulation in general and then map that control to relevant SaaS applications.

  3. Monitor SaaS compliance across the organization

Most organizations use dozens of SaaS apps. Not all are relevant to compliance, but for those that are, it is essential to monitor them regularly for adherence to required controls. This process may involve a formal audit or automated SaaS Security Posture Management (SSPM) platforms like Suridata. 

Suridata’s SaaS security platform combines SSPM with robust detection and response capabilities, helping you monitor usage across your SaaS apps and instantly detect and respond to any vulnerability. 

  4. Make compliance part of the SaaS lifecycle

One of the significant advantages of SaaS risk compliance is the ease with which you can provision SaaS apps in an organization. It is a good practice to include compliance controls and safeguards into the SaaS lifecycle, such as ensuring that any SaaS app used by the company is subject to secure and compliant configurations and third-party integrations. An SSPM platform can ensure that SaaS users and system owners follow this approach.

  5. Add SaaS to corporate data governance policies

A great deal of compliance concerns consistent, secure, and effective data management. SaaS should be no exception. If compliance with relevant regulations means encrypting customers’ PII, your SaaS apps must also do that. The same goes for retaining data for time periods determined by compliance policies and deleting data according to those policies. 

Getting on the Path to SaaS Compliance 

The regulatory landscape includes SaaS, even when you aren’t sure what data your SaaS environment contains. Getting SaaS compliant is difficult, but it’s not mission impossible. You probably already have the foundation for SaaS compliance in your existing controls and policies. The challenge is to port those controls easily to your SaaS apps. 

This is where SaaS Security platforms like Suridata can help, offering automated monitoring, policy enforcement, detailed real-time insights, and remediation suggestions for any new SaaS vulnerability. Schedule a demo to learn more.

Haviv Ohayon

Co-Founder & COO


Triple Threat: Third-Party Apps Lead to Breaches at Three Finance Leaders  

Introduction

In the ever-evolving landscape of cyber threats, the financial services sector has recently encountered a series of sophisticated attacks. This article delves into three notable incidents, underscoring the pivotal role of third-party applications in these breaches. 


First American’s System Shutdown

The cyberattack on First American, a leading title insurance provider, led to a significant system shutdown. Following a 2019 data breach, attackers exploited vulnerabilities in a third-party application, accessing sensitive customer documents and credentials without authentication. Suridata’s SSPM solution, with its advanced discovery and alert capabilities, could have been instrumental in averting such risks. 


Fidelity National Financial’s Disrupted Services

Fidelity National Financial experienced service disruptions due to a cyberattack that implicated the AlphV/BlackCat group. The attackers capitalized on the CitrixBleed vulnerability, extracting valid session tokens to bypass authentication and gain unauthorized access. This incident highlighted the necessity of vigilant security measures, particularly against sophisticated third-party app exploits. Suridata’s expertise in detecting unauthorized plugin access could have been crucial in preventing such breaches. 


Mr. Cooper’s Massive Data Breach

Mr. Cooper, a mortgage servicing firm, reported a breach affecting 14.7 million individuals. An unauthorized third party accessed technology systems, underlining the significance of enhanced security in third-party collaborations. Suridata’s comprehensive risk management approach could ensure high security standards among partners, preserving the integrity of customer banking information. 


Conclusion

The financial sector’s recent cyberattacks demonstrate the urgent need for dynamic and proactive security solutions focused on third-party application threats. 

Suridata’s SaaS Security solution provides any organization with knowledge about the third-party applications that are connected to its core applications, with full coverage of existing risks, users’ data, permissions, and the ability to perform actions in order to remediate risk. Suridata’s approach ensures business continuity and the safeguarding of customer trust. 

Shiran Rachman

Product Lead


The 7 Must-Have Cyber Security Controls You Can’t Neglect

The classic 1960s TV comedy “Get Smart” featured a fictitious spy agency called CONTROL locked in an unending battle against a devious enemy. Even at that time, when a small computer was about the size of three Coke machines, the concept of control was top of mind. 

Today, as we experience a deluge of devastating cyber attacks, we are more focused than ever on the effectiveness of our cyber security controls. Indeed, the fact that 55% of organizations reported a security incident involving SaaS in the past two years reveals that SaaS controls are not working as well as they could be. 

Every successful cyber attack is, after all, the result of a control failure. It could be a deficient control or one that didn’t exist in the first place when it should have. The growing use of cloud computing and SaaS applications also challenges the traditional approach to information security controls, making these increasingly difficult to map out and implement. 

What Are Cyber Security Controls in SaaS?

Generally, a control is a safeguard that reduces risk to an asset. Every control has an objective and an activity related to it. For instance, a lock on a cash register aims to reduce the risk of losing cash to a thief, and the “activity” encompasses purchasing the lock, installing it, and locking it. 

Cyber controls in SaaS are no different – they detect or prevent threats like ransomware attacks from impacting a SaaS asset and its data. Controls are essential in any digital environment but critical for SaaS. The average company uses more than 100 SaaS apps, each with its own security options—many of which are at the discretion of end users. The potential for a breach is high without controls that can mitigate cyber risk.

Cyber controls vary in design and execution, but we can divide them into three main categories: 

  • Administrative controls – Organizational policies that help secure how your users access SaaS data. They include Identity Governance, such as managing identities’ lifecycles, reviewing access controls, and monitoring user behavior.  
  • Technical controls – Deployment of technologies and security tools to protect SaaS data, including implementing encryption and Web Application Firewalls (WAF).
  • Physical controls – Security controls that protect the physical infrastructure that hosts software. In the case of SaaS, your SaaS vendor is responsible for implementing controls such as fences and locks to secure its hosting infrastructure. 


The 7 Must-Have Cyber Security Controls You Can’t Neglect

A large organization could employ hundreds or thousands of controls in its IT estate, so they can quickly get overwhelming. A handful of critical controls are deemed vital in SaaS, as they meet the unique security risks affecting SaaS apps.

1. A Software Asset Inventory that Includes SaaS 

Building and maintaining a complete inventory of software assets helps prevent attacks on neglected or invisible software. These can include unknown software assets with out-of-date security settings, untracked user accounts due to staff turnover, lack of follow-through on policies and procedures, or shadow IT. 

SaaS apps can be challenging to inventory without the proper tooling. Because they are hosted externally by third parties, knowing that someone has set up a SaaS app may be impossible if they didn’t inform the IT department. A SaaS Security Posture Management (SSPM) platform like Suridata can scan for SaaS apps and create an inventory of SaaS assets to support this control. 

2. Access Controls that Leverage MFA and Apply the Least Privilege Principle 

Unauthorized access to a SaaS app can cause severe data breaches and operational disruption. For instance, a hacker can use stolen credentials to log into a customer relationship management (CRM) system and exfiltrate the customer list or corrupt it to become unusable. 

Tighter access controls and multi-factor authentication (MFA) implementation can help prevent unauthorized access to SaaS apps. Ensure you also enact a policy of least privilege to reduce the risk of an attacker “moving laterally” through different sections of an application once they have logged in. 

MFA and least privilege should be part of a broader Identity and Access Management (IAM) program to achieve the control objective effectively. This may involve the integration of the MFA solution with the company’s IAM platform and related Identity Governance systems.


3. Secure Configuration of SaaS Applications 

Malicious actors are constantly looking for insecurely configured SaaS apps that they can exploit. Think of a SaaS storage app set to allow anyone to access the files without being authenticated – misconfiguration vulnerabilities like this are liquid gold for attackers. 

You need to monitor SaaS security configurations continuously, flag insecure setups, and alert admins to remediate them. But with a hundred SaaS apps in use and potentially thousands of end users, inspecting security configurations must be done with an automated tool.

4. Data Protection Controls 

Encrypting data in transit and at rest and backing it up can prevent data breaches or, at the very least, reduce their impact. However, these controls require security managers to know where all their data is stored. This can be a challenge in SaaS, as the organization hosts the data externally. 

For example, how would you know that your order management SaaS app was storing customers’ Personal Identifiable Information (PII), which would cause a compliance problem if it was breached? You need an automated data scanning tool that can identify the location of data and establish who has access to it.  

5. Develop and Test an Incident Response Process 

Cyber attacks often have extensive, costly, and potentially irreversible business impacts. Even if your data isn’t stolen, unplanned downtime can negatively affect customer relationships and damage your reputation. Developing and testing an incident response process enables rapid recovery of SaaS apps from a cyber incident, ensuring no further damage is done. 

Responding to SaaS cyber incidents works best when you have immediate, detailed information about the nature of the threat and the status of your SaaS environment. An SSPM platform can provide the basis for forming an effective incident response plan.


6. Continuous Monitoring and Prioritization with SSPM 

To have your SaaS apps under control, you need to achieve comprehensive, real-time awareness of the security status of all apps in your ecosystem. Furthermore, you must be able to react quickly to detected threats and vulnerabilities.

Ensure you leverage the continuous monitoring capability of an SSPM platform to achieve constant, thorough, and up-to-date security awareness of all SaaS apps. This control needs to be coupled with a prioritization of alerts and some automation of remediation processes. 

Continuous monitoring can produce an unmanageably long list of vulnerabilities, and not all of them will be equally serious. Some might even be irrelevant to SaaS security. An effective SSPM platform will rank the vulnerabilities to address and automatically remediate as many as possible—referring only those needing human attention to security managers.
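As an added illustration of the "flag insecure setups, rank them, and auto-remediate what you can" loop described above (example code, not Suridata's product or any vendor API), the following compares a constructed SaaS tenant snapshot against a constructed baseline, orders the findings by severity, and splits them into an auto-remediation queue and a queue for human review:

```python
"""Posture check for one SaaS tenant: compare settings against a baseline,
rank deviations by severity and separate auto-remediable findings from
those that need an owner decision. All setting names, severities and the
snapshot are constructed for this example."""
from dataclasses import dataclass

# Constructed baseline: setting -> (expected value, severity 1-5, auto-remediable?)
BASELINE = {
    "mfa_enforcement": ("app_level", 5, False),  # tenant-wide MFA, not per user
    "anonymous_link_sharing": (False, 5, True),  # "anyone with the link" access
    "session_timeout_minutes": (60, 2, True),    # numeric limit: larger is laxer
    "api_token_max_age_days": (90, 3, True),
    "guest_users_allowed": (False, 4, False),    # business decision, escalate
    "audit_logging": (True, 4, True),
}


@dataclass
class Finding:
    setting: str
    observed: object
    expected: object
    severity: int
    auto_remediable: bool


def check_posture(snapshot: dict) -> list:
    """Return deviations from BASELINE, most severe first.
    A setting missing from the snapshot cannot be verified and is escalated."""
    findings = []
    for setting, (expected, severity, auto) in BASELINE.items():
        observed = snapshot.get(setting)
        if observed is None:
            findings.append(Finding(setting, None, expected, severity, False))
        elif isinstance(expected, int) and not isinstance(expected, bool):
            if observed > expected:  # numeric limits only fail when exceeded
                findings.append(Finding(setting, observed, expected, severity, auto))
        elif observed != expected:
            findings.append(Finding(setting, observed, expected, severity, auto))
    return sorted(findings, key=lambda f: -f.severity)


def triage(findings: list) -> tuple:
    """Split findings into (auto-remediate queue, human-review queue)."""
    auto = [f for f in findings if f.auto_remediable]
    human = [f for f in findings if not f.auto_remediable]
    return auto, human


SNAPSHOT = {  # constructed tenant snapshot; audit_logging is deliberately absent
    "mfa_enforcement": "user_level",
    "anonymous_link_sharing": True,
    "session_timeout_minutes": 480,
    "api_token_max_age_days": 30,
    "guest_users_allowed": False,
}
```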

7. Third-Party Security Risk Management

Third-party integrations can be a significant source of risk exposure for SaaS apps. Establish a process to inspect third-party integrations, such as those executed with plugins. Identify insecure plugins and integrations and alert critical stakeholders to trigger remediations. 

You will need an automated solution to do the groundwork for you, as you’ll likely have an extensive list of third-party integrations and plugins to monitor. Suridata monitors and analyzes all third-party integrations and identifies security problems, such as unsupported plugins that have become insecure or that enable unknown users to access SaaS apps. 


Getting Started with Your Must-Have Cyber Security Controls

If you’re neglecting the seven SaaS controls highlighted in this article, now would be a good time to implement them. The risks are too significant to ignore and will continue to grow as your business grows. Even if your team has the basics covered, you should equip them with a comprehensive tool that automates all the monitoring, detection, and remediation processes to protect your entire SaaS arsenal. 
Purpose-built solutions like Suridata combine SSPM with robust SaaS Security Detection and Response (SSDR) capabilities, helping you get to the bottom of every SaaS vulnerability without operational overload. Learn more here.

Haviv Ohayon

Co-Founder & COO


SaaS Data Security: 7 Tips to Keep Your SaaS Data Secure

Have you ever experienced typing your data into a form on a SaaS app, hitting “Save,” and then thinking, “Hey, wait…where did my data just go?” We’re so thrilled with the convenience, speed, and economy of SaaS applications that we forget we’re storing some of our most sensitive data in the SaaS vendor’s cloud.

Data leakage is the most common SaaS security incident for IT and security professionals, with 58% having experienced one in the previous two years. 41% of respondents suffered a SaaS data breach in that period.

The cloud infrastructure supporting your favorite SaaS apps is often secure. However, according to almost every SaaS user agreement and based on the Shared Responsibility Model, you still have a fair share of responsibility for protecting your SaaS data. 

What is SaaS Data Security?

SaaS data security comprises the risk analysis, policies, and practices that protect data stored on SaaS apps. The specifics of any SaaS data security program will vary based on the type of organization and the data it holds on SaaS. In general, however, SaaS data security aims to reduce the risk of data breaches and other attacks that can damage or delete your data. 

Not all data stored on SaaS is equally important regarding security. The big issue with SaaS data security is the difficulty in understanding which documents stored on a SaaS platform are innocuous and which aren’t. 

Almost anything could be in a SaaS file drive, from patent applications to confidential legal agreements. For instance, zombie SharePoint groups and data repositories make SharePoint security challenging. Alternatively, a SaaS app might contain customer information subject to privacy laws, which may differ from country to country.

Access controls and integrations play a role in securing SaaS data. Keep in mind that threats can be internal, too. Employees or customers may steal or carelessly mishandle data, and the impact on data security is no less profound. 

Top Challenges of Securing Your SaaS Data

Defending data stored on SaaS apps has its share of challenges, propelled mainly by the dynamic nature of the cloud. For instance, knowing who can access the SaaS app or how each user configures their security settings can be complicated. 

Some of the more common and severe challenges in SaaS data security include:

  • Securely managing user identities—knowing who is who and who can access what, especially as employees get hired, change roles, and depart the company. 
  • Safeguarding data in transit and at rest—ensuring that SaaS data is encrypted when crossing the network or stored on a disk drive. 
  • Integrating SaaS applications with other services—staying on top of the connections and plugins as they affect data stored on SaaS apps.
  • Complying with data residency rules and other regulations—adhering to mandates like “data sovereignty,” which govern where data about citizens of a given country can be stored. 
  • Preventing data loss—following Data Loss Prevention (DLP) practices that help you avoid accidental deletion of SaaS data and system failures or security incidents that can affect data.

Shadow IT, particularly shadow SaaS, threatens to make these challenges even more grueling. When virtually anyone in an organization can set up a SaaS account with a credit card and start moving corporate data onto that app, security teams can struggle to keep up. Shadow SaaS creates security blind spots and increases SaaS data risk exposure.


7 Tips to Keep Your SaaS Data Secure

1. Stay on top of best practices for SaaS Security Posture

SaaS data security is—or should be—a subset of a broader commitment to SaaS Security Posture Management (SSPM). After all, security countermeasures that protect SaaS apps from unauthorized access and abuse also serve to protect the data they store. 

Getting serious about SSPM means conducting regular security audits, logging and monitoring SaaS activity, and using strong access controls such as multi-factor authentication (MFA) to better manage identities and how they use your resources. It also includes training employees in SaaS security and establishing (and testing) a SaaS incident response plan.

2. Know your SaaS vendor

Your SaaS vendor has a great deal of control over the security of your data. While you are responsible for your end of the SaaS data security, the vendor’s systems are where the data is stored. 

Review your SaaS vendor’s data security policies carefully to ensure they comply with data privacy laws and data sovereignty regulations. For instance, if you keep data about French citizens on devices hosted inside France, your SaaS vendor must comply with all the French data regulations (and prove that they’ve done so).  

Most reputable SaaS vendors willingly share their data security management and privacy policies with customers. If they don’t, maybe that’s not a vendor to use. They should tell you, for instance, whether they encrypt your data at rest and in transit, and whether they offer end-to-end encryption (E2EE).

The good news is that several respected organizations do the heavy lifting for you in vetting your SaaS vendor. A SaaS vendor might hold certifications like the Cloud Security Alliance STAR verification or have passed an audit for EuroCloud SaaS Star, SOC 2, or PCI DSS. Such certificates establish that the vendor has met specific strict standards for data security.


3. Define and implement data governance policies 

It’s hard to steal data from SaaS if it isn’t there or never existed in the first place. This is the realm of data governance, whose policies can be an effective countermeasure bolstering SaaS data security. 

Consider a customer intake form on a customer relationship management (CRM) solution. You can adjust these customizable forms to limit sensitive personal data that isn’t necessary for the customer relationship and avoid putting this data at risk of being breached or misused. 

Disposing of old data can also help you prevent security misconfigurations in your apps. For example, you can establish a firm policy to delete data over seven years old automatically. Don’t forget to delete such data from your backups as well. This requires automated data management tools, often available on SaaS apps.

4. Know where your data is

With the average company utilizing over a hundred SaaS apps, keeping track of where users put corporate data is nearly impossible. No manual process could keep IT managers informed on where data resides in the SaaS ecosystem. 

SSPM solutions like Suridata employ automated data scanning processes to identify where data is located across the SaaS environment. Suridata then alerts IT managers if it detects the presence of sensitive data in a SaaS app that is not adequately secured or subject to overly broad access privileges. 
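As an added example of the kind of scan this section and the earlier PII point describe (example code, not Suridata's own scanner), the following looks for common PII patterns in constructed SaaS records and flags only those whose sharing setting is broader than a policy allows; the sharing levels, exposure ranking and records are all constructed:

```python
"""Flag SaaS records that contain PII and are shared too broadly.
Detection uses regexes for e-mail and SSN-shaped values and a Luhn check to
confirm card-number candidates. Sharing levels are a constructed model."""
import re

EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b")
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")  # candidate PAN, confirmed by Luhn

# Constructed exposure ranking: higher means more people can reach the record
EXPOSURE = {"owner_only": 0, "named_users": 1, "whole_org": 2,
            "external_domain": 3, "anyone_with_link": 4}


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used to cut false positives from long digit runs."""
    total, double = 0, False
    for d in reversed(digits):
        n = int(d)
        if double:
            n = n * 2 - 9 if n > 4 else n * 2
        total += n
        double = not double
    return total % 10 == 0


def classify_pii(text: str) -> set:
    """Return the set of PII kinds found in text: 'email', 'ssn', 'card'."""
    kinds = set()
    if EMAIL_RE.search(text):
        kinds.add("email")
    if SSN_RE.search(text):
        kinds.add("ssn")
    for m in CARD_RE.finditer(text):
        if luhn_ok(re.sub(r"\D", "", m.group())):
            kinds.add("card")
            break
    return kinds


def scan(records: list, max_exposure: str = "named_users") -> list:
    """Return (id, sorted PII kinds, sharing) for PII records shared beyond max_exposure."""
    limit = EXPOSURE[max_exposure]
    flagged = []
    for rec in records:
        kinds = classify_pii(rec["body"])
        if kinds and EXPOSURE[rec["sharing"]] > limit:
            flagged.append((rec["id"], sorted(kinds), rec["sharing"]))
    return flagged


RECORDS = [  # constructed sample records
    {"id": "doc-1", "sharing": "anyone_with_link",
     "body": "Invoice for jane.doe@example.com, card 4111 1111 1111 1111"},
    {"id": "doc-2", "sharing": "owner_only", "body": "SSN 123-45-6789 on intake form"},
    {"id": "doc-3", "sharing": "whole_org", "body": "Q3 roadmap, no customer data"},
    {"id": "doc-4", "sharing": "external_domain", "body": "Order 4111111111111112 ref 12345"},
]
```

Only doc-1 is flagged: doc-2 holds an SSN but is owner-only, and doc-4's digit run fails the Luhn check.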

5. Regularly monitor your data security controls

It’s one thing to implement data security controls. It’s another to be confident they’re working as expected over the long term. It is a best practice to monitor data security controls regularly. For example, suppose you’ve mandated that SaaS apps only be accessed through a cloud access security broker (CASB) or established endpoint hardening standards for employee devices. You should continuously check that these policies are being enforced.


6. Implement robust security measures for accessing your data

Your SaaS data is only as secure as the password you use to access it. Of the 56 million leaked passwords in 2023, the password “123456” was used in 111,417 cases. Default passwords such as “admin,” “root,” or “guest” were equally (and worryingly) prevalent.

The most straightforward measures are often the most impactful. Ensure you employ multi-layered authentication protocols such as multi-factor authentication (MFA) and strong, regularly updated passwords so that only authorized users can access the data. 


7. Back up your data regularly

There is often some confusion about SaaS data backups, so it bears explaining. Most of the time, the SaaS vendor will back up its cloud instances. If they experience an outage, your data should be safe. However, the SaaS vendor’s backup does not necessarily protect you from cyberattacks and malicious data handling on a SaaS platform. If an insider decides to delete your SaaS data, you may have lost it for good. 

Getting Started Protecting Your SaaS Data

SaaS apps are most likely holding a lot of your sensitive data. You should want it protected, even if it’s not in your direct control. Getting started with SaaS data security involves adhering to basic SaaS cybersecurity practices, understanding your vendor’s data protection policies, knowing where all your data is in the SaaS landscape, and implementing effective data governance policies. 

Suridata can be a valuable tool for achieving your SaaS data security objectives. It monitors SaaS usage and flags suspicious activity that could signal the start of a data breach. It also monitors where your data has been stored and who has access to it in your SaaS environment. These and other functions help you establish a robust SaaS security posture, including solid data protection. Learn more or request a demo today.

Haviv Ohayon

Co-Founder & COO


MongoDB: Unauthorized Access and Data Exposure

MongoDB, a leading database management system, recently experienced a significant security incident. On December 16, 2023, MongoDB reported unauthorized access to their corporate systems, resulting in the exposure of customer account metadata and contact information. This breach occurred despite MongoDB’s robust security measures and highlights the ever-present risks in managing and securing data in any SaaS application.


What happened?

  • Security Breach Timeline: MongoDB detected suspicious activity on December 13, 2023. The breach involved unauthorized access to MongoDB’s corporate systems, affecting customer account metadata and contact information.
  • Customer Impact: While MongoDB’s primary database service, MongoDB Atlas, was not directly compromised, the incident raised concerns regarding the potential misuse of exposed customer data.
  • Response Measures: MongoDB responded by activating its incident response process, advising customers to be vigilant against social engineering and phishing attacks. They also recommended the use of phishing-resistant multi-factor authentication (MFA) and regular password rotation.

Why is this dangerous?

  • Exposure of Sensitive Data: The unauthorized access led to the exposure of customer account metadata and contact information, which could be exploited for malicious purposes.
  • Risk of Phishing and Social Engineering Attacks: With access to customer contact information, attackers might launch targeted phishing campaigns, leveraging the trust in MongoDB’s brand.
  • Potential Long-Term Security Implications: The breach indicates that MongoDB’s systems were vulnerable for a certain period, suggesting a need for more proactive security measures.

How can Suridata come to the rescue?

  • Enhanced Visibility and Monitoring: Suridata’s SSPM solution could provide continuous visibility into the MongoDB SaaS application, enabling earlier detection of unusual user activities across the application, along with detecting and viewing unauthorized access attempts.
  • Configuration Management: Suridata’s solution could check that the MongoDB SaaS application is configured in line with the latest security best practices, including MFA enforced at the application level and not only at the user level. The platform would alert system owners if configurations did not align with SaaS security best practices. Moreover, enforcing password hygiene across the MongoDB environment would reduce the risk of sensitive data being exploited.
  • Comprehensive Security Posture Assessment: Suridata’s SSPM could offer a thorough assessment of SaaS applications and third parties’ security posture, identifying potential weaknesses and suspicious behaviors before they are exploited.

Summary

In December 2023, MongoDB suffered a serious security breach involving unauthorized access to its corporate systems. This breach exposed customer account metadata and contact information, posing risks of phishing and social engineering attacks. Suridata’s SSPM could have mitigated the risks of this attack by offering critical capabilities in terms of enhanced monitoring, threat detection, and proactive security measures—potentially preventing such incidents or mitigating their impact. As MongoDB continues to investigate and strengthen its security measures, integrating an SSPM solution like Suridata can be a strategic step toward enhancing overall security resilience and protecting sensitive customer data.


Shiran Rachman

Product Lead
