Macro trends such as the shift to cloud services, a growing remote (or hybrid) workforce, and heavy reliance on third-party partners and contractors mean organizations are working with more software-as-a-service applications than ever. That also means attackers are taking advantage of the ubiquity of SaaS as they target insecure default configurations and weakly secured identities.
Over the past year, attackers have attempted to intercept OAuth tokens, bypass multifactor authentication schemes, and exploit misconfigured systems and applications to gain unauthorized access to business-critical applications such as GitHub, Microsoft 365, Google Workspace, Slack, and Okta — to name a few.
Researchers from Valence Threat Labs identified various ways SaaS usage exposes organizations to attack in the new 2023 State of SaaS Security report. The report findings are based on organizations that have deployed Valence Security’s SaaS security platform.
Organizations have to do a better job of tracking abandoned applications, files, and user accounts.
- Over half — 51% — of an organization’s SaaS third-party integrations are inactive.
- Most — 90% — of an average organization’s shared assets (files and folders shared with external collaborators) have not been accessed for at least 90 days.
- On average, 1 in 8 employee accounts are dormant (with the user no longer with the company, for example).
- On average, 10% of an organization’s shared integrations and data belong to ex-employees.
More SaaS = More Risk
SaaS has also evolved to be an ecosystem of interconnected applications sharing data and identities — they are no longer stand-alone single-function applications. But all that integration is a problem because applications have too many privileges, and data sharing is out of control.
- 100% of organizations grant full read/write access to email, files, and calendar to at least one third-party tool or service.
- There are 21 integrations per organization with tenant-wide access to company and employee data.
- 30% of the time, files are shared with personal accounts.
- There are 54 shared resources (files, folders, SharePoint sites) per employee, and 193,000 shared resources per company, on average. Most are sitting idle.
SaaS has its benefits, but abandoned SaaS integrations and idle data sharing introduce risk to the enterprise. Organizations should regularly remove unused integrations and revoke sharing to reduce the attack surface. Data shares should be automatically revoked after a certain time period (such as 30 days), and user accounts should be deactivated when their owners leave the company. Lifecycle management is critical to ensure that existing business processes are not impacted when an employee leaves the company and the account gets deactivated, the report says.
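As an added example (not code from the report or from Valence's platform), the lifecycle checks recommended above expressed as an audit over a constructed SaaS inventory: dormant accounts, integrations and shares orphaned by departed employees, shares idle past a 30-day window, and shares to personal accounts. The 90-day thresholds, the consumer-domain list and the sample data are assumptions.

```python
from dataclasses import dataclass
from datetime import date

@dataclass
class Account:           # a SaaS user account
    user: str
    active: bool         # False once the employee has left the company
    last_login: date
@dataclass
class Integration:       # a third-party app authorized via OAuth
    name: str
    owner: str           # account that granted the integration its access
    last_used: date
@dataclass
class Share:             # a file or folder shared with an external collaborator
    path: str
    owner: str
    recipient: str       # external e-mail address
    last_accessed: date

TODAY = date(2023, 6, 1)  # fixed "now" so the audit is reproducible
DORMANT_DAYS = 90         # assumed: no login this long -> deactivate the account
INACTIVE_DAYS = 90        # assumed: no use this long -> remove the integration
SHARE_TTL_DAYS = 30       # the report's suggested auto-revoke window for shares
PERSONAL_DOMAINS = {"gmail.com", "outlook.com", "yahoo.com"}  # assumed consumer domains

def audit(accounts, integrations, shares, today=TODAY):
    """Plan: deactivate dormant accounts; remove/revoke orphaned or stale grants."""
    days = lambda when: (today - when).days
    departed = {a.user for a in accounts if not a.active}
    dormant = [a.user for a in accounts if a.active and days(a.last_login) >= DORMANT_DAYS]
    stale = [i.name for i in integrations
             if i.owner in departed or days(i.last_used) >= INACTIVE_DAYS]
    risky = [s.path for s in shares
             if s.owner in departed or days(s.last_accessed) >= SHARE_TTL_DAYS
             or s.recipient.rsplit("@", 1)[-1].lower() in PERSONAL_DOMAINS]
    return {"deactivate_accounts": sorted(dormant),
            "remove_integrations": sorted(stale), "revoke_shares": sorted(risky)}

# Constructed sample inventory (not real data); bob is dormant and carol has left
ACCOUNTS = [Account("alice", True, date(2023, 5, 30)), Account("bob", True, date(2023, 1, 15)),
            Account("carol", False, date(2022, 11, 2))]
INTEGRATIONS = [Integration("ci-bot", "alice", date(2023, 5, 29)),
                Integration("old-crm-sync", "alice", date(2022, 12, 1)),     # unused since December
                Integration("calendar-helper", "carol", date(2023, 5, 31))]  # owned by an ex-employee
SHARES = [Share("/finance/q2.xlsx", "alice", "cfo@partner.example", date(2023, 5, 20)),
          Share("/hr/offer.pdf", "alice", "friend@gmail.com", date(2023, 5, 31)),   # personal account
          Share("/eng/design.docx", "bob", "pm@vendor.example", date(2023, 3, 1)),  # idle > 30 days
          Share("/sales/leads.csv", "carol", "x@vendor.example", date(2023, 5, 31))]  # ex-employee's share
```

Running `audit(ACCOUNTS, INTEGRATIONS, SHARES)` against a real inventory export would require mapping the provider's fields onto these three record types; the decision logic itself does not change.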