Even before COVID-19 came on the scene, digital transformation was accelerating across industries. Now, a year later, the global pandemic has put those initiatives into overdrive, as organizations look to embrace Software-as-a-Service (SaaS) applications that enable remote work and digital collaboration, while also freeing themselves of legacy IT investments and infrastructure.
As liberating as digital transformation can be, however, it introduces a number of risk and compliance headaches for companies, especially in areas such as threat and risk monitoring and – especially – user access control. Indeed, recent events underscore the growing risks posed by SaaS applications. A report last week from Cisco’s Talos security group, for example, noted that collaboration platforms like Slack and Discord are increasingly being used to launch attacks on companies and exfiltrate data. These include account takeovers and credential theft from Slack and Discord users that further attacks such as spam, malware distribution, data theft and ransomware.
The problem for organizations is that the embrace of digital transformation and adoption of Platform-as-a-Service (PaaS) and SaaS offerings has not gone hand in hand with assessments of cyber risk or with changes to monitoring, detection and response for SaaS. Existing regulations like SOX, HIPAA, PCI and SOC 2 all require reviews of user access permissions, but these regulations are just starting to catch up to the unique mix of user and API-based access that makes cloud applications and services unique. And even focused user access audits can flounder in the face of multiplying and siloed SaaS applications and platforms, where poor governance is the rule rather than the exception.
But that doesn’t have to be the case. While digital transformation and cloud adoption might change the way organizations manage risk, they don’t make effective risk management impossible. With that in mind, here are some tips our team of experts came up with to help organizations with one of the most important, but thorny risk management exercises: cloud user access management.
The most critical questions that your IT team needs to answer before attempting to assess the security of your cloud environment are what applications they are using and which employees are using them.
To get a firm grasp on what applications and services you are using and the users and applications that are accessing them, larger firms often seek the services of Cloud Access Security Brokers (CASBs) like Netskope, Bitglass or others. These platforms can perform a range of tasks including identifying cloud services in use within your environment and the systems that are accessing those services.
Organizations that have not deployed a CASB solution may rely on manual methods to understand their environment: doing direct audits of applications or using surveys and questionnaires directed at application owners to build a list of applications. Additionally, passive monitoring of inbound and outbound traffic can identify low visibility applications, as can reviews of corporate, departmental, and even individual expense reports for evidence of active subscriptions that may have been overlooked.
Once you have a list of all the SaaS and cloud-based applications that are being used in your organization, we advise customers to do a rough sort of those applications to identify those that are “IT-led,” those that are “Business-led” and those that are orphans, without any clear owner.
By “IT-led,” we’re referring to the applications that your IT and security teams are actively managing. In general, those are applications like Salesforce.com, Slack and Office 365 that bear directly on compliance or that are the subject of company-wide policies. In contrast, “Business-led” applications include specialized applications and application stacks used by sales, marketing, finance, and other business functions.
The third category, “orphaned” applications, are neither directly managed by your IT group nor the responsibility of a business unit. Orphaned applications may be highly specialized services or web-based tools provisioned by a user or group of users to help with discrete problems in sales, marketing or other departments. These “orphans” are common, but are often overlooked by your CISO and security team.
Because they were acquired and provisioned outside of the purview of IT or the business unit, these orphaned applications are typically not scrutinized and may introduce IT risk. You need to understand what these applications and services are. Remember, even though your home-grown or third party application may be deployed on a cloud managed by Google, Microsoft, or Amazon, the shared security model means that responsibility for the security of the application and the application users falls to your organization, not the cloud provider.
Once you have a firm grasp on both the cloud users and applications in your environment, create a comprehensive view of cloud entitlements. Technology like Zilla’s can automate this process. Regardless: make sure you have accounted for any API integrations with cloud applications that your organization has enabled and determine whether your security model has been extended to service- as well as user accounts. For internally developed (“in house”) applications, make sure your organization has followed NIST’s Access Control Guidance for Cloud Systems.
Recent attacks that leverage collaboration platforms like Discord and Slack, for example, have revealed malware and malicious actors using APIs for those platforms for command and control (C2) and data exfiltration. Making sure you have extended core security principles like “least privilege” to APIs as well as users can prevent that type of malicious activity in your environment.
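As an added illustration of the sort-and-review steps above (not code from the original post or from Zilla): a small Python entitlement review that buckets each application as IT-led, Business-led or orphaned from its owner field, then compares the scopes every principal actually holds against the scopes its job needs, treating API integrations exactly like user accounts. The inventory, the owner-to-category mapping and the scope names are constructed assumptions, not a real export.

```python
import json

# Constructed sample export (not real data): one row per user account or API
# integration, with the scopes it holds and the scopes its job actually needs.
SAMPLE_ENTITLEMENTS = json.loads("""[
 {"app": "Salesforce", "owner": "IT", "principal": "alice@example.com",
  "kind": "user", "scopes": ["read", "write"], "needed": ["read", "write"]},
 {"app": "Slack", "owner": "IT", "principal": "backup-bot", "kind": "api",
  "scopes": ["chat:write", "files:read", "users:read", "admin"],
  "needed": ["files:read"]},
 {"app": "AdPlanner", "owner": "Marketing", "principal": "bob@example.com",
  "kind": "user", "scopes": ["read"], "needed": ["read"]},
 {"app": "SurveyTool", "owner": null, "principal": "survey-sync", "kind": "api",
  "scopes": ["export_all", "read"], "needed": ["read"]}
]""")

# Assumption: these owner values mean the app is actively managed by IT/security.
IT_LED_OWNERS = {"IT", "Security"}


def classify_app(owner):
    """Sort an application into the three buckets the post describes."""
    if owner is None:
        return "orphaned"          # no clear owner: nobody is reviewing it
    if owner in IT_LED_OWNERS:
        return "IT-led"
    return "Business-led"


def review(rows):
    """Return (app -> category) and a list of least-privilege findings.

    A finding is any principal, user or API integration alike, whose held
    scopes exceed the scopes it needs. Orphaned apps are listed first because
    no owner will otherwise act on them.
    """
    categories = {}
    findings = []
    for r in rows:
        categories[r["app"]] = classify_app(r["owner"])
        excess = sorted(set(r["scopes"]) - set(r["needed"]))
        if excess:
            findings.append({"app": r["app"], "principal": r["principal"],
                             "kind": r["kind"], "excess": excess,
                             "category": categories[r["app"]]})
    findings.sort(key=lambda f: (f["category"] != "orphaned", f["app"]))
    return categories, findings


if __name__ == "__main__":
    cats, finds = review(SAMPLE_ENTITLEMENTS)
    print(json.dumps({"categories": cats, "findings": finds}, indent=1))
```

In the constructed data both over-privileged principals are API integrations, which is the point of the post: a review that only looks at human users would report nothing.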
Additionally, if your organization must show compliance with industry or government regulations like HIPAA, PCI and so on, you will need to assess the requirements of each of those and identify any control gaps that exist. And remember: simply auditing user accounts and access is insufficient. You must also take account of application integrations that access SaaS applications through APIs (application programming interfaces). Your assessment should extend to applications as well as users – even if regulations don’t yet require that.
Understanding the boundaries and gray areas around SaaS applications is critical, especially when considering regulatory and compliance mandates. Your SaaS applications may operate from infrastructure that is owned and managed by a third party provider. But your organization is responsible for much of the security and identity and access management (IAM) on that application. That includes authentication and authorization mechanisms like usernames and passwords, single sign-on (SSO), multi-factor authentication (MFA), access keys, certificates, and so on. Furthermore, your organization is responsible for user provisioning, user deprovisioning and password management on that platform, all within the constraints imposed by the platform.
Stepping back from the specific cloud applications and users in your environment, don’t forget that your responsibility extends to everything in your organization that connects with those cloud applications as well. The endpoint devices your users connect with, on premises applications and infrastructure and traffic to- and from your physical environment and the cloud are all part of the milieu. The monitoring and alerting your IT security team relies on to identify emerging security threats and incidents must stretch to cover both your legacy infrastructure and the applications and data you are running on AWS, Google Cloud, Azure, or other public- or private clouds.
While cloud-based computing and applications have made it easier and cheaper than ever to deploy new applications within your organization, they have not simplified security. Ultimately, organizations need a way to leverage the convenience of vertical cloud-based applications or application stacks while still managing security and compliance across multiple platforms in a holistic manner.
Zilla Security helps organizations do just that. With Zilla’s technology, your team can quickly assemble a holistic view of cloud entitlements that includes both users and application (API) integrations. Zilla provides a single pane of glass for tracking access for third-party and homegrown SaaS applications, and multiple cloud platforms including AWS, Azure and Google Cloud. To learn more: