In the last decade, software-as-as-service platforms have transformed businesses worldwide. The SaaS model has streamlined operations, increased efficiency, and empowered small startups all the way up to Fortune 500 enterprises.
However, there have been pitfalls. Notably, as SaaS apps have proliferated throughout the industry, so, too, has the amount of data generated by these apps — creating a new threat to data security.
Problems Like ‘0mega’
A recent report by the Cloud Security Alliance indicated a pressing need for robust security frameworks as organizations navigate the SaaS landscape. Despite inherent security features of SaaS applications, configuration and governance lapses pose substantial risks. This could open the floodgates to cyber threats, including data breaches and ransomware attacks.
Davit Asatryan
To grasp the severity of the SaaS data security problem, consider the recent “0mega” ransomware attack. It leveraged a compromised account to create an active directory user, which then granted permissions — such as Global Admin, SharePoint Admin, and Exchange Admin — to wreak havoc within the company’s environment.
Whether it’s data breaches affecting healthcare records, ransomware attacks targeting financial transactions, or simply a bad actor seeking to cause reputational damage, the stakes have never been higher. The exposure is not just limited to potential loss of business or reputation damage; it also poses compliance risks, subjecting businesses to legal consequences under regulations like GDPR and CCPA.
The New Frontier of Risks
As companies grapple with SaaS application risks, another threat connected to data in mission-critical SaaS applications such as Google Workspace and Microsoft 365 is quietly gaining momentum: browser extension risk.
Spin.AI analysis showed that there are more than 300,000 third-party browser extensions and OAuth apps that interact with SaaS platforms. While extensions may offer user-friendly features, their risk to data security is alarmingly high.
Consider an extension that was advertised on Facebook as a search enhancement tool. It instead acted as a Trojan horse and hijacked Facebook accounts undetected. The extension was quickly removed from the storefront, but not before stealing login credentials of at least 6,000 corporate accounts and 7,000 VPN accounts.
Browser extensions typically require various permissions within an application or cloud environment to function properly. These permissions range from seemingly benign features like, “Read and change your data on websites you visit,” to far more intrusive ones like, “Capture content of your screen.”
This makes evaluating each extension for potential security risks cumbersome and complicated. These numerous permissions can also be layered together to create a security nightmare. For instance, an extension with “identity” permissions could leverage “webrequest” permissions to transmit personal information to third-party servers. This scenario is akin to leaving your front door open with a sign inviting strangers to come in.
Take Control
As the array of available extensions proliferates — many of which originate from unverified or unknown sources — organizations should consider a multilayered approach to protecting their valuable SaaS data.
It’s nearly impossible to secure your environment if you don’t know what’s in it. A solid first step to protecting your organization should include maintaining an up-to-date inventory of all installed extensions and SaaS applications. This will provide a comprehensive view of the potential points of vulnerability and allow you to spot potential weaknesses.
Second, conduct regular risk assessments to evaluate the level of threat each extension and application poses. These assessments should include established third-party risk management frameworks adapted to the specific needs and nature of your business. You should define what level of risk is acceptable and establish protocols for extensions that exceed this level.
ISACA’s analysis further reinforced the importance of robust access management and the proactive mitigation of risks associated with insecure APIs and shadow IT. It advocates for integrating SaaS platforms with enterprise identity solutions and enforcing multifactor authentication to fortify defenses against unauthorized access.
You can do this through automated controls configured to allow or block extensions and applications based on your organization’s established policies. Automating this process can ensure more consistent policy enforcement, thereby further reducing the likelihood of human error leading to a security breach.
Multilayered Approach
Remember, the cybersecurity landscape is always evolving. So, your strategy should as well.
A dynamic, multilayered strategy should include periodic reviews of security policies, risk assessments, and even the technologies used for automated controls. These will allow you to adapt to new kinds of threats as they emerge.
SaaS applications and browser extensions offer many benefits and conveniences, but they can also be a backdoor to your sensitive SaaS data. Taking a multilayered approach to SaaS security will help you better position your organization for success and allow you to take advantage of all that SaaS platforms and browser extensions have to offer.
Davit Asatryan is vice president of product for Spin.AI, focusing on the all-in-one SaaS Security platform, SpinOne. Davit specializes in SaaS data protection, helping organizations battle shadow IT, ransomware, and data leak issues.
Image: iStock
