EBOOK
Secure Your Company from the SaaS Tsunami
Introduction

SaaS has fundamentally changed security requirements.

We used to just go into work, and everything—corporate applications, sensitive
customer data, employee health records, etc.—was within the “safe” four walls
of the corporate network behind a firewall.
Now employees work remotely and use mobile devices, including unmanaged,
personal devices. They access SaaS apps that live in the cloud without any sort
of firewall that IT can use to monitor and manage access. Prominent examples
include Salesforce.com, Google Apps, Office 365, Box, and many others.
As employees use these SaaS apps, they are creating proprietary company data,
often confidential in nature, that exists outside the control of IT, creating new
challenges for security teams.
In this new world, IT needs to track sensitive corporate data in third-party SaaS
apps, and ensure that only the right people have the right level of access to it.
In this whitepaper, we’ll explain ten steps for doing that.
[Figure: “Before” and “Now” views of where corporate applications and data live]
What Is the SaaS Tsunami?
Just like its real-world namesake, the SaaS Tsunami started small, and has steadily
increased in size to the point of wreaking havoc.
At many companies, SaaS usage started small. Perhaps an inconsequential social
media posting app, and then, the sales team shifted to Salesforce.com. SaaS
usage has steadily grown, due to low barriers to adoption and an increasingly
broad range of vendors.
How many SaaS applications does an average organization use?
To demonstrate, ask yourself, how many SaaS applications is my company using?
Without looking it up, would you guess 25? 50? According to a Cisco study,
IT departments estimate their companies use on average 51 cloud services.
The reality in the study, however, was a staggering 730. That means IT only knew
about 7% of the cloud services in use. Gartner analysts Neil MacDonald and Craig
Lawson confirm in their research that a typical company uses 600 to 1000 SaaS
apps. Many IT departments find it hard to believe their employees are using so
many SaaS apps beyond the “birthright” apps of email, documents, file sharing,
HR, and CRM.
[Figure, source Cisco: 730 average actual SaaS apps used, versus 51 estimated SaaS apps used]
Several factors drive the long tail of SaaS app usage:
1. Different groups will use their own apps for the same functional purpose.
For instance, an engineering team might use Jira for project tracking, while
the product and marketing teams use Aha and Asana.
2. Companies might evaluate multiple, competitive apps over a period of time
to determine which works best.
3. Switching costs for SaaS apps are very low, making it easy to move from,
say, one chat app to another—and sometimes the old apps are kept around
to provide access to the information archived within them.
4. As every business becomes a software business, every supplier to your
company will have an app to speed up interaction and customer orders:
the company that manages your office space, the company that supplies
your coffee, and so on.
5. Companies might have apps for taxes, utilities, permits and other logistics for
every city, county, state, and national government for each jurisdiction it sells
or employs in.
6. Finally, there’s a mind-boggling array of niches filled by SaaS apps. Student
behavior tracking, childcare scheduling, and a range of other categories that
don’t come to mind immediately.
This is the SaaS Tsunami—a large (and continuously growing) number of SaaS
apps that collectively yield myriad data access issues.
[Figure caption] The SaaS Tsunami consists of apps that use OAuth to authenticate and apps that use
other authentication methods. As the chart shows, the number of SaaS apps is exploding.
Why This Matters
Many companies use SaaS apps as powerful tools to accomplish work more
efficiently and to give their employees greater flexibility and means for
collaboration, among other benefits. This is all true; so SaaS usage itself is not
the issue.
The real issue is that many IT departments do not know the scope of SaaS usage
in their companies, and thus, cannot secure those SaaS apps. As a result, the risk
of data breaches, compliance violations, and other security issues is higher than
IT knows—and is growing daily.
[Figure: How big is the SaaS Tsunami? Number of SaaS apps based on OAuth usage. Source: CloudLock CyberLab, 2016]
Risks of the SaaS Tsunami
Some apps have excessive permission scopes.
Users are self-enabling a high volume of apps, and often with corporate
credentials through OAuth. It’s much simpler (for them) to click “Sign-in with
Google,” (or Facebook, LinkedIn, etc.) rather than provide an email and additional
password to remember. This means users have connected third-party apps
to core, sanctioned corporate applications that potentially include sensitive
corporate data, such as Google Drive.
Some of these apps are fairly innocent and request little information, but others
request an excessive amount of access. In fact, the CloudLock CyberLab found
27% of 157,000 third-party apps to be high risk based on their excessive OAuth
permission scope. For example, a third-party app could request the ability to
view, modify, and delete all the files within a user’s Google Drive. Because users
are all too quick to keep clicking next and accept without noticing permission
requests, they are likely to introduce vulnerabilities to corporate data.
Source: CloudLock CyberLab, 2016
Shadow IT makes compromised access tough to detect.
If IT only knows about 7% of the apps in use and a company uses 600+ apps,
that means there are hundreds of SaaS apps in the shadows. Naturally this
poses a huge security challenge for companies. Each of those apps contains
unmanaged corporate data that IT has no control over and can violate industry
regulations. There could be a high risk application in use at your company and
you wouldn’t even know it.
Data gets left behind in zombie accounts.
In one survey, over 10% of respondents could still access a previous employer’s
system, and in some cases, two or more systems, using their old credentials.
Not only are these dormant accounts a waste of money, but also an unnecessary
security risk.
Spear phishing attacks expose data.
In a spear phishing attack, a malicious party can take advantage of their
victim by, for example, gaining access to a sanctioned corporate app through
an OAuth enabled app. Employees may click through an authorization flow
and unknowingly give access to the malicious party acting like a legitimate
application.
To illustrate, here’s an example. After some social engineering, a malicious party
finds a VP of marketing will be attending an upcoming conference and sends
an email using a real conference employee’s name and title that they found on
LinkedIn. The email looks legitimate: it’s asking for a timely approval on a vendor
compliance agreement, using an electronic signature company we’ll call WebSign,
based in San Francisco. The WebSign OAuth access scope looks normal too.
However, the application is requesting excessive permissions, such as the ability
to view, modify, delete, and share Google Drive files. Upon further look, the
link provided is not websign.com either. It’s websign.co—a link registered to a
company outside the United States, presumably with no connection to WebSign.
This is just one example of how the proliferation of SaaS apps can lead
to compromised credentials and data loss.
Learn the 10 ways you can prepare your organization for the SaaS Tsunami in the next section.
Spear Phishing: A Realistic Example

1. A malicious party finds a VP of Marketing that will be attending an upcoming conference and sends a legitimate-looking email with a request for a signature from what looks like websign.com. However, a closer look reveals the URL is websign.co.

2. The VP clicks through the OAuth access scope, unknowingly giving excessive permissions to the malicious app. The consent screen in the figure lists the following permissions:
   List and search all of your documents and files in Google Drive
   Download any of your documents and files in Google Drive
   Create, move, copy, edit, or delete any of your documents and files in Google Drive
   Share or unshare any of your documents and files in Google Drive
   By clicking Accept, you allow this app and Google to use your information in accordance with their respective terms of service and privacy policies. You can change this and other Account Permissions at any time. [Accept] [Cancel]

3. When examining the WHOIS record for websign.co, you can see the domain is registered to a company in Australia that has no connection to WebSign. The figure shows the output of ~$ whois websign.co:
   Domain Name: WEBSIGN.CO
   Domain ID: D45613856-CO
   Sponsoring Registrar: CENTRAL COMERCIALIZADORA DE INTERNET S.A.S
   Sponsoring Registrar IANA ID: 88888
   Registrar URL (registration services): http://mi.com.co/
   Domain Status: clientTransferProhibited
   Registrant ID: PP-SP-001
   Registrant Name: Domain Admin
   Registrant Organization: PrivacyProtect.org
   Registrant Address1: ID#10760, PO Box 16
   Registrant Address2: Note - All Postal Mails Rejected, visit Privacyprotect.org
   Registrant City: Nobby Beach
   Registrant Postal Code: QLD 4218
   Registrant Country: Australia
   Registrant Country Code: AU
   Registrant Phone Number: +45.36946676
   Registrant Email: [email protected]
10 Steps to Securing Your Company from the SaaS Tsunami
The SaaS Tsunami and Shadow IT are not going anywhere soon. Organizations
and IT departments have little choice but to embrace it. To attract and retain
tomorrow’s workforce, organizations must adopt innovative technologies which
support a mobile workforce. So how can IT help their organizations empower
users while protecting corporate data?
Here are ten strategies.
1. Prioritize Efforts Based on Potential Impact
As you apply the following strategies, an overarching principle and Gartner
recommendation is to prioritize your control efforts based on potential impact.
That is, as data sensitivity and access (e.g. one person versus the entire company)
increases, so should the concentration of your efforts and attention.
[Figure, source Gartner: control efforts based on amount of data and data sensitivity]
2. Partner with Finance
Find SaaS apps in credit card statements.
Check your corporate credit card statements and expense filings to find SaaS
application subscriptions, suggests Gartner analyst Jay Heiser, since everyone
who uses a SaaS app for work expenses it.
Add a “SaaS Subscription” expense category.
One way to better track these expenses is to add a “SaaS Subscription” expense
category. Then, ask finance to notify IT when an expense is submitted under that
category.
This strategy can help you do the following:
• Discover unsanctioned apps
• Investigate the apps’ risks
• Find and shut down zombie accounts
• Consolidate multiple subscriptions and save money
3. Build a Collaborative Security Culture
The importance of educating employees about best security practices, how
to avoid phishing attacks, and so forth, cannot be overstated. In general,
employees want to do the right thing, so when they break security policies, they
often do so because they either forgot or didn’t know the policy. Partner with HR
to try to make the careless “forgot”s and “didn’t know”s happen less.
Make sure onboarding includes a clear cybersecurity policy.
If your company doesn’t have a clearly stated cybersecurity policy, sometimes
called an acceptable use policy, you can’t blame your employees for not following
it. Of the employees OneLogin and Arlington Research surveyed in a May 2016
study, almost half stated they didn’t know whether their company had a policy
in place surrounding password sharing. That’s a real problem. Eliminating
employees’ bad security habits starts with having a policy that clearly delineates
company cybersecurity rules.
Train employees about cybersecurity—onboarding and beyond.
Cybersecurity training must become part of the employee onboarding process,
but it can’t stop there. Consider setting aside five minutes at the monthly
company meeting for a discussion of security best practices. Have a chat system
at your company, such as Slack, so employees can confirm that any urgent emails
asking for sensitive data and purportedly from senior leaders are legitimate.
Then run a phishing assessment of your employees to see who responds to a
fake phishing email, and who uses chat to confirm that it’s fake. By encouraging
employee cybersecurity literacy, you’ll improve company security.
4. Enforce Strong Authentication
Require that users access apps via strong passwords, changed regularly (say,
monthly or quarterly), and use multi-factor authentication (MFA) when coming
from an atypical location.
Define your password policies.
When you define your password policies, include requirements for the following:
• Password complexity—ensure passwords are not easily guessed
• Password rotation—if a password is guessed, replace it with another
• Password uniqueness—if a password is guessed, do not reuse for a while
• Session timeout—require users to regularly re-enter their passwords
• Password reset—force users to choose a new password in case of
a suspected account compromise
An easy way to enforce password and MFA policies is through Identity-as-a-
Service (IDaaS). So, when you look for an IDaaS vendor, be sure to ask which of
the above they are able to enforce.
WHAT IS IDAAS?
IDaaS is also known as cloud identity and access management (IAM). IDaaS
capabilities include single sign-on (SSO), explained below, as well as SaaS
application access provisioning when an employee joins a company, and
deprovisioning when they leave. IDaaS enables IT to give the right users
access to the right applications with the right permissions.
Additionally, using Security Assertion Markup Language (SAML) increases access
security since username and password credentials never have to be created. At
OneLogin, we have many pre-integrated applications that are SAML-enabled.
5. Bring SaaS Apps Out of the Shadows With SSO
How do you encourage employees to register their unsanctioned SaaS apps with
IT so IT can enforce strong authentication for those apps? Single sign-on (SSO) is a
key tactic. SSO lets employees log in just once to an IDaaS web page, and from
there, click on any app they want to access—no additional password required.
This is a tremendous time-saver for employees. Since employees typically use
unsanctioned SaaS apps to be more productive, IT should think like marketers,
and use the productivity of SSO as a carrot to get employees to tell IT about
these apps.
Ask new hires about SaaS apps they use during onboarding.
Many times as people move to different companies, SaaS apps move with
them. Something we do at OneLogin is ask which SaaS apps a new hire needs
during onboarding. This way IT can include it into OneLogin Application
Portal for the employee’s benefit of single sign-on (SSO) and for IT’s benefit
of reviewing the risk and properly securing the app.
“I can’t recall one tool that we’ve deployed recently or chosen recently that wasn’t SAML. That is a big critical factor for us when we determine what tools and applications we use.”
–MUSTAFA EDABI, Vice President, Information Technology Services, SOTI Inc.
SSO WITH ONELOGIN
Dynamic App-Catalog
The OneLogin App Catalog has connectors to over 4,000 apps, and uses heuristic
form recognition to provide SSO to over 90% of web apps, even those not in our
catalog. In the unlikely event that your app isn’t covered by the existing catalog or
heuristic form recognition technology, OneLogin makes it possible for someone
with a basic understanding of HTML and regular expressions to build custom
connectors in minutes.
OneLogin Desktop
OneLogin Desktop adds to the convenience of SSO by creating a secure profile
on your computer, with a unique certificate, to eliminate an extra login. Since
the OneLogin Cloud Directory recognizes your computer as a trusted device,
it becomes a second factor. Once set up, all a user has to do is log in to their
computer, and they are already logged into OneLogin Application Portal for
frictionless access to their applications.
Relieve password reset support burden with SSO.
SSO also reduces the IT support load because, with just one password to
remember, employees will not need as many password resets. When looking
at IDaaS providers, see if they give your users the power to do self-service
password resets.
“We have people now who have brought in an application unannounced to IT, and once it reaches a critical mass, they are actually coming out of a shadow IT and saying, ‘Hey, we would love to have this in OneLogin. We would love to have you manage this for us. It’s very critical to what we do, we find it very useful.’ In the past, there would have been no reason for those folks to talk to IT and the applications wouldn’t be exposed to us.”
–TONY GOSSELIN, IT Director, TubeMogul
6. Track App Usage by Former Employees
As important as deprovisioning users is to data security, often it is not done
fully. Tracking app usage by former employees will help you find active accounts
that should have been disabled. For example, perhaps a former employee is
downloading customer lists from their CRM account. You’ll want to disable the
account immediately. How do you prevent this from happening in the first place?
Use offboarding checklists.
Having an offboarding checklist will help IT ensure users are reliably offboarded
from all apps, and not just those with APIs.
Some IDaaS vendors automatically generate an offboarding checklist, making
deprovisioning easier and less error-prone. This checklist includes two types of
tasks: automated ones, where the IDaaS deprovisioned the user from an app
using an API, and manual ones, where the app does not have a user management
API and IT has to manually deprovision the user.
Use a SIEM integration.
Even with reliable offboarding, you still need a way to catch ex-employees
continuing to use company apps. A SIEM can track application access events.
Some IDaaS and CASB providers integrate with leading SIEMs. For example,
OneLogin streams events in JSON format to Splunk, ELK, Sumo Logic and others.
Streaming events is faster than polling, which will help you respond faster during
security breaches.
WHAT IS A SIEM?
SIEM, or security information event management, software ingests all data from
various sources (logs, servers, databases, applications, network devices, etc.),
centralizes and aggregates all security-relevant events, as well as adds context
and threat intelligence to security events.
Find and disable zombie accounts.
Find the zombie accounts in your SaaS applications, the ones that no one
has logged into for a while. They represent an open door that can be used
for access by ex-employees, or, for that matter, hackers. Again, start with the
most commonly used applications that have the most sensitive data in them.
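The three checks in this step (accounts still used after an employee left, an offboarding checklist split into API-driven and manual removals, and dormant “zombie” accounts) can be run over an event stream like the one a SIEM integration delivers. The following is an added example, not OneLogin’s code or event format: the JSON event lines, the HR departure dates, the account list, the 90-day dormancy threshold and the set of apps that have a user-management API are all constructed for the demonstration.

```python
"""Find accounts still used after an employee departed, accounts nobody has
logged into for a long time (zombie accounts), and split an offboarding
checklist into automated and manual steps.

Added example, not OneLogin's code or event format. The JSON event lines,
HR departure dates, account list and the set of apps with a user-management
API are all constructed."""
import json
from datetime import datetime, timedelta

DORMANT_AFTER = timedelta(days=90)   # assumed threshold for a zombie account
NOW = datetime(2016, 7, 1)           # fixed "today" so the example is reproducible

# Constructed: what an HRIS export of departures could look like.
DEPARTED = {"alice@example.com": datetime(2016, 5, 31)}

# Constructed: apps where deprovisioning can be automated through an API.
APPS_WITH_API = {"crm", "drive"}

# Constructed: (user, app) accounts that currently exist.
ACCOUNTS = [
    ("alice@example.com", "crm"),
    ("alice@example.com", "wiki"),
    ("bob@example.com", "crm"),
    ("carol@example.com", "drive"),
]

# Constructed: newline-delimited JSON access events, the shape an IDaaS might
# stream to a SIEM (field names are assumptions, not any vendor's schema).
EVENT_STREAM = """
{"user": "alice@example.com", "app": "crm", "ts": "2016-06-14T09:12:00", "action": "download customer_list.csv"}
{"user": "bob@example.com", "app": "crm", "ts": "2016-06-20T08:01:00", "action": "login"}
{"user": "carol@example.com", "app": "drive", "ts": "2016-02-01T17:45:00", "action": "login"}
"""


def parse_events(stream):
    """Turn JSON lines into (user, app, timestamp, action) tuples."""
    events = []
    for line in stream.strip().splitlines():
        e = json.loads(line)
        events.append((e["user"], e["app"], datetime.fromisoformat(e["ts"]), e["action"]))
    return events


def post_departure_activity(events, departed):
    """Events by a departed user after their departure date: accounts that
    should have been disabled and must be disabled now."""
    return [(u, app, ts, action) for u, app, ts, action in events
            if u in departed and ts > departed[u]]


def zombie_accounts(accounts, events, now=NOW):
    """Accounts with no activity in the last DORMANT_AFTER period, including
    accounts that never produced any event at all."""
    last_seen = {}
    for u, app, ts, _ in events:
        last_seen[(u, app)] = max(last_seen.get((u, app), ts), ts)
    return [(u, app) for u, app in accounts
            if (u, app) not in last_seen or now - last_seen[(u, app)] > DORMANT_AFTER]


def offboarding_checklist(user, accounts, apps_with_api=APPS_WITH_API):
    """Split the user's apps into API-driven (automated) and manual removals."""
    apps = sorted(app for u, app in accounts if u == user)
    return {"automated": [a for a in apps if a in apps_with_api],
            "manual": [a for a in apps if a not in apps_with_api]}


if __name__ == "__main__":
    events = parse_events(EVENT_STREAM)
    print("active after departure:", post_departure_activity(events, DEPARTED))
    print("zombie accounts:", zombie_accounts(ACCOUNTS, events))
    print("offboarding alice:", offboarding_checklist("alice@example.com", ACCOUNTS))
```

Accounts that never appear in the event stream are counted as dormant on purpose: an account with no login history at all is exactly the open door the text describes, and a query that only looks at “last login older than N days” would miss it.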
7. Implement HR-Driven Identity
Since your human resource information system (HRIS) has the most accurate and
up-to-date information about employee status, it makes a lot of sense for identity
management to begin and end with your HRIS.
Define a deprovisioning plan for various types of user roles.
Consider the various types of user roles in your company and the apps they use:
What types of apps do you need to deprovision for a salesperson? How about
for an engineer and so forth? Socialize it with your HR team, with the rest of
your IT team, and see what opportunities there are to streamline the process.
When looking for an IDaaS, be sure to ask which HRIS they connect
to and to what extent. Some IDaaS vendors, including OneLogin, offer
thorough integration to synchronize user information from HR across all
systems. OneLogin is able to pull employee identities from an HRIS, and pass
them through its mappings engine to ensure that each type of an employee can
access the right apps in the OneLogin application portal. For example, a new
employee in the engineering department can automatically get access to JIRA.
These assignments can be based on any employee attribute in the HRIS, including
title, department, location, and employee ID. And, when HR marks an employee as
“departed” in the HRIS, OneLogin automatically removes that employee’s access
to the OneLogin application portal. This eliminates manual, error-prone steps.
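The mechanics of HR-driven identity described in this step (attribute-based mapping rules, automatic access for a new engineering hire, automatic removal when HR marks someone departed) come down to computing desired access from HRIS attributes and reconciling it with what the apps currently grant. Below is an added example of that reconciliation, not OneLogin’s mappings engine; the rules, the HRIS records and the snapshot of current assignments are constructed.

```python
"""HR-driven identity: derive each employee's app entitlements from HRIS
attributes through mapping rules, then reconcile against what the apps
currently grant, producing the grants and revocations to apply.

Added example, not OneLogin's mappings engine. The rules, HRIS records and
current assignments are constructed."""

# Each rule: (attribute conditions that must all match, apps granted).
# Constructed rules: birthright apps for every active employee, plus
# department-specific apps.
MAPPINGS = [
    ({"status": "active"}, {"email", "drive"}),
    ({"status": "active", "department": "engineering"}, {"jira"}),
    ({"status": "active", "department": "sales"}, {"crm"}),
]

# Constructed HRIS export keyed by employee email.
HRIS = {
    "dave@example.com": {"status": "active", "department": "engineering", "title": "Engineer"},
    "erin@example.com": {"status": "active", "department": "sales", "title": "Account Executive"},
    "frank@example.com": {"status": "departed", "department": "sales", "title": "Account Executive"},
    "gina@example.com": {"status": "active", "department": "marketing", "title": "Manager"},
}

# Constructed snapshot of what the apps currently grant.
CURRENT = {
    "dave@example.com": {"email"},                          # new hire, partly provisioned
    "erin@example.com": {"email", "drive", "crm", "jira"},  # moved from engineering to sales
    "frank@example.com": {"email", "crm"},                  # departed but still provisioned
    "gina@example.com": {"email", "drive"},                 # correct already
    "ghost@example.com": {"drive"},                         # no HRIS record at all
}


def desired_apps(employee, mappings=MAPPINGS):
    """Union of apps from every rule whose conditions all match the record."""
    apps = set()
    for conditions, granted in mappings:
        if all(employee.get(k) == v for k, v in conditions.items()):
            apps |= granted
    return apps


def reconcile(hris, current, mappings=MAPPINGS):
    """Return {user: {'grant': set, 'revoke': set}} for every user whose
    access differs from what the HRIS says it should be. A user missing
    from the HRIS is treated as departed, because identity begins and ends
    with the HRIS: everything they hold is revoked."""
    changes = {}
    for user in sorted(set(hris) | set(current)):
        want = desired_apps(hris.get(user, {"status": "departed"}), mappings)
        have = current.get(user, set())
        grant, revoke = want - have, have - want
        if grant or revoke:
            changes[user] = {"grant": grant, "revoke": revoke}
    return changes


if __name__ == "__main__":
    for user, change in reconcile(HRIS, CURRENT).items():
        print(user, "grant:", sorted(change["grant"]), "revoke:", sorted(change["revoke"]))
```

The mover case (erin, who changed departments) is the one a joiner/leaver-only process misses: her old department’s app is revoked because the rules are evaluated against her current attributes, not against the history of what was once granted.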
8. Implement App Control
Think of app control as the enforcement behind good policy for preventing
security incidents. After you have a policy in place, it’s best practice to have
tools and systems in place to enforce the policy in an automated way.
For instance, a CASB can help IT enforce your app control protocol by alerting
the admin that a user is using a banned app, through email, the CASB platform,
SIEM, or a response within IDaaS (e.g. terminated session or required MFA).
WHAT IS A CASB?
A CASB (Cloud Access Security Broker) can be on-premise or cloud-based and
acts as a security policy enforcement point between cloud service consumers
(e.g. browsers, mobile apps) and cloud service providers to reveal which
SaaS apps are being used. A good CASB provides visibility, compliance, data
security, and threat protection.
Here are a few thoughts to consider for determining banned apps.
Inventory and determine acceptable OAuth permissions.
For an attacker, OAuth apps represent potential inroads to your organization.
As mentioned earlier, some are not risky and have limited access scopes, whereas
some are risky due to excessive access scopes. Considering 27% of the 157,000
third-party apps are high risk, IT should create a protocol around which apps
should be allowed, reviewed or automatically revoked, as well as who should
grant access.
For the sake of prioritization, start determining acceptable OAuth permissions
with your top 25 most-used apps. The following variables will help shape this
protocol:
• Are you in a highly-regulated industry?
• Do your users store sensitive data in the cloud?
• Are the cloud apps in scope for audits and security concerns?
Define criteria for determining a banned app.
Similarly, write down and make sure your department knows the criteria for
determining a banned app. Questions you may want to consider include the
following:
• Which users will need access?
• How business critical is this app?
• Is there a viable or safer alternative?
• Do we already have a standardized alternative in other departments that
we want to synchronize across the organization?
Cross-check OAuth apps for admin accounts.
Also, keep track of your admins: privileged users have bigger targets on their
backs, and if their accounts are compromised, the potential impact is much
higher. Make sure a super admin account never connects third-party apps to
corporate systems via OAuth, due to the possible enterprise-wide implications.
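The review protocol this step asks for, together with the earlier points about excessive OAuth scopes and the websign.co look-alike in the spear phishing example, can be applied to an inventory of connected apps. The following is an added example, not OneLogin’s or CloudLock’s code: the scope URIs are real Google API scopes, but the risk tiers, the sanctioned vendor list, the super-admin list and the grants are constructed assumptions. It flags three things: a grant whose highest scope is high risk, a grant made by a super-admin account, and a publisher domain that imitates a sanctioned vendor.

```python
"""Review third-party OAuth grants for the risks the ebook describes:
excessive scopes, super-admin accounts connecting apps, and look-alike
publisher domains such as websign.co posing as websign.com.

Added example, not OneLogin's or CloudLock's code. The scope URIs are real
Google API scopes; the risk tiers, vendor list, admin list and grants are
constructed assumptions for the demonstration."""
from collections import Counter
from dataclasses import dataclass

# Scope URI -> risk tier (assumed tiers). Full Drive access is "high" because it
# lets an app view, modify, delete and share every file; read-only is "medium";
# per-file access and basic profile scopes are "low".
SCOPE_RISK = {
    "https://www.googleapis.com/auth/drive": "high",
    "https://www.googleapis.com/auth/gmail.readonly": "high",
    "https://www.googleapis.com/auth/drive.readonly": "medium",
    "https://www.googleapis.com/auth/drive.file": "low",
    "https://www.googleapis.com/auth/userinfo.email": "low",
    "https://www.googleapis.com/auth/userinfo.profile": "low",
}
RISK_ORDER = {"low": 0, "medium": 1, "high": 2}

KNOWN_VENDORS = {"websign.com"}          # sanctioned vendor domains (constructed)
SUPER_ADMINS = {"admin@example.com"}     # hypothetical super-admin accounts


@dataclass(frozen=True)
class Grant:
    app_name: str
    publisher_domain: str
    user: str
    scopes: tuple


def scope_risk(scopes):
    """Highest tier among the requested scopes. A scope that is not in the
    inventory is treated as high: an unreviewed scope is not assumed harmless."""
    if not scopes:
        return "low"
    return max((SCOPE_RISK.get(s, "high") for s in scopes), key=RISK_ORDER.__getitem__)


def lookalike_domain(domain):
    """Return the sanctioned vendor domain that `domain` imitates, or None.
    Flags the same second-level label under another TLD (websign.co for
    websign.com) and labels that differ by exactly one character."""
    domain = domain.lower()
    if domain in KNOWN_VENDORS:
        return None
    label = domain.split(".")[-2]
    for known in KNOWN_VENDORS:
        known_label = known.split(".")[-2]
        if label == known_label:
            return known
        if len(label) == len(known_label) and sum(a != b for a, b in zip(label, known_label)) == 1:
            return known
    return None


def review_grant(grant):
    """Findings for one grant; an empty list means nothing to flag."""
    findings = []
    if scope_risk(grant.scopes) == "high":
        findings.append("excessive scope: app can read, modify, delete or share all of the user's data")
    if grant.user in SUPER_ADMINS:
        findings.append("super-admin account connected a third-party app via OAuth")
    imitated = lookalike_domain(grant.publisher_domain)
    if imitated:
        findings.append(f"publisher domain {grant.publisher_domain} resembles sanctioned vendor {imitated}")
    return findings


def review_all(grants):
    """Map 'app (user)' -> findings, for grants that have any."""
    result = {}
    for g in grants:
        findings = review_grant(g)
        if findings:
            result[f"{g.app_name} ({g.user})"] = findings
    return result


def risk_breakdown(grants):
    """Count grants per scope-risk tier, the 'x% of apps are high risk' view."""
    return Counter(scope_risk(g.scopes) for g in grants)


# Constructed grant inventory, as an admin console or CASB export might list it.
SAMPLE_GRANTS = [
    Grant("WebSign", "websign.co", "vp.marketing@example.com",
          ("https://www.googleapis.com/auth/drive", "https://www.googleapis.com/auth/userinfo.email")),
    Grant("Calendar Sync", "calsync.example", "bob@example.com",
          ("https://www.googleapis.com/auth/drive.file", "https://www.googleapis.com/auth/userinfo.email")),
    Grant("Drive Backup", "backup.example", "admin@example.com",
          ("https://www.googleapis.com/auth/drive.readonly",)),
    Grant("Mail Digest", "digest.example", "carol@example.com",
          ("https://www.googleapis.com/auth/gmail.readonly",)),
]

if __name__ == "__main__":
    for key, findings in review_all(SAMPLE_GRANTS).items():
        print(key)
        for f in findings:
            print("  -", f)
    print(dict(risk_breakdown(SAMPLE_GRANTS)))
```

Two design choices matter in practice: an unknown scope defaults to high rather than low, so an app asking for something nobody has reviewed surfaces for review instead of slipping through, and the admin check fires regardless of scope, because the text’s rule is that a super-admin account never connects third-party apps at all.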
9. Implement User Entity Behavior Analytics (UEBA)
User Entity Behavior Analytics (UEBA) automates the identification of
anomalous activity and the response to it. With UEBA, IT is able to detect
anomalous user activity, such as a user account simultaneously accessing an app
from locations that are thousands of miles apart. Since a person cannot be in
two places at once, IT must assume that this account has been compromised.
UEBA also lets IT see if there is an increased amount of activity during abnormal
hours, an increased number of downloads, or access from countries where you
don’t do business, all of which could indicate account compromise.
It’s important to develop a procedure to remediate when a user’s account
is compromised. A CASB and an IDaaS can work together to provide
comprehensive UEBA, because CASB provides the visibility into anomalous
activity and IDaaS, the remediation functionality. In the account compromise
scenarios above, a CASB could automatically request an IDaaS to require an
account to always use MFA, terminate a session, force a password reset, revoke an
account’s access to an app, or suspend an IDaaS account entirely.
Write down five simple rules for what constitutes anomalous behavior at your company.
Here are some example rules based on the following categories:
Category                                Example Rule
Atypical Time of Login                  Enforce MFA when a user logs in at 3AM
Atypical Location                       Whitelist USA (which blocks access from all other countries)
Atypical Device                         Enforce MFA when a user logs in with a mobile device
Atypical Access Patterns                Terminate sessions, deprovision access, and enforce password reset when a user logs in from more than 6 countries in a 2-hour period
Atypical Behavior Within the Platform   Terminate session, deprovision access, and enforce password reset when a large number of files is suddenly accessed or shared
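The five example rules, plus the “two places at once” check from the text, can be evaluated as a single pass over login and file-access events. Below is an added example of that evaluation, not a CASB’s or OneLogin’s detection logic. The thresholds marked as assumptions (a 00:00 to 05:59 window for “3AM”, 1,000 km/h as the impossible-travel speed, 100 files in 10 minutes as “a large number”), the coordinates and the events are constructed; the country limit and the 2-hour window come from the table.

```python
"""Evaluate the five anomaly rules from the table above, plus the 'two places
at once' (impossible travel) check from the text, over a stream of constructed
login and file-access events.

Added example, not a CASB's or OneLogin's detection logic. Thresholds marked
as assumptions, coordinates and events are constructed."""
import math
from collections import defaultdict, deque
from datetime import datetime, timedelta

ALLOWED_COUNTRIES = {"US"}              # "Whitelist USA"
NIGHT_HOURS = range(0, 6)               # assumption: "logs in at 3AM" read as 00:00-05:59 local
MAX_SPEED_KMH = 1000                    # assumption: faster than this is impossible travel
COUNTRY_WINDOW, COUNTRY_LIMIT = timedelta(hours=2), 6
FILE_WINDOW, FILE_LIMIT = timedelta(minutes=10), 100   # assumption: "large number of files"
HARD_RESPONSE = "terminate session, deprovision access, enforce password reset"


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi, dlmb = math.radians(lat2 - lat1), math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))


def evaluate(events):
    """events: dicts sorted by 'ts'. Returns (user, category, response) findings,
    each category reported once per user."""
    findings, seen = [], set()

    def report(user, category, response):
        if (user, category) not in seen:
            seen.add((user, category))
            findings.append((user, category, response))

    last_login = {}                      # user -> (ts, lat, lon)
    recent_logins = defaultdict(deque)   # user -> deque of (ts, country)
    recent_files = defaultdict(deque)    # user -> deque of ts

    for e in events:
        user, ts = e["user"], e["ts"]
        if e["type"] == "login":
            if ts.hour in NIGHT_HOURS:
                report(user, "atypical time of login", "enforce MFA")
            if e["country"] not in ALLOWED_COUNTRIES:
                report(user, "atypical location", "block access")
            if e["device"] == "mobile":
                report(user, "atypical device", "enforce MFA")
            if user in last_login:
                prev_ts, plat, plon = last_login[user]
                hours = (ts - prev_ts).total_seconds() / 3600
                km = haversine_km(plat, plon, e["lat"], e["lon"])
                if km > 0 and (hours == 0 or km / hours > MAX_SPEED_KMH):
                    report(user, "impossible travel", HARD_RESPONSE)
            last_login[user] = (ts, e["lat"], e["lon"])
            q = recent_logins[user]
            q.append((ts, e["country"]))
            while ts - q[0][0] > COUNTRY_WINDOW:
                q.popleft()
            if len({c for _, c in q}) > COUNTRY_LIMIT:
                report(user, "atypical access patterns", HARD_RESPONSE)
        elif e["type"] == "file_access":
            q = recent_files[user]
            q.append(ts)
            while ts - q[0] > FILE_WINDOW:
                q.popleft()
            if len(q) > FILE_LIMIT:
                report(user, "atypical behavior within the platform", HARD_RESPONSE)
    return findings


def login(user, ts, country, lat, lon, device="desktop"):
    return {"type": "login", "user": user, "ts": ts, "country": country,
            "lat": lat, "lon": lon, "device": device}


def sample_events():
    """Constructed event stream exercising every rule."""
    t0 = datetime(2016, 6, 1, 14, 0)
    events = [
        # alice: New York, then Los Angeles 30 minutes later (about 3,900 km)
        login("alice", t0, "US", 40.7128, -74.0060),
        login("alice", t0 + timedelta(minutes=30), "US", 34.0522, -118.2437),
        # bob: 3AM login from a phone
        login("bob", datetime(2016, 6, 2, 3, 0), "US", 37.7749, -122.4194, device="mobile"),
    ]
    # carol: seven countries within ninety minutes (constructed coordinates)
    hops = [("US", 38.9, -77.0), ("DE", 52.5, 13.4), ("FR", 48.9, 2.4), ("BR", -15.8, -47.9),
            ("IN", 28.6, 77.2), ("JP", 35.7, 139.7), ("CN", 39.9, 116.4)]
    for i, (country, lat, lon) in enumerate(hops):
        events.append(login("carol", datetime(2016, 6, 3, 9, 0) + timedelta(minutes=15 * i), country, lat, lon))
    # dave: 120 files touched in four minutes
    for i in range(120):
        events.append({"type": "file_access", "user": "dave",
                       "ts": datetime(2016, 6, 4, 10, 0) + timedelta(seconds=i * 2)})
    return sorted(events, key=lambda e: e["ts"])


if __name__ == "__main__":
    for f in evaluate(sample_events()):
        print(f)
```

The sliding-window deques are what make the “more than 6 countries in a 2-hour period” and “large number of files” rules cheap to evaluate on a stream: each event is compared only against the window, not against the user’s whole history, and the per-user deduplication keeps one incident from generating a finding per event.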
10. Implement Data Loss Prevention (DLP)
Data breaches are painful and costly. The 2016 Cost of Data Breach Study found
that the average total cost of a data breach grew to $4 million. The average cost
per breached record is $150, and roughly double in regulated industries
like healthcare. An additional cost of a data breach, although intangible, includes
the headlines in the press which can tarnish an organization’s reputation.
Data loss prevention (DLP) is a strategy for making sure users cannot expose
sensitive data by sharing it inappropriately, whether accidentally or maliciously.
IT can selectively encrypt data and leverage IDaaS and CASB for DLP.
With IDaaS, IT can ensure appropriate entitlements for applications with
sensitive data and restrict access via intelligent SAML configurations. For
example, OneLogin enables IT to map access through “groups” and “roles,”
so that a user receives only the right amount of access within an app.
With a CASB, IT can detect and remediate improperly shared sensitive
documents. IT will know the answers to important security and compliance
questions, such as
• Which users are using which cloud apps?
• What data is inside those apps?
• Who is sharing data publicly?
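The three questions in the list above are answered by combining a document inventory (which app, which owner, what sharing setting) with content classification. The following is an added example of such a scan, not a CASB product’s DLP engine: the patterns, the bulk-contact threshold, the sharing vocabulary and the documents are constructed, and the card number used is the standard test number 4111 1111 1111 1111. It flags documents that are both sensitive and shared beyond their owner, and uses a Luhn check so a sixteen-digit order number is not mistaken for a payment card.

```python
"""Answer the three CASB questions above over a constructed document inventory:
which apps and users, what sensitive data is inside, and who is sharing it
publicly. Flags documents whose content matches sensitive-data patterns and
whose sharing setting exposes them beyond their owner.

Added example, not a CASB product's DLP engine. Patterns, thresholds and
documents are constructed; the card number is the standard test number
4111 1111 1111 1111."""
import re
from collections import defaultdict

CARD_RE = re.compile(r"\b\d{4}[ -]?\d{4}[ -]?\d{4}[ -]?\d{4}\b")
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")
BULK_EMAIL_THRESHOLD = 3    # assumption: this many addresses looks like a customer list


def luhn_valid(number):
    """Luhn checksum, so a 16-digit order id is not mistaken for a card."""
    digits = [int(c) for c in number if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def classify(text):
    """Set of sensitive-data labels found in the text."""
    labels = set()
    if any(luhn_valid(m) for m in CARD_RE.findall(text)):
        labels.add("payment-card")
    if SSN_RE.search(text):
        labels.add("ssn")
    if len(EMAIL_RE.findall(text)) >= BULK_EMAIL_THRESHOLD:
        labels.add("customer-contacts")
    return labels


# Sharing settings, most exposed first (assumed vocabulary, not any vendor's).
EXPOSURE = {"anyone_with_link": "public", "domain": "organization-wide", "private": "owner only"}


def scan(docs):
    """Findings for documents that are both sensitive and shared beyond the owner."""
    findings = []
    for d in docs:
        labels = classify(d["content"])
        if not labels or d["sharing"] == "private":
            continue
        if d["sharing"] == "anyone_with_link":
            action = "remove public link and notify owner"
        else:
            action = "review sharing with owner"
        findings.append({"app": d["app"], "name": d["name"], "owner": d["owner"],
                         "exposure": EXPOSURE[d["sharing"]], "labels": sorted(labels),
                         "action": action})
    return findings


def public_sharers(docs):
    """Who is sharing data publicly, and how many documents each."""
    counts = defaultdict(int)
    for d in docs:
        if d["sharing"] == "anyone_with_link":
            counts[d["owner"]] += 1
    return dict(counts)


# Constructed inventory, as a CASB might collect it from Drive- or Box-style APIs.
DOCS = [
    {"app": "drive", "name": "customer_export.csv", "owner": "erin@example.com", "sharing": "anyone_with_link",
     "content": "name,email,card\nA,a@example.net,4111 1111 1111 1111\nB,b@example.net,\nC,c@example.net,\n"},
    {"app": "drive", "name": "lunch_menu.txt", "owner": "erin@example.com", "sharing": "anyone_with_link",
     "content": "Monday: tacos. Tuesday: soup."},
    {"app": "box", "name": "payroll.xlsx", "owner": "hr@example.com", "sharing": "domain",
     "content": "employee,ssn\nFrank,123-45-6789"},
    {"app": "drive", "name": "order_ids.txt", "owner": "bob@example.com", "sharing": "anyone_with_link",
     "content": "order 1234 5678 9012 3456 shipped"},
    {"app": "drive", "name": "notes.txt", "owner": "dave@example.com", "sharing": "private",
     "content": "my card 4111-1111-1111-1111"},
]

if __name__ == "__main__":
    for f in scan(DOCS):
        print(f)
    print(public_sharers(DOCS))
```

Note that a publicly shared lunch menu produces no finding and a privately held card number produces none either: the remediation list is the intersection of “sensitive” and “exposed”, which is what keeps the owner notifications actionable instead of noisy.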
Write down your 25 most sensitive data assets.
Think about the top files in your company that if exposed would have serious
implications. How many customer records do you have in total? How much
money or cost is attached to each record on average?
Knowing these numbers will help inform a logical budget for cloud security
efforts, which may look like partnering with vendors or implementing other
techniques. Just like insurance premiums, where a business or person budgets
a percentage for risk, you can determine how much of a comparable cost
percentage for data loss risk makes sense to pay each year.
Summary

“Risk is where opportunity lives.”
–COLIN POWELL, Former National Security Advisor, Secretary of State,
and Chairman of the Joint Chiefs of Staff
During the Gartner Security & Risk Management Summit 2016, Colin Powell in
his keynote said “Risk is where opportunity lives.” The SaaS Tsunami contains
risks for which we need to prepare, but also provides opportunities for increased
agility, productivity and value creation.
Prepare for the security risks by combining the following processes and tools:
• Partner with Finance to check expenses for unknown SaaS apps in use
• Partner with HR to make cybersecurity part of onboarding and ongoing education
• Use IDaaS to provide SSO, enforce strong passwords and MFA, and reliably provision and deprovision access
• Use CASB to further enforce security policies, monitor for suspicious behavior, and remediate exposures
• Use SIEM to analyze machine data for additional incident detection
855.426.7227 | ONELOGIN.COM