SaaS security in an expanding reality of third-party connected apps

Cloud security on the level of SaaS (Software as a Service) is less straightforward than people often think, especially now that the use of SaaS applications and SaaS-to-SaaS connections is more vast than ever and SaaS security is confronted with additional challenges.

The Software as a Service (SaaS) model has long been the most common cloud service model by which vendors and start-ups propose their business applications in an age of digital transformation. Moreover, when many people worked from home during the pandemic and digitization efforts skyrocketed, the SaaS market experienced an additional boost.

But the SaaS model faces several challenges today. First, the world has changed rapidly since the pandemic, and the geopolitical, economic, and digital landscape has evolved and continues to evolve. In addition, more and more employees are (partially) back in the office as remote and even hybrid working gradually declined. And all this impacts the evolution of SaaS companies, also from a commercial perspective.

SaaS security and the challenge of SaaS-to-SaaS access in the enterprise

Moreover, many companies are concerned about the security of SaaS applications. This is not just about the classic concerns regarding the – perceived – security of cloud computing (in general) that have existed for years. It is increasingly about the risks associated with the increasing use of a growing number of – connected – SaaS applications by ever more SaaS users.

In our highly connected world, where third-party cyber risks are prevalent, concerns regarding working with third parties have increased. In a cybersecurity-related context of third-party risk management, visibility into the digital SaaS footprint and growing SaaS ecosystem attack surface with more and more connected cloud applications is essential. Other cybersecurity challenges regarding our increasing SaaS stacks include user management, settings, configurations, the complexity and diversity regarding connected SaaS apps, etc.

It’s a known fact that organizations’ digital footprint and attack surface, in general, have dramatically increased. We are working with more third parties on the one hand, but on the other hand, we do not have more people and resources to keep our organizations safe from problems and breaches. And even if we had those people, it would become too expensive to do so “manually”. Therefore, there are, of course, many solutions to automate and support this.

The SaaS security posture and digital footprint: a complex tangle

That all the above also applies to the SaaS footprint and to our SaaS environments is unsurprising since the SaaS model is so popular and we have started using more and more cloud applications.

“In the rush to efficiency and productivity, businesses have adopted SaaS apps to handle much of the heavy lifting. However, employees don’t realize that this SaaS-to-SaaS connectivity, which typically takes place outside the view of the security team, increases risk in a significant way.”

This is even more so since the pandemic, which forced organizations to shift to the cloud fast. Moreover, we often don’t know which SaaS applications employees use, how they are configured and connected, and which vendors the manufacturers of those applications have worked with to build their apps. These problems existed long before the pandemic but have grown as SaaS ecosystems did.

Moreover, employees don’t always realize they are giving access to third-party (and N-th party) applications when they link them to the company’s central SaaS applications. In short: a lot of cyber risks.

Of course, there are solutions to address this. Cloud security applications enabling SaaS Security Posture Management (SSPM) are one example that has recently gotten more attention.

Adaptive Shield is one of the more well-known providers of such solutions. In a report, Adaptive Shield took a closer look at the challenge of connecting various SaaS applications. The company looked at the issues focusing on some of the core SaaS workspace applications commonly used in business. The two most important of these are Microsoft 365 and Google Workspace.

Employees are granting thousands of third-party apps access to the two most dominant workspaces, Microsoft 365 (M365) and Google Workspace. With no oversight or control from security teams, companies have no way to quantify the risk that these SaaS-to-SaaS connections present to their businesses.

Among other things, they looked at what types of SaaS applications are being connected to them and what the risk levels, scope, and types of permissions are in doing so.

The more employees, the more connected SaaS apps

On average, companies using Microsoft 365 appear to have 0.2 connected apps per SaaS user; with Google Workspace, the average is 0.6 apps per SaaS user. The larger companies get and the more SaaS users they have, the more applications are connected via SaaS-to-SaaS access. Looking at the average of Microsoft 365 and Google Workspace combined, companies with 10,000 SaaS users have more than 4,370 additional connected apps.

The main category of such connected apps concerns email clients, followed by apps for managing files and documents and – in third place – apps for communications and meetings. Remarkably, no plateau is reached: the number of apps per user does not level off once a critical mass of users is reached. So it is literally: the more users, the more apps.

App categories that are connected most frequently: 1) email applications (by far), 2) apps related to file and document management, 3) communications and meetings, and 4) calendars and scheduling.

The mass of apps connected to core apps is already one huge challenge for security teams. It is here, among other things, that SSPM solutions play a role.

Another troubling finding from the Adaptive Shield report is that the scope of access that third-party apps request from the SaaS applications they are linked to is often considered “high risk”. By way of example, 15 percent of applications that demand access to Microsoft 365 request permission to delete all files the user can access. With Google Workspace, the figure is as high as 40 percent.

“Thirty-nine percent of apps connected to M365 and 11% to Google Workspace have ‘high-risk’ permission access. In Google Workspace, the top 3 high-risk permission sets (78%) request the ability to see, edit, create, and delete any or all Google Drive files, emails, and docs. In the Microsoft 365 ecosystem, the 2 most common high-risk scopes grant the app the ability to read, create, update, and delete data. Together, they make up 27% of all high-risk scopes being granted.” (Adaptive Shield press release, February 27, 2023)

Of course, it’s not just about the big workspace applications like Microsoft 365. Other large SaaS applications typically used by multiple (but not all) teams and employees, such as, say, Salesforce, are also supplemented by various SaaS-to-SaaS links to other tools.

If you add in other more or less centralized SaaS applications (for example, at the level of a function or division), you can quickly arrive at a massive environment of SaaS tools that often largely escapes the visibility and control of security teams, e.g., on the level of potential misconfigurations. Per the research, organizations have an average of 222 SaaS-to-SaaS apps for Slack and another 41 apps for Salesforce.

For Adaptive Shield, it’s an argument for recommending their solutions. For organizations and their employees, it’s (also) a wake-up call to look deeper at their SaaS security, not assume it is easy, and at the very least make employees aware of the risks (and we haven’t touched shadow IT yet). It’s clear that employee training and awareness is also a priority here. But, as always, it’s not enough. On top of training and the appropriate systems to gain visibility into permission sets (and change them when needed), there is also the matter of developing policies for integrating apps, as Maor Bin, CEO of Adaptive Shield, reminds us in the press release announcing the research.

“The simple app-to-app connectivity that makes SaaS apps vital productivity tools also makes them significantly dangerous. While it’s clearly unrealistic to expect businesses to curb their reliance on SaaS apps, they cannot allow this adoption to go unchecked. To eliminate these risks companies must develop policies for integrating apps, prioritize employee training, and deploy monitoring solutions that help over-taxed security teams identify and eliminate high-risk permission sets before it’s too late.” (Maor Bin, CEO of Adaptive Shield)
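To make the “high-risk permission sets” and the “visibility into permission sets” discussed above concrete, here is an added example in Python. It is not Adaptive Shield’s code nor that of any real SSPM product: it takes a handful of constructed SaaS-to-SaaS grant records, rates every granted OAuth scope, and reports per workspace the apps-per-user ratio and the share of high-risk apps (the figures the report expresses as percentages), plus a review queue of the grants a security team would want to look at first. The scope names are real Microsoft Graph and Google OAuth identifiers; the risk-tiering rules, the grant records and the user counts are this example’s own assumptions.

```python
"""Toy SSPM-style inventory of SaaS-to-SaaS grants (added example, not vendor code).

Each connected app is rated by the riskiest scope it was granted, then the
results are summarised per workspace. Grant records and user counts are
constructed sample data; the tiering rules are an assumption of this example.
"""
from collections import defaultdict
from dataclasses import dataclass

HIGH, MEDIUM, LOW = "high", "medium", "low"
_RANK = {LOW: 0, MEDIUM: 1, HIGH: 2}
GOOGLE_PREFIX = "https://www.googleapis.com/auth/"

# Google scopes that grant full read/write/delete access to a data store.
# The scope URIs are real; treating them as "high" is this example's rule.
GOOGLE_FULL_ACCESS = {
    GOOGLE_PREFIX + "drive",
    GOOGLE_PREFIX + "gmail.modify",
    GOOGLE_PREFIX + "calendar",
}


@dataclass(frozen=True)
class Grant:
    """One consent record: a user connected `app` to a workspace with `scopes`."""
    app: str
    platform: str       # "m365" or "google"
    user: str
    scopes: tuple


def classify_scope(platform: str, scope: str) -> str:
    """Map one granted scope to a risk tier (assumed rules, fail-closed)."""
    if platform == "m365":
        # Microsoft Graph permission names such as Files.ReadWrite.All.
        if "ReadWrite" in scope:          # can create, update and delete data
            return HIGH
        if ".Read" in scope and not scope.startswith("User."):
            return MEDIUM                 # reads mail, files or calendars
        return LOW                        # sign-in profile, offline_access, ...
    if platform == "google":
        if scope in GOOGLE_FULL_ACCESS:
            return HIGH
        if scope.endswith(".readonly"):
            return MEDIUM
        if scope.startswith(GOOGLE_PREFIX) and "userinfo" not in scope:
            return HIGH                   # unknown write scope: high until reviewed
        return LOW                        # openid, userinfo.email, ...
    raise ValueError(f"unknown platform: {platform}")


def grant_risk(grant: Grant) -> str:
    """A grant is as risky as its riskiest scope."""
    tiers = (classify_scope(grant.platform, s) for s in grant.scopes)
    return max(tiers, key=_RANK.get, default=LOW)


def summarize(grants, users_per_platform):
    """Per platform: distinct apps, apps per user, and share of high-risk apps."""
    apps = defaultdict(dict)  # platform -> app -> highest risk seen across grants
    for g in grants:
        current = apps[g.platform].get(g.app, LOW)
        apps[g.platform][g.app] = max(current, grant_risk(g), key=_RANK.get)
    summary = {}
    for platform, per_app in apps.items():
        n_apps = len(per_app)
        n_high = sum(1 for tier in per_app.values() if tier == HIGH)
        summary[platform] = {
            "apps": n_apps,
            "apps_per_user": n_apps / users_per_platform[platform],
            "high_risk_share": n_high / n_apps,
        }
    return summary


def review_queue(grants):
    """High-risk apps with the scopes that triggered the rating and who granted them."""
    by_app = defaultdict(lambda: {"users": set(), "scopes": set()})
    for g in grants:
        entry = by_app[(g.platform, g.app)]
        entry["users"].add(g.user)
        entry["scopes"].update(s for s in g.scopes if classify_scope(g.platform, s) == HIGH)
    queue = [
        {"platform": p, "app": a, "users": sorted(v["users"]), "high_risk_scopes": sorted(v["scopes"])}
        for (p, a), v in by_app.items() if v["scopes"]
    ]
    return sorted(queue, key=lambda e: (e["platform"], e["app"]))


# Constructed sample inventory (hypothetical app names and users).
SAMPLE_USERS = {"m365": 100, "google": 50}
SAMPLE_GRANTS = [
    Grant("mail-client-x", "m365", "alice", ("User.Read", "Mail.ReadWrite", "offline_access")),
    Grant("doc-signer", "m365", "bob", ("User.Read", "Files.Read.All")),
    Grant("meeting-notes", "m365", "carol", ("User.Read", "Calendars.Read")),
    Grant("mail-client-x", "m365", "dave", ("User.Read", "Mail.ReadWrite")),
    Grant("drive-sync", "google", "erin", ("openid", GOOGLE_PREFIX + "drive")),
    Grant("cal-viewer", "google", "frank", (GOOGLE_PREFIX + "userinfo.email", GOOGLE_PREFIX + "calendar.readonly")),
    Grant("login-only", "google", "grace", ("openid", GOOGLE_PREFIX + "userinfo.email")),
    Grant("sheets-bot", "google", "erin", (GOOGLE_PREFIX + "spreadsheets",)),
]

if __name__ == "__main__":
    for platform, stats in summarize(SAMPLE_GRANTS, SAMPLE_USERS).items():
        print(platform, stats)
    for item in review_queue(SAMPLE_GRANTS):
        print("REVIEW", item)
```

The fail-closed branch for Google is deliberate: a scope the rules do not recognise is rated high until someone looks at it, which is the safer default for an inventory meant to surface unknown connections rather than hide them. In practice the grant list would be pulled from the workspace’s admin API instead of being hard-coded, and the tiering table would be maintained by the security team as new scopes appear.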

More findings from the report are summarized in this blog post. Of course, you can also download the entire report, entitled “Uncovering the Risks & Realities of Third-Party Connected Apps 2023 SaaS-to-SaaS Access”, here.

The SaaS market may not be growing as fast as it did in the pandemic years, but security challenges need attention as SaaS remains the dominant model, and we continue to connect all ecosystems, also those with essential data and applications.
