Strengthening Identity Security to Prevent and Detect SaaS Threats

July 18, 2024

Identity-based threats on SaaS applications are a growing concern among security professionals, although few have the capabilities to detect and respond to them. According to the US Cybersecurity and Infrastructure Security Agency (CISA), 90% of all cyberattacks begin with phishing, an identity-based threat. Throw in attacks that use stolen credentials, over-provisioned accounts, and insider threats, and it becomes quite clear that identity is a primary attack vector. It’s not just human accounts that attackers target; non-human identities, including service accounts and OAuth authorizations, face similar risks. Recent examples, like the Snowflake breach, highlight the crucial need for a robust Identity Threat Detection and Response (ITDR) system. ITDR helps in identifying suspicious behaviors and triggers alerts before any substantial damage occurs.

When a threat actor infiltrates, it’s often by leveraging weak identity defenses. Initial defenses like passwords can be inadequate, especially if they rely solely on single-factor authentication. A comprehensive ITDR system that integrates with the overall identity security fabric can play a pivotal role in preventing massive breaches by flagging anomalies in real time. For example, Snowflake’s failure to detect such anomalies allowed threat actors to exfiltrate over 560 million customer records undetected for a significant period. Moving forward, strengthening identity security frameworks and implementing effective ITDR tools are imperative actions for SaaS environments.

1. Classify Your User Accounts

High-risk accounts generally fall into several categories. To create strong identity governance and management, security teams should start by classifying the different user types. These may be former employees’ accounts, high-privilege accounts, dormant accounts, non-human accounts, or external accounts. Organizing accounts this way enables companies to prioritize security resources and policies more effectively. Former employee accounts pose significant risks because they may not be deactivated properly, leaving potential access points for malicious actors. Identifying dormant accounts is also critical since these are often less monitored and can be easily exploited.

Non-human accounts, on the other hand, tend to be service accounts or automated processes that may have broad permissions but lack regular oversight. These accounts can be exceptionally risky if compromised. External accounts for partners, agencies, or freelancers need special attention because they typically lie outside the direct control of the organization. This lack of control means that even well-intentioned actors could unintentionally compromise the system. Therefore, putting these accounts through a stringent classification process is the first step in securing your identity landscape.

2. Deprovision Ex-Employees and Disable Inactive User Accounts

Active accounts of former employees can lead to significant risk for organizations. Many SaaS administrators assume that once an employee is offboarded from the Identity Provider (IdP), their access is automatically removed from company SaaS applications. However, this assumption often falls short. While this may be true for SaaS applications connected to the IdP, numerous SaaS applications aren’t connected. In those circumstances, administrators and security teams must work together to deprovision former users with local credentials. Such overlooked accounts can serve as entry points for threats and need immediate deactivation.

Dormant accounts should be identified and deactivated whenever possible. These accounts often have high privileges and are shared by multiple users, meaning they typically have easy-to-remember passwords, making them more susceptible to breaches. Often, administrators used these accounts to run tests or set up the application initially. Given their high level of access and sporadic usage, these user accounts represent a substantial risk to the application’s integrity and its data. Deactivating dormant accounts or regularly auditing them can mitigate the associated risks significantly.

3. Monitor External User Accounts

External accounts must also be monitored diligently. Often provided to agencies, partners, or freelancers, these accounts mean the organization has no real control over who is accessing its data. When projects end, these accounts frequently remain active and can be used by anyone with the credentials to compromise the application. Moreover, these accounts are often privileged, making them high-value targets for malicious actors. Continuous monitoring and periodic reviews can help identify any suspicious activities originating from external accounts.

Regular audits and timely deactivation of unnecessary external accounts should be an integral part of the identity management strategy. When access is granted to external entities, establishing clear policies on acceptable use, logging, and monitoring can be invaluable. Implementing these policies ensures that any anomalies in external account usage can be quickly detected and neutralized. By maintaining tight control over external accounts, organizations can significantly reduce the risk of unauthorized access and potential data breaches.
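Sections 1 to 3 amount to one reconciliation pass over a SaaS user export against the IdP. The Python below is an added example, not code from the original article: the IdP state, the SaaS export, the company mail domain and the 90-day dormancy threshold are constructed assumptions, and the point it makes beyond the text is that app-local credentials are invisible to IdP offboarding and need their own flag.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

COMPANY_DOMAINS = {"example.com"}                 # assumption: the org's own mail domains
DORMANT_AFTER = timedelta(days=90)                # assumption: dormancy threshold
NOW = datetime(2024, 7, 18, tzinfo=timezone.utc)  # fixed clock so the run is reproducible
# Constructed IdP state: currently active staff, and staff already offboarded in the IdP.
IDP_ACTIVE = {"alice@example.com", "bob@example.com"}
IDP_TERMINATED = {"carol@example.com"}

@dataclass
class SaasAccount:
    login: str
    role: str          # "admin" or "member"
    auth: str          # "sso" (through the IdP) or "local" (app-local password)
    kind: str          # "human" or "service"
    last_login: "datetime | None"

# Constructed user export from a SaaS app that is only partly connected to the IdP.
ACCOUNTS = [
    SaasAccount("alice@example.com", "member", "sso", "human", NOW - timedelta(days=2)),
    SaasAccount("carol@example.com", "admin", "local", "human", NOW - timedelta(days=40)),
    SaasAccount("setup-admin@example.com", "admin", "local", "human", NOW - timedelta(days=400)),
    SaasAccount("ci-bot@example.com", "admin", "local", "service", NOW - timedelta(days=1)),
    SaasAccount("dana@agency.net", "admin", "local", "human", None),
]

def classify(acct: SaasAccount) -> list:
    """Return the article's risk categories that apply to one account."""
    cats = []
    if acct.login in IDP_TERMINATED:
        cats.append("former_employee")
    if acct.role == "admin":
        cats.append("high_privilege")
    if acct.last_login is None or NOW - acct.last_login > DORMANT_AFTER:
        cats.append("dormant")
    if acct.kind == "service":
        cats.append("non_human")
    if acct.login.split("@")[-1].lower() not in COMPANY_DOMAINS:
        cats.append("external")
    # IdP offboarding never reaches app-local credentials, so flag those separately.
    if acct.auth == "local" and acct.login not in IDP_ACTIVE:
        cats.append("local_not_in_idp")
    return cats

def deprovision_queue(accounts: list) -> list:
    """Logins the article says to deactivate first: ex-employees and dormant accounts."""
    return [a.login for a in accounts if {"former_employee", "dormant"} & set(classify(a))]
```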

4. Restrict User Permissions

Excessive permissions expand the attack surface. Adopting the principle of least privilege (POLP), where each user has access only to the areas and data within the app necessary to perform their job, can significantly reduce risks. By trimming down the number of high-privilege accounts, you lessen the potential for massive breaches. Restricting user permissions helps maintain a tighter security perimeter around sensitive data and critical functionalities. Regular audits and permission reviews are crucial for ensuring that user access levels remain appropriate over time.

Reducing the number of high-privilege accounts should be a continual process. As organizational roles and needs evolve, so should the access levels. Routine checks and updates are necessary to ensure that permissions align with current job responsibilities. Additionally, creating tiered access levels can add an extra layer of security. This segmentation ensures that even if one account is compromised, it won’t provide unfettered access to all critical systems and data. Implementing these strategies can considerably fortify an organization’s identity security framework.

5. Establish Checks for High-Privilege Accounts

Admin accounts are inherently high-risk. If compromised, they expose organizations to significant data breaches. It is imperative to create security checks that send alerts when users act suspiciously. Examples of such behavior include unusual late-night logins, connecting to a workstation from abroad, or downloading large volumes of data in short periods. Admins who create high-privilege user accounts but don’t assign them to a managed email address may also signal potential security threats. Implementing robust monitoring and alerting mechanisms can provide early detection of malicious activity.

Defining security checks that monitor these types of suspicious behaviors can give your security team a head start in identifying early-stage attacks. Real-time monitoring tools that provide immediate alerts upon detecting unusual activities can serve as an additional line of defense. Combining this with regular manual checks covers the gaps that automated monitoring misses. Early identification and rapid response can prevent small breaches from becoming catastrophic incidents, thereby ensuring the integrity and confidentiality of sensitive data.
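The four checks named in this section, run over SaaS audit-log lines, as an added example that is not part of the original article. The admin set, home country, managed mail domain, late-night window, bulk-download threshold and the log lines themselves are all constructed; the bulk-download check uses a sliding time window so that several medium downloads in quick succession fire the same alert as one large one.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed assumptions for this example: admin set, home country, managed domain, thresholds.
ADMINS = {"carol@example.com"}
HOME_COUNTRIES = {"US"}
MANAGED_DOMAINS = {"example.com"}
NIGHT_HOURS = range(0, 6)                                       # 00:00-05:59
BULK_BYTES, BULK_WINDOW = 500_000_000, timedelta(minutes=10)    # 500 MB within 10 minutes

# Constructed audit-log lines: "<timestamp> <actor> <action> key=value ..."
LOG = """\
2024-07-17T03:12:09 carol@example.com login country=US
2024-07-17T09:40:01 alice@example.com login country=US
2024-07-17T10:02:11 carol@example.com login country=BR
2024-07-17T10:05:00 carol@example.com download bytes=300000000
2024-07-17T10:09:30 carol@example.com download bytes=250000000
2024-07-17T10:30:00 carol@example.com create_user target=ops-admin@gmail.com role=admin
2024-07-17T11:00:00 carol@example.com create_user target=erin@example.com role=admin
""".splitlines()

def parse(line: str) -> dict:
    ts, actor, action, *rest = line.split()
    ev = {"ts": datetime.fromisoformat(ts), "actor": actor, "action": action}
    ev.update(kv.split("=", 1) for kv in rest)
    return ev

def check_events(lines) -> list:
    """Return (timestamp, actor, alert) for each high-privilege-account check that fires."""
    alerts = []
    recent = defaultdict(list)          # actor -> downloads (ts, bytes) inside BULK_WINDOW
    for ev in map(parse, lines):
        ts, actor = ev["ts"], ev["actor"]
        if actor not in ADMINS:         # these checks target admin accounts only
            continue
        if ev["action"] == "login":
            if ts.hour in NIGHT_HOURS:
                alerts.append((ts, actor, "late_night_login"))
            if ev["country"] not in HOME_COUNTRIES:
                alerts.append((ts, actor, "login_from_" + ev["country"]))
        elif ev["action"] == "download":
            # Sliding window: keep only downloads within BULK_WINDOW of this one, then sum.
            recent[actor] = [(t, b) for t, b in recent[actor] if ts - t <= BULK_WINDOW]
            recent[actor].append((ts, int(ev["bytes"])))
            if sum(b for _, b in recent[actor]) >= BULK_BYTES:
                alerts.append((ts, actor, "bulk_download"))
        elif ev["action"] == "create_user" and ev["role"] == "admin":
            if ev["target"].split("@")[-1] not in MANAGED_DOMAINS:
                alerts.append((ts, actor, "admin_created_unmanaged_admin"))
    return alerts
```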

Making Identity Threat Detection a Priority

Identity-based threats on SaaS applications are increasingly worrying security professionals, though many lack the tools to detect and respond effectively. The US Cybersecurity and Infrastructure Security Agency (CISA) reports that 90% of all cyberattacks start with phishing, an identity-based threat. Combine that with attacks utilizing stolen credentials, over-provisioned accounts, and insider threats, and it becomes evident that identity is a key attack vector. Attackers don’t just target human accounts; non-human identities, such as service accounts and OAuth authorizations, face similar threats. Incidents like the Snowflake breach underscore the vital need for robust Identity Threat Detection and Response (ITDR) systems. ITDR helps identify suspicious behaviors and trigger alerts before major damage occurs.

Often, threat actors infiltrate using weak identity defenses. Basic defenses like passwords can be insufficient, especially when relying only on single-factor authentication. A comprehensive ITDR system, integrated with the overall identity security framework, is crucial. For instance, Snowflake’s inability to detect anomalies allowed the breach, resulting in over 560 million customer records being exfiltrated undetected. Hence, strengthening identity security frameworks and deploying effective ITDR tools are critical actions for securing SaaS environments.
