In 2019 Gartner forecast that through 2025, 99% of cloud security failures will be the customer's fault. Today that seems truer than ever. In 2019 the Capital One data breach showed that a misconfigured firewall plus an over-privileged IAM role on AWS was enough for an attacker to obtain credentials with sufficient privileges to list Amazon S3 buckets and retrieve the data stored within them. In July 2020, attackers socially engineered a small number of Twitter employees and used their credentials to access Twitter's internal systems, including its Slack channels, getting past Twitter's two-factor protections; they went on to target around 130 high-profile accounts and took control of 45 of them.
Following Gartner's recommendations, CIOs should enforce policies and apply security methodologies that fit a multi-cloud approach. OK, so I enforced policies, but what next? How do I know that my SaaS tenants are protected? How can I validate my security posture across accounts and services?
Validate your SaaS Security Posture with automated pentest
Penetration tests and red team exercises are important processes for assessing and testing the effectiveness of security controls. In the "legacy" world, organizations stored their data in on-prem applications, so security teams used tools like Nessus and Metasploit.
In the "new edge", organizations are leaning towards SaaS services like Slack, Teams, Jira and NetSuite. Here the classic pen-testing tools are no longer relevant. In the "legacy" world, pen testers looked for network issues like open ports or application-layer vulnerabilities like command injection; in the "new edge", the organization has no control over those layers, because the vendor runs the infrastructure and the application code.
So as a CISO what do I need to test?
In the "new edge", all of your organization's data is stored in the cloud, which means it is accessible from anywhere at any time. Any security breach can therefore have a tremendous impact on your organization, and your ability to contain a breach is limited, since you do not have the visibility you get from your EDR dashboard. We highly recommend pen-testing the most common attack use cases in the cloud, including:
- Identity and Access Management - Can I change my password to a weak password?
- Malicious Operations - Can I log in to the service from Tor or any other suspicious IP?
- Privileged Access Management - As a default user, can I make a git repository public?
- Data Loss Prevention - Can I store files containing Social Security Numbers?
- Event Monitoring - Does the SIEM alert when there is a brute-force attempt?
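To make the five scenarios above concrete, here is an added example of a minimal posture-audit harness that runs each of them against a tenant's configuration and audit log and turns the results into a score. This is illustration code written for this article, not Saasment's product code or any vendor's API: the password policy, default-role permissions, Tor exit list, SIEM rule, shared file and authentication log are all constructed sample data, and each check function is a hypothetical stand-in for the API call you would make against a real tenant.

```python
"""Added example (not Saasment code): a minimal SaaS posture-audit harness.

Every tenant setting, IP address, user and log line below is constructed
for illustration; a real audit would pull them from the SaaS vendor's APIs.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# --- constructed tenant configuration (assumptions, not a real tenant) ----
PASSWORD_POLICY = {"min_length": 6, "require_digit": False, "require_upper": False}
DEFAULT_ROLE_PERMS = {"repo:read", "repo:write"}            # no visibility change
TOR_EXIT_IPS = {"185.220.101.34", "199.249.230.87"}          # constructed sample list
SIEM_RULE = {"failed_logins": 10, "window_seconds": 300}     # tenant's (loose) rule
SHARED_FILE = "Payroll Q3\nJane Doe 123-45-6789\nJohn Roe 000-12-3456\n"

# --- constructed audit log: (timestamp, user, source ip, result) ----------
AUTH_LOG = [
    ("2020-08-01T10:00:00", "alice", "203.0.113.7", "ok"),
    ("2020-08-01T10:00:05", "bob", "185.220.101.34", "ok"),    # login via Tor exit
] + [("2020-08-01T10:01:%02d" % s, "carol", "198.51.100.9", "fail")
     for s in range(0, 48, 8)]                                 # 6 failures in 40 s


def weak_password_accepted(policy, candidate="123456"):
    """IAM: would the tenant's password policy accept a trivially weak password?"""
    if len(candidate) < policy["min_length"]:
        return False
    if policy["require_digit"] and not any(c.isdigit() for c in candidate):
        return False
    if policy["require_upper"] and not any(c.isupper() for c in candidate):
        return False
    return True


def logins_from_tor(log, tor_ips):
    """Malicious operations: successful logins whose source IP is a Tor exit node."""
    return [(user, ip) for _, user, ip, result in log
            if result == "ok" and ip in tor_ips]


def default_user_can_publish_repo(perms):
    """Privileged access: does the default role carry the right to flip visibility?"""
    return "repo:set_visibility" in perms


SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")


def find_ssns(text):
    """DLP: SSN-shaped strings that also pass the SSA structural rules
    (area not 000/666/900-999, group not 00, serial not 0000), which cuts
    down on false positives from phone fragments and placeholder numbers."""
    hits = []
    for m in SSN_RE.finditer(text):
        area, group, serial = (int(g) for g in m.groups())
        if area in (0, 666) or area >= 900 or group == 0 or serial == 0:
            continue
        hits.append(m.group(0))
    return hits


def brute_force_bursts(log, threshold=5, window_seconds=60):
    """Event monitoring: (user, ip) pairs with >= threshold failed logins
    inside a sliding window of window_seconds."""
    fails = defaultdict(list)
    for ts, user, ip, result in log:
        if result == "fail":
            fails[(user, ip)].append(datetime.fromisoformat(ts))
    bursts = []
    for key, times in fails.items():
        times.sort()
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= timedelta(seconds=window_seconds):
                bursts.append(key)
                break
    return bursts


def siem_would_alert(rule, log):
    """Would the tenant's own SIEM rule fire on the bursts present in the log?"""
    return bool(brute_force_bursts(log, rule["failed_logins"], rule["window_seconds"]))


def run_audit():
    """Return {scenario: exposed?} and a 0-100 posture score (share of scenarios passed)."""
    exposed = {
        "IAM: weak password accepted": weak_password_accepted(PASSWORD_POLICY),
        "MalOps: login from Tor allowed": bool(logins_from_tor(AUTH_LOG, TOR_EXIT_IPS)),
        "PAM: default user can publish repo": default_user_can_publish_repo(DEFAULT_ROLE_PERMS),
        "DLP: SSNs stored in shared file": bool(find_ssns(SHARED_FILE)),
        # exposed only if a burst exists AND the tenant's rule is too loose to see it
        "SIEM: brute force not alerted": (bool(brute_force_bursts(AUTH_LOG))
                                         and not siem_would_alert(SIEM_RULE, AUTH_LOG)),
    }
    score = round(100 * sum(not bad for bad in exposed.values()) / len(exposed))
    return exposed, score


if __name__ == "__main__":
    findings, posture_score = run_audit()
    for name, bad in findings.items():
        print(f"[{'EXPOSED' if bad else 'ok     '}] {name}")
    print(f"Posture score: {posture_score}/100")
```

With the constructed data, four of the five scenarios come back exposed and only the privileged-access check passes, giving a score of 20. The SIEM check is the one worth copying: instead of asking "is there a detection rule?", it replays the same brute-force burst against the tenant's actual threshold and window, so a rule that exists on paper but is tuned too loosely to fire still counts as a gap.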
Automated Penetration Testing to Third Party SaaS Applications
You might ask yourself: how can I run a pen-testing process against so many attack scenarios across the 20 different SaaS applications I am using? This is why we built Saasment - Automated SaaS Security Posture Auditing.
In one click, we run the most common attack scenarios and demonstrate a real attack or insider threat. As output, you get a security report that gives you visibility into your SaaS Security Posture score, the attack vectors your organization is exposed to, and how to improve your cloud security.