The SaaS environment is dynamic and continually evolving. As employees are added or removed and new apps onboarded, permissions and configurations must be reset, changed and updated. In addition, there are continuous compliance updates and security configurations needed to meet industry standards and align with best practices (NIST, MITRE, etc.), and security teams need to continuously ensure that all configurations are enforced company-wide, with no exceptions. Considering that a typical enterprise has, on average, 288 SaaS applications, this translates to hours of continuous work and effort that is just not sustainable.
IT professionals have to burn the midnight oil to save their organizations from the damage caused by misconfigured SaaS applications. Below are the top five settings everyone misses, and the SaaS misconfigurations that result.
MISCONFIGURATION #1 USE MFA ALONG WITH SSO
SSO has become a key feature in securing access to SaaS apps; however, there are still some users who can, by design, bypass this control. For maintenance reasons, most SaaS vendors allow system owners to log in with a username and password even when SSO is turned on. Make sure mandatory multi-factor authentication is enabled for these super users. If your admins rely on a username and password alone, and an admin's credentials are compromised, the attacker can access the account directly, with no SSO policy in the way.
MISCONFIGURATION #2 BEWARE OF SHARED MAILBOXES
Many companies use shared mailboxes for financial, customer, and other types of sensitive information. We've found that organizations have one shared mailbox for every 20 employees on average. These present issues because they have no clear owner and a single password that every user knows, which stays static because no one rotates it. The problems are so acute that Microsoft even recommends blocking sign-in for shared mailbox accounts.
MISCONFIGURATION #3 DON’T LOSE CONTROL OVER YOUR DATA
Many businesses today exchange information using collaboration tools. While external sharing is a great way to extend your organization to your suppliers and partners, it comes with the risk of losing control over your data. Make sure to define a collaboration policy with external users and set proper limitations across all SaaS apps.
MISCONFIGURATION #4 KEEP A SECURE CHECK AND BALANCE
As a security expert, you must know what information you are not collecting. While the default set of audited actions is sufficient for some organizations, for others it is a major security gap. Make sure you understand what you're not seeing and expand audit coverage where gaps exist.
MISCONFIGURATION #5 KEEP AN EYE ON UNAUTHENTICATED AND UNAUTHORIZED USERS
Maintaining complete control over your corporate data is not an easy task. And it only gets harder as you add SaaS apps. Identify which resources are publicly exposed, such as dashboards, forms, discussions, or any other data entities, and act now to fix them.
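The five checks above share one shape: pull the relevant settings out of each app and flag the ones that deviate from policy. The following is an added example, not code from the original post, that runs all five checks (admin password login without MFA, shared mailboxes with sign-in enabled or no owner, unrestricted external sharing, missing audit categories, publicly visible resources) over a constructed tenant export. The export schema, field names such as `password_login`, `sign_in_enabled` and `visibility`, and the required-audit baseline are assumptions for illustration, not any vendor's real API; a real scan would populate the same structure from each app's admin API.

```python
# Added example (not from the original post): a posture check over a constructed
# SaaS tenant export. Field names and the audit baseline are assumptions, not a
# vendor schema.
from dataclasses import dataclass

# Constructed sample export: every value here is made up for the example.
TENANT = {
    "accounts": [
        {"id": "alice", "roles": ["global_admin"], "password_login": False, "mfa": False},
        {"id": "breakglass", "roles": ["global_admin"], "password_login": True, "mfa": False},
        {"id": "bob", "roles": [], "password_login": True, "mfa": False},
        {"id": "carol", "roles": ["billing_admin"], "password_login": True, "mfa": True},
    ],
    "shared_mailboxes": [
        {"id": "finance@", "sign_in_enabled": True, "owner": None},
        {"id": "support@", "sign_in_enabled": False, "owner": "alice"},
    ],
    "sharing": {"external_sharing": "allowed", "external_domain_allowlist": []},
    "audit": {"enabled_categories": ["login", "admin_change"]},
    "resources": [
        {"id": "q3-dashboard", "type": "dashboard", "visibility": "public"},
        {"id": "intake-form", "type": "form", "visibility": "anyone_with_link"},
        {"id": "roadmap", "type": "discussion", "visibility": "org"},
    ],
}

SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}
# Assumed audit baseline; in practice derive it from your own logging requirements.
REQUIRED_AUDIT = {"login", "admin_change", "file_share", "mailbox_access", "permission_change"}
PUBLIC_VISIBILITIES = {"public", "anyone_with_link"}


@dataclass(frozen=True)
class Finding:
    check: int        # which of the five misconfigurations in the text
    severity: str
    subject: str      # the account, mailbox, resource or setting concerned
    detail: str


def check_admin_mfa(accounts):
    """#1: anyone who can bypass SSO with a password needs MFA; admins are critical."""
    found = []
    for acct in accounts:
        if acct["password_login"] and not acct["mfa"]:
            sev = "critical" if acct["roles"] else "medium"
            found.append(Finding(1, sev, acct["id"], "password login enabled without MFA"))
    return found


def check_shared_mailboxes(mailboxes):
    """#2: shared mailboxes should have interactive sign-in blocked and a named owner."""
    found = []
    for box in mailboxes:
        if box["sign_in_enabled"]:
            found.append(Finding(2, "high", box["id"], "interactive sign-in enabled on shared mailbox"))
        if box["owner"] is None:
            found.append(Finding(2, "low", box["id"], "shared mailbox has no owner"))
    return found


def check_external_sharing(sharing):
    """#3: external sharing with no domain allowlist puts no limit on where data goes."""
    if sharing["external_sharing"] == "allowed" and not sharing["external_domain_allowlist"]:
        return [Finding(3, "medium", "sharing policy", "external sharing allowed to any domain")]
    return []


def missing_audit_categories(enabled):
    """#4: audit categories the baseline requires but the tenant does not record."""
    return REQUIRED_AUDIT - set(enabled)


def check_audit_coverage(audit):
    missing = missing_audit_categories(audit["enabled_categories"])
    if missing:
        return [Finding(4, "high", "audit policy", "not audited: " + ", ".join(sorted(missing)))]
    return []


def check_public_resources(resources):
    """#5: anything reachable without authentication is a finding."""
    return [Finding(5, "high", r["id"], f"{r['type']} visibility is {r['visibility']}")
            for r in resources if r["visibility"] in PUBLIC_VISIBILITIES]


def run_checks(tenant):
    """Run all five checks and return findings ordered by severity, then check number."""
    findings = (check_admin_mfa(tenant["accounts"])
                + check_shared_mailboxes(tenant["shared_mailboxes"])
                + check_external_sharing(tenant["sharing"])
                + check_audit_coverage(tenant["audit"])
                + check_public_resources(tenant["resources"]))
    return sorted(findings, key=lambda f: (SEVERITY_RANK[f.severity], f.check, f.subject))


def summarize(findings):
    """Count findings per severity, for a one-line posture summary."""
    counts = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


if __name__ == "__main__":
    report = run_checks(TENANT)
    for f in report:
        print(f"[{f.severity:8}] #{f.check} {f.subject}: {f.detail}")
    print(summarize(report))
```

Note that `alice` produces no finding even without MFA: her account has password login disabled, so SSO (and whatever MFA the identity provider enforces) is the only way in. The break-glass account, which keeps a local password precisely so it can bypass SSO, is the one that must carry its own MFA. Running the checks on a schedule and diffing the output against the previous run turns the list into drift detection rather than a one-off audit.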