Originally published by Valence Security.
Written by Jason Silberman.
The rapid rise of Software-as-a-Service (SaaS) has transformed business operations, offering unprecedented flexibility and scalability. However, this shift brings its own set of security challenges, particularly when it comes to managing the lifecycle of SaaS applications and their associated resources such as identities. Effective lifecycle management is crucial in safeguarding against threats and ensuring that security measures keep pace with the evolving landscape of SaaS.
This blog post delves into the key challenges of account deprovisioning, dormant SaaS-to-SaaS integrations and non-human identities, and unused but still available external data shares.
The Importance of Lifecycle Management in SaaS Security
Lifecycle management encompasses the entire span of an application's existence, from initial deployment to eventual decommissioning. In the context of SaaS security, it involves managing user access, integrations, and data sharing throughout their lifecycle. Poor lifecycle management can leave organizations exposed to significant security risks, including unauthorized access, data breaches, and compliance violations.
A recent Gartner report stresses that lifecycle management in SaaS security simply cannot be ignored. Industry experts are increasingly emphasizing the critical nature of addressing lifecycle management comprehensively to prevent security gaps.
Challenges in SaaS Security Lifecycle Management
1. Account Deprovisioning and Offboarding
One of the most critical aspects of SaaS lifecycle management is timely account deprovisioning. The infamous 2020 Drizly data breach, in which an attacker exploited a GitHub account that had been granted for one-day access during a 2018 hackathon and was never revoked, serves as a stark reminder of the consequences of lax offboarding practices. When employees or contractors leave an organization, their access to SaaS applications must be promptly revoked to prevent potential misuse. Despite the availability of automated offboarding processes, gaps often persist, and offboarding from the corporate SSO alone is typically insufficient because SaaS applications often grant direct local access as well.
According to the 2024 State of SaaS Security report, 93% of security teams claim to have automated processes for offboarding ex-employees and contractors. However, data reveals a different reality: In platforms like Google Workspace, about 6% of accounts remain inactive without any recent logins, and 4% of these have admin privileges. This creates a window of opportunity for attackers to exploit dormant accounts.
A significant challenge in this area is managing "Shadow IAM," which refers to unmanaged or local accounts that are not linked to the company's Single Sign-On (SSO) system or identity provider (IdP). When users create accounts directly within SaaS applications without going through SSO, these accounts can remain unmanaged if the IT team focuses only on accounts tied to the corporate IdP. Consequently, when an employee is offboarded, their SSO-linked accounts may be deactivated, but these unmanaged, local accounts can be left untouched. This oversight can create security risks, as these accounts, which may retain access privileges, remain active and unmonitored.
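The gap described in the two paragraphs above (SSO offboarding that leaves dormant and local "Shadow IAM" accounts behind) is easiest to see as an audit over an account inventory. The following script is an added example written for this post, not code from Valence Security or from any of the platforms mentioned; the IdP user set, the account rows, the 90-day dormancy threshold and the finding labels are all constructed assumptions. It correlates each app's account list with the IdP's active users and flags accounts that are dormant, dormant with admin rights, local (not SSO-linked), or local and orphaned by an offboarded owner.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Constructed reference date for the audit run.
TODAY = date(2024, 7, 1)

# Constructed sample: the IdP's currently active users. Anyone holding a SaaS
# account who is not in this set is presumed to have been offboarded.
IDP_ACTIVE_USERS = {"alice@example.com", "bob@example.com", "carol@example.com"}


@dataclass(frozen=True)
class SaasAccount:
    """One row from a SaaS application's user inventory (constructed sample)."""
    app: str
    email: str
    sso_linked: bool            # False = local account created inside the app
    is_admin: bool
    last_login: Optional[date]  # None = the account has never logged in


# Constructed inventory; dave@example.com has left the company, but only his
# SSO-linked Google Workspace row was touched by offboarding.
ACCOUNTS = [
    SaasAccount("google-workspace", "alice@example.com", True, False, date(2024, 6, 1)),
    SaasAccount("google-workspace", "dave@example.com", True, True, date(2023, 11, 3)),
    SaasAccount("github", "dave@example.com", False, True, date(2024, 5, 20)),
    SaasAccount("salesforce", "carol@example.com", False, False, date(2024, 6, 10)),
    SaasAccount("github", "contractor@example.com", False, False, None),
]


def is_dormant(acct, today, dormant_after_days=90):
    """Dormant = never logged in, or last login older than the threshold."""
    return acct.last_login is None or (today - acct.last_login).days > dormant_after_days


def audit_accounts(accounts, idp_active_users, today, dormant_after_days=90):
    """Return (app, email, reasons) for every account that needs review.

    dormant        -> no login within the threshold
    dormant-admin  -> dormant and holds admin rights
    shadow-iam     -> local account; disabling the SSO user will not touch it
    orphaned       -> local account whose owner is no longer in the IdP
    """
    findings = []
    for acct in accounts:
        reasons = []
        if is_dormant(acct, today, dormant_after_days):
            reasons.append("dormant")
            if acct.is_admin:
                reasons.append("dormant-admin")
        if not acct.sso_linked:
            reasons.append("shadow-iam")
            if acct.email not in idp_active_users:
                reasons.append("orphaned")
        if reasons:
            findings.append((acct.app, acct.email, tuple(reasons)))
    return findings


def dormancy_stats(accounts, today, dormant_after_days=90):
    """(dormant accounts, dormant accounts with admin rights): the two
    numbers behind the kind of figures the report quotes."""
    dormant = [a for a in accounts if is_dormant(a, today, dormant_after_days)]
    return len(dormant), sum(1 for a in dormant if a.is_admin)


if __name__ == "__main__":
    for app, email, reasons in audit_accounts(ACCOUNTS, IDP_ACTIVE_USERS, TODAY):
        print(f"{app:17} {email:24} {', '.join(reasons)}")
    print("dormant, dormant admins:", dormancy_stats(ACCOUNTS, TODAY))
```

The important design choice is that the IdP is treated as the source of truth for who should exist, while each application's own user list is treated as the source of truth for who actually has access; only the intersection of the two views reveals the orphaned local accounts that an SSO-only offboarding step misses.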
2. Inactive Non-Human Identities
Non-human identities, such as service accounts and API keys, play a vital role in integrating various SaaS applications. However, inactive or unused non-human identities can pose serious security risks. The 2024 State of SaaS Security report highlights that 65% of integrations in platforms like Microsoft 365 are inactive but still hold valid API keys or OAuth tokens. These forgotten integrations often become entry points for attackers.
In the Cloudflare breach publicized in February 2024, attackers exploited overlooked service tokens and accounts that were compromised during a previous Okta breach. Despite rotating more than 5,000 production credentials and performing an in-depth forensic analysis, the Cloudflare security team missed one service token and three service accounts that were presumed to be unused. This oversight, involving only four out of 5,000+ credentials, ultimately contributed to the breach, illustrating that every credential counts in maintaining security.
Similarly, the Microsoft Midnight Blizzard attack further exemplifies the risks associated with unmanaged non-human identities. Among the numerous attack vectors, attackers exploited a legacy test OAuth application—a non-human identity—that had full access to Microsoft’s corporate production Microsoft 365 tenant, including the ability to read emails. This demonstrates how even outdated or seemingly benign non-human identities can become significant security liabilities if not properly managed.
Inactive integrations often result from failed Proofs of Concept (PoCs). When organizations trial new SaaS solutions, they grant temporary access which, if not properly decommissioned, can leave lingering vulnerabilities. Managing and auditing these integrations is crucial to prevent unauthorized access and potential breaches.
Additionally, some security teams might offboard a SaaS user or former employee but fail to disable OAuth tokens or third-party integrations set up by the user. These overlooked integrations can continue to provide access, posing significant security risks if not properly addressed.
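The three failure modes this section describes (integrations that are inactive but still hold valid tokens, abandoned PoC grants that were never used, and OAuth grants whose human owner has been offboarded) can be checked from an export of OAuth grants. The script below is an added example for this post, not Valence Security's or any platform's code; the grant records, the scope names treated as high privilege, the IdP user set and the 90-day threshold are constructed assumptions. Each live grant is scored against those conditions and the overall inactivity rate is computed the way the report's 65% figure would be.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Constructed reference date for the audit run.
TODAY = date(2024, 7, 1)

# Constructed: users still active in the IdP; everyone else counts as offboarded.
IDP_ACTIVE_USERS = {"alice@example.com", "bob@example.com", "carol@example.com"}

# Illustrative scope names (assumption, not a platform's real list): a grant
# carrying any of these is treated as high privilege, e.g. mailbox read access.
HIGH_RISK_SCOPES = {"mail.read", "mail.readwrite", "files.readwrite.all", "directory.readwrite.all"}


@dataclass(frozen=True)
class OAuthGrant:
    """One OAuth grant / service token as exported from a SaaS platform (constructed)."""
    platform: str
    app_name: str
    owner: str                 # human who created or consented to the integration
    scopes: tuple
    created: date
    last_used: Optional[date]  # None = token issued but never exercised
    revoked: bool


# Constructed sample grants: a forgotten legacy test app owned by a departed
# user, a healthy integration, a PoC that never went anywhere, and one
# grant that was properly revoked.
GRANTS = [
    OAuthGrant("microsoft-365", "legacy-test-app", "dave@example.com",
               ("mail.read", "files.readwrite.all"), date(2019, 3, 1), date(2020, 1, 15), False),
    OAuthGrant("microsoft-365", "crm-sync", "alice@example.com",
               ("contacts.read",), date(2023, 5, 1), date(2024, 6, 28), False),
    OAuthGrant("github", "ci-bot-poc", "carol@example.com",
               ("repo",), date(2024, 1, 10), None, False),
    OAuthGrant("slack", "old-bot", "bob@example.com",
               ("chat:write",), date(2022, 1, 1), date(2022, 6, 1), True),
]


def last_activity(grant):
    """A never-used grant is aged from its creation date."""
    return grant.last_used or grant.created


def audit_grants(grants, idp_active_users, today, inactive_after_days=90):
    """Return (platform, app_name, reasons) for each live grant needing review."""
    findings = []
    for g in grants:
        if g.revoked:
            continue  # already dead; nothing left to clean up
        reasons = []
        if (today - last_activity(g)).days > inactive_after_days:
            reasons.append("inactive-with-valid-token")
        if g.last_used is None:
            reasons.append("never-used")          # typical of an abandoned PoC
        if g.owner not in idp_active_users:
            reasons.append("owner-offboarded")    # user left, token survived
        if set(g.scopes) & HIGH_RISK_SCOPES:
            reasons.append("high-privilege-scope")
        if reasons:
            findings.append((g.platform, g.app_name, tuple(reasons)))
    return findings


def inactive_rate(grants, today, inactive_after_days=90):
    """Share of live (non-revoked) grants with no activity inside the threshold."""
    live = [g for g in grants if not g.revoked]
    stale = [g for g in live if (today - last_activity(g)).days > inactive_after_days]
    return len(stale) / len(live) if live else 0.0


if __name__ == "__main__":
    for platform, app, reasons in audit_grants(GRANTS, IDP_ACTIVE_USERS, TODAY):
        print(f"{platform:14} {app:16} {', '.join(reasons)}")
    print(f"inactive share of live grants: {inactive_rate(GRANTS, TODAY):.0%}")
```

Note that revoked grants are skipped rather than counted as "clean": the point of the audit is the set of credentials that still work, which is exactly the set an attacker who finds an old token would be testing against.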
3. Inactive and Unused External Data Shares
External data sharing is a common feature in SaaS applications, enabling collaboration and information exchange. However, it also presents risks if not managed properly. We all have shared files, folders, and recordings, but rarely do we ever “unshare that file” beyond the time it’s needed. The 2024 State of SaaS Security report reveals that a staggering 94% of external data shares are inactive, with no recent access by external users. Additionally, 22% of these shares utilize open links, exposing sensitive information to anyone with the link.
Inactive external shares can pose significant security risks. For instance, a misconfigured Google Drive folder exposed personal data of nearly one million individuals. Ensuring that external data shares are regularly reviewed and deactivated when no longer needed is crucial for maintaining data security.
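The review this section calls for, regularly finding external shares nobody outside is using and tightening open links, can be expressed as a small decision rule over a share inventory. The script below is an added example for this post, not code from Valence Security or from Google Drive or any other platform; the share records, the link-type labels, the 90-day inactivity threshold and the recommended actions are constructed assumptions. Shares with no recent external access are marked for revocation, still-used open links are marked for restriction to named users, and the inactive and open-link percentages are computed the way the report's 94% and 22% figures would be.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Constructed reference date for the review run.
TODAY = date(2024, 7, 1)


@dataclass(frozen=True)
class ExternalShare:
    """One externally shared resource from a file-sharing platform (constructed)."""
    resource: str
    owner: str
    link_type: str                        # "anyone_with_link" (open link) or "specific_external"
    created: date
    last_external_access: Optional[date]  # None = no external user has ever opened it


# Constructed inventory: an old open link, a live share with named guests,
# a recording nobody outside ever opened, and an open link still in use.
SHARES = [
    ExternalShare("Q3-roadmap.pdf", "alice@example.com", "anyone_with_link",
                  date(2023, 1, 15), date(2023, 2, 1)),
    ExternalShare("customer-list.xlsx", "bob@example.com", "specific_external",
                  date(2024, 5, 1), date(2024, 6, 25)),
    ExternalShare("all-hands-2022.mp4", "carol@example.com", "specific_external",
                  date(2022, 9, 1), None),
    ExternalShare("pricing.docx", "alice@example.com", "anyone_with_link",
                  date(2024, 6, 1), date(2024, 6, 30)),
]


def is_inactive(share, today, inactive_after_days=90):
    """Inactive = no external access within the threshold (never-opened shares age from creation)."""
    last = share.last_external_access or share.created
    return (today - last).days > inactive_after_days


def recommend_actions(shares, today, inactive_after_days=90):
    """Map each resource to one action: revoke, restrict-link, or keep."""
    actions = {}
    for s in shares:
        if is_inactive(s, today, inactive_after_days):
            actions[s.resource] = "revoke"          # no one outside uses it; unshare
        elif s.link_type == "anyone_with_link":
            actions[s.resource] = "restrict-link"   # in use, but re-share to named users
        else:
            actions[s.resource] = "keep"
    return actions


def share_stats(shares, today, inactive_after_days=90):
    """(fraction of shares inactive, fraction of inactive shares that are open links)."""
    inactive = [s for s in shares if is_inactive(s, today, inactive_after_days)]
    open_links = [s for s in inactive if s.link_type == "anyone_with_link"]
    inactive_frac = len(inactive) / len(shares) if shares else 0.0
    open_frac = len(open_links) / len(inactive) if inactive else 0.0
    return inactive_frac, open_frac


if __name__ == "__main__":
    for resource, action in recommend_actions(SHARES, TODAY).items():
        print(f"{resource:20} {action}")
    inactive_frac, open_frac = share_stats(SHARES, TODAY)
    print(f"inactive: {inactive_frac:.0%}, open links among inactive: {open_frac:.0%}")
```

Ranking inactive shares first and open links second mirrors the risk: an unused share has no remaining business justification, so revoking it costs nothing, while an open link that is still used needs a conversation with the owner before it is narrowed.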