min read

29/6/2023

What AWS AppFabric Means For SaaS Security?

Home Blog What AWS AppFabric Means For SaaS Security?

On June 27, 2023, Amazon Web Services (AWS) announced the launch of AppFabric with the goal of improving Application Observability for SaaS Applications. The purpose of this blog post is to provide more details on AppFabric, and what it means for both SaaS security and security teams.

What is AWS AppFabric?

According to AWS: “AppFabric quickly connects SaaS applications across your organization. IT and security teams can then easily manage and secure applications using a standard schema, and employees can complete everyday tasks faster using generative AI.”

AppFabric integrates multiple SaaS applications to streamline SaaS activity events, create a unified events schema/database, offer analytics, and interconnectivity with other AWS Security products, such as Security Data Lake, Security Hub, etc.

What SaaS applications are supported?

AppFabric launches with an impressive list of SaaS integrations, each with its specific constraints and limitations:

What data is now available?

AWS AppFabric pulls two main data points:

Audit logs ingestions

SaaS applications generate Audit Log events representing any administrative access by SaaS administrators. AWS AppFabric pulls these audit logs from multiple SaaS applications so you can monitor them all in one centralized location. AWS AppFabric pulls audit log data every two minutes and customers cannot change this frequency.

A few examples:

New user provisioning
Multi-Factor Authentication (MFA) setting changes
User permission role changes
Password policy changes

User information

SaaS application user information contains data around users themselves (email, name, etc), their permission roles (admin, read-only, etc), and their activity events (view, create, share, etc).

‍

What are the main use cases?

Taken from AWS:

Connect your SaaS applications quickly

AppFabric natively connects top SaaS productivity and security applications to each other, providing a fully managed SaaS interoperability solution.

Elevate your security posture

Application data is automatically normalized, enabling administrators to set common policies, standardize security alerts, and easily manage user access across multiple applications.

Reimagine productivity

With a common generative AI assistant, AppFabric empowers employees to get answers quickly, automate task management, and generate insights across their SaaS productivity applications.
‍

What is out of scope?

While AWS AppFabric is exciting and puts SaaS security “on the map”, it is still very limited when it comes to offering a comprehensive SaaS security solution. It plays smoothly with the broader AWS ecosystem, but with very limited data points covering a small fraction of the SaaS Security threat landscape.

Even though AWS AppFabric helps monitor Audit Logs and query for user information, it lacks critical capabilities completing the picture for security teams:

Near real-time events - subscribing to webhook events to benefit from near real-time events instead of the current hardcoded 2 minute frequency.
Data inventory - full discovery of all the data you store in SaaS applications, who owns it, across what departments, how exposed is it internally, externally, and publicly, etc.
OAuth apps inventory - full discovery of all the 3rd party OAuth tokens granted by employees installing 3rd party tools - now having programmatic access to your corporate data.
Business context enrichments (HRIS, IDP, EDR) - activity events and user information alone lack critical business context to speed up mitigation paths. HRIS, IDP, and EDR integrations provide robust enrichments used to infer decision making and automations.
DLP scanning - AppFabric offers this through a 3rd party vendor integration, meaning that you need to purchase another tool to benefit from PII/PHI/sensitive data scanning.
Remediation - the holy grail of enterprise security (unlike IaaS Security) is the ability to remediate and solve security incidents right away. For example, removing a permission, changing ownership, deleting files, and running approvals.
Workflow automations - the only way to reduce total cost of ownership (TCO) is to embed workflow automations between activity events, business context, and remediation paths.
Anomaly detection - using ML/AI models to identify anomalies across activity events, data sets, permission sets, 3rd party apps, etc.
Custom downstream integrations - the ability to streamline information to any custom endpoint using simple, generic HTTPs requests.

‍

What does it mean for SaaS security and security teams?

AWS AppFabric is a very important validation for the importance of SaaS Security in 2023. Historically, AWS launches products associated with massive total addressable markets, critical customer pain points, and available budgets. Security teams now have a robust SaaS security solution to compare against all other solutions in the market, and make the best decision for their specific organizational needs/requirements. Security teams now look at the bigger picture and prioritize SaaS Security in their 2023/2024 budgets.

SaaS applications partnering with AWS on AppFabric validates that native SaaS Security capabilities are not enough to truly protect data at the speed of modern collaboration, data complexity, and rising threats.

As SaaS Security Platforms (SSPs) are on the rise, customers’ expectations are to purchase solutions that offer up comprehensive coverage of SaaS security threat models – all from a single vendor. Securing SaaS is a challenge at scale, given the application and data sprawl that is ultimately created for organizations of all shapes and sizes.

While this validation from AWS reaffirms the criticality of securing SaaS applications and data, what AppFabric lacks at this current moment in time is the combination of your SaaS attack surface, business context, and automated remediation. This combo is absolutely necessary in order to scale SaaS utilization and drive business enablement simultaneously.

‍

Adam Gavish

Co-Founder and CEO

Adam Gavish is the Co-Founder and Chief Executive Officer of DoControl. Adam brings 15 years of experience in product management, software engineering, and network security. Prior to founding DoControl, Adam was a Product Manager at Google Cloud, where he led ideation, execution, and strategy of Security & Privacy products serving Fortune 500 customers. Before Google, Adam was a Senior Technical Product Manager at Amazon, where he launched customer-obsessed products improving the payment experience for 300M customers globally. Before Amazon, Adam was a Software Engineer in two successfully acquired startups, eXelate for $200M and Skyfence for $60M.

Adam is a lifetime information geek, breaking down business and technical problems into components to generate long-term learning. He loves running outdoors, playing with LEGOs with his son, and watching a good movie with his wife.

Adam holds a B.S. in Computer Science from the Academic College of Tel-Aviv Yafo and an MBA from the Johnson Graduate School of Management at Cornell University.

DoControl Recognized in Forrester’s The Insider Risk Solutions Landscape, Q2 2024

DoControl is highlighted in Forrester's latest report on insider risk solutions, offering invaluable insights for security professionals aware of the unique security risks posed by insiders.

Securing Your Data Amidst Threats: Insights from the Dropbox Breach

In the realm of digital security, the recent breach at Dropbox highlights the perpetual battle against cyber threats and the critical need for proactive defense strategies.

Why Sensitive Data Discovery Tools are Wrong More Often Than You'd Like

Discover why sensitive data discovery tools often trigger false alarms, causing frustration for InfoSec teams. Learn why this happens and how to find tools for accurate detections.