It’s no secret we have seen a spike in insider risks associated with the privileged credentials of Software as a Service (SaaS) applications. Privileged credentials are the proverbial “keys to the kingdom,” and as more organizations continue to rapidly adopt cloud-first strategies, they will need to reevaluate their security posture to ensure these keys are not mishandled. Gone are the days when all data sat within the confines of your data center walls. It once was a challenge for an attacker to gain an initial foothold, perform reconnaissance, escalate privileges, and ultimately succeed in their nefarious plan to disrupt the business or exfiltrate sensitive data. Not anymore.
The Criticality of Credentials
Today, organizations have more entities accessing an increasing number of applications and generating cloud-hosted data and files in higher volumes. Applications and their derivative data are what drive the business forward. Unfortunately, security often takes a back seat to driving this business enablement (and, ultimately, continuity).
It’s not uncommon for users to share credentials over a Slack channel or Microsoft Teams. The longer that credential is exposed over the Slack channel, the more likely it is to fall into the wrong hands. We saw this most recently through a rash of breaches that included the likes of Uber, Twitter and Okta. Moreover, as seen in the recent GitHub breach, OAuth tokens were compromised and leveraged to download data from dozens of their customers' repositories. In addition, late last year, Toyota publicly disclosed that they’d suffered a data leak when one of their subcontractors mistakenly exposed an AWS key on GitHub.
Remember, Not All Identities are Human
There is a common denominator across cyber attacks – the use of privileged credentials. Rapid advancements in technology, the pace of digital transformation initiatives and the continuing transition to the cloud have made securing the credentials and the identities that have access to them no easy task. The combined threat of both human and non-human access to corporate data has only heightened this challenge. Today’s organizations have more systems and applications that are accessed by both internal and external actors, as well as non-human identities – i.e. application-to-application integrations – than ever before. This challenge quickly snowballs, ultimately increasing an organization’s risk for data exfiltration.
Organizations would be right to shine a light on the risks associated with non-human user access. Their associated permissions can be easily overlooked by even the savviest security team, which makes them an attractive target for bad actors to gain some initial traction. For example, the OAuth protocol provides a convenient way for one application to connect to another, but when this access becomes compromised, it can provide unauthorized access to sensitive data within the application that it’s connected to. The risk of supply-chain-based attacks involving OAuth tokens and other non-human identity credentials is, unfortunately, becoming all too commonplace.
Privileged Credentials and Insider Risk
Increasing insider risk concerns come as a result of the new norm of hybrid and remote working environments and the rapid introduction of work-related applications such as Slack and Microsoft Teams installed on personal devices. The risks of this new reality stem from two sources: negligence and sabotage. The tremendous commingling of various unsecured devices and unmonitored applications has left the door wide open to attackers. Thus, while sabotage happens, the lack of robust SaaS security means that negligence is a much greater threat than an employee with a bone to pick.
In order to mitigate risk, insider behaviors that increase risk through deliberately malicious or purely negligent means – such as a departing employee sharing or forwarding sensitive information from customer lists to their private email account – must be rapidly detected. From there, the relevant persons need to be alerted and the appropriate response applied.
From a non-human user lens, there is an increase in both sanctioned and unsanctioned applications within the SaaS estate. Some of these applications are over-privileged, with risky permission scopes that might not be approved by internal IT/security teams. The same approach illustrated above needs to be applied to non-human access, where companies have the ability to identify malicious behaviors, such as activity that is indicative of a supply-chain-based attack. Additionally, detecting high-risk application-related activity such as excessive API calls, a sudden and significant number of updates, or the discovery of a known malicious application server IP address is vital. IT/security teams must be notified and take appropriate action to remove the OAuth token or suspend the application. In order to maintain both business continuity and a strong security posture, it is vital that these steps be automated.
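As an added example (not code from the original article), the following Python flags the three high-risk application signals described above over constructed SaaS audit events and maps each finding to a response; the log line format, the thresholds, the IP blocklist and the response policy are all assumptions.

```python
# Added example (not the article's code): flag the high-risk OAuth-app signals the text
# names over constructed SaaS audit events. Thresholds, log format and blocklist are assumed.
from datetime import datetime, timedelta

API_CALLS_PER_HOUR, UPDATES_PER_HOUR = 100, 20   # assumed per-app thresholds
KNOWN_MALICIOUS_IPS = {"203.0.113.7"}             # constructed blocklist (TEST-NET-3 address)

def parse_event(line):  # assumed line format: '<ISO time> app=<id> action=<a> ip=<addr>'
    ts, *fields = line.split()
    return {"ts": datetime.fromisoformat(ts), **dict(f.split("=", 1) for f in fields)}

def max_in_window(times, window=timedelta(hours=1)):
    """Largest number of (sorted) timestamps that fall inside any window of this length."""
    best = lo = 0
    for hi, t in enumerate(times):
        while t - times[lo] > window:
            lo += 1
        best = max(best, hi - lo + 1)
    return best

def app_reasons(evs):
    """Why one app's (time-sorted) events are high-risk; empty list when they are not."""
    bad_ips = sorted({e["ip"] for e in evs} & KNOWN_MALICIOUS_IPS)
    reasons = [f"contact with known malicious IP {bad_ips}"] if bad_ips else []
    for action, limit, label in (("api_call", API_CALLS_PER_HOUR, "API calls"),
                                 ("update", UPDATES_PER_HOUR, "updates")):
        if max_in_window([e["ts"] for e in evs if e["action"] == action]) > limit:
            reasons.append(f"excessive {label}: >{limit} within one hour")
    return reasons

def analyze(lines):
    """Return {app_id: [reason, ...]} for every app whose activity is high-risk."""
    per_app = {}
    for e in sorted(map(parse_event, lines), key=lambda e: e["ts"]):
        per_app.setdefault(e["app"], []).append(e)
    return {app: r for app, evs in per_app.items() if (r := app_reasons(evs))}

def recommended_response(reasons):
    """Assumed policy: blocklisted IP -> suspend the app; volume anomaly alone -> revoke its OAuth token."""
    return "suspend_application" if any("malicious IP" in r for r in reasons) else "revoke_oauth_token"

def constructed_log():  # constructed sample events, not real data
    t0 = datetime(2023, 2, 1, 9, 0)
    line = lambda dt, app, action, ip: f"{dt.isoformat()} app={app} action={action} ip={ip}"
    lines = [line(t0 + timedelta(seconds=10 * i), "crm-sync", "api_call", "198.51.100.4") for i in range(150)]
    lines += [line(t0 + timedelta(minutes=i), "calendar-bot", "update", "203.0.113.7") for i in range(3)]
    lines += [line(t0 + timedelta(hours=i), "docs-export", "api_call", "198.51.100.9") for i in range(5)]
    return lines
```

Running `analyze(constructed_log())` flags the integration making 150 calls in 25 minutes and the low-volume app talking to the blocklisted address, while the hourly baseline app is left alone.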
Keeping the Keys to the Kingdom in Safe Hands
Knowing “who has access and to what” is critical in keeping the ‘keys to the kingdom’ from being mishandled. This goes for human users as well as machine identities. It’s important to create a full inventory of users, applications, assets, domains, groups, etc., as well as to build an understanding of the business context through mapping, relationship graphs and communications tracking. This may seem tedious, but there are tools that make this process simple and fully automated. These actions are essential to keeping data secure. Business context is critical to reducing productivity impacts, and security teams must be able to separate normal practice from events that introduce material risk to the business. If not, teams will end up with a significant number of false positives, pushing security teams further away from identifying and responding to events and threats quickly and efficiently. Introducing and enforcing the principle of least privilege for both human and non-human users is one key method to support a strong security posture for organizations pursuing a cloud-first strategy.
Identity security needs to be extended and go deeper down the technology stack – beyond solely protecting the keys. Securing sensitive cloud-hosted data and wrapping controls around the access will help prevent those keys from falling into the wrong hands. Automation is necessary to best protect the keys to the kingdom. Taking a manual approach is an act of sheer folly. In time, and as the business scales, this problem will only be exacerbated. The time to act is now; otherwise security will become a blocker to driving the business forward.
This blog originally appeared in the February 2023 edition of Cyber Defense Magazine; you can find the original article here.