An insider threat is a person with inside knowledge of or access to an organization’s resources, who then uses that privileged knowledge or access to cause harm to the organization.
When it comes to SaaS, an insider threat is when a person who has been granted access permissions to the organization’s SaaS applications or data uses that access to cause harm.
Who can pose insider threats in SaaS ecosystems?
The three main categories of parties who can pose insider threats in your organization’s SaaS ecosystem are:
- Employees
- 3rd party collaborators
- Former employees/contractors (if access isn’t rescinded)
Employees
Employees need access to your SaaS systems to do their job and do it well. But the same access that provides them with the tools to do good may turn into a tool to do harm, if misused.
3rd party collaborators
While the most obvious source of insider threats in cyber security comes from the organization’s employees, they are not the only source. The nature of SaaS (and its primary selling point!) is the ease of collaboration, and so any external party that an employee needs to collaborate with can potentially be made an insider.
These potential insiders can include:
- Contractors
- Service providers
- Suppliers
- Customers and clients
- Partners
Former employees/contractors (if access is not rescinded)
Organized systems tend toward entropy. It’s less effort to make a mess than to clean it up. And it’s easier to give access to your SaaS assets than to remember to remove that access when it’s no longer needed.
Almost everyone who uses Google Workspace, for example, has had the experience of seeing a Google Drive asset with access permissions for people who no longer work at the company. This is even more common when access is given to private or personal email accounts. Retained access past the point of practical benefit invites unnecessary risk.
Types of insider threats
Not all insider threats are created equal. Insider risks range in intention from benign mistakes to deliberate destruction. The following are the different types of intentional and unintentional insider threats.
Unintentional insider threats
Unintentional insider threats tend to fall into two categories: ignorance and negligence.
Ignorance-based insider threats occur when an insider makes a genuine mistake that opens up the organization to harm. Examples include:
- mistyping a user account when giving access, which accidentally exposes a sensitive SaaS asset
- unknowingly or inadvertently clicking on a hyperlink or responding to a phishing email
Negligence-based insider threats occur when an insider acts irresponsibly even though they know that the action goes against security policies. Examples include:
- Using weak passwords even when told they should create a strong password
- Revealing their access credentials to other people
- Sharing sensitive information in public channels in Slack
- Setting SaaS asset sharing permissions to “anyone with the link can access”
Intentional (malicious) insider threats
Intentional insider threats are when an insider acts to harm their organization in order to act on a personal grievance or to derive personal benefit.
For example, an employee who has been fired or passed over for a promotion may intentionally expose sensitive information, steal assets or corrupt data in order to “get even.”
Alternatively, an employee who is planning on leaving to work at a competitor may steal proprietary data to try and advance their career in their new position.
The Unique Security Challenge of Insider Threats
Of all the security threats to your SaaS environment, insider threats are among the hardest to detect. Firewalls or any other service “edge” security solution aren’t helpful, because there is no perimeter when it comes to the insider; the insider is inside the perimeter!
Your insider has legitimate access to at least a subset of your SaaS applications and assets. How can you read their intentions when they use this legitimate access? This is what makes insider threat detection and response (ITDR) so tricky within SaaS.
How to Combat Insider Threat Within SaaS Systems
Despite the challenges, there are ways to effectively perform ITDR within SaaS systems.
First and foremost, however, it is important to focus on the ways to prevent insider threats. Why need to get to the stage of insider threat detection when you can prevent insiders from becoming threats in the first place?
Insider threat prevention
If you hire someone to water the plants in your living room while you’re on vacation, they don’t need the keys to your bedroom or home office. Giving insiders no more access than they actually need to do their job is known in the world of digital systems as Zero Trust.
When you implement Zero Trust as your security approach, you automatically reduce the scope of insider threats, because:
- Less people have access to the system or assets
- The people who do have access have it for a defined reason
When it comes to SaaS, one implication of Zero Trust is in the types of access permissions you allow users to set on data assets. While “anyone in the organization can access” is a convenient permission level for a user to give (since it eliminates their need to go back and keep authorizing access for any user in the organization who may need this asset in the future), it dramatically increases your attack surface for insider threats. This is true and even more so for “anyone with the link can access” permissions.
In an organization that uses the Zero Trust approach, broad access is given only if that is truly necessary for the accomplishment of the organization’s goals.
A Zero Trust outlook should be used not only when granting permissions, but also when revoking them. If a user’s access to an asset is no longer necessary for their job, the access should be removed. Examples include terminated employees or contractors whose project has been completed. Removing access permissions as soon as they are no longer relevant reduces the chances that the asset will be misused in the future.
Despite your best efforts at prevention, insider threats will remain a risk. An employee who has legitimate access to an asset to fulfill their job role could make a mistake or deliberately decide to misuse their privileges. This is where knowing how to detect insider threats becomes critically important.
Insider threat detection
When it comes to SaaS, the most effective method of insider threat detection is by identifying behavioral anomalies. Sudden interaction with data assets in an atypical way is a prime indicator that something is amiss.
Examples of behavioral anomalies for which to monitor include:
- Excessive spikes in data downloads or sending large amounts of data outside the company
- Unusual increases in public or external sharing of assets, especially sensitive assets
- Attempts to access data not related to a user’s job function
- Renamed files where the file extension doesn’t match the content
- Increasing requests for escalated privileges or permissions
- Logins from abnormal locations or at unusual times
- Multiple login attempts, password changes or account resets
For any of these examples, bear in mind that it’s not certain that a changed pattern of interaction indicates a problem. There are often legitimate reasons why an insider’s data access patterns might have changed, for example, they were put in charge of supplying data to an external organization conducting due diligence in light of a potential acquisition. That’s why it’s helpful to be able to take business and HR contextual information into account when analyzing behavioral anomalies.
