As businesses grow in their cloud journeys, so too do their costly SaaS subscriptions, and when employees leave, many still have access to multiple accounts.
Companies big and small are making the trek to the cloud in droves, but the quest for rapid innovation carries risks and responsibilities of its own: ever-growing SaaS subscriptions, and the question of who still has access to those accounts.
The Sociable caught up with Ben Johnson, former NSA agent and current CTO of SaaS application security firm Obsidian Security, who outlined how companies are vulnerable to exploitation and some very simple steps companies can take to cover their SaaS.
According to the Obsidian CTO, most of the breaches that occur come from people logging in, not breaking in, to SaaS accounts.
“We see a lot of straight up account compromise where either you’re getting phished or socially engineered, or you’re reusing your credentials, and they are just trying them in these various SaaS apps and getting in that way,” said Johnson.
When companies have multiple SaaS accounts with different logins and user access, it can be difficult to understand who has access to which and how much money is being spent every month on those subscriptions.
“I think businesses try to move so fast and be productive (especially in 2020 still), and share data and work with outside parties and contractors that it’s incredibly hard to keep track of who is logging in and who has access — who’s getting files shared and all these other things — and I do think that companies tend to give out accounts like candy,” said the former NSA agent.
The first thing that companies need to do in order to mitigate the costs and risks, according to Johnson, is to figure out exactly which SaaS applications they are using.
From there, protecting your SaaS becomes a lot easier.
In general, companies need to do a bit of cleaning up, and it starts with understanding what SaaS apps they are using and then getting their security teams into the conversation.
“First and foremost, security needs a seat at the table,” said Johnson.
“The number one surprise I’ve had in the Obsidian journey so far is how disconnected the security team is from the application team that owns the SaaS applications,” he added.
Companies should figure out which SaaS apps they are using, get security teams involved, and then follow these simple steps:
The first step to protecting your SaaS is to use a single sign-on point, which is an authentication mechanism where one login is used to access multiple apps and services.
“Try to get to single sign-on,” Johnson advised.
“Try to use an application where, regardless of which app you want to go to, you’re going through this single sign-on point.”
Providers such as Google, Microsoft, and Okta all offer single sign-on that “makes it easier to monitor and manage” your accounts.
You may be thinking that a single sign-on would be easier to breach because intruders would only need one credential to log in with, and that leads us to the second step: multi-factor authentication.
Having one login to rule them all helps eliminate many risks of unknown user access, but a single sign-on alone is not enough.
You’re probably already familiar with multi-factor authentication. Gmail, Facebook, Twitter, and many other apps sometimes require you to add your phone number so they can text you a code to input before logging in. That’s one example of multi-factor authentication.
“If you are funneling everything through one login, you can make sure that that is protected by requiring multi-factor authentication and having that one app that generates the code,” said Johnson.
“So, now you are forcing all of your employees through one spot to log in. If you only do those two things, you’re in a much better place.”
Let us recap:
1. Figure out exactly which SaaS applications the company is using.
2. Give the security team a seat at the table alongside the application owners.
3. Funnel every app login through a single sign-on point.
4. Protect that single login with multi-factor authentication.
“From there it starts to get more specific into what you care about,” said Johnson.
“Do you set settings so that by default you can’t forward mail, or do you have settings where by default you can’t share a file externally?” — things like that.
So far we’ve seen how companies can better cover their SaaS, but what exactly are they covering it from? How vulnerable are businesses to SaaS breaches and where do these exploits most often occur?
Sometimes an employee leaves a company, but they still have access to the SaaS accounts, and from there they can download sensitive intellectual property, send fraudulent emails, or even steal money from the company if they so desired.
“When people leave, that account is still sitting there. That account might even still be costing you money,” said Johnson.
“What we see [at Obsidian], is usually on the order of like 40 percent of SaaS accounts are just idle.”
The former NSA agent pointed out that there are two things wrong with idle SaaS accounts.
Former employees need no hacking experience. They simply log in.
Other bad actors, like those who phish, can pose as agents from legit companies, and simply ask for a login as a security measure while the unassuming employee hands over the password without a second thought.
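The two pieces of advice above (put every app behind single sign-on with multi-factor authentication, and stop leaving idle or ex-employee accounts sitting around) can be turned into a routine audit. The following script is an added example and is not code from The Sociable or from Obsidian Security: it runs over a constructed export of SaaS user records from three hypothetical apps (`crm`, `chat`, `files`) plus a constructed list of current staff, and flags accounts that are idle, belong to departed employees, bypass SSO, or lack MFA, along with the monthly cost of the idle seats. The 90-day idle threshold and the seat prices are assumptions.

```python
"""SaaS account hygiene audit (added example, constructed data)."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Set, Tuple

IDLE_AFTER_DAYS = 90  # assumption: no login for 90 days counts as idle


@dataclass(frozen=True)
class SaasAccount:
    app: str
    email: str
    last_login: Optional[date]  # None means the account has never logged in
    sso: bool                   # authenticates through the identity provider?
    mfa: bool                   # multi-factor authentication enrolled?
    seat_cost_usd: float        # monthly cost of this seat (assumed price)
    enabled: bool = True


# Constructed sample data: a fixed "today", the HR roster, and the app exports.
TODAY = date(2020, 10, 1)
CURRENT_STAFF: Set[str] = {"ana@example.com", "bo@example.com", "cy@example.com"}

ACCOUNTS: List[SaasAccount] = [
    SaasAccount("crm", "ana@example.com", date(2020, 9, 28), True, True, 75.0),
    SaasAccount("crm", "dee@example.com", date(2020, 2, 3), True, True, 75.0),    # dee has left
    SaasAccount("chat", "ana@example.com", date(2020, 9, 30), True, True, 8.0),
    SaasAccount("chat", "bo@example.com", date(2020, 4, 1), False, False, 8.0),   # local login, no MFA
    SaasAccount("files", "cy@example.com", None, True, True, 15.0),               # seat never used
    SaasAccount("files", "dee@example.com", date(2020, 1, 15), False, False, 15.0),  # dee has left
]

Finding = Tuple[str, str, str]  # (finding type, app, email)


def audit(accounts: List[SaasAccount], current_staff: Set[str],
          today: date = TODAY, idle_after_days: int = IDLE_AFTER_DAYS) -> List[Finding]:
    """Return one finding per problem per enabled account."""
    cutoff = today - timedelta(days=idle_after_days)
    findings: List[Finding] = []
    for a in accounts:
        if not a.enabled:
            continue  # already disabled: nothing to flag
        if a.email not in current_staff:
            findings.append(("departed", a.app, a.email))  # ex-employee can still log in
        if a.last_login is None or a.last_login < cutoff:
            findings.append(("idle", a.app, a.email))      # unused seat, still billed
        if not a.sso:
            findings.append(("not_sso", a.app, a.email))   # a second door around the SSO point
        if not a.mfa:
            findings.append(("no_mfa", a.app, a.email))    # a phished password is enough
    return findings


def summary(accounts: List[SaasAccount], findings: List[Finding]) -> dict:
    """Roll the findings up into the numbers a security or finance lead would ask for."""
    enabled = [a for a in accounts if a.enabled]
    idle = {(f[1], f[2]) for f in findings if f[0] == "idle"}
    idle_cost = sum(a.seat_cost_usd for a in enabled if (a.app, a.email) in idle)
    return {
        "accounts": len(enabled),
        "idle": len(idle),
        "idle_pct": round(100 * len(idle) / len(enabled), 1) if enabled else 0.0,
        "idle_monthly_cost_usd": idle_cost,
        "departed": sum(1 for f in findings if f[0] == "departed"),
        "outside_sso": sum(1 for f in findings if f[0] == "not_sso"),
        "no_mfa": sum(1 for f in findings if f[0] == "no_mfa"),
    }


if __name__ == "__main__":
    found = audit(ACCOUNTS, CURRENT_STAFF)
    for kind, app, email in found:
        print(f"{kind:9} {app:6} {email}")
    print(summary(ACCOUNTS, found))
```

In real use the `ACCOUNTS` list would come from each app's user export or admin API and `CURRENT_STAFF` from the HR system; the point of the join is that an account only shows up as a problem when the two sources disagree, which is exactly the gap Johnson describes between the security team and the application owners.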
“It’s not really breaking in, they’re trying to get in by logging in,” said Johnson.
“A lot of it starts with strange account activity or strange logins,” he added.
And once an attacker is in, there are lots of ways to persist:
“Clouds talk to clouds. People integrate Salesforce into G Suite, into Box, into Slack, and now you have all these different ways in to these different applications — basically these doors into them,” said the former NSA agent.
“Maybe you have really good security around Slack, but if Slack has a way to communicate with Gmail or with Salesforce, and maybe that isn’t as well-protected — that’s another door,” he added.
Companies are quickly adopting cloud solutions without always taking the time to think about the security implications that come with bundling SaaS applications.
However, as businesses become more aware of the vulnerabilities, they can heed Johnson’s advice, follow a few simple steps, and be in a much better position to protect themselves.
As Johnson points out:
“I think companies are trying to figure out the whole cloud journey, and they have basically already made the journey, and now they’re trying to figure out how to protect the journey, or how to defend themselves.”