SaaS applications present a unique challenge due to the way apps assign access permissions, known as entitlements. Unlike traditional on-premises software with a centralized control system, SaaS applications have their own permission structures, often complex and dispersed. This creates what many might call “a labyrinth” for security teams and app owners trying to maintain a secure and compliant environment.
The root of the problem lies in the heterogeneity of SaaS solutions. The likes of Salesforce, Workday, M365, Zendesk and Google Workspace have their own terminology for user roles and permissions, displayed through varying UIs. This inconsistency makes it difficult for security teams to understand and audit access controls across the entire SaaS landscape.
The lack of standardization is a problem. Complex permission structures become breeding grounds for misconfigurations, where access is accidentally granted or left overly broad. Auditing these configurations requires security teams to become experts on each individual platform. Furthermore, with entitlements spread across various applications, the big picture of user permissions gets lost, which hinders efforts to identify potential security weaknesses.
Compounding the issue is the challenge of managing data entitlements. SaaS applications often allow for easy external sharing of documents, boards and repositories. While this does create that sense of collaboration, it also creates a vulnerability.
Security teams lack comprehensive visibility into external sharing activities. This makes it difficult to detect whether data is being shared inadvertently or maliciously and can lead to sensitive information falling into the wrong hands, potentially causing financial and reputational damage.
To secure emerging SaaS attack surfaces, Adaptive Shield extended the capabilities of its SaaS Security Posture Management, or SSPM, unified platform to cover complex permissions and shared data.
Adaptive Shield is an SSPM platform that integrated with over 150 applications and fully automated security management at depth throughout the increasingly complex SaaS app stack.
The first of the new capabilities, the Permission Inventory feature, gives customers deep visibility into permission structures at the SaaS stack level through an automated approach. Core capabilities include permissions consolidation from multiple areas within the application, normalization of permissions across multiple tenants and applications and centralized discovery of roles and aggregated permissions.
The Data Inventory feature enables customers to prevent data leakage. Key among the benefits:
- Identify all publicly shared data from SaaS apps such as Microsoft OneDrive, Google Drive and more, and determine which needs to be further protected.
- Find outlived data or those no longer being used and revoke.
- Recognize which resources are shared externally and sort by user, date, department and former employees.
- Receive alerts to suspicious connections from external domains.
“SaaS security impacts the entire organization, affecting security teams, auditors and app owners,” said Maor Bin, CEO and co-founder of Adaptive Shield. “Our platform consolidates and unifies all threat prevention and detection efforts, allowing enterprises to safely rely on both out-of-the-box and homegrown SaaS applications.”
