Organizations often focus on protecting sensitive data within their core applications, such as Salesforce, Microsoft 365, ServiceNow, and Google Workspace, assuming these are the only repositories of critical information. This mindset creates a large and dangerous blind spot for attackers to exploit. Sensitive data does not reside only in core applications; it is spread across the entire digital ecosystem in lesser-known apps, unsanctioned apps, and interconnected third-party apps.
Expanding Beyond Core Applications
The misconception that sensitive data exists solely in core apps stems from the traditional approach to data management. Core applications were once the primary holders of valuable information. As organizations adopted cloud services, integrated third-party applications, and automated workflows, sensitive data began spreading into a wide variety of "non-core" apps. In recent years we have seen a growing number of breaches of non-core apps, through a range of vulnerabilities and attack techniques.
One example is the 2024 campaign against Snowflake customer accounts, in which stolen credentials were used against accounts that did not enforce MFA, exposing personally identifiable information (PII) including names, email addresses, physical addresses, and even partial credit card numbers. Similarly, Sumo Logic disclosed in 2023 that a compromised credential had been used to access the company's Amazon Web Services account.
The long tail of smaller SaaS applications is just as susceptible. In 2022, HubSpot suffered a breach when malicious actors compromised an employee account used for customer support, allowing them to access and export customer contact data from several HubSpot customer accounts. In another case, a misconfiguration in Atlassian's Jira, where issues, filters, and dashboards had been left viewable by anyone, exposed internal data of major corporations and even NASA.
These breaches show that threats often originate from both simple security oversights and complex attack methods, highlighting the need for a proactive approach to SaaS security.
Which Applications Should be Monitored and Secured?
Organizations that continuously monitor only their core apps, and leave every other app to periodic manual audits, first have to decide which applications actually require monitoring. That decision is harder than it looks.
Almost every security professional would agree on the need to secure HR information, customer data, product roadmaps, go-to-market strategies, and legal documents. Applications that interact with sensitive databases would also require monitoring.
Despite that universal agreement on the need to secure that data, many organizations rely on manual audits to secure Adobe Sign (a legal document repository), Dropbox (company resources), Looker (business intelligence over sensitive data), HiBob and BambooHR (HR applications holding sensitive employee data), Chorus and Gong (call-recording applications holding sensitive customer data), and Power Apps (a low-code/no-code app builder with access to sensitive databases).
Nearly every SaaS application contains data that needs to be protected. Relying on a "core apps" strategy means leaving terabytes of sensitive data exposed to misconfigurations, configuration drift, and poor access controls.
How Shadow Apps Increase Risk
Shadow apps, SaaS applications that the security team is unaware of, extend the issue further. They typically appear when employees adopt tools that simplify their workflow, usually with no malicious intent. These tools, however, have not been vetted and often lack enterprise-level security measures, making them attractive targets for attackers. Without centralized oversight and monitoring, it becomes nearly impossible to control where sensitive data might end up.
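One practical way to regain that oversight is to mine the OAuth consent events that the identity provider already records: every time an employee clicks "Allow" on a third-party app, the IdP logs which app, which user, and which scopes. The script below is an added example written for this article, not code from Adaptive Shield or from any vendor. It assumes records shaped loosely like Google Workspace "token" audit-log entries (an actor e-mail, an "authorize" event, and app_name / client_id / scope parameters); the sample events, client IDs, and the sanctioned-app allowlist are all constructed for the example. It flags every app not on the allowlist, lists who consented, and highlights apps that were granted broad scopes such as full Drive or Gmail access.

```python
"""Flag unsanctioned (shadow) SaaS apps from OAuth consent audit events.

Added example for this article; not vendor code. Record shape is an
assumption modeled on Google Workspace token audit-log entries.
"""

# Constructed sample events (invented users, apps and client IDs).
SAMPLE_EVENTS = [
    {"actor": {"email": "alice@example.com"}, "events": [{"name": "authorize", "parameters": [
        {"name": "app_name", "value": "Slack"},
        {"name": "client_id", "value": "slack-client-id"},
        {"name": "scope", "multiValue": ["https://www.googleapis.com/auth/userinfo.email",
                                         "https://www.googleapis.com/auth/drive.file"]}]}]},
    {"actor": {"email": "bob@example.com"}, "events": [{"name": "authorize", "parameters": [
        {"name": "app_name", "value": "PDF Merge Wizard"},
        {"name": "client_id", "value": "pdfwiz-123"},
        {"name": "scope", "multiValue": ["https://www.googleapis.com/auth/drive",
                                         "https://www.googleapis.com/auth/userinfo.email"]}]}]},
    {"actor": {"email": "carol@example.com"}, "events": [{"name": "authorize", "parameters": [
        {"name": "app_name", "value": "PDF Merge Wizard"},
        {"name": "client_id", "value": "pdfwiz-123"},
        {"name": "scope", "multiValue": ["https://www.googleapis.com/auth/drive"]}]}]},
    {"actor": {"email": "dave@example.com"}, "events": [{"name": "authorize", "parameters": [
        {"name": "app_name", "value": "Meeting Notes AI"},
        {"name": "client_id", "value": "mnai-456"},
        {"name": "scope", "multiValue": ["https://www.googleapis.com/auth/calendar.readonly",
                                         "https://www.googleapis.com/auth/userinfo.email"]}]}]},
    # A revoke event: not a new grant, so it is ignored below.
    {"actor": {"email": "eve@example.com"}, "events": [{"name": "revoke", "parameters": [
        {"name": "app_name", "value": "PDF Merge Wizard"},
        {"name": "client_id", "value": "pdfwiz-123"}]}]},
]

# Assumed allowlist of apps the security team has reviewed and approved.
SANCTIONED_CLIENT_IDS = {"slack-client-id"}

# Real Google OAuth scope names that grant broad access to sensitive data.
SENSITIVE_SCOPES = {
    "https://www.googleapis.com/auth/drive",            # full Drive read/write
    "https://mail.google.com/",                         # full Gmail access
    "https://www.googleapis.com/auth/admin.directory.user",  # directory admin
}


def find_shadow_apps(events, sanctioned_client_ids, sensitive_scopes=SENSITIVE_SCOPES):
    """Return unsanctioned apps, who consented to them, and any sensitive scopes.

    Only 'authorize' events count as grants; revokes and other event types are
    skipped. Apps are keyed by client_id, since app_name is attacker-chosen.
    """
    apps = {}
    for record in events:
        user = record["actor"]["email"]
        for ev in record.get("events", []):
            if ev.get("name") != "authorize":
                continue
            # Flatten the parameter list; multi-valued params (scope) keep a list.
            params = {p["name"]: p.get("multiValue", p.get("value")) for p in ev.get("parameters", [])}
            client_id = params.get("client_id")
            if not client_id or client_id in sanctioned_client_ids:
                continue
            scopes = params.get("scope") or []
            if isinstance(scopes, str):
                scopes = [scopes]
            entry = apps.setdefault(client_id, {
                "app_name": params.get("app_name", "<unknown>"),
                "client_id": client_id, "users": set(), "scopes": set()})
            entry["users"].add(user)
            entry["scopes"].update(scopes)

    report = []
    for entry in apps.values():
        report.append({
            "app_name": entry["app_name"],
            "client_id": entry["client_id"],
            "users": sorted(entry["users"]),
            "scopes": sorted(entry["scopes"]),
            "sensitive_scopes": sorted(entry["scopes"] & set(sensitive_scopes)),
        })
    # Most dangerous first: broad scopes, then widest adoption.
    report.sort(key=lambda r: (-len(r["sensitive_scopes"]), -len(r["users"]), r["app_name"]))
    return report


if __name__ == "__main__":
    for app in find_shadow_apps(SAMPLE_EVENTS, SANCTIONED_CLIENT_IDS):
        flag = "SENSITIVE" if app["sensitive_scopes"] else "review"
        print(f"[{flag}] {app['app_name']} ({app['client_id']}): "
              f"{len(app['users'])} user(s), scopes={app['scopes']}")
```

On the sample data this reports "PDF Merge Wizard" first (two users, full Drive access) and "Meeting Notes AI" second (read-only calendar). Keying on client_id rather than the display name matters: a malicious app can call itself "Slack", but it cannot reuse Slack's client ID. The same approach works with Microsoft Entra ID's consent audit events or Okta's system log; only the record-flattening step changes.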
Take a Full Stack Approach
To truly secure corporate data, security teams need to start from the premise that every application must be secured. Securing the full SaaS stack requires investment in a SaaS Security Posture Management (SSPM) platform and commitment from app owners and the security team to collaborate on SaaS security. While it can be challenging to introduce full-stack SaaS security, failure to do so will simply leave too much sensitive data exposed.
About the Author
After completing her BA in Communications, Zehava began her career diving into the world of content writing. She recently joined Adaptive Shield as Content Manager, bursting with ideas to create engaging discussion around SaaS security and the rapidly developing world of SSPM. She also does portrait drawings.
Zehava can be reached online at her LinkedIn and at our company website https://www.adaptive-shield.com/.