By Misha Seltzer, Co-Founder and CTO of Atmosec
Call it a sign of the times; you can’t trust anyone these days, even the most loyal members of your organization. As a result, enterprises have embraced the zero trust model of security – where all users connecting to a network are assumed to be untrustworthy and must be vetted, for example through two-factor authentication (2FA).
But threats sometimes come from unexpected quarters, such as some of the most popular cloud-based applications, as evidenced by the increase in supply-chain attacks. Organizations tend to focus their security on malware transferred via email, as well as other exploits connected to users. The ubiquitous SaaS “trusted application platforms” need to be looked upon as potential security risks as well – and included in zero-trust policies. Indeed, some of the most “trusted” platforms and services – including Okta, Mailchimp, Heroku, TravisCI and Hubspot – have been hacked and/or subject to security breaches in recent weeks. Such incidents show that even major platforms – which presumably have extensive internal security – need to be included in zero-trust policies.
Platforms, like users, cannot be treated as “trusted.” To protect against these threats, organizations need to set up systems that examine all connections between users, SaaS platforms, and data, and that evaluate and vet the increasingly popular third-party apps used by employees.
Security flaws in these platforms could be weaponized by hackers who take advantage of them via third-party apps that connect to the platforms. The SaaS platform itself may usually be safe, but security flaws – ones that even the platform isn’t aware of – could enable bad actors to get a foothold on the platform, and from there reach an organization’s network or the data stored on the SaaS platform itself. And because these SaaS third-party applications are widely used to enhance platform capabilities, both by employees in the office and those working remotely, stemming the threats presented by these connections can be a difficult challenge for security teams.
The problem for organizations – even those with zero-trust security policies – is that most cannot vet the connections within these trusted SaaS platforms. Hackers can thus take advantage of SaaS vulnerabilities to steal organization or personal employee data from the platform – and the security team won’t know about it until it’s too late. In fact, the security flaw may not be a bug at all; it may be a “feature” of the SaaS platform, designed to help users be more productive – but the third-party apps built on such features are often not vetted as carefully for security, and could provide hackers with the opportunity they need.
For example, researchers in 2020 discovered a request smuggling vulnerability on the Slack SaaS platform, which would allow hackers to send rogue requests through an online application – perhaps a request to pass malware through to a client, or to siphon data off a connected cloud account. According to researchers, the vulnerability was discovered in an unnamed asset “that could be used to force users into open redirects, leading to a CL.TE-based hijack and the theft of secret user session cookies. These cookies could then be stolen, leading to the compromise of arbitrary Slack customer accounts and sessions.”
It should be noted that the behavior behind the bug was actually designed to speed up user requests and make the platform more efficient; but bad actors, as they often do, were able to hijack the feature for nefarious purposes. The Slack asset may or may not have been utilized by one of the many third-party applications on the Slack Marketplace, all of which use APIs and assets within the platform to provide assistance, shortcuts, and greater efficiency for Slack users; but it certainly could have been used in that way. The vulnerability was discovered by a bug bounty hunter before hackers could get hold of it – but there’s no guarantee that others don’t exist. And the same story could be told about other platforms – such as Salesforce, where researchers discovered that third-party applications that rely on the platform’s OAuth protocol could open the door to bad actors.
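The CL.TE hijack mentioned above only works when two hops disagree about where a request body ends. As an added illustration (not code from the article or from Slack), here is the kind of framing check a front-end proxy can apply to refuse ambiguous requests before they reach the platform; the sample requests and the rejection rules are constructed from RFC 7230 section 3.3.3.

```python
"""Reject HTTP/1.1 requests whose body framing is ambiguous.

RFC 7230 section 3.3.3 treats a message carrying both Content-Length and
Transfer-Encoding, or conflicting Content-Length values, as malformed; a
gateway that rejects such requests up front removes the ambiguity that
CL.TE and TE.CL smuggling depend on. Sample requests are constructed.
"""
from typing import Tuple


def check_framing(raw: bytes) -> Tuple[bool, str]:
    """Return (accepted, reason) for the head of an HTTP/1.1 request."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    if not lines[0]:
        return False, "missing request line"
    cl_values, te_values = [], []
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        # RFC 7230 3.2.4: no whitespace between field-name and colon, so a
        # header name with surrounding whitespace is malformed, not honored.
        if not sep or not name or name != name.strip():
            return False, "malformed header line"
        key = name.lower()
        if key == b"content-length":
            cl_values.append(value.strip())
        elif key == b"transfer-encoding":
            te_values.append(value.strip().lower())
    if cl_values and te_values:
        return False, "both Content-Length and Transfer-Encoding present"
    if len(set(cl_values)) > 1:
        return False, "conflicting Content-Length values"
    if any(not v.isdigit() for v in cl_values):
        return False, "non-numeric Content-Length"
    if te_values:
        # Only a final 'chunked' coding gives unambiguous framing.
        codings = [c.strip() for v in te_values for c in v.split(b",")]
        if codings[-1] != b"chunked":
            return False, "Transfer-Encoding does not end with chunked"
    return True, "ok"


# Constructed samples: a well-formed request and an ambiguous CL.TE one.
CLEAN = b"POST /api HTTP/1.1\r\nHost: example.test\r\nContent-Length: 5\r\n\r\nhello"
AMBIGUOUS = (b"POST /api HTTP/1.1\r\nHost: example.test\r\n"
             b"Content-Length: 5\r\nTransfer-Encoding: chunked\r\n\r\n0\r\n\r\n")

if __name__ == "__main__":
    for sample in (CLEAN, AMBIGUOUS):
        print(check_framing(sample))
```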
The point is that there is no way for organization security teams to know about these potential problems before they are discovered – possibly by hackers. The resolution of issues like these is in the hands of the SaaS platform that allows these third-party applications to utilize its resources, some of which may have security issues – but if any damage does ensue, it will be strictly the problem of the end-user victim. The task for security teams, then, is to ensure that their organization does not end up on that victim list – despite the fact that they would have no way of knowing about SaaS platform security flaws, or any way to do anything about them even if they did know.
Some organizations might try to impose a whitelist, allowing the use of only those SaaS platforms and third-party apps that have been thoroughly vetted. But that could be difficult to implement, especially if employees have a lot of assets and data invested in those platforms and applications – and yet another reason to implement zero-trust policies.
A better strategy might be to implement an automated system that examines connections and logs for anomalies and other issues, using techniques like AI, machine learning, neural networks, and other advanced data systems that alert security teams to potential problems. If suspicious behavior is detected, teams can intervene to prevent or limit damage, ensuring that the organization’s most important assets are protected.
Additional protections, also built on the zero-trust model, could include tighter policies for SaaS within the organization: requiring frequent password changes, implementing 2FA, rotating API keys, and ensuring that SaaS accounts are closed when employees leave or take different jobs in the organization. Advanced data systems can help security teams keep up with changes as they occur, ensuring that all security risks are accounted for.
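The vetted-app list from the whitelisting discussion and the account policies just listed (2FA, key rotation, offboarding) can be checked mechanically against a platform's account export. The review below is an added example, not Atmosec's product or any platform's API; the inventory, the 90-day rotation threshold and the app scopes are constructed for illustration.

```python
"""Review SaaS accounts and third-party app grants against policy.

Inventory, thresholds and the vetted-app list are constructed for this
example; a real run would read them from the platform's admin or SCIM API.
"""
from datetime import date

MAX_KEY_AGE_DAYS = 90          # assumed rotation policy
TODAY = date(2022, 5, 1)       # fixed so the example is deterministic

# Vetted (allow-listed) third-party apps and the scopes each is approved for.
VETTED_APPS = {"calendar-sync": {"calendar:read"}, "ticket-bot": {"chat:write"}}

ACCOUNTS = [  # constructed export
    {"user": "alice", "mfa": True, "active": True, "employed": True,
     "keys": [{"id": "k1", "created": date(2022, 1, 1)}],
     "apps": [{"name": "calendar-sync", "scopes": {"calendar:read"}}]},
    {"user": "bob", "mfa": False, "active": True, "employed": False,
     "keys": [{"id": "k2", "created": date(2022, 4, 20)}],
     "apps": [{"name": "ticket-bot", "scopes": {"chat:write", "files:read"}}]},
    {"user": "carol", "mfa": True, "active": True, "employed": True,
     "keys": [], "apps": [{"name": "notes-helper", "scopes": {"files:read"}}]},
]


def review(accounts, today=TODAY):
    """Return (user, finding) tuples; an empty list means nothing to fix."""
    findings = []
    for acct in accounts:
        user = acct["user"]
        if acct["active"] and not acct["employed"]:
            findings.append((user, "account still active after offboarding"))
        if not acct["mfa"]:
            findings.append((user, "2FA not enrolled"))
        for key in acct["keys"]:
            age = (today - key["created"]).days
            if age > MAX_KEY_AGE_DAYS:
                findings.append((user, f"API key {key['id']} is {age} days old"))
        for app in acct["apps"]:
            allowed = VETTED_APPS.get(app["name"])
            if allowed is None:
                findings.append((user, f"unvetted app {app['name']}"))
            elif not app["scopes"] <= allowed:  # granted more than approved
                extra = ",".join(sorted(app["scopes"] - allowed))
                findings.append((user, f"{app['name']} holds extra scope {extra}"))
    return findings


if __name__ == "__main__":
    for user, finding in review(ACCOUNTS):
        print(f"{user}: {finding}")
```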
SaaS platforms have enhanced productivity for untold numbers of organizations – and have been essential to ensuring business success during the Covid and post-Covid periods, when many employees did (and continue to do) their work from home. The capabilities – and convenience – of SaaS platforms and their third-party apps will continue to be essential. Security teams that handle them correctly can ensure that organization employees remain productive – and safe.
About the Author
Misha Seltzer is the Co-Founder and CTO of Atmosec. He’s driven by helping companies confidently secure the adoption, usage and management of any business application across their organization. Misha can be reached online on LinkedIn and at our company website https://www.atmosec.com/