Non-human identities (NHIs), such as service accounts, API keys, and OAuth tokens, are an essential yet often overlooked part of the digital workforce. As SaaS applications grow more complex, so too does the network of NHIs linking different platforms. While these identities automate workflows, they also pose unique challenges for SaaS security teams, especially as their volume and interconnectedness increase.
The rise of decentralized ownership of SaaS applications—where different business units, such as marketing, sales, human resources and R&D independently manage their own tools—has further complicated this problem. As business units adopt SaaS solutions like HubSpot, Salesforce, Workday, or GitHub without involving IT or security teams, organizations face fragmented visibility and control, increasing their vulnerability to threats.
Security teams must closely monitor these NHIs, which vastly outnumber human identities. The 2024 State of SaaS Security Report reveals the scale of the challenge: for every human identity, there are 8.6 non-human identities on average! These third-party SaaS integrations, and the NHIs that power them, create several new security challenges for organizations.
NOTE: A slightly different version of this article first appeared in Forbes in June 2024 and can be read here.
Expanding Complexity - Managing SaaS-to-SaaS Integrations in An Increasingly Connected Ecosystem
The power of SaaS lies in its ability to easily connect and automate workflows between applications with third-party integrations. These SaaS integrations leverage NHIs to exchange data and functionality, making tasks faster for everyone. Examples of popular SaaS integrations connected to core platforms include Superhuman with Google Workspace, Calendly with Microsoft 365, and Gong with Salesforce.
While these integrations improve the efficiency of business operations, they add complexity to SaaS security.
The Distributed Ownership Challenge
In many organizations, each department is responsible for selecting and managing the SaaS tools it relies on. While this approach fosters innovation and agility, it can also create gaps in security.
This distributed ownership is particularly problematic for SaaS-to-SaaS integrations. Often occurring without security team involvement, these integrations result in fragmented visibility over which applications are interconnected, in addition to access control challenges. Security teams struggle to protect these integrations and, in some cases, are unaware of critical misconfigurations or other risks.
Non-human identities often sit at the intersection of these integrations. These identities enable applications to communicate with one another automatically, yet they rarely receive the same attention as human accounts. Inadequate visibility into these non-human identities exacerbates the issue. When service accounts are misconfigured or left unchecked, they can expose an organization's infrastructure to risk without detection.
Moreover, non-IT SaaS administrators often lack the expertise to configure integrations securely, while business users may overlook security risks altogether.
Key Risks in SaaS-to-SaaS Integrations
- Over-Privileged Access: When a SaaS user adopts a new integration, part of the process is enabling access privileges to the core SaaS platform. Granting third-party integrations more access than necessary can expose sensitive data. The 2024 State of SaaS Security Report identified that 33% of integrations have access to sensitive data, often exceeding their actual needs. With nearly 2,000 integrations in the average organization, this presents significant risk.
- Inactive Integrations: Third-party SaaS integrations require ongoing lifecycle management, from initial adoption to eventual retirement, but a significant portion of integrations become inactive over time. The API key or OAuth token remains valid even though the connected application no longer uses it, so unused integrations retain live access privileges and become standing security risk.
- Supply Chain Risk: The security posture of the vendor behind a third-party application can impact overall security. If a third-party application has poor security hygiene, data handling procedures, access controls, and incident response protocols, a security incident can easily compromise the SaaS environment.
High-Impact SaaS Breaches That Targeted Non-Human Identities
Traditional identity security best practices don’t typically work for non-human identities. Unlike human users, NHIs often lack robust security measures like multi-factor authentication.
Interestingly, the State of SaaS Security Report found that 94% of security executives believe they have a process in place to manage NHIs. Yet recent high-profile breaches demonstrate a critical gap between perception and reality:
- Microsoft Midnight Blizzard - Nation-state attackers exploited a legacy OAuth application with full permissions to Microsoft's production environment, granting them access to sensitive data, including emails and documents from senior leadership.
- Cloudflare - Following a breach at Okta, attackers used stolen service tokens and credentials to gain administrative access to Cloudflare's Atlassian instance. Cloudflare's security team performed a forensic analysis and rotated 5,000+ production credentials, yet missed 4 service token and service account credentials that belonged to SaaS applications. Despite these extensive credential rotations, the attackers were still able to expose source code.
- Dropbox Sign - Attackers compromised a service account used by Dropbox Sign, gaining access to a treasure trove of user data, including emails, usernames, and general account settings. They also were able to access customer API keys and OAuth tokens, potentially impacting customers.
SaaS Security as an Enabler - Shifting the IT and Security Mindset
I recently discussed SaaS security with Andy Ellis, Partner at YL Ventures and former CSO at Akamai. He emphasized the importance of security teams adopting an enabling mindset where they act as collaborators, rather than gatekeepers.
Rather than adopting a "gatekeeper" mentality—where the security team’s job is to block access to third-party SaaS applications—Andy suggested security teams should embrace a more collaborative, "enabler" role. In this model, security teams actively support the business by providing tools, guidance, and best practices for adopting and integrating new SaaS tools securely.
Andy shared:
"The security team should focus on being a business enabler. For example, instead of blocking third-party SaaS integrations, provide employees with an onboarding tool that helps them understand which applications are essential—and already supported—for their role. This tool could include a curated list of SaaS tools they’re likely to need, with instructions on how to access them securely and set up proper integrations. Shifting to a proactive, enabling model helps employees feel supported rather than restricted. When the security team is seen as a resource rather than a roadblock—helping employees set up and configure integrations securely—it fosters collaboration, not conflict."
When employees know they can turn to security for guidance on how to use SaaS applications safely, it reduces the tendency to bypass security protocols altogether. This shift transforms security teams into trusted partners, promoting secure productivity in everyday business operations, while reducing risks tied to SaaS integrations.
Building Robust Defenses Against Non-Human Identity Risks
Non-human identities often fall into the cracks between traditional identity management systems and SaaS application environments. Without proper oversight, these identities quickly accumulate, with service accounts and integration keys being granted broad access across systems. Solutions must address this challenge from multiple angles.
The reliance on third-party integrations’ non-human identities necessitates a shift in how we approach SaaS security. Some recommendations include:
- Visibility and Discovery: The first step in securing non-human identities is identifying and mapping out where they exist within the SaaS ecosystem. Organizations need tools that can automatically detect these identities and catalog their associated permissions.
- Lead with Least Privilege: Just like with human users, the principle of least privilege should apply to NHIs. Grant only the minimum access required for each NHI to function.
- Focus On Lifecycle Management: Ensure that API keys and service account access granted to vendors are promptly revoked when the integration or the vendor relationship ends, and use automated tools to enforce that removal.
- Vet Third-Party Vendors: Conduct rigorous assessments of vendors behind SaaS-to-SaaS integrations. Inquire about their security practices, data handling procedures, access controls, and incident response protocols. Prioritize vendors with a proven track record of security hygiene.
- Continuous Monitoring: Regularly monitor NHI activity for suspicious behavior. Security teams should implement robust SaaS Security Posture Management (SSPM) practices to detect misconfigurations and configuration drift related to NHIs, together with SaaS Identity Threat Detection and Response (ITDR) capabilities to detect abnormal behavior that could indicate a security incident. Failing to manage these machine identities exposes organizations to significant SaaS risks such as data breaches and unauthorized access.
- Educate and Empower: Foster open communication between security teams, SaaS administrators, and business users. Create clear security policies and work with business units so that the policies enable the business while keeping data secure, including proper management of NHIs.
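As an added example (not code from the article or from Valence), the audit below applies the three checks that follow from the risks and recommendations above, over-privileged scopes, inactive tokens and orphaned ownership, to a constructed inventory of integration tokens. The scope names, the sensitive-scope set, the app and owner names and the 90-day inactivity threshold are all assumptions.

```python
# Added example, not code from the article or from Valence: audit a constructed
# inventory of SaaS-to-SaaS integration tokens for the NHI risks listed above.
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Hypothetical scope names; which scopes count as sensitive is a per-organisation policy.
SENSITIVE_SCOPES = {"mail.read", "files.read.all", "users.export", "repo:admin"}

@dataclass
class Integration:
    app: str                     # third-party app holding the token
    platform: str                # core SaaS platform it connects to
    token_type: str              # "oauth" or "api_key"
    scopes: set[str]
    owner: str                   # business user who approved the integration
    owner_active: bool           # False once that user has left
    last_used: datetime | None   # None = never used since issuance

def audit(inventory: list[Integration], now: datetime, inactive_days: int = 90,
          sensitive: set[str] = SENSITIVE_SCOPES) -> dict[str, list[str]]:
    """Map each risky app to its findings: sensitive scopes to review against the
    app's stated purpose, tokens unused past the threshold, tokens whose owner left."""
    cutoff = now - timedelta(days=inactive_days)
    findings: dict[str, list[str]] = {}
    for it in inventory:
        issues = []
        excess = it.scopes & sensitive
        if excess:
            issues.append(f"over-privileged: sensitive scopes {sorted(excess)}")
        if it.last_used is None or it.last_used < cutoff:
            issues.append(f"inactive: unused for over {inactive_days} days")
        if not it.owner_active:
            issues.append(f"orphaned: owner {it.owner} is no longer active")
        if issues:
            findings[it.app] = issues
    return findings

# Constructed sample inventory (app and owner names are invented).
NOW = datetime(2024, 10, 1, tzinfo=timezone.utc)
SAMPLE = [
    Integration("scheduler", "Microsoft 365", "oauth", {"calendars.readwrite"},
                "alice", True, NOW - timedelta(days=3)),                   # clean
    Integration("legacy-mail-sync", "Google Workspace", "oauth",
                {"mail.read", "calendars.read"}, "bob", False, NOW - timedelta(days=200)),
    Integration("ci-bot", "GitHub", "api_key", {"repo:admin"},
                "carol", True, NOW - timedelta(days=1)),                   # over-privileged
    Integration("crm-export", "Salesforce", "api_key", {"contacts.read"},
                "dave", True, None),                                       # never used
]
```

Running `audit(SAMPLE, NOW)` flags three of the four integrations; the findings feed the remediation conversation with the owning business user rather than an automatic revoke, since a sensitive scope may be legitimate for the app's purpose.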
How Valence Helps Secure Non-Human Identities
Valence provides a powerful solution for managing the growing security risks associated with non-human identities across SaaS applications. By offering comprehensive visibility into NHIs, SaaS-to-SaaS integrations, and their access privileges, Valence enables organizations to reduce their SaaS security risks and implement an effective SaaS Security Posture Management strategy.
Valence’s platform identifies over-privileged, inactive, or risky NHIs within SaaS-to-SaaS integrations, ensuring access controls adhere to the principle of least privilege. Through automated insights and real-time monitoring, Valence detects and mitigates risks before they lead to a breach, safeguarding your organization’s SaaS data security.
By collaborating with SaaS admins and business users, Valence also provides the context needed to properly manage and remediate security gaps within these critical integrations. A great example of this is how Lionbridge leveraged Valence to streamline its security processes around NHIs. Using Valence’s remediation workflows, the company was able to revoke 95% of obsolete or inactive tokens almost immediately. Notably, more than 20% of these tokens were revoked directly by business users with guidance provided through Valence’s platform. Business users provided justification for an additional 5% of tokens, and 75% were automatically revoked after the security team deemed them obsolete.
With Valence, your organization can:
- Gain comprehensive visibility into NHIs across your SaaS applications
- Identify and remediate over-privileged, inactive, or risky integrations
- Reduce your organization's attack surface and improve overall SaaS security
- Collaborate effectively with SaaS admins and business users
Ready to see how Valence can help your team manage non-human-identity risk in SaaS applications? Schedule a demo!