Yoni Shohet is the Co-Founder & CEO at Valence Security.
Today’s business thrives on automation and seamless integration. Organizations leverage a vast ecosystem of SaaS applications and often integrate their business-critical applications and data with other SaaS using SaaS-to-SaaS integrations, creating a complex web of non-human identities (NHIs).
These NHIs or machine identities—mainly service accounts, API keys and OAuth tokens—are the silent workhorses that keep the digital engine running. However, this convenience comes at a cost. Security teams must closely monitor these NHIs, which vastly outnumber human identities.
The 2024 State of SaaS Security Report reveals the scale of the challenge. In certain cases, for every human identity, there are 8.6 non-human identities (pg. 18). These third-party SaaS integrations, and the NHIs that power them, create several new security challenges for organizations.
The Ever-Expanding World Of Third-Party Integrations
The power of SaaS lies in its ability to easily connect and automate workflows between applications with third-party integrations. These integrations leverage NHIs to exchange data and functionality and make tasks faster for everyone. Examples of popular SaaS integrations connected to core platforms include Superhuman with Google Workspace, Calendly with Microsoft 365 and Gong with Salesforce.
While these integrations enhance productivity and collaboration, they also introduce security risks.
• Reduced Visibility Due To Distributed Ownership: Many SaaS applications are adopted by business units independently to address specific needs. For example, HR may administer Workday, sales teams manage Salesforce, the R&D team has control over GitHub and so on. If security teams don't have administrative ownership over those platforms, they also lack visibility into integrations the business user might add.
• Over-Privileged Access: When a SaaS user adopts a new integration, part of the process is enabling access privileges to the core SaaS platform. Granting third-party integrations more access than necessary can expose sensitive data. The 2024 State of SaaS Security Report identified that one-third of integrations have access to sensitive data, often exceeding their actual needs (pg. 19). With the average organization using many hundreds, if not thousands, of integrations, the potential for data exposure through compromised or misconfigured integrations is immense.
• Inactive Integrations: Third-party SaaS integrations require ongoing management throughout their lifecycle, from initial adoption to eventual retirement, but a significant portion of integrations become inactive over time. Imagine that a department enthusiastically adopts a new project management tool and integrates it with its existing CRM. Months later, the project stalls, and the new tool falls out of favor. The integration, however, may still be active, with valid access privileges lingering in the background. This creates a potential security risk, as an attacker could exploit these forgotten credentials to gain unauthorized access to sensitive data.
• Third-Party Risk: The security posture of the third-party application itself and the vendor behind it can impact the overall security of the integration and of the SaaS application it’s integrated with. If the third-party application has poor security hygiene, data handling procedures, access controls and incident response protocols, a security incident can easily impact your SaaS environment.
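To make the over-privileged and inactive-integration criteria above concrete, here is an added example (not from the report or the author) that scans a constructed inventory of third-party grants and flags those that are stale or hold sensitive scopes their use case does not need. The scope names, the 90-day inactivity threshold and the `Grant` fields are assumptions to be mapped onto your own platform.

```python
"""Audit third-party SaaS integration grants for inactivity and over-privilege."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Scopes that expose sensitive data in the core platform (assumed names;
# replace with the real scope strings of the platform you administer).
SENSITIVE_SCOPES = {"mail.read", "files.read.all", "crm.contacts.read"}


@dataclass(frozen=True)
class Grant:
    app: str                   # third-party integration holding the token
    owner: str                 # business unit that approved it (distributed ownership)
    scopes: frozenset          # OAuth scopes granted to the integration
    last_used: Optional[date]  # None: the token has never been exercised
    needs_sensitive: bool      # does the stated use case require sensitive data?


def audit_grants(grants, today, inactive_days=90):
    """Return [(app, owner, [reasons])] for every grant that needs review."""
    cutoff = today - timedelta(days=inactive_days)
    findings = []
    for g in grants:
        reasons = []
        # Inactive: valid credentials that nobody has used recently (or ever).
        if g.last_used is None or g.last_used < cutoff:
            reasons.append("inactive")
        # Over-privileged: sensitive scopes held by an app whose purpose doesn't need them.
        excess = g.scopes & SENSITIVE_SCOPES
        if excess and not g.needs_sensitive:
            reasons.append("over-privileged:" + ",".join(sorted(excess)))
        if reasons:
            findings.append((g.app, g.owner, reasons))
    return findings


# Constructed sample inventory (not real data).
SAMPLE_GRANTS = [
    Grant("calendar-assistant", "Sales", frozenset({"calendar.read", "mail.read"}), date(2024, 6, 1), False),
    Grant("pm-tool", "Marketing", frozenset({"crm.contacts.read"}), date(2024, 1, 15), True),
    Grant("support-bot", "Support", frozenset({"tickets.read"}), date(2024, 6, 20), False),
    Grant("legacy-sync", "R&D", frozenset({"files.read.all"}), None, False),
]


def sample_findings():
    """Run the audit over the constructed inventory as of 2024-07-01."""
    return audit_grants(SAMPLE_GRANTS, date(2024, 7, 1))


if __name__ == "__main__":
    for app, owner, reasons in sample_findings():
        print(f"{app} ({owner}): {', '.join(reasons)}")
```

Feed it the grant list exported from your identity provider or SaaS admin console; each finding names the business-unit owner so the review can be routed to the team that installed the integration.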
Non-Human Identities: Prime Attack Vectors
Traditional identity security best practices don’t typically work for non-human identities.
Interestingly, the State of SaaS Security Report found that 94% of security executives believe they have a process in place to manage NHIs (pg. 18). Yet, a few high-profile breaches in the past few months alone demonstrate a critical gap between perception and reality.
• Midnight Blizzard's Attack On Microsoft (January 2024): According to Microsoft, nation-state attackers "utilized password spray attacks that successfully compromised a legacy, non-production test tenant account that did not have multifactor authentication (MFA) enabled." Then, they "leveraged their initial access to identify and compromise a legacy test OAuth application that had elevated access to the Microsoft corporate environment."
• Dropbox Sign (April 2024): Attackers compromised a service account used by Dropbox Sign, gaining access to user data, including emails, usernames and general account settings. They were also able to access customer API keys and OAuth tokens, which could potentially impact Dropbox Sign customers. The incident highlights the vulnerability of NHIs, such as service accounts, which often lack strong security controls. Implementing robust security measures for service accounts is essential to prevent similar breaches.