The rapid rise of Software-as-a-Service (SaaS) has transformed business operations, offering unprecedented flexibility and scalability. However, this shift brings its own set of security challenges, particularly when it comes to managing the lifecycle of SaaS applications and their associated resources such as identities. Effective lifecycle management is crucial in safeguarding against threats and ensuring that security measures keep pace with the evolving landscape of SaaS.
This blog post delves into the key challenges of account deprovisioning, dormant SaaS-to-SaaS integrations and non-human identities, and unused but still available external data shares, and explores how Valence Security can help alleviate these challenges and strengthen your SaaS security posture.
The Importance of Lifecycle Management in SaaS Security
Lifecycle management encompasses the entire span of an application's existence, from initial deployment to eventual decommissioning. In the context of SaaS security, it involves managing user access, integrations, and data sharing throughout their lifecycle. Poor lifecycle management can leave organizations exposed to significant security risks, including unauthorized access, data breaches, and compliance violations.
A recent Gartner report stresses that lifecycle management in SaaS security simply cannot be ignored. Industry experts are increasingly emphasizing the critical nature of addressing lifecycle management comprehensively to prevent security gaps.
Challenges in SaaS Security Lifecycle Management
1. Account Deprovisioning and Offboarding
One of the most critical aspects of SaaS lifecycle management is timely account deprovisioning. The 2020 Drizly data breach, in which an attacker used a GitHub account that had been granted for a one-day hackathon in 2018 and never revoked, is a stark reminder of the consequences of lax offboarding. When employees or contractors leave an organization, their access to SaaS applications must be promptly revoked to prevent misuse. Despite the availability of automated offboarding processes, gaps persist, and removing a user from the corporate SSO is typically insufficient, because SaaS applications often also hold directly granted local accounts that the SSO does not control.
According to the 2024 State of SaaS Security report, 93% of security teams claim to have automated processes for offboarding ex-employees and contractors. The data tells a different story: in platforms like Google Workspace, about 6% of accounts are inactive, with no recent logins, and 4% of those inactive accounts hold admin privileges. Dormant accounts like these are a window of opportunity for attackers, since a login to an account nobody expects to use is unlikely to be noticed.
A significant challenge here is "Shadow IAM": unmanaged or local accounts that are not linked to the company's Single Sign-On (SSO) system or identity provider (IdP). When users create accounts directly within SaaS applications without going through SSO, those accounts stay invisible to an IT team that works only from the corporate IdP. When the employee is offboarded, their SSO-linked accounts are deactivated, but the local accounts are left untouched, still carrying whatever privileges they had, active and unmonitored.
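To make the offboarding gaps above concrete, here is an added example (it is not Valence Security's code or data) that correlates three constructed inventories, an HR system of record, the corporate IdP user list, and per-application local account exports, and flags the conditions this section describes: accounts that survive offboarding, local accounts the IdP does not know about ("Shadow IAM"), and dormant accounts, escalated when they hold admin rights. All names, field names and the 90-day threshold are assumptions, not any vendor's schema.

```python
"""Correlate HR, IdP and SaaS-local account inventories to find offboarding gaps.

Added example, not Valence Security code. Every record below is constructed
sample data, and the field names are assumptions rather than any vendor's schema.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

TODAY = date(2024, 9, 1)   # fixed reference date so the results are reproducible
INACTIVE_DAYS = 90         # dormancy threshold (assumption; tune per application)

# Constructed: HR system of record, the authority on who should still have access.
HR_STATUS = {
    "alice@example.com": "active",
    "bob@example.com": "terminated",
    "carol@example.com": "active",
}

# Constructed: identities the corporate IdP / SSO knows about (bob already removed).
IDP_USERS = {"alice@example.com", "carol@example.com"}


@dataclass(frozen=True)
class SaasAccount:
    app: str
    email: str
    sso_managed: bool          # provisioned through SSO/SCIM, or created locally in the app
    is_admin: bool
    last_login: Optional[date]
    enabled: bool


# Constructed: per-application account exports, as an admin API or SSPM export would list them.
SAAS_ACCOUNTS = [
    SaasAccount("google_workspace", "alice@example.com", True, False, TODAY - timedelta(days=2), True),
    # Bob was removed from the IdP, but a local admin account in Slack survived offboarding.
    SaasAccount("slack", "bob@example.com", False, True, TODAY - timedelta(days=120), True),
    # Carol is SSO-managed but has not logged in for 200 days and holds admin rights.
    SaasAccount("salesforce", "carol@example.com", True, True, TODAY - timedelta(days=200), True),
    # A local account with no HR record at all (contractor or leftover PoC).
    SaasAccount("github", "dave-contractor@example.com", False, False, None, True),
    # Already disabled: nothing to report.
    SaasAccount("zoom", "bob@example.com", False, False, TODAY - timedelta(days=300), False),
]


def days_inactive(acct: SaasAccount) -> Optional[int]:
    """Days since last login, or None if the account has never logged in."""
    return None if acct.last_login is None else (TODAY - acct.last_login).days


def audit(accounts=SAAS_ACCOUNTS, hr=HR_STATUS, idp=IDP_USERS, threshold=INACTIVE_DAYS):
    """Return sorted (severity, finding, app, email) tuples for enabled accounts."""
    findings = []
    for a in accounts:
        if not a.enabled:
            continue
        status = hr.get(a.email)
        # 1. Offboarded in HR (or unknown to HR) but still enabled in the application.
        if status == "terminated":
            findings.append(("high", "orphaned_after_offboarding", a.app, a.email))
        elif status is None:
            findings.append(("high", "no_hr_record", a.app, a.email))
        # 2. Shadow IAM: a local account, or one the IdP does not know about.
        if not a.sso_managed or a.email not in idp:
            findings.append(("medium", "not_sso_managed", a.app, a.email))
        # 3. Dormant accounts, escalated when they hold admin rights.
        idle = days_inactive(a)
        if idle is None or idle > threshold:
            if a.is_admin:
                findings.append(("high", "inactive_admin", a.app, a.email))
            else:
                findings.append(("low", "inactive", a.app, a.email))
    return sorted(findings)


def remaining_access(email: str, accounts=SAAS_ACCOUNTS):
    """Offboarding checklist: every still-enabled account for a leaver, SSO-managed or not."""
    return sorted((a.app, "sso" if a.sso_managed else "local")
                  for a in accounts if a.email == email and a.enabled)


if __name__ == "__main__":
    for finding in audit():
        print(*finding)
    print("bob still has:", remaining_access("bob@example.com"))
```

The point of `remaining_access` is the one this section makes: the IdP says Bob is gone, HR says Bob is gone, and only the application's own account export reveals the local Slack admin account that outlived both. In practice the account lists come from each application's admin API, but the correlation logic stays the same.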
2. Inactive Non-Human Identities
Non-human identities, such as service accounts and API keys, play a vital role in integrating various SaaS applications. However, inactive or unused non-human identities can pose serious security risks. The 2024 State of SaaS Security report highlights that 65% of integrations in platforms like Microsoft 365 are inactive but still hold valid API keys or OAuth tokens. These forgotten integrations often become entry points for attackers.
In the Cloudflare breach disclosed in February 2024, attackers used service tokens and accounts that had been compromised during the Okta breach of October 2023. Although Cloudflare rotated more than 5,000 production credentials and performed an in-depth forensic analysis, the security team missed one service token and three service accounts that were presumed unused. Four credentials out of more than 5,000 were enough to contribute to the breach, illustrating that every credential counts.
Similarly, the Midnight Blizzard attack on Microsoft disclosed in January 2024 shows the risks of unmanaged non-human identities. Among the attack vectors, the attackers abused a legacy test OAuth application, a non-human identity, that still had elevated access to Microsoft's corporate Microsoft 365 tenant, which they used to read corporate email. Even an outdated or seemingly benign non-human identity becomes a significant liability when it is not properly managed.
Inactive integrations often result from failed Proofs of Concept (PoCs). When organizations trial a new SaaS solution, they grant it access that is meant to be temporary; if the trial is never decommissioned, that access path lingers long after the evaluation ends. Managing and auditing these integrations is crucial to prevent unauthorized access and potential breaches.
Additionally, some security teams offboard a user but fail to disable the OAuth tokens or third-party integrations that user set up. Those integrations can keep providing access well after the person is gone, posing significant risk until they are explicitly revoked.
3. Inactive and Unused External Data Shares
External data sharing is a common feature in SaaS applications, enabling collaboration and information exchange, but it presents risks if not managed properly. We all share files, folders, and recordings, yet we rarely "unshare" them once they are no longer needed. The 2024 State of SaaS Security report reveals that a staggering 94% of external data shares are inactive, with no recent access by external users. Additionally, 22% of these shares use open links, exposing the content to anyone who has the link.
Inactive external shares carry real risk. For instance, a misconfigured Google Drive folder exposed personal data of nearly one million individuals. Regularly reviewing external shares and revoking those no longer needed is essential for keeping data secure.
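The two preceding sections describe the same triage for two kinds of object: a non-human identity or an external share is either dormant (no use for a long time, or never used) or it belongs to someone who has been offboarded, and the right action depends on how much exposure it carries. The added example below (not Valence Security's code; all records, scope names, link types and the 90-day threshold are constructed assumptions) implements that triage over a small inventory of OAuth tokens, API keys and shares. It also covers the offboarding cascade from the previous section: a leaver's integrations and shares are never left as they are, and an integration that is still active when its owner leaves is flagged for a new owner rather than silently cut.

```python
"""Triage dormant non-human identities and stale external shares.

Added example, not Valence Security code. The records are constructed and the
field names (scopes, link types, last-used dates) are assumptions rather than
any SaaS vendor's real API schema.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional, Tuple

TODAY = date(2024, 9, 1)          # fixed reference date for reproducible results
DORMANT_DAYS = 90                 # no use for this long counts as dormant (assumption)
OFFBOARDED = {"bob@example.com"}  # constructed: users HR reports as terminated

# Scopes treated as privileged: a dormant token holding one is revoked outright
# instead of being sent back to its owner for confirmation (assumption).
PRIVILEGED_SCOPES = {"Mail.ReadWrite", "Files.ReadWrite.All", "repo", "admin:org"}


@dataclass(frozen=True)
class Integration:
    app: str
    name: str
    owner: str                 # the human who authorised it
    credential: str            # "oauth_token" or "api_key"
    scopes: Tuple[str, ...]
    last_used: Optional[date]


@dataclass(frozen=True)
class ExternalShare:
    app: str
    path: str
    owner: str
    link_type: str             # "anyone_with_link" or "specific_people"
    last_external_access: Optional[date]


# Constructed inventory of SaaS-to-SaaS integrations.
INTEGRATIONS = [
    Integration("microsoft_365", "crm-sync", "alice@example.com", "oauth_token", ("Mail.Read",), TODAY - timedelta(days=3)),
    # A PoC from last year that was never decommissioned, still holding a write scope.
    Integration("microsoft_365", "poc-data-loader", "carol@example.com", "oauth_token", ("Files.ReadWrite.All",), TODAY - timedelta(days=400)),
    # Still in use, but its owner has left: the "missed service account" case.
    Integration("github", "ci-bot-legacy", "bob@example.com", "api_key", ("repo",), TODAY - timedelta(days=10)),
    # Authorised but never used.
    Integration("slack", "analytics-readonly", "alice@example.com", "oauth_token", ("channels:read",), None),
]

# Constructed inventory of external shares.
SHARES = [
    ExternalShare("google_drive", "/Sales/Q3-forecast.xlsx", "alice@example.com", "anyone_with_link", TODAY - timedelta(days=200)),
    ExternalShare("onedrive", "/Projects/vendor-contract.docx", "carol@example.com", "specific_people", TODAY - timedelta(days=5)),
    ExternalShare("google_drive", "/HR/onboarding-recording.mp4", "bob@example.com", "anyone_with_link", TODAY - timedelta(days=30)),
    ExternalShare("onedrive", "/Eng/design-review.pptx", "carol@example.com", "specific_people", None),
]


def is_dormant(last: Optional[date], threshold: int = DORMANT_DAYS) -> bool:
    """Never used, or unused for longer than the threshold."""
    return last is None or (TODAY - last).days > threshold


def review_integrations(items=INTEGRATIONS, offboarded=OFFBOARDED):
    """Return (action, reason, app, name) for every integration that needs attention."""
    out = []
    for i in items:
        if i.owner in offboarded:
            # Offboarding cascade: a leaver's credentials are never left untouched.
            # If the integration is still active it needs a new owner before revocation.
            action = "revoke" if is_dormant(i.last_used) else "reassign_owner"
            out.append((action, "owner_offboarded", i.app, i.name))
        elif is_dormant(i.last_used):
            privileged = bool(set(i.scopes) & PRIVILEGED_SCOPES)
            out.append(("revoke" if privileged else "ask_owner", "dormant", i.app, i.name))
    return out


def review_shares(items=SHARES, offboarded=OFFBOARDED):
    """Return (action, reason, app, path) for shares to unshare or confirm with the owner."""
    out = []
    for s in items:
        if s.owner in offboarded:
            out.append(("unshare", "owner_offboarded", s.app, s.path))
        elif is_dormant(s.last_external_access):
            # An open link nobody uses is pure exposure; a named-recipient share gets a check first.
            action = "unshare" if s.link_type == "anyone_with_link" else "ask_owner"
            out.append((action, "dormant", s.app, s.path))
    return out


def dormant_share_ratio(items=SHARES) -> float:
    """Fraction of external shares with no recent external access (the metric behind the 94% figure)."""
    return sum(is_dormant(s.last_external_access) for s in items) / len(items)


if __name__ == "__main__":
    for row in review_integrations() + review_shares():
        print(*row)
    print(f"dormant shares: {dormant_share_ratio():.0%}")
```

Two design choices are worth noting. First, "dormant" is decided from last use, not from creation date or token validity, because a valid token that nobody uses is exactly the case the Cloudflare and Microsoft 365 figures describe. Second, the owner check runs before the dormancy check, so a still-active credential owned by a leaver is surfaced for reassignment rather than disappearing into the "looks healthy" bucket.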
How Valence Security Can Enhance SaaS Lifecycle Management
Effective lifecycle management requires a comprehensive approach to identifying and mitigating the risks of inactive accounts, dormant integrations, and unsecured data shares. Valence Security, recognized as a Leader in SaaS Security Posture Management (SSPM), offers a solution built to address these challenges and strengthen your SaaS security posture.
1. Comprehensive User Offboarding
Valence Security streamlines the user offboarding process by identifying and eliminating security risks associated with inactive accounts and over-privileged users. Our platform detects unmanaged identities, including those not tied to corporate SSO, and ensures that access privileges are updated or revoked as needed.
As a centralized SaaS security platform, Valence is also able to correlate identity information from multiple sources, including SSO, productivity suites, HR, and business applications. This comprehensive view helps identify issues in the offboarding process and ensures a more secure user lifecycle.
In addition, Valence empowers security teams with automated offboarding workflows, including policies such as: when a human account is offboarded, disable every non-human identity (OAuth token, API key) and every external data share that account created. These automation capabilities, combined with visibility into account access and privileges, help organizations reduce the risks of unauthorized access, account takeover and unnecessary data exposure.
2. Managing Non-Human Identities and Integrations
Valence Security helps organizations manage non-human identities and integrations effectively. Valence tracks, identifies, and remediates dormant integrations, ensuring that obsolete API keys and OAuth tokens are promptly deactivated. It provides both guided and automated remediation, including the ability to automatically ask the business owner whether an integration is still needed before it is revoked.
Read how Lionbridge revoked 95% of inactive tokens without any manual effort.
By integrating with over 60 business-critical SaaS platforms, Valence provides visibility into integrations and facilitates their secure management.
3. Reducing Risk from External Data Shares
Valence simplifies the management of external data shares by identifying and analyzing shared data across platforms. The platform helps organizations find inactive shares, assess their risk levels, and either remove them or notify their owners. By providing continuous monitoring and automated cleanup, Valence reduces the risk of data exposure and promotes secure sharing practices. As demonstrated in the case of Mio Partners, Valence Security's ability to identify and eliminate dormant corporate data shares proved invaluable: over 90% of their inactive OneDrive shares were eliminated, significantly reducing the attack surface.
Conclusion
Lifecycle management in SaaS security is a critical component of maintaining a robust security posture. Challenges such as ineffective account deprovisioning, dormant non-human identities, unmanaged integrations, and inactive external data shares can create significant security risks. Valence Security offers comprehensive solutions to address these challenges, providing organizations with the tools needed to manage user access, integrations, and data sharing effectively.
By leveraging Valence's advanced capabilities, organizations can enhance their SaaS security posture, reduce the attack surface, and use Identity Threat Detection and Response (ITDR) capabilities to protect sensitive data from potential threats. For a demonstration of how Valence can support your SaaS security lifecycle management, schedule a demo today.
Mastering SaaS lifecycle management is not just about preventing breaches; it’s about ensuring that your security measures evolve alongside your SaaS environment. With Valence Security, you can navigate these challenges with confidence and maintain a strong, secure SaaS infrastructure.