NOTE: This is the sixth entry in my blog series based on the 2023 State of SaaS Security Report. The first introduced the report. The second focused on SaaS breaches. The third focused on data security. The fourth opined on SaaS identities. The fifth explores SaaS misconfigurations. This post explores the very messy interrelated mesh of SaaS integrations.
Integrations are nearly as old as software itself. In fact, one of the very first plugins for Adobe Photoshop, Kai’s Power Tools (KPT), was considered indispensable. Back in 1992, you weren’t considered a serious Photoshop user if you didn’t have it. Software vendors understand the value of allowing integrations and plugins - by allowing third parties to add on to and connect with their application, the value of their product increases. SaaS-to-SaaS integrations come in many shapes and forms - OAuth tokens, API keys, marketplace third-party apps, low-code/no-code automation platforms, and more.
Most SaaS applications today allow some form of integration. Everything from Google Docs to Zoom to Notion, and of course ChatGPT/OpenAI, allows customers to extend the capabilities of the software by connecting third-party code. Writing integrations, for example, range from simple tools that count the number of words or characters selected, to complex tools that check grammar and spelling, or even write entire essays for you.
Modern integrations are more than just add-ons. One of the biggest SaaS productivity challenges is sharing data across applications and with other collaborators. Imagine sales tools like Hubspot and Salesforce without the ability to integrate into your email system and contacts. Some tools, like the Superhuman mail client, can’t function at all without integrating into other SaaS applications. No-code automation platforms like Zapier and Workato are useless without integrations.
Attackers are also recognizing the potential of leveraging SaaS integrations to either gain access to unauthorized data or to move laterally between enterprise applications. These non-human identities typically don’t have the same security controls and monitoring as human identities do. For example, such tokens don’t come from managed devices and can’t authenticate with MFA. In various cases, such as the CircleCI, Heroku and Travis-CI breaches, theft of third-party tokens granted to legitimate vendors led to unauthorized access to sensitive data such as GitHub code repositories. In other cases, attackers created malicious third-party apps and tricked users into installing them through OAuth consent flows, taking advantage of their access to sensitive data.
Convenience Debt
Like their historical predecessor, plugins, integrations have always been focused on making the user’s work easier. In the enterprise, there’s often some distance between the user, the SaaS admin, IT, and security. The user is just trying to get work done. If they can enable an integration that saves time or effort, or solves a problem, they’ll just enable or install it. Those responsible for SaaS governance may not even be aware it’s happening.
There’s nothing wrong with convenience, and this isn’t about undoing all the productivity gains employees have found in enabling various integrations. On the path to discovering productivity, there tend to be a lot of abandoned experiments. Trials that didn’t work out. Betas that were too buggy. We’ve learned from experience that these failed experiments don’t get offboarded, creating convenience debt.
Report Findings
You might be wondering, “How bad does convenience debt get?” We’ve got some stats on that for you.
First, however, it is important to understand two types of integrations:
- There are those that entangle data and applications at the individual account level. This is the type most of us are familiar with.
- There are also ‘tenant-wide’ integrations. These integrations have the same level of access that a SaaS administrator would - for example, access to all users, their data, email, calendars, and/or all other related data within the SaaS application in question.
When it comes to individual-level integrations, over half (51%) of an organization’s SaaS third-party integrations are inactive, on average. That’s some serious convenience debt! The good news is that no one is going to miss inactive integrations, so they’re low-hanging fruit from a governance perspective. The even better news is that Valence’s SaaS Security Platform makes it easy to do large one-time cleanups or set automated policies that continuously clean up inactive integrations as they get old and gather dust.
On average, 10% of an organization’s integrations can be traced back to ex-employees, suggesting a missing component in sunsetting employee accounts in many organizations.
When it comes to tenant-wide integrations - every company we’ve worked with has granted full read/write access to email, files, and calendars to at least one third party. The surprising stat is that, on average, there were 21 integrations per organization with tenant-wide access. That’s potentially 21 different third parties with full control over one company’s data, accounts, email, sales leads, and/or source code. That’s a LOT of administrative control trusted to third parties.
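As an added illustration (not code from the report or from Valence’s platform), the following Python applies the three checks this section describes to a constructed inventory of OAuth grants: inactive individual-level grants, grants still owned by ex-employees, and tenant-wide grants carrying full read/write scopes. The grant schema, scope strings and the 90-day inactivity threshold are assumptions for the example.

```python
from datetime import datetime, timedelta, timezone

# Reference point for "last used" age checks; constructed for the example.
NOW = datetime(2023, 6, 1, tzinfo=timezone.utc)
# Scopes treated as full read/write over the data classes the report names (assumed names).
ADMIN_RW_SCOPES = {"mail.readwrite", "files.readwrite", "calendars.readwrite"}

def grant(app, owner, scopes, days_since_use, tenant_wide=False, owner_active=True):
    """Build one grant record (hypothetical schema, not any vendor's API)."""
    return {"app": app, "owner": owner, "scopes": set(scopes),
            "last_used": NOW - timedelta(days=days_since_use),
            "tenant_wide": tenant_wide, "owner_active": owner_active}

# Constructed inventory of OAuth grants; app names and scope strings are made up.
GRANTS = [
    grant("word-counter", "alice@example.com", ["docs.read"], 2),
    grant("essay-writer-beta", "alice@example.com", ["docs.readwrite"], 200),
    grant("crm-sync", "bob@example.com", ["contacts.read"], 5, owner_active=False),
    grant("old-trial-tool", "bob@example.com", ["mail.read"], 400, owner_active=False),
    grant("meeting-summarizer", "admin@example.com",
          ["mail.readwrite", "calendars.readwrite"], 1, tenant_wide=True),
    grant("backup-vendor", "admin@example.com", ["files.readwrite"], 120, tenant_wide=True),
]

def classify(g, now=NOW, inactive_after_days=90):
    """Return the governance findings that apply to a single grant."""
    findings = []
    if (now - g["last_used"]).days > inactive_after_days:
        findings.append("inactive")           # convenience debt: nobody uses it
    if not g["owner_active"]:
        findings.append("ex-employee-owned")  # missed during account offboarding
    if g["tenant_wide"] and g["scopes"] & ADMIN_RW_SCOPES:
        findings.append("tenant-wide-admin")  # third party holds admin-level access
    return findings

def summarize(grants, **kw):
    """Compute the report's three headline metrics over an inventory."""
    tagged = [(g, set(classify(g, **kw))) for g in grants]
    individual = [f for g, f in tagged if not g["tenant_wide"]]
    inactive_individual = sum("inactive" in f for f in individual)
    ex_employee = sum("ex-employee-owned" in f for _, f in tagged)
    tenant_admin = sum("tenant-wide-admin" in f for _, f in tagged)
    revoke = sorted(g["app"] for g, f in tagged if f & {"inactive", "ex-employee-owned"})
    return {
        "pct_individual_inactive": round(100 * inactive_individual / max(len(individual), 1)),
        "pct_ex_employee": round(100 * ex_employee / max(len(grants), 1)),
        "tenant_wide_admin_count": tenant_admin,
        "revoke_candidates": revoke,
    }
```

The revoke list is a starting point for a cleanup policy; a tenant-wide grant that is still in use is not revoked automatically but is surfaced for an admin review of its scopes.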
In the State of SaaS Security Report, one of our predictions was a boom in SaaS applications and integrations. We’re already seeing that boom today. Generative AI is great at creating, analyzing, polishing, and summarizing content. Nearly every SaaS platform or application out there could benefit in some way from this ability. There’s a Chrome plugin that can give you a 60-second summary of any YouTube video. Any word processor, slide sharing, or other content creation application can benefit from GenAI’s ability to address the ‘blank page problem’. Any meeting software that can generate a transcript can benefit from GenAI to create a summary of the meeting.
Check out the 2023 State of SaaS Security Report
These are just a few highlights from this year’s State of SaaS Security report by Valence Threat Labs! This blog series will continue to explore and share interesting insights from the report, but why wait? Check out the full report for more details, real-world examples of SaaS integration security challenges and recommendations on how to manage integrations!