Blog
>
SaaS Security and IaaS Security - Why You Need Both

SaaS Security and IaaS Security - Why You Need Both

Jason Silberman
January 6, 2025
Time icon
xxx
min read
Share
SaaS Security and IaaS Security - Why You Need Both

The rapid adoption of cloud computing over the past decade SaaS (Software-as-a-Service) and IaaS (Infrastructure-as-a-Service) has revolutionized how businesses operate. However, with this transformation comes a dual-edged sword: while these platforms offer unmatched flexibility and scalability, they also expose organizations to a growing array of security risks. Modern enterprises must navigate a complex ecosystem where misconfigurations, identity management issues, and data exposure can lead to devastating breaches. Addressing these challenges requires understanding the unique—and sometimes overlapping—risks associated with SaaS and IaaS environments.

Key Risks and Challenges in SaaS and IaaS Security

Identity Risks: Human and Non-Human

One of the most significant security challenges lies in managing identities—both human and non-human.

Human Identities: Implementing the Principle of Least Privilege (PoLP) is critical but notoriously difficult. In IaaS environments, roles and permissions often become overly permissive due to evolving business needs or fear of disrupting operations. IAM (Identity and Access Management) roles, which are intended to be scoped to specific resources, frequently expand beyond their intended boundaries, creating security risks. In SaaS environments, fragmented ownership and administration by business units complicate visibility and enforcement of access controls, leaving gaps that attackers can exploit. Weak or unenrolled authentication mechanisms - such as multi-factor authentication (MFA) - represents a significant risk of cloud identity security, both at the infrastructure level and SaaS level. 

Non-Human Identities: Service accounts, API keys, and integration tokens introduce a different set of challenges. These non-human identities often operate without MFA or SSO protections, making them prime targets for attackers. Their always-on nature and high privilege levels mean that a single compromised token can have far-reaching consequences, including lateral movement across interconnected applications. Additionally, organizations struggle to detect anomalous activity in these accounts due to their continuous operation and broad access across multiple systems. For example, non-human accounts often have extensive permissions, which, if not regularly reviewed, can allow attackers to compromise sensitive systems undetected.

Misconfigurations

Misconfigurations are a persistent issue in both SaaS and IaaS environments. In IaaS, improper setup of storage buckets, overly permissive network access rules, and insufficient monitoring can expose sensitive data or allow attackers to gain unauthorized access. Similarly, in SaaS, misconfigured sharing settings or excessive user permissions can lead to unintended data exposure. As cloud environments become more dynamic, keeping configurations secure requires constant vigilance and automation.

Data Exposure

Data exposure is another critical risk, exacerbated by the decentralized nature of SaaS and IaaS. In SaaS platforms, external data shares often remain active long after their intended use, creating persistent vulnerabilities. For IaaS, sensitive data stored in improperly secured storage buckets or mismanaged databases can be accessed by unauthorized parties. These risks highlight the importance of continuous monitoring and lifecycle management for shared data.

Dynamic Cloud Environments

The speed and scale at which cloud environments evolve present additional challenges. Applications and integrations are frequently added, updated, or deprecated, often without security teams’ knowledge. This lack of visibility makes it difficult to identify potential vulnerabilities or ensure compliance with organizational policies.

Breach Examples: Lessons from the Field

Real-world breaches underscore the importance of robust SaaS and IaaS security practices. These incidents fall into three distinct categories:

Cloud/IaaS Breaches

  1. Capital One: A misconfigured AWS S3 bucket allowed a threat actor to exploit a vulnerability and access sensitive customer data, resulting in one of the largest breaches in financial services history. This incident revealed the critical importance of properly securing cloud storage and continuously auditing permissions.
  2. Toyota: Multiple data breaches stemming from cloud misconfigurations exposed customer and vehicle data. Toyota’s issues involved both insecure storage configurations and overly broad access permissions. For more details, see the summaries provided by CSO Online and SecurityWeek.

SaaS Breaches

  1. Microsoft Midnight Blizzard: One account without MFA
in a test environment led
to abused OAuth tokens and unauthorized access to Microsoft’s senior leadership’s corporate email in Microsoft 365. The Microsoft Midnight Blizzard breach is notable as it combines misconfigurations in both human and non-human identities, illustrating how multiple risks can combine to create dangerous attack paths. 
  2. Snowflake Customer Breaches: Misconfigured authentication controls (lack of MFA) and weak access controls led to data exposure for multiple Snowflake customers. These Snowflake customer breaches emphasize the need for stringent access management and regular reviews of SaaS configurations.
  3. Learn more about the top 2024 SaaS breaches in this Valence Security blog.

Hybrid Breaches Exploiting SaaS and IaaS Gaps

  1. UNC3944 Attack: Attackers from UNC3944 exploited misconfigurations in an Okta SSO environment to breach both SaaS and IaaS layers. By leveraging gaps in both environments, the attackers demonstrated the importance of unified cloud security practices.
  2. GitHub OAuth Token Breach: ‍ Attackers had stolen OAuth user tokens issued to third-party vendors, Heroku and Travis-CI. These tokens were then used to download private data repositories from dozens of GitHub customers, including GitHub itself and npm, who had been using Heroku and Travis-CI-maintained OAuth applications. 

These examples highlight the interconnected nature of cloud security and the need for comprehensive strategies to protect against evolving threats.

Understanding the SaaS and IaaS Security Landscape

SaaS Security: SaaS platforms deliver prebuilt applications via the cloud, managed almost entirely by the provider. Users are responsible for securing configurations, managing access controls, and safeguarding data shared or stored within these applications. Popular examples include Microsoft 365, Salesforce, and Slack.

IaaS Security: In contrast, IaaS solutions like AWS, Google Cloud Platform, and Microsoft Azure provide foundational computing resources, such as servers, storage, and networking, for users to build and run applications. Organizations bear significant responsibility for securing workloads, configurations, and data in these environments.

Both SaaS and IaaS platforms support critical business operations, but their security approaches vary due to differences in control, responsibility, and functionality.

Why SaaS Security Often Gets Less Attention

Despite the increasing reliance on SaaS for business operations, organizations often focus more on IaaS security. This disparity stems from several factors:

  • IaaS Lacks Native Security Tools - While IaaS platforms grant organizations extensive control over their cloud infrastructure, SaaS platforms often create a false sense of security. Vendors manage application security, leading users to assume their data is inherently protected. However, this misconception can result in overlooked risks. Misconfigurations, which is the SaaS customer’s security responsibility, can expose sensitive information to breaches and exploitation. 
  • SaaS Often Lacks a Clear Owner - IaaS is typically managed by centralized IT teams with dedicated budgets for security tools, making it easier to assign ownership and accountability. SaaS, by contrast, is often purchased and managed by individual business units. Security responsibilities are fragmented, leaving IT or security teams to manage risks without clear ownership or budget alignment. This decentralized approach complicates SaaS security, as app owners often lack expertise in managing security configurations, third-party integrations, or user permissions.
  • Organizations Rely on Inadequate SaaS Security Tools - Many businesses assume that existing tools like Single Sign-On (SSO) or Cloud Access Security Brokers (CASBs) sufficiently address SaaS security. While these tools play roles in managing access or monitoring certain configurations, they fall short of providing comprehensive visibility into SaaS risks. Dedicated SaaS Security Posture Management (SSPM) solutions are essential for monitoring configurations, third-party app integrations, and unused accounts.

Complementary Roles of SSPM and CSPM

To address security needs, organizations adopt solutions like Cloud Security Posture Management (CSPM) for IaaS and SaaS Security Posture Management (SSPM) for SaaS. These tools provide complementary benefits:

  • CSPM: Automates the identification and remediation of misconfigurations in IaaS environments, ensuring compliance with security best practices.
  • SSPM: Monitors SaaS environments for misconfigurations, unused data shares, and risky third-party app integrations, empowering organizations to secure SaaS ecosystems.

Together, these solutions enable businesses to address the full spectrum of cloud security risks.

Bridging the Gap in SaaS and IaaS Security

To mitigate these risks, organizations must adopt a proactive and holistic approach to cloud security. This includes implementing robust identity management practices, continuously monitoring for misconfigurations, and managing the lifecycle of data and integrations.

A More Holistic Approach to Cloud Security

A comprehensive strategy must address both human and non-human identity risks. For human identities, organizations should enforce MFA and integrate SSO wherever possible to reduce the attack surface. Regularly reviewing permissions and adhering to the Principle of Least Privilege are also crucial. For non-human identities, implementing token expiration policies, monitoring API activity, and restricting permissions to only what is necessary can significantly reduce risk.

In addition to identity management, organizations must prioritize visibility into both SaaS and IaaS environments. Tools that provide a unified view of configurations, permissions, and activity across platforms are essential. Automation plays a critical role in detecting and remediating issues quickly, minimizing the risk of breaches caused by misconfigurations or stale permissions.

Conclusion: Building Resilience in the Cloud

By focusing on the unique risks of both SaaS and IaaS, organizations can build a resilient cloud security strategy that protects critical assets and enables business growth. Real-world breaches offer valuable lessons, emphasizing the need for proactive measures and comprehensive tools to address the dynamic nature of cloud environments.

Learn more about Valence’s SaaS security capabilities today.

Latest Blogs

Top Security Recommendations for SaaS Applications

Top Security Recommendations for SaaS Applications

Secure SaaS to SaaS Supply chain Today | Valence security
Read more
Cloudflare Hacked Following Okta Compromise

Cloudflare Hacked Following Okta Compromise

Secure SaaS to SaaS Supply chain Today | Valence security
Read more
Empowering SaaS Incident Response with Valence and Microsoft Sentinel

Empowering SaaS Incident Response with Valence and Microsoft Sentinel

Secure SaaS to SaaS Supply chain Today | Valence security
Read more
Valence Security: Collaboratively remediate your SaaS security risks.
611 Gateway Blvd Ste 120, South San Francisco, CA 94080
Platform
Platform Overview
SaaS Security Posture Management (SSPM)
SaaS Risk Remediation
Identity Threat Detection and Response (ITDR)
Use Cases
SaaS Configuration Management
Manage Misconfigurations and Drift
Comply with Industry Standards
SaaS Identity Security
Ensure Strong Authentication
Review User Access
SaaS-to-SaaS Governance
Govern Non-human Identities
Discover Shadow AI
SaaS Data Protection
Reduce Data Exposure
Identify Exposed Data
SaaS Threat Detection
Detect SaaS Threats
Hunt SaaS Threats
Resources
About
Schedule a Demo
Contact Us
info@valencesecurity.com
Login
Valence Linkedin profileValence Facebook profile
Copyright © 2024 Valence Security | All rights Reserved | Privacy Policy | Terms of Use |
SaaS to SaaS Supply chain security | Valence security-Close
Free SaaS Security Risk Assessment

Our SaaS Security experts will help you identify risks and recommend actions to secure your SaaS now.

Request Assessment