In today's rapidly evolving cybersecurity landscape, the surge in cyber threats and the wealth of available data on cyber posture and incidents have posed a unique challenge for the cyber insurance industry. As the number of attacks continues to rise, insurers face the daunting task of assessing cyber risks and helping their clients mitigate them efficiently. To address this challenge, insurers have sought to distill their risk analysis into a concise set of 5 to 12 statistically significant key controls. While these controls provide a valuable framework, they’re no guarantee that organizations will implement controls effectively.
While these key controls serve as a starting point to identify critical technology needs, they frequently result in a binary checklist approach during the risk assessment process. This approach often overlooks the vital aspect of verifying whether these technologies are not only in place but also effectively deployed. Complicating matters further, cyber attackers routinely exploit multiple vulnerabilities to execute successful breaches. As such, assessing risk reduction through isolated controls and technologies becomes inadequate. Instead, a comprehensive risk assessment is needed, one that centers on safeguarding an organization's critical assets.
For insurers to conduct a thorough risk assessment, they must grapple with two fundamental challenges. First, they must identify where an organization's critical assets are located. Second, they must ensure that cybersecurity technologies are deployed to protect these core assets. Unfortunately, obtaining information about critical assets and security deployments is often an arduous process, conflicting with the speed at which underwriting processes operate.
One of the commonly overlooked critical IT assets is SaaS applications. SaaS applications have become integral components of the IT infrastructure, often hosting valuable company intellectual property, sensitive employee personally identifiable information (PII), and customer data. The accelerated adoption of SaaS applications, especially during the widespread transition to remote work, has been remarkable, with a 41% increase in just 2 years. However, anything with a web interface, from email and core business applications like Workday, Salesforce, and NetSuite to cloud infrastructure management consoles and cybersecurity tools, can be vulnerable to misconfigurations. Misconfigurations accounted for a staggering 55% of cloud data breaches in 2022, mainly attributed to human error.
SaaS security risks manifest in several critical ways, underscoring the complexity of securing these applications:
- Gaps in identity security and access management
- Spaghetti web of third-party integrations and SaaS-to-SaaS interconnectivity
- SaaS security misconfigurations leaving apps open to attacks or misuse
- Unmanaged external shares of files, code, and other data assets
Implementing a comprehensive SaaS security platform that includes SaaS Security Posture Management (SSPM) capabilities, such as Valence, is key to addressing these pressing challenges. Valence equips enterprises with the tools needed to provide security validation for the critical cybersecurity controls outlined earlier.
- Multi-Factor Authentication (MFA): Our 2023 State of SaaS Security Research revealed a surprising fact: at least 1% of assets within each organization lack MFA coverage. It's a common assumption that a centralized Identity Provider (IdP) with enterprise MFA should cover all assets, especially cloud-based ones. However, the reality is that unmanaged local accounts are often created in SaaS applications, which could lead to unsecured dormant accounts. Valence's SaaS security platform can not only ensure that MFA authentication is properly configured on your SaaS applications, but also help ensure that all applications are enrolled within your Single Sign-On (SSO) deployments.
- Zero Trust Principles: In SaaS, applying zero trust principles means ensuring least privilege access to business-critical applications and data. Access can be granted in many shapes and forms, from adding users with administrative access, to creating a new third-party API integration with sensitive access, to just sharing a file with the native collaboration options. Ensuring that any identity (internal employees, external collaborators or non-human identities) has only the required level of access is key to improving SaaS security posture. With Valence, security teams can monitor the actual level of access granted to both human and non-human identities and collaborate with business users as they remove unnecessary permissions, accounts, tokens and data shares to apply zero trust principles.
- Vendor/Digital Supply Chain Risk Management: In 2022, third-party breaches took the lead as the primary cause of data breaches, surpassing ransomware-based breaches by 40%. OAuth-based SaaS-to-SaaS integrations can leave organizations vulnerable to third-party attacks, where attackers can exploit valid third-party tokens and non-human identities to access core SaaS apps directly. Shockingly, over 50% of integrations within organizations are inactive, adding significant and unnecessary attack surface. Valence's platform not only detects a comprehensive set of integrations but also flags high-privilege and tenant-wide integrations. Organizations can swiftly reduce their risk by utilizing our automated remediation workflows to remove inactive integrations.
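
The three checks above can be run against any exported inventory of SaaS accounts and OAuth integrations. The sketch below is an added example, not Valence's code or part of the original article; the field names, the 90-day inactivity threshold and the scope heuristic are assumptions, and the records are constructed sample data.

```python
from datetime import date

# Constructed sample inventory; field names are hypothetical, not any vendor's export schema.
ACCOUNTS = [
    {"app": "crm", "user": "alice@example.com", "sso": True, "mfa": True, "last_login": date(2024, 5, 28)},
    {"app": "crm", "user": "svc-legacy", "sso": False, "mfa": False, "last_login": date(2023, 9, 1)},
    {"app": "hr", "user": "bob@example.com", "sso": False, "mfa": True, "last_login": date(2024, 5, 30)},
]
INTEGRATIONS = [
    {"app": "crm", "name": "report-sync", "scopes": ["read:contacts"], "tenant_wide": False, "last_used": date(2024, 5, 29)},
    {"app": "mail", "name": "old-plugin", "scopes": ["mail.readwrite.all"], "tenant_wide": True, "last_used": date(2023, 6, 1)},
    {"app": "files", "name": "backup-tool", "scopes": ["files.read.all"], "tenant_wide": True, "last_used": date(2024, 5, 31)},
]
HIGH_PRIV_MARKERS = ("write", "admin", ".all")  # assumed heuristic for sensitive scopes
INACTIVE_DAYS = 90                               # assumed inactivity threshold


def audit_accounts(accounts, today):
    """Flag accounts without MFA, outside SSO (local), or dormant."""
    findings = []
    for a in accounts:
        issues = []
        if not a["mfa"]:
            issues.append("no-mfa")
        if not a["sso"]:
            issues.append("local-account")
        if (today - a["last_login"]).days > INACTIVE_DAYS:
            issues.append("dormant")
        if issues:
            findings.append((a["app"], a["user"], issues))
    return findings


def audit_integrations(integrations, today):
    """Flag OAuth integrations that are inactive, tenant-wide, or hold sensitive scopes."""
    findings = []
    for i in integrations:
        issues = []
        if (today - i["last_used"]).days > INACTIVE_DAYS:
            issues.append("inactive")
        if i["tenant_wide"]:
            issues.append("tenant-wide")
        if any(m in s.lower() for s in i["scopes"] for m in HIGH_PRIV_MARKERS):
            issues.append("high-privilege")
        if issues:
            findings.append((i["app"], i["name"], issues))
    return findings
```

An integration that is both inactive and high-privilege, like the constructed `old-plugin` record, is the natural first candidate for removal.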
As cyber insurance claims surged in 2023, the urgency to strengthen cybersecurity defenses became abundantly clear. SaaS applications, holding a central position within an organization's IT infrastructure, demand meticulous attention to identities, security configurations and third-party integrations. Valence Security is your strategic partner in implementing and fortifying these critical cybersecurity controls, ensuring that your organization is well-prepared to navigate the ever-evolving cyber risk landscape.