
SaaS is Cloud: A Look at SSPM

I talk to a lot of organizations that forget that SaaS is cloud. Some of their most important business assets (e.g. data) reside in Snowflake, Salesforce, and more, and today their CNAPP doesn't protect them. In addition, purchasing new technology doesn't always go through a centralized procurement process like it used to; departments, and even individual employees, sign up for new SaaS applications in an ad-hoc manner all the time. These are the key reasons organizations need to treat SaaS as part of their attack surface going forward.

With that said, a wave of startups is developing solutions that discover, assess, and help remediate an organization's SaaS security posture, a category called SaaS Security Posture Management (SSPM). In this article, we take a closer look at this technology and its market.


As you can imagine, SSPM solutions are targeted at the enterprise segment, which has a growing and nearly unmanageable number of SaaS applications. The prices are pretty steep and not suitable for most organizations down-market; however, there is a real need, especially among fast-growing mid-market companies that rely on a number of SaaS tools to run their business.


Whereas CNAPP, an established Gartner category of solutions, focuses on the security posture of IaaS and PaaS, CNAPP products currently do not extend to the third major type of cloud service, i.e. SaaS. I believe this could change over the next few years as CNAPP providers continue to try to differentiate themselves, and as customers adopt more SaaS and get frustrated at having to pay for yet another solution.


Overview


SSPM is focused on understanding the security posture of your SaaS applications. It does this primarily by connecting to your IdPs and SaaS APIs to get the list of applications and their settings, and to gain the ability to take action. Note that many SaaS applications do not provide logs, so detection & response use-cases are limited to polling SaaS APIs for system changes.


SSPM does 4 main things:


  1. Discovers your SaaS ecosystem (inventory)

    • This includes both known SaaS (IdP-connected) and unknown SaaS applications

  2. Assesses the discovered applications for security controls, configurations, and more

  3. Detects gaps in posture and compliance, and identifies malicious activity (often a secondary capability)

  4. Runs remediation actions such as user offboarding, disabling an application in the IdP, and account suspension


SSPM helps security teams coordinate with their TPRM (Third-Party Risk Management), SSO (Single Sign-On), and IGA (Identity Governance & Administration) groups.


Shadow SaaS


When it comes to inventorying your SaaS applications, the simplest thing to do is ask your IdP what applications are connected. While all SSPMs do this, it is nothing special, as you can find the same information by logging into your IdP. What you really need is the ability to find the unknown unknowns: for example, the SaaS applications employees have signed up for with their corporate e-mail that are not connected to the IdP. And out of that sea of applications, you also need to find the ones that matter, not the employee who has signed up for Door Dash.

Note that not all SSPMs solve for this. The ones that do generally use 3 methods:

  1. Integration with the organization's mail server to scan for SaaS sign-up e-mails ("Welcome, Thank you for Signing Up for X")

    • Despite the way it sounds, this is a time-consuming engineering problem due to noise and the many permutations of sign-up mail

  2. Integration with networking tools (SASE, internet gateways, proxies, etc.) to identify network traffic to SaaS applications

  3. A browser extension deployed to employees to identify SaaS usage, such as when a personal e-mail is used to log into SaaS, and to assess its posture (this is a newer technology still in an R&D state)
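The first method above (mining the corporate mailbox for sign-up mail) is illustrated by the following added example; it is not code from the original post or from any SSPM product. It assumes a constructed list of (sender, subject) pairs exported from the mail server, a constructed set of IdP-connected vendor domains, and a constructed list of consumer-service domains to drop as noise.

```python
import re

# Constructed sample of mail headers pulled from the corporate mail server.
MESSAGES = [
    ("no-reply@examplecrm.test", "Welcome to ExampleCRM! Confirm your account"),
    ("hello@notesapp.test", "Thank you for signing up for NotesApp"),
    ("support@notesapp.test", "Verify your email address"),   # same vendor, de-duplicated
    ("promo@shop.test", "Welcome to our summer sale"),        # noise: marketing mail
    ("orders@shop.test", "Thanks for your order #1234"),      # noise: purchase receipt
    ("team@knownapp.test", "Your account has been created"),  # already in the IdP
    ("noreply@fooddelivery.test", "Welcome to FoodDelivery"), # consumer app, not a risk
]

IDP_CONNECTED = {"knownapp.test"}          # constructed IdP inventory
CONSUMER_DOMAINS = {"fooddelivery.test"}   # constructed "Door Dash" style exclusions

# Common permutations of sign-up wording; tuned for recall, noise is removed below.
SIGNUP_PATTERNS = [
    re.compile(r"\bwelcome to\b", re.I),
    re.compile(r"\bthank(?:s| you) for (?:signing up|registering|creating)", re.I),
    re.compile(r"\b(?:confirm|verify) your (?:account|email)", re.I),
    re.compile(r"\byour account has been created\b", re.I),
]
# Subjects that hit a sign-up pattern but are marketing or transactional mail.
NOISE_PATTERNS = [re.compile(r"\b(?:sale|order|newsletter|offer)\b", re.I)]


def is_signup(subject: str) -> bool:
    """True when the subject looks like an account-creation e-mail and not known noise."""
    if any(p.search(subject) for p in NOISE_PATTERNS):
        return False
    return any(p.search(subject) for p in SIGNUP_PATTERNS)


def sender_domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()


def discover_shadow_saas(messages, idp_connected, consumer_domains):
    """Return sorted vendor domains with sign-up mail that the IdP does not know about."""
    found = {sender_domain(sender) for sender, subject in messages if is_signup(subject)}
    return sorted(found - set(idp_connected) - set(consumer_domains))


if __name__ == "__main__":
    print(discover_shadow_saas(MESSAGES, IDP_CONNECTED, CONSUMER_DOMAINS))
```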


Assessment

The assessment portion of SSPM technology is primarily the ingestion of metadata from SaaS applications. This includes identity, policy, permissions, security settings and more. Once the data is collected, algorithms are used to prioritize posture issues, as well as to run detections against metadata changes or any available logs to identify malicious behavior. Some additional assessment capabilities come from browser extensions that can answer questions that could not be asked before, such as:

  • Did an employee use their corporate password for their Door Dash account?

  • Did an employee use a password that is not stored in 1Password?

Detections


Given that the main focus of SSPM is on posture, and that SaaS apps often generate little telemetry, there is a largely unmet need for detections. Several SSPMs offer detections, but it is a complementary focus: the signature-based detections available in today's market solutions number fewer than 20 in most cases, and the vendors do not make up for it with other detection methods such as baselining for anomalous behavior.


Use-Cases


Below, I share a few example use-cases that SSPMs solve and that other technologies are not well suited for.


Data Theft: Attacker compromises a SaaS identity that had a weak password and MFA disabled.

Disgruntled Employee: Employee puts in 2 weeks notice, disables multi-factor on 4 of their SaaS applications and updates their recovery e-mail to a personal one.

Policy Violation: Employee is signing into a personal Dropbox with their corporate e-mail.

Policy Violation: Identify SaaS logins that don’t go through SSO

Compliance: Are we using SaaS applications that are not SOC2 compliant?

Lateral Movement: What applications did a compromised identity log onto?
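Because most SaaS apps expose no audit log, the Assessment section notes that detections must run against metadata changes obtained by polling the SaaS API. The following added example (not code from the original post or from any SSPM product) shows that pattern for the Disgruntled Employee use-case above: it diffs two constructed per-user settings snapshots and flags MFA being disabled across several apps and a recovery e-mail moved off a corporate domain. App names, user names and the snapshot schema are constructed assumptions.

```python
# Constructed snapshots of per-user settings as returned by each SaaS admin API on
# two successive polls.  Shape: {app: {user: {setting: value}}}.
BEFORE = {
    "crm":  {"alice@corp.test": {"mfa": True, "recovery_email": "alice@corp.test"},
             "bob@corp.test":   {"mfa": True, "recovery_email": "bob@corp.test"}},
    "wiki": {"alice@corp.test": {"mfa": True, "recovery_email": "alice@corp.test"}},
}
AFTER = {
    "crm":  {"alice@corp.test": {"mfa": False, "recovery_email": "alice.home@mailbox.test"},
             "bob@corp.test":   {"mfa": True, "recovery_email": "bob@corp.test"}},
    "wiki": {"alice@corp.test": {"mfa": False, "recovery_email": "alice@corp.test"}},
}
CORP_DOMAINS = {"corp.test"}  # constructed list of domains the organization owns


def diff_snapshots(before, after):
    """Return (app, user, setting, old, new) for every setting that changed between polls."""
    events = []
    for app, users in after.items():
        for user, settings in users.items():
            old = before.get(app, {}).get(user, {})
            for setting, new in settings.items():
                if old.get(setting) != new:
                    events.append((app, user, setting, old.get(setting), new))
    return events


def detect(events, corp_domains, mfa_threshold=2):
    """Turn change events into findings: (rule, user, detail)."""
    findings = []
    mfa_disabled = {}  # user -> apps where MFA went from on to off
    for app, user, setting, old, new in events:
        if setting == "mfa" and old is True and new is False:
            mfa_disabled.setdefault(user, []).append(app)
        if setting == "recovery_email" and new.rsplit("@", 1)[-1].lower() not in corp_domains:
            findings.append(("recovery_email_external", user, app))
    # Disabling MFA on one app may be benign; doing it on several is the use-case signal.
    for user, apps in mfa_disabled.items():
        if len(apps) >= mfa_threshold:
            findings.append(("mfa_disabled_multi_app", user, tuple(sorted(apps))))
    return findings


if __name__ == "__main__":
    for finding in detect(diff_snapshots(BEFORE, AFTER), CORP_DOMAINS):
        print(finding)
```

In practice the same diff would also feed the remediation actions listed earlier (user offboarding, disabling the app in the IdP) once a finding is confirmed.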



© 2024 by Ashton Schipp.