Shadowy Cloud Apps

By Steven Tamm, Strategic Advisor, Spin.AI

SaaS business applications are fantastic, and one of their major benefits is the ease of connectivity and integration into your business environment. Having all your data visible across the business life cycle in one pane of glass is straightforward when all your data is in the cloud. However, this ease of integration is increasingly being targeted by malicious actors to steal your data. Users adding an app do not know what they are clicking when they accept a random set of OAuth scopes. Understanding whether you are reauthorizing a required integration between systems or introducing malware posing as a phone app is increasingly difficult. Most companies underestimate the threat of these applications; do not fall into that trap. Examine your cloud apps and extensions, ensure they have the right privileges, and institute continuous monitoring.

OAuth is a standard that allows an app to access the API of another service, with the service defining the restrictions on that access. In general, this is a good thing: the service can limit what the app sees, ensuring that only the information required for the application to function is exposed. OAuth scopes have very little standardization, and the hassle of asking for them again in the middle of a workflow if you need to escalate privileges provides an incentive to over-ask for privileges. Application authorizations, like Slack's, can ask for dozens of scopes out of over a hundred possible ones, and the granularity of those scopes is hard to tie to business data. The ubiquity of OAuth for mobile business applications and Android means that, like GDPR cookie banners, we just click yes. Have you reviewed all the OAuth applications installed in your SaaS apps?

The surface area of these SaaS-based attacks is hard to defend. Traditional systems for preventing data leakage and data loss are hard pressed to watch the perimeter between a Google application and your iOS device. The usual response is to lock everything down with an allow list or to require prior authorization. That reduces the value of the applications, but it also doesn't solve the problem, as you cannot simply rely on vendor-approved applications. In February of this year, hackers were able to abuse Microsoft's "Verified Publisher" OAuth apps to breach corporate email accounts. Do you have a system for managing which mobile apps can connect to your applications?

Often these attacks have knock-on effects when there is a breach in a separate organization that has nothing to do with you. When I was at Salesforce, there was a major compromise of OAuth tokens across multiple organizations: Heroku and TravisCI's integration tokens were stolen, and private NPM repositories containing credentials were leaked and used to compromise private GitHub orgs. Untangling this mess and remediating it was difficult across multiple multi-tenant systems. The OAuth tokens were revoked quickly, but that broke a lot of companies' ability to ship software. Thankfully, the average organization doesn't have to deal with that complexity, but you will have to deal with the fallout. Have you or your security team tested rolling over to new OAuth tokens with your integrations?

Most SaaS apps are charged per user, and each system integration usually requires a user to perform integration tasks. As the number of integrations increases, the combinatorial explosion makes it hard to ensure each system has least privilege. The lack of permission standardization in SaaS makes it hard to reason about point-to-point solutions. But the budgetary impact of these user identities adds up; add in the complexity of authentication and there is a large incentive to share these integration users across projects and systems. The weakest link in your system means you can overshare data in case of a breach, which in regulated industries or under PCI or HIPAA comes with hefty fines. These penalties can be $10K a day or $500K per breach, along with the shutdown of significant portions of your business: have you weighed that cost against the cost of having separate integration users?

All this gets even more dire when you add in the flexibility and awesome power of browser extensions. Extensions are amazing boosts to productivity, allowing automation of workflows and enhancements of applications that unlock tremendous value. They are often the only way to integrate systems with expensive or incomplete APIs. But with great power comes great responsibility. Allowing any JavaScript on any page has inherent dangers, even with Google's recent Manifest V3 improvements to remove remote code. That LastPass browser extension was probably OK in 2020, but not in 2023; are you monitoring your allowlist that closely against CVEs or the news? Do you review your integrations with every point release?

Many companies, perhaps even yours, have private extensions you tell your employees to download, install and update as part of their job. In February, Matt Frisbie published an article with a working Chrome extension that can steal everything on your computer, including a keylogger and the contents of every tab, without you knowing. At the end, he asks a few good questions you should be asking yourself now.

  • Without looking, can you name more than half of the extensions you have installed right now?
  • Who maintains them? Is it the same entity that maintained it when you first installed? Are you sure?
  • Did you really scrutinize their permissions?
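The kind of permission scrutiny these questions call for, as an added example that is not from the article or from Frisbie's extension: the manifest is constructed and the permission tiers are a hypothetical reviewer's policy, applied to the standard Chrome manifest keys.

```python
"""Flag browser-extension manifest permissions worth scrutinizing before allowlisting.

Added example, not from the article or from Matt Frisbie's extension: the manifest
below is constructed, and the permission tiers are a hypothetical reviewer's policy.
"""
import json

# API permissions that let an extension observe or act on arbitrary pages or the browser.
BROAD_PERMISSIONS = {"tabs", "webRequest", "scripting", "debugger", "clipboardRead",
                     "cookies", "history", "nativeMessaging"}
EVERY_SITE_PREFIXES = ("*://*/", "http://*/", "https://*/")


def matches_every_site(pattern):
    """True for match patterns that cover every origin rather than named hosts."""
    return pattern == "<all_urls>" or pattern.startswith(EVERY_SITE_PREFIXES)


def review_manifest(manifest_text):
    """Return findings for a Chrome extension manifest given as JSON text."""
    m = json.loads(manifest_text)
    findings = []
    if m.get("manifest_version", 0) < 3:
        findings.append("manifest_version < 3: remotely hosted code still permitted")
    # MV3 separates API permissions from host patterns; MV2 mixed both in "permissions".
    perms = set(m.get("permissions", []))
    hosts = set(m.get("host_permissions", []))
    hosts |= {p for p in perms if "://" in p or p == "<all_urls>"}
    for p in sorted(perms & BROAD_PERMISSIONS):
        findings.append(f"broad API permission: {p}")
    for h in sorted(hosts):
        if matches_every_site(h):
            findings.append(f"host access to every site: {h}")
    for script in m.get("content_scripts", []):
        for pat in script.get("matches", []):
            if matches_every_site(pat):
                findings.append(f"content script injected on every page: {pat}")
    return findings


# Constructed manifest of a hypothetical internal extension pushed to employees.
SAMPLE_MANIFEST = json.dumps({
    "manifest_version": 3,
    "name": "Constructed Helper",
    "version": "1.2.0",
    "permissions": ["storage", "tabs", "scripting"],
    "host_permissions": ["<all_urls>"],
    "content_scripts": [{"matches": ["<all_urls>"], "js": ["inject.js"]}],
})
```

Every finding is a question for the extension's maintainer, not a verdict; an extension with no findings still needs the "who maintains it" check.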

My recommendation is to look for a service to manage this complexity. The difference in OAuth scopes and permission systems between applications is vast. For each of your cloud SaaS apps, look at the list of application packages and institute a process to remove the ones that aren't critical: if you don't need that Salesforce Connected App, remove it. If you need it, look at its permissions and assess its risk on an ongoing basis.
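One way to run the ongoing review described above, as an added example that is not code from the article or from Spin.AI: constructed grant records using Google Workspace-style scope URLs are checked against a hypothetical per-app allowlist of the scopes each integration actually needs, flagging excess scopes, apps not on the list, and grants nobody has used in months.

```python
"""Review OAuth grants against a per-app allowlist of required scopes.
Added example, not from the article or Spin.AI: the grants are constructed (Google
Workspace-style scope URLs) and REQUIRED_SCOPES is a hypothetical policy.
"""
from datetime import date

# Hypothetical policy: for each approved app, the scopes its integration actually needs.
REQUIRED_SCOPES = {
    "Payroll Sync": {"https://www.googleapis.com/auth/admin.directory.user.readonly"},
    "Calendar Helper": {"https://www.googleapis.com/auth/calendar.events"},
}
# Scope families that expose mail, files or the user directory; excess here is high risk.
HIGH_RISK_PREFIXES = (
    "https://www.googleapis.com/auth/drive",
    "https://www.googleapis.com/auth/gmail",
    "https://www.googleapis.com/auth/admin.directory",
)
STALE_DAYS = 90  # grants idle longer than this are revocation candidates
TODAY = date(2023, 6, 14)  # review date for the sample run

def review_grant(app, scopes, last_used, today):
    """Return findings for one app's grant; an empty list means it is within policy."""
    findings = []
    required = REQUIRED_SCOPES.get(app)
    if required is None:
        findings.append("not on allowlist")
        excess = set(scopes)  # every scope is unjustified for an unknown app
    else:
        excess = set(scopes) - required
    for scope in sorted(excess):
        risk = "high" if scope.startswith(HIGH_RISK_PREFIXES) else "low"
        findings.append(f"excess scope ({risk}): {scope}")
    idle = (today - last_used).days
    if idle > STALE_DAYS:
        findings.append(f"unused for {idle} days; revoke candidate")
    return findings

def review_all(grants, today=TODAY):
    """Map each app name to its findings."""
    return {g["app"]: review_grant(g["app"], g["scopes"], g["last_used"], today)
            for g in grants}

# Constructed sample resembling a third-party app grant export from an admin console.
SAMPLE_GRANTS = [
    {"app": "Payroll Sync", "last_used": date(2023, 6, 1), "scopes": [
        "https://www.googleapis.com/auth/admin.directory.user.readonly",
        "https://www.googleapis.com/auth/drive"]},
    {"app": "Calendar Helper", "last_used": date(2023, 1, 10), "scopes": ["https://www.googleapis.com/auth/calendar.events"]},
    {"app": "Fun Photo Filter", "last_used": date(2023, 6, 10), "scopes": ["https://www.googleapis.com/auth/gmail.modify"]},
]
```

Run `review_all(SAMPLE_GRANTS)` on a schedule against a fresh export and the allowlist becomes the review record: a scope that appears in the findings is either added to REQUIRED_SCOPES with a justification or revoked.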

Recently, Google added better data loss prevention and other security features to Google Chrome. Maintaining an allowlist of browser extensions is a logistical headache; find a SaaS DLP vendor integrated with Google Chrome that will review and rate the extensions in your environment and take automated actions. And keep the integration users between your systems with the least privilege possible, avoiding reuse across domains.


Steven Tamm is the former CTO of Salesforce and the Strategic Technology Advisor of Spin.AI. Tamm's experience spans roles in sales, product strategy, and operations across a wide variety of technologies including Cloud, Cybersecurity, SaaS and more. He holds a Master of Engineering degree from the Massachusetts Institute of Technology (MIT).

Published Wednesday, June 14, 2023 7:34 AM by David Marshall