How to Control (Maneuver) the Post-IdP Wasteland
Originally published by DoControl.
Written by Tony Klor, DoControl.
In a world where digital transformation is the new normal and employees are more mobile than ever, organizations are inundated with managing often highly sensitive Software as a Service (SaaS) application data. To meet these demands, businesses have turned to Identity Provider (IdP) solutions to help them manage user permissions and data access.
Once an employee accesses their IdP they are now able to get into the applications they need to perform their job function. In this piece we’ll explore what enterprises have to lose by defaulting to an IdP provider to secure SaaS application data. This becomes a single point of failure in the case of insider threats and account takeover attacks. In fact, a significant number of Fortune 5000 companies have suffered from major data leaks in the past couple of years.
What is the Post-IdP Wasteland and Why Does it Matter?
Most modern enterprises secure SaaS data at two focus points. The first is their IdP. In its most basic form, IdP is the system used to control user access to data within an organization. IdP is designed to integrate with other corporate applications such as Zoom, Google Drive, OneDrive, and Slack. As great as the IdP solutions are at providing data access, they are not focused on monitoring (or controlling) SaaS data.
The second is the SaaS application file permissions. These sharing permissions are often accessible by anyone with a link which could include past employees, former partners, or even competitors. Enforcing file permissions manually is beyond an insurmountable task. On average, companies have 10k files per 50 employees. Securing SaaS data which could contain IP and employee PII must be done with precision and care.
Common methods to secure SaaS data include company rules and sharing policies, Data Loss Prevention (DLP) and Cloud Access Security Broker (CASB) solutions. All of these post-IdP solutions act retroactively in order to exfiltrate exposure in SaaS files. With this, modern enterprises are at high risk of a data leak as once a file is exposed it is difficult to remediate.
How to Control the Post-IdP Wasteland
Protecting against these blind spot attacks requires a shift of focus. Existing solutions ask the following questions at the two choke points referenced above. At the IdP, solutions ask, “Are you who you say you are” and “do you have the right credentials?” On document permissions solutions ask, “Would you like to share this information with someone internally, anyone with a link or a specific person?” The question they need to ask is “should you have access to this data?” By applying this framework to defending SaaS data, organizations can more effectively secure sensitive data and files within business-critical SaaS applications.
The key to solving this challenge is to better analyze document permissions with automated, self-service tools for SaaS application data access monitoring, orchestration, and remediation. In addition, IT security teams should adopt a more comprehensive view of all SaaS users, 3rd party collaborators, assets/metadata, OAuth apps, groups, events and activities.
This in turn will assist enterprises to understand how much data is exposed, remediate it quickly, and automatically remediate over time through granular, no-code workflows. In doing so, it will reduce risk, prevent data breaches, and mitigate insider risk without slowing down business enablement.
This approach can help to identify a spike in file exports and additional party sharing. It will recognize behavior that is high risk or anomalous, and enforce policies that protect sensitive internal data – the life blood for most modern businesses.
Change The Focus to Adapt for the Future
Answering the question of “should you have access to this file?” is a business critical challenge for organizations. In doing so, companies can provide a strong compliment to their existing IdP solutions and internal document sharing policies. From there, security teams can create granular data access control policies to reduce the risk of data overexposure and exfiltration. This approach enables enterprises to be more nimble and deter vulnerability.
Sign up to receive CSA's latest blogs
This list receives 1-2 emails a month.