SaaS Security Exposed: 265 Days of Alarming Entra ID Application Discoveries
July 2, 2024 • Alistair Pugin
Over the last seven years, I've spent considerable time in Microsoft 365 Security and Compliance solutions. What has become abundantly evident is that cloud security is not just one thing. We've seen Microsoft mature its security offerings in the cloud. At the same time, industry standards like NIST, CIS, and ISO all adopted cloud computing as the de facto IT standard for most, if not all, companies across the globe. It seems that each week, a new security acronym arrives on the scene: SIEM (Security Information and Event Management), SOAR (Security Orchestration, Automation, and Response), CSPM (Cloud Security Posture Management), ASPM (Application Security Posture Management), SSPM (SaaS Security Posture Management), XDR (Extended Detection and Response).
In this evolution of cybersecurity, organizations have had to change their traditional perimeter security approach to a decentralized model. This transition has single-handedly changed how the world views IT security.
Securing data in the cloud introduces a colossal new set of challenges for organizations. Here are just a few cybersecurity challenges with managing your data within cloud platforms:
Access Management
Managing who has access to what resources can be complex, especially in enterprise organizations with numerous users and roles. Poor Identity Access Management (IAM) practices can lead to unauthorized access. Privileged account management is also critical, as mismanagement of these accounts can lead to elevated risks if these accounts are compromised.
The Shared Responsibility Model
Companies must understand who is responsible for securing what in the cloud, and Microsoft has published a diagram that covers shared responsibility in the cloud. Cloud providers and customers share responsibility for some security measures, whereas other measures are the full responsibility of one or the other. A misunderstanding of this division of responsibilities can lead to security gaps. Ensuring vendor security can be another challenge: do your vendors have robust security measures, and do you regularly assess these practices? Relying on third-party services and software in the cloud creates additional supply chain risk, but it's nearly unavoidable.
Figure 1: Microsoft's Shared Responsibility Model.
Configuration Management
Incorrectly configured cloud resources can lead to vulnerabilities, which result in data exposure and other security incidents. With cloud providers like Microsoft constantly introducing new products, features, settings, and portals, it can take time to keep up with the changes and security gaps these changes introduce.
Be it Microsoft, AWS or Google, one thing remains the same:
Identity is a top threat vector.
Hackers are no longer targeting firewalls or networks. Cloud providers have, for the most part, built infrastructure that manages and thwarts would-be attackers: they absorb Denial of Service attacks and mitigate brute-force attempts. Companies are not as concerned with traditional attack vectors because, for the most part, the cloud provider handles them. It has become a misnomer of sorts: "We have solutions in the cloud that our provider protects." For the most part, traditional perimeter security has been abstracted away from the consumer entirely.
However, identities are one of the most significant and most frequently compromised attack vectors in the world right now. Just have a look at some of the following statistics:
- The Verizon Data Breach Investigations Report (DBIR) 2023 indicated 61% of breaches involved credentials.
- The IBM Cost of a Data Breach Report 2023 reported that stolen or compromised credentials were the most common cause of data breaches, highlighting the critical role of identity in security incidents.
- Microsoft's Digital Defense Report 2023 cited that 4,000 identity authentication threats are blocked per second.
- The FBI's Internet Crime Report 2023 states that Business Email Compromise (BEC) accounts for nearly $3 billion in losses.
Even Microsoft fell prey to hackers with the now famous "Midnight Blizzard" hack announced at the beginning of 2024. In an update this week (7/1/24), Microsoft is contacting enterprise customers potentially affected by the Midnight Blizzard data breach.
Where does that leave the world of SaaS Security today?
With new security gaps come new solutions and approaches. Since its launch in the fall of 2023, ENow's AppGov Score and App Governance Accelerator have been deployed by companies worldwide, helping them assess and identify security risks in their Microsoft Entra ID application environments.
Working side-by-side with global Security MVPs, ENow has taken the message of improving identity and application security in Microsoft Entra ID to the masses, walking customers through concepts and recommended practices and publishing articles like the one I wrote about "The Anatomy of a Cyber Attack" back in February 2024. They believe this community-driven approach and knowledge sharing allow companies to better understand the exposure and risks associated with running applications in the cloud.
At the same time, ENow has been exposed to what the world looks like from a customer's perspective, and what they have seen in aggregate is startling. The thing is, it's nobody's fault. You can't blame the vendors who build based on industry needs. You can't blame organizations, as we expect them to grow and upskill at an unrealistic pace. You can't blame the partners, as the customers' requests drive their focus.
My point is that it is what it is.
Over the last year, we have been delivering webinars/blogs/white papers/eBooks with the single purpose of educating customers, engineers, partners, and consultants across the globe about what they should be:
- Thinking about,
- Doing and,
- Deploying into their environments so that they can approach SaaS security from a cloud-native perspective.
Over the last ten months, we've had a phenomenal and enlightening journey. We've experienced the weird, the bad, and the wonderful of identity and SaaS application security. Some things have fascinated us; we often ask, "How is that possible?"
In the end, the only thing that we can do is ensure that as many companies as possible have a continuous view of what the applications in their Entra ID environment are doing, their current risk profile, what it all means, and, most importantly, what they need to do to ensure that their cloud investment is adequately protected.
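The access-management risks described earlier (unmanaged privileged access, nobody accountable for an application) and the "continuous view" of Entra ID applications called for here both start with an inventory. The script below is an added example, not code from this post or from ENow's AppGov products: it uses the Microsoft Graph PowerShell SDK to list app registrations with credentials nearing expiry or with no owner, and enterprise applications (service principals) that hold admin-consented delegated scopes or application permissions from a short watch list. The 30-day window and the `$highRisk` permission list are assumptions chosen for illustration; the cmdlets and Graph permission names are the real ones from the Microsoft.Graph module.

```powershell
# Added example: Entra ID application inventory with the Microsoft Graph PowerShell SDK.
# Assumes the Microsoft.Graph module is installed and the signed-in account can read
# applications and the directory (read-only scopes; nothing here changes the tenant).
Connect-MgGraph -Scopes "Application.Read.All","Directory.Read.All" -NoWelcome

# Assumption: flag secrets/certificates that expire within 30 days.
$soon = (Get-Date).AddDays(30)

# Assumption: illustrative watch list of tenant-wide permissions that warrant review.
$highRisk = @(
    "Directory.ReadWrite.All", "Application.ReadWrite.All",
    "RoleManagement.ReadWrite.Directory", "Mail.ReadWrite", "Files.ReadWrite.All"
)

# 1. App registrations owned by this tenant: credentials nearing expiry and missing owners.
$findings = foreach ($app in Get-MgApplication -All -Property Id,DisplayName,AppId,PasswordCredentials,KeyCredentials) {
    $creds = @($app.PasswordCredentials) + @($app.KeyCredentials)
    foreach ($c in $creds) {
        if ($c.EndDateTime -and $c.EndDateTime -lt $soon) {
            [pscustomobject]@{ Object = $app.DisplayName; Finding = "Credential expires $($c.EndDateTime.ToString('u'))" }
        }
    }
    # An app registration with no owner has nobody accountable for its lifecycle.
    if (-not (Get-MgApplicationOwner -ApplicationId $app.Id)) {
        [pscustomobject]@{ Object = $app.DisplayName; Finding = "No owner assigned" }
    }
}

# 2. Enterprise applications (service principals): what has been consented or assigned.
$findings += foreach ($sp in Get-MgServicePrincipal -All -Property Id,DisplayName,AppId,ServicePrincipalType) {
    if ($sp.ServicePrincipalType -ne "Application") { continue }

    # Delegated permissions; ConsentType "AllPrincipals" means an admin consented on behalf of every user.
    $grants = Get-MgServicePrincipalOauth2PermissionGrant -ServicePrincipalId $sp.Id -All
    foreach ($g in ($grants | Where-Object ConsentType -eq "AllPrincipals")) {
        foreach ($scope in ($g.Scope -split " ")) {
            if ($highRisk -contains $scope) {
                [pscustomobject]@{ Object = $sp.DisplayName; Finding = "Admin-consented delegated scope $scope" }
            }
        }
    }

    # Application permissions (app roles) act without a signed-in user; resolve the role GUID
    # to its name via the resource service principal (one extra Graph call per assignment).
    $roles = Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id -All
    foreach ($r in $roles) {
        $resource = Get-MgServicePrincipal -ServicePrincipalId $r.ResourceId -Property AppRoles
        $roleName = ($resource.AppRoles | Where-Object Id -eq $r.AppRoleId).Value
        if ($highRisk -contains $roleName) {
            [pscustomobject]@{ Object = $sp.DisplayName; Finding = "Application permission $roleName on $($r.ResourceDisplayName)" }
        }
    }
}

$findings | Sort-Object Object, Finding | Format-Table -AutoSize
```

Run it from an account that holds a read-only directory role and review the table against your change records: a credential expiring with no owner to renew it, or an application permission nobody remembers granting, is exactly the kind of gap the post describes. Running it on a schedule and diffing the output gives the "continuous view" rather than a one-off snapshot.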
So many things have changed in cybersecurity in recent years. Identity Admins must worry about application security. Developers must build applications with security at the forefront of their design. Infrastructure engineers are no longer responsible for the "App," and security analysts have had to up and cross-skill in various approaches to address their SaaS security posture.
Questions on SaaS security management? Join our Community Forum and let our experts help.
The AppGov Community Forum is moderated by Microsoft Security & Identity MVPs and subject-matter experts to answer your questions around Entra ID, managing Enterprise Applications, Application Registrations, and the impact of Tenant Settings on an application's lifecycle.
Written by Alistair Pugin
M365 + Security MVP | Blogger | Podcaster | Speaker | Founder, CEO - YModernize
Alistair has worked in various capacities in multiple verticals from retail-manufacturing to government, spanning 50 to 50000 users utilizing all aspects of pure Enterprise Information Management.
Specialties: 20+ years pure IT, 16 years ECM, Livelink, Zylab, SharePoint, FileNet, etc. IT Pro dabbling in Dev, ECM Consultant, Suffering from Technophilia. Technology Architect specializing in Business Productivity Enrichment.