SaaS Security Exposed: 265 Days of Alarming Entra ID Application Discoveries

Over the last seven years, I've spent considerable time in Microsoft 365 Security and Compliance solutions. What has become abundantly evident is that cloud security is not just one thing. We've seen Microsoft mature its security offerings in the cloud. At the same time, industry standards like NIST, CIS, and ISO all adopted cloud computing as the de facto IT standard for most, if not all, companies across the globe. It seems that each week, a new security acronym arrives on the scene - SIEM (Security Information and Event Management), SOAR (Security Orchestration, Automation, and Response), CSPM (Cloud Security Posture Management), ASPM (Application Security Posture Management, SSPM (SaaS Security Posture Management, XDR (Extended Detection and Response). 

In this evolution of cybersecurity, organizations have had to change their traditional perimeter security approach to a decentralized model. This transition has single-handedly changed how the world views IT security. 

Securing data in the cloud introduces a colossal new set of challenges for organizations. Here are just a few cybersecurity challenges with managing your data within cloud platforms:  

Access Management 

Managing who has access to what resources can be complex, especially in enterprise organizations with numerous users and roles. Poor Identity Access Management (IAM) practices can lead to unauthorized access. Privileged account management is also critical, as mismanagement of these accounts can lead to elevated risks if these accounts are compromised.  

The Shared Responsibility Model 

Companies must understand who is responsible for securing what in the cloud and Microsoft has published a diagram that covers shared responsibility in the cloud. Cloud providers and customers share responsibility for some security measures, whereas other measures are the full responsibility of one or the other. A misunderstanding of this division of responsibilities can lead to security gaps. Ensuring vendor security can be another challenge. Do your vendors have robust security measures, and do you regularly assess these practices? Relying on third-party services and software in the cloud creates additional supply chain risk, but it's nearly unavoidable.  

Figure 1: Microsoft's Shared Responsibility Model.

Configuration Management 

Incorrectly configured cloud resources can lead to vulnerabilities, which result in data exposure and other security incidents. With cloud providers like Microsoft constantly introducing new products, features, settings, and portals, it can take time to keep up with the changes and security gaps these changes introduce.  

Be it Microsoft, AWS or Google, one thing remains the same:  

Identity is a top threat vector. 

Hackers are no longer targeting firewalls or networks. Cloud providers have pretty much built infrastructure that manages and thwarts would-be attackers. Providers manage Denial of Service attacks and mitigate brute force attacks. Companies are not as concerned with traditional attack vectors because, for the most part, cloud providers handle that for you. It's become a misnomer of sorts. "We have solutions in the cloud that our provider protects." For the most part, traditional perimeter security is completely ubiquitous to the consumer. 

However, identities are one of the world's most significant compromised attack vectors right now. Just have a look at some of the following statistics:  

• The Verizon Data Breach Investigations Report (DBIR) 2023 indicated 61% of breaches involved credentials.  
• The IBM Cost of a Data Breach Report 2023 reported that stolen or compromised credentials were the most common cause of data breaches, highlighting the critical role of identity in security incidents.  
• Microsoft's Digital Defense Report 2023 cited that 4,000 identity authentication threats are blocked per second.  
• The FBI's Internet Crime Report 2023 states that Business Email Compromise (BEC) accounts for nearly $3 billion in losses.  

Even Microsoft fell prey to hackers with the now famous "Midnight Blizzard" hack announced at the beginning of 2024. In an update this week (7/1/24), Microsoft is contacting enterprise customers potentially affected by the Midnight Blizzard data breach. 

Where does that leave the world of SaaS Security today? 

With new security gaps come new solutions and approaches. Since its launch in the fall of 2023, ENow's AppGov Score and App Governance Accelerator have been deployed by companies worldwide, helping them assess and identify security risks in their Microsoft Entra ID application environments. 

Working side-by-side with global Security MVPs, ENow has taken the message of improving identity and application security in Microsoft Entra ID to the masses, walking customers through concepts and recommended practices and publishing articles like the one I wrote about "The Anatomy of a Cyber Attack" back in February 2024. They believe this community-driven approach and knowledge sharing allow companies to better understand the exposure and risks associated with running applications in the cloud. 

At the same time, ENow has been exposed to what the world looks like from a customer's perspective, and what they have seen in aggregate is startling. The thing is, it's nobody's fault. You can't blame the vendors who build based on industry needs. You can't blame organizations, as we expect them to grow and upskill at an unrealistic pace. You can't blame the partners, as the customers' requests drive their focus.  

My point is that it is what it is. 

Over the last year, we have been delivering webinars/blogs/white papers/eBooks with the single purpose of educating customers, engineers, partners, and consultants across the globe about what they should be:  

1. Thinking about,  
2. Doing and,  
3. Deploying into their environments so that they can approach SaaS security from a cloud-native perspective. 

Over the last ten months, we've had a phenomenal and enlightening journey. We've experienced the weird, the bad, and the wonderful of identity and SaaS application security. Some things have fascinated us; we often ask, "How is that possible?"  

In the end, the only thing that we can do is ensure that as many companies as possible have a continuous view of what the applications in their Entra ID environment are doing, their current risk profile, what it all means, and, most importantly, what they need to do to ensure that their cloud investment is adequately protected. 

So many things have changed in cybersecurity in recent years. Identity Admins must worry about application security. Developers must build applications with security at the forefront of their design. Infrastructure engineers are no longer responsible for the "App," and security analysts have had to up and cross-skill in various approaches to address their SaaS security posture.

Join us for an upcoming webinar: SaaS Security Exposed

The security landscape has changed, and so should your approach to SaaS security posture management. If you're interested in the following, you should register for this month's webinar hosted by ENow: 

• What we've seen over the last year and how we see the identity and application security world 
• Our recommendations for what to do and where to start when it comes to securing Entra ID applications
• Why it is mission critical that you have a concise view into your cloud app stack 

Join me, Sander Berkouwer, and Nicolas Blank on July 10, 2024, at 1 PM ET. We have a ton to discuss on this month's webinar, focusing on 'SaaS Security Exposed: 265 Days of Alarming Entra ID Application Discoveries.' You don't want to miss out on what we've seen.