As enterprises accelerate the adoption of cloud technologies and expand their infrastructures, a glaring oversight is putting their organizations in jeopardy. The culprit? Their own identities.
It’s a staggering reality—according to Verizon’s 2024 Data Breach Investigations Report, 68% of data breaches involved a human element. This isn’t about software vulnerabilities or unpatched servers; it’s about identity assets entrusted to people. Similarly, a CISA report found that 54% of cyber attacks leveraged valid accounts belonging to ex-employees or dormant admin profiles. If these numbers don’t send a chill down your spine, they should. The bottom line is that identities aren’t being properly secured, and as a result, bad actors aren’t breaking in; they’re logging in.
In the fight against cyber threats, identities are both the weapons and the targets. Without vigilant protection and strategic oversight, identities become liabilities—gateways to your crown jewels. And most organizations have 80-90% more liabilities (shadow SaaS) than they realize.
The ease of setting up a Software as a Service (SaaS) subscription and employees’ constant pursuit of greater productivity have fueled the rampant spread of SaaS identity sprawl. It’s alarmingly simple for employees to create accounts on various online services, which often require only a username and password to get started. And to make the situation even more complex, preferences for SaaS tools shift constantly, adding to the sprawl.
Consider:
When employees set up accounts without IT’s knowledge, these accounts often stay active long after the employees have moved on to another SaaS application or left the company entirely. In fact, 31% of employees still have access to accounts from their former employers, highlighting how pervasive the issue is.
Without question, tracking and monitoring employee SaaS behavior can be challenging—especially for unfederated apps. Identity sprawl gives hackers a vast array of entry points, each one tied to a different system or SaaS app. Every identity becomes a target for cybercriminals, who only need to compromise one app or system to get the keys to your entire digital kingdom. Protecting these identities isn’t just important; it’s critical. If you don’t secure them, you should expect that, at some point, they will be compromised—it’s just a matter of time.
Because of the growing reliance on SaaS tools, the identity problem is enormous, and no company is exempt. Many organizations have lulled themselves into a false sense of security, relying on outdated access management systems or CASBs and neglecting to keep pace with the complexities of their growing infrastructures. When identities and dangling account access are left to linger, it’s an open invitation to any opportunistic intruder.
Remember the Midnight Blizzard attack against Microsoft? That incident is a reminder of the danger posed by test accounts that are forgotten and left unprotected.
Or take the Change Healthcare breach, for instance: an older organization using outdated technology, which left a server unprotected. This oversight led to a massive system shutdown and a hefty ransom payment.
The 2024 Verizon Data Breach Report warns of the growing dangers as organizations continue to overlook these glaring vulnerabilities, inviting breaches that could be avoided with the right proactive measures.
CISA, in collaboration with the U.S. Coast Guard, mapped out a typical attack path that cybercriminals might use to infiltrate an organization based on vulnerabilities identified in the FY22 Risk and Vulnerability Assessments (RVAs). This attack path is mapped to and informed by elements of the MITRE ATT&CK framework, showcasing how threat actors exploit known weaknesses. While it doesn’t capture every possible step in an attack, it illustrates the most effective tactics commonly used by skilled cybercriminals to breach networks.
The first step in any successful cyberattack is gaining initial access to an organization’s network. Threat actors often achieve this through tactics such as targeted spear-phishing or exploiting valid accounts, with valid accounts representing 54% of successful attacks in CISA’s analysis. “Valid accounts” can include accounts of former employees not removed from the active directory or default administrator accounts with unchanged passwords.
During execution, threat actors deploy tools to execute malicious code. They use this code to establish backdoors, modify account privileges, and infect multiple devices, allowing them to maintain access and control over the network.
Threat actors often gain initial access through standard user accounts with limited access. They then escalate privileges to explore networks or access sensitive data, ensuring successful exploitation. Many attacks target employees, who can be either unaware users or opportunistic targets, allowing attackers to begin internal activities with basic user access.
Threat actors steal credentials to access internal resources, bypass security measures, and steal critical data. Using legitimate credentials allows them to conceal their activities, create additional accounts, and move through systems unnoticed to achieve their objectives.
During the discovery phase, attackers gather information about a network, its systems, and data. They use various techniques to understand system behavior and identify opportunities for data exfiltration, setting the stage for further exploitation.
Lateral movement involves shifting from one host or user account to another to expand access within a network. After gaining initial access, threat actors move through different accounts and systems to reach specific targets, compromising accounts and navigating through the environment until they access the desired network or data for further attacks.
Once threat actors infiltrate a network, they can collect sensitive data. According to CISA, 33% of successful data access attempts came from network shared drives, often due to misconfigured permissions, while 29% were from local systems, including file systems and databases.
Implementing an effective identity risk management strategy is not without its challenges. Some of the biggest inhibitors include:
1. Shadow SaaS. The greatest danger of shadow SaaS is that it’s unknown and unpredictable. Without awareness of what’s being created outside of IT visibility, enforcing proper security controls becomes challenging, leaving hidden threats unaddressed. This lack of visibility and control transforms shadow SaaS into a significant unmanaged risk for any organization.
2. Manual Processes. Many organizations still rely on manual processes to keep an inventory of the SaaS used in their organizations, an approach fraught with the potential for human error. As an example, a large healthcare provider relied on employees to self-report their use of SaaS applications. However, employees were inconsistent in their reporting, which resulted in an increase in shadow SaaS and an inability to identify SaaS applications for authentication.
3. Machine Identities and Test Accounts. Test accounts and machine identities—service accounts, API tokens, and shared credentials—often exist outside the realm of traditional governance. If stored insecurely or inadequately monitored, these high-privilege identities become low-hanging fruit for cybercriminals seeking easy access to sensitive data—the Microsoft breach of an overlooked non-production test account is a prime example.
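The reconciliation that manual self-reporting fails to deliver, and that catches the ownerless test account described above, can be automated. The following is an added example, not code from the original article or from Grip: it checks a SaaS account inventory against the active HR roster and flags accounts of departed employees, dormant accounts, unfederated accounts, and stale test or service identities. The record fields, the 90-day threshold, and the sample data are all assumptions constructed for illustration.

```python
from datetime import date

# Constructed sample data (assumption): an HR roster of active staff and a
# SaaS account inventory such as a discovery tool or IdP export might provide.
ACTIVE_EMPLOYEES = {"alice@example.com", "bob@example.com"}
ACCOUNTS = [
    {"app": "crm", "login": "alice@example.com", "owner": "alice@example.com",
     "kind": "user", "sso": True, "mfa": True, "last_login": date(2024, 6, 20)},
    {"app": "notes", "login": "carol@example.com", "owner": "carol@example.com",
     "kind": "user", "sso": False, "mfa": False, "last_login": date(2024, 5, 30)},
    {"app": "crm", "login": "bob@example.com", "owner": "bob@example.com",
     "kind": "user", "sso": True, "mfa": True, "last_login": date(2023, 11, 2)},
    {"app": "mail", "login": "test-tenant-admin", "owner": None,
     "kind": "test", "sso": False, "mfa": False, "last_login": date(2022, 1, 15)},
    {"app": "ci", "login": "svc-deploy", "owner": "alice@example.com",
     "kind": "service", "sso": False, "mfa": False, "last_login": date(2024, 6, 29)},
]

DORMANT_DAYS = 90  # assumed policy threshold, not a figure from the article


def audit_account(acct, active, today, dormant_days=DORMANT_DAYS):
    """Return the list of lifecycle findings for one account record."""
    findings = []
    human = acct["kind"] == "user"
    if acct["owner"] is None:
        findings.append("no-owner")          # nobody accountable for revocation
    elif acct["owner"] not in active:
        findings.append("owner-offboarded")  # valid account of a former employee
    if (today - acct["last_login"]).days > dormant_days:
        findings.append("dormant")
    if human and not acct["sso"]:
        findings.append("unfederated")       # IdP offboarding will not reach it
    if human and not acct["mfa"]:
        findings.append("no-mfa")
    if not human and "dormant" in findings:
        findings.append("stale-nonhuman")    # forgotten test or service identity
    return findings


def audit(accounts, active, today):
    """Map (app, login) -> findings, listing only accounts that need action."""
    results = ((a, audit_account(a, active, today)) for a in accounts)
    return {(a["app"], a["login"]): f for a, f in results if f}


if __name__ == "__main__":
    for key, found in audit(ACCOUNTS, ACTIVE_EMPLOYEES, date(2024, 7, 1)).items():
        print(key, found)
```

Run on a schedule against fresh exports, the report becomes the revocation queue: every key it returns is an account that either needs an owner, needs federating, or should be disabled.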
The transition from a tightly controlled IT environment to one where employees can freely adopt technology requires a new approach to protecting SaaS identities—one that reflects how SaaS is acquired and consumed today. SaaS-native organizations must enhance visibility, control, and security compliance across all their applications—including the SaaS initiated outside of IT’s visibility. This is where the SaaS Identity Risk Management (SIRM) framework comes into play, offering a strategic solution to the challenges posed by widespread SaaS adoption.
While traditional security frameworks are inadequate in a decentralized IT landscape and miss the nuances of shadow IT or are difficult to operationalize, the SIRM framework provides a comprehensive means of securing identities and SaaS access, maintaining compliance, and protecting data within a rapidly shifting digital ecosystem. SIRM ensures that organizations can harness the benefits of SaaS while effectively mitigating the associated risks. The foundational elements of a SIRM program include:
Identity Lifecycle Risk Governance: Establish and enforce policies for managing the digital identity lifecycle, including discovering and revoking user access to SaaS applications as necessary.
Access Management: Implement and manage secure access controls such as single sign-on (SSO), multi-factor authentication (MFA), and robotic process automation (RPA) to ensure that only authorized users can access SaaS applications.
Compliance Management: Ensure adherence to relevant regulatory and industry standards, such as HITECH, HIPAA, NIST, SOC2, ISO27001, Gramm-Leach-Bliley Act (GLBA), NYDFS Cybersecurity Regulations, GDPR, and others, particularly concerning securing access to applications and data.
Security Incident Management and Response: Establish comprehensive procedures for detecting, analyzing, and responding to security incidents affecting SaaS applications.
Enterprise Risk Management: Evaluate and control risks posed by a SaaS application to the enterprise, distinct from assessing the risk profile of the SaaS vendor.
The SIRM framework enables organizations to overcome identity sprawl, shadow IT, and identity-related risks by systematically uncovering and managing the risks from SaaS applications. Pioneered by Grip, SIRM is the most comprehensive solution for securing SaaS applications today.
The data is irrefutable: identity-based vulnerabilities are the weak link in modern cybersecurity. As organizations race towards a cloud-first, SaaS-native future, the integrity of identities cannot be an afterthought. CISOs and CIOs must champion a proactive identity-centric security strategy, ensuring that identities empower rather than endanger their organizations. In this digital age, securing identities is not just a defensive maneuver—it’s a strategic advantage. Embrace it, or risk becoming the next cautionary tale in cybersecurity history.
Take the first step in understanding your SaaS identity risks. Grip offers a no-obligation shadow SaaS assessment to give you a complete view of SaaS usage across your enterprise. Every organization has some level of shadow SaaS; uncover the extent of yours and pinpoint your potential risks.