Software as a service, or SaaS, is continuing to change the way companies do business. There was a time when all of your data lived in silos on individual systems, and your ERP system was running on a stack of 1U servers in your data center. This meant all your data was contained within on-premise walls. However, SaaS has changed that process. While SaaS-native applications offer huge efficiencies for companies in terms of cost and scalability, does it come at the expense of data exposure?
For example, ERP systems are now connected to online expense accounts and reimbursement updates are done in real time. This integration accounts for a significant boost in productivity. In fact, the ease of account management alone is a huge help to security.
As you probably know, many apps use your hosted G-Suite account as a single sign on service. Many cloud services now allow users to use G-Suite accounts to register for new services like cloud native support ticket systems. Similarly, sites like LinkedIn allow you to apply to jobs using your profile as a linked application. While this makes actions like signing up, applying, and so on easier, it’s important to consider the data you’re offering up. Some of these apps are much more invasive than you could ever imagine. Today, we’ll look at two specific access examples. The first wants access to add and delete users in your domain, and the second requests access to post as you on LinkedIn.
Recently, I went to sign up for a Zendesk account. For those not familiar with Zendesk, it is a SaaS support ticket system. I was shocked by the access the application required from my G-Suite credentials:
Access to view some of these pieces of information, I completely understand. But in this case, the application wants the ability to view, create, update and delete the users on your domain. Why does a help desk app need permission to access and manage all of this?
I contacted Zendesk support and they replied with a link to their FAQ:
Really, you want to manage our DKIM and SPF records? This CISO is not a fan.
Apply With LinkedIn
Similarly, if you have applied for a job in the last few years, you have probably seen a box that says “Apply with your LinkedIn profile”. Usually this is innocuous; it simply wants your headline, job titles, etc.:
However, some require a little more:
If you can believe it, some go even further, asking for access to view your feed and even to post on your behalf! I think we can all agree that this is a step too far simply to apply for a job.
These are just two examples that highlight the need to check the permissions of connected apps, and to understand exactly what each requirement means from a security perspective. These overreaching permissions are an example of 3rd party risk that should be unacceptable to most organizations. As always if you have any questions feel free to email me at firstname.lastname@example.org.
Facing growing threats and a rapidly expanding attack surface, understaffed and alert-fatigued organizations need more efficient ways to eliminate their exposure to vulnerabilities. Automox is a modern cyber hygiene platform that closes the aperture of attack by more than 80% with just half the effort of traditional solutions.
Cloud-native and globally available, Automox enforces OS & third-party patch management, security configurations, and custom scripting across Windows, Mac, and Linux from a single intuitive console. IT and SecOps can quickly gain control and share visibility of on-prem, remote and virtual endpoints without the need to deploy costly infrastructure.
Experience modern, cloud-native patch management today with a 15-day free trial of Automox and start recapturing more than half the time you're currently spending on managing your attack surface. Automox dramatically reduces corporate risk while raising operational efficiency to deliver best-in-class security outcomes, faster and with fewer resources.