Software as a Service (SaaS) platforms allow enterprises to outsource many of today’s administrative demands. A SaaS platform can provide customer relations tools for sales and marketing staff, tax tools for the financial team, and the very foundation of a development process.
Now that AI tools have joined the fray, the sheer quantity of corporate information being handled by external companies and the processes by which that information is retrieved from internal networks represent a key threat to data security.
SaaS is any software that is managed and delivered by an external organization: the customer pays on a per-usage basis through a software license and, in return, is granted access to the software.
Because this software is managed remotely, all the organization needs is money, a compatible device, and an internet connection.
While SaaS offers convenience, it also raises significant security concerns:
Due to the sensitive nature of SaaS data processing, organizations increasingly demand proof of strong security measures from their providers. One key certification is ISO 27001, which verifies that a SaaS provider’s security controls can identify and mitigate risks such as:
As businesses continue to integrate SaaS into their operations, understanding these risks and verifying a provider’s security posture is essential for protecting sensitive data and maintaining compliance.
Because SaaS providers store enterprise data on their servers, the data is subject to the providers’ own data protection controls. These controls are often too lax – so much so that entire Advanced Persistent Threat (APT) groups have earned their reputations by stealing from SaaS providers’ databases.
UNC3944 – also known as Scattered Spider – is one of these APTs. UNC3944 uses social engineering attacks aimed at SaaS providers’ help desks:
This often proves enough to fool the SaaS provider’s systems into mistaking them for the real customer.
They then test what protections the customer has placed around their SaaS environments, and start exfiltrating data from those left lacking. In earlier attacks, Scattered Spider deployed ransomware – they have since started skipping this step and going straight to exfiltration.
Most SaaS providers boast the ability to simply plug-and-play – to easily and quickly begin moving data from an organization’s own network(s). This is facilitated by Application Programming Interfaces (APIs). To differentiate the forms that enterprise data can take, consider its two categories:
The former describes how data is transmitted – which is where APIs come into play. Allowing different applications to share data often relies on the apps’ APIs – and once a user is authenticated on one application, it would be a significant drain to re-enter login details every time an app accesses data from another app via its API.
The answer is OAuth.
OAuth allows one application to act with another app’s credentials on the user’s behalf. However, if the API is not well protected, it’s possible for an attacker to intercept and steal the authentication token. This would allow an attacker to access the corresponding database, just as if they had stolen a username/password combination.
And because these APIs are managed by the SaaS provider, it can be difficult to determine their security from a client’s perspective.
It’s not just data at rest that can be mishandled: whenever an API retrieves information from a database and delivers it to a destination service, gaps can arise. Broken object property-level authorization is a very common risk: an API returns more properties of an object than the caller is entitled to, unwittingly ‘leaking’ data about the organization’s underlying architecture.
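As an added illustration of the property-level authorization gap just described (example code written for this article, not part of any Check Point product or a real SaaS API): the vulnerable handler serialises an internal record wholesale, so architecture details and a backend credential ride along in the response; the hardened handler returns only a per-role allow-list. All record fields, role names and values are constructed for the example.

```python
"""Property-level authorization for an API response (added example).

Constructed scenario: a SaaS-style "customer" endpoint backed by an internal
record. The vulnerable handler serialises the whole record and so leaks
properties describing the provider's own architecture; the hardened handler
returns only an explicit per-role allow-list. All names and values are
invented for illustration.
"""
from dataclasses import dataclass, asdict


@dataclass
class CustomerRecord:
    # Properties a customer legitimately needs to see
    customer_id: str
    name: str
    email: str
    plan: str
    # Properties that describe the platform's internals and must never
    # cross the API boundary to a customer
    db_shard: str          # which database shard the tenant lives on
    storage_bucket: str    # backing object-storage bucket
    internal_api_key: str  # credential used by backend jobs
    support_notes: str     # free text meant for provider support staff only


# Properties that reveal architecture or credentials (never returned to anyone).
ARCHITECTURE_FIELDS = frozenset({"db_shard", "storage_bucket", "internal_api_key"})

# Explicit allow-list of properties each caller role may receive.
FIELDS_BY_ROLE = {
    "customer": ("customer_id", "name", "email", "plan"),
    "support": ("customer_id", "name", "email", "plan", "support_notes"),
}

# Constructed sample record (all values are invented placeholders).
SAMPLE_RECORD = CustomerRecord(
    customer_id="cust-001",
    name="Example Corp",
    email="admin@example.com",
    plan="enterprise",
    db_shard="pg-shard-07",
    storage_bucket="tenant-data-bucket-eu",
    internal_api_key="ik_EXAMPLE_PLACEHOLDER",
    support_notes="Escalated ticket 4521",
)


def vulnerable_get_customer(record: CustomerRecord) -> dict:
    """Broken object property-level authorization: the handler trusts the
    serializer and returns every attribute of the internal object."""
    return asdict(record)


def hardened_get_customer(record: CustomerRecord, role: str) -> dict:
    """Return only the properties the caller's role is entitled to.

    Unknown roles are rejected rather than defaulting to 'everything'."""
    allowed = FIELDS_BY_ROLE.get(role)
    if allowed is None:
        raise PermissionError(f"no property allow-list for role {role!r}")
    data = asdict(record)
    return {field: data[field] for field in allowed}


def leaked_architecture_fields(response: dict) -> set:
    """Contract check for tests or response monitoring: which
    architecture/credential properties escaped in this response?"""
    return ARCHITECTURE_FIELDS & set(response)
```

The allow-list is deliberately a positive list of fields per role rather than a deny-list of sensitive ones: a new internal field added to the record later stays hidden by default, which is the failure mode a deny-list would miss. The `leaked_architecture_fields` check is the kind of assertion a client can run against any API response it receives, provider-managed or not.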
Training generative AI models involves exposing them to vast amounts of data, enabling them to identify patterns and trends relevant to their intended applications. For effective training, the data should accurately reflect the specific use cases the model is designed to support.
However, if the training data contains sensitive information, such as personally identifiable information (PII), the model may inadvertently retain and disclose this data in its outputs, exposing it to unauthorized users.
Testing this is even harder – large language models (LLMs) can generate varying outputs for the same input, making them far less predictable than traditional software. While this fosters creativity and diverse content generation, it also makes testing for consistent outputs difficult.
As a result, GenAI models can unintentionally leak sensitive information during outputs, compromising any confidential information they’re trained on.
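The two mitigations implied by the preceding paragraphs are scrubbing PII out of the training corpus before it reaches the model, and testing for leakage by sampling many outputs rather than one. The following is an added example of both, written for this article and not taken from any real product; the regular expressions are constructed and only cover simple e-mail, US-style phone and US SSN formats, and the training records and "model outputs" are invented stand-ins.

```python
"""PII scrubbing for GenAI training data and leakage checks on sampled
outputs (added example, not from the article).

Assumptions: the patterns below are constructed for illustration and cover
only simple e-mail, US-style phone and US SSN formats; a production scrubber
would use a maintained PII detector and locale-specific rules.
"""
import re
from collections import Counter

# Constructed detection patterns. Order matters: an SSN is rewritten before
# the phone pattern runs so the two never compete for the same digits.
PII_PATTERNS = {
    "email": re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"),
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"(?<!\w)(?:\+1[ -]?)?\(?\d{3}\)?[ -]?\d{3}-\d{4}\b"),
}

# Constructed training records, as they might be pulled from a SaaS helpdesk
# or HR tool before fine-tuning (all values invented).
SAMPLE_RECORDS = [
    "Ticket 101: customer jane.doe@example.com reports login failures.",
    "Call back at (555) 123-4567 regarding invoice 778.",
    "HR note: employee SSN 123-45-6789 updated in payroll.",
    "Release notes: v2.3 adds SSO support.",
]


def redact_pii(text: str):
    """Replace each PII match with a typed placeholder; return the redacted
    text and a per-type count of what was removed."""
    counts = Counter()
    for label, pattern in PII_PATTERNS.items():
        text, n = pattern.subn(f"[{label.upper()}]", text)
        if n:
            counts[label] += n
    return text, dict(counts)


def redact_corpus(records):
    """Scrub a whole training corpus and total the redaction counts, which
    doubles as an audit trail of how much PII the source data carried."""
    cleaned, total = [], Counter()
    for record in records:
        text, counts = redact_pii(record)
        cleaned.append(text)
        total.update(counts)
    return cleaned, dict(total)


def scan_outputs_for_pii(outputs):
    """Leakage check for a non-deterministic model: because the same prompt
    can yield different completions, sample many outputs and search every
    one of them for PII patterns rather than asserting on a single answer."""
    findings = []
    for idx, text in enumerate(outputs):
        for label, pattern in PII_PATTERNS.items():
            for match in pattern.finditer(text):
                findings.append((idx, label, match.group(0)))
    return findings


def leak_rate(outputs) -> float:
    """Fraction of sampled outputs that contained at least one PII match."""
    if not outputs:
        return 0.0
    leaky = {idx for idx, _, _ in scan_outputs_for_pii(outputs)}
    return len(leaky) / len(outputs)


# Constructed stand-in for completions sampled from a fine-tuned model.
SAMPLE_OUTPUTS = [
    "The SSO rollout is planned for the next release.",
    "For that ticket, contact jane.doe@example.com directly.",
    "No phone number is on file for that account.",
]
```

`leak_rate` is the statistic worth tracking over repeated sampling runs: a single clean completion proves little for a model that varies its output, whereas a leak rate that stays at zero across hundreds of samples of the same prompts is evidence that the scrubbing held.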
A blanket ban of SaaS integration would risk compromising an organization’s innovation – and drastically increase the cost of development.
To balance the risk against SaaS’ rewards, organizations need to secure the entire data pipeline.
The number of SaaS applications – and the corresponding variety of API plugins – makes keeping track of every API’s permissions and data handling processes almost impossible.
The answer to this is a security approach that discovers and tracks every asset and connected API, which involves:
Automated tools are able to track what APIs access which data, therefore giving you full visibility into the data pathways your organization relies on.
Most organizations spend considerable time and energy securing their own networks. The foundation of security visibility is logs – small records that are generated whenever a network device or application does anything. They’re typically fed into Security Information and Event Management (SIEM) tools to monitor the real-time actions of network-connected devices and users.
Other internal security tools – like firewalls – also keep ongoing logs of the allow and deny decisions they make. All logs represent valuable security data – and given the extended nature of today’s SaaS applications – it’s vital that this visibility extends into the databases you’re renting from each SaaS provider.
Rather than managing logs in multiple dashboards, organizations should adopt centralized log management to:
SaaS applications rely on tight integration with an organization’s wider data ecosystem.
While this could be seen as risky, it also represents a great use case for machine-learning-based protection. Because SaaS applications generate logs upon every single API call and transfer process, machine learning is uniquely well-positioned to ingest all of this access and handling metadata, and transform it into usable analytics.
All parameters can now be tracked:
Over time, this application behavior is tracked and a baseline of normal behavior is created (sometimes this is expedited by the ingestion of historical logs, allowing for a new security solution to begin identifying behavioral abnormalities immediately).
It’s not just individual applications’ behaviors that can be monitored for abnormalities – user accounts can also benefit from it. If an account suddenly exhibits unusual behavior, such as logging in from an unfamiliar location or performing high-risk actions, behavioral analysis can trigger alerts or enforce additional security.
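An added example of the baseline-and-deviation idea from the preceding paragraphs, written for this article rather than taken from any product: per-call API logs are first ingested from a historical batch to seed a per-user baseline (the shortcut mentioned above), and new events are then scored for an unfamiliar location, an API the user has never called, and a transfer far larger than the user's norm. The log format, field names, users and values are all constructed, and the "bulk" threshold is a simple multiple of the user's mean rather than a trained model.

```python
"""Behavioural baseline over SaaS API access logs (added example).

Constructed scenario: the log lines below stand in for the per-call records a
SaaS platform emits. A baseline of normal behaviour per user is built from a
historical batch first (the "ingest historical logs" shortcut), then new
events are scored against it. Field names, users and values are invented.
"""
import json
from statistics import mean

# Constructed historical API-call logs used to seed the baseline.
HISTORICAL_LOGS = [
    '{"ts":"2024-05-01T09:02:11Z","user":"alice","api":"crm.contacts.read","country":"GB","bytes":2000}',
    '{"ts":"2024-05-01T09:15:40Z","user":"alice","api":"crm.contacts.read","country":"GB","bytes":2500}',
    '{"ts":"2024-05-02T10:01:03Z","user":"alice","api":"crm.deals.read","country":"GB","bytes":1800}',
    '{"ts":"2024-05-01T14:20:55Z","user":"bob","api":"hr.payroll.read","country":"US","bytes":4000}',
    '{"ts":"2024-05-02T14:22:10Z","user":"bob","api":"hr.payroll.read","country":"US","bytes":3600}',
]

# Constructed new events to score against the baseline.
NEW_EVENTS = [
    '{"ts":"2024-05-03T09:05:00Z","user":"alice","api":"crm.contacts.read","country":"GB","bytes":2100}',
    '{"ts":"2024-05-03T02:41:17Z","user":"alice","api":"crm.contacts.export","country":"RO","bytes":60000}',
    '{"ts":"2024-05-03T14:19:30Z","user":"bob","api":"hr.payroll.read","country":"US","bytes":3900}',
    '{"ts":"2024-05-03T15:00:00Z","user":"mallory","api":"crm.contacts.read","country":"US","bytes":1500}',
]

BULK_FACTOR = 5.0  # a transfer above this multiple of the user's mean is "bulk"


def parse_logs(lines):
    """Each line is one JSON object; malformed lines are skipped rather than
    aborting the whole batch."""
    events = []
    for line in lines:
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def build_baseline(events):
    """Per user: the countries and APIs seen so far and the sizes of past calls."""
    baseline = {}
    for e in events:
        b = baseline.setdefault(e["user"], {"countries": set(), "apis": set(), "bytes": []})
        b["countries"].add(e["country"])
        b["apis"].add(e["api"])
        b["bytes"].append(e["bytes"])
    return baseline


def score_event(event, baseline, bulk_factor=BULK_FACTOR):
    """Return the list of reasons this event deviates from the user's baseline
    (an empty list means the call looks normal)."""
    b = baseline.get(event["user"])
    if b is None:
        return ["unknown_user"]
    reasons = []
    if event["country"] not in b["countries"]:
        reasons.append("unfamiliar_location")
    if event["api"] not in b["apis"]:
        reasons.append("new_api_for_user")
    if event["bytes"] > bulk_factor * mean(b["bytes"]):
        reasons.append("bulk_transfer")
    return reasons


def detect(history_lines, new_lines):
    """Seed the baseline from history, then emit (ts, user, reasons) alerts
    for every new event with at least one deviation."""
    baseline = build_baseline(parse_logs(history_lines))
    alerts = []
    for e in parse_logs(new_lines):
        reasons = score_event(e, baseline)
        if reasons:
            alerts.append((e["ts"], e["user"], reasons))
    return alerts


if __name__ == "__main__":
    for alert in detect(HISTORICAL_LOGS, NEW_EVENTS):
        print(alert)
```

In this run, alice's routine read from her usual country produces no alert, while the same account exporting thirty times her normal volume through an API she has never used, from a country she has never logged in from, accumulates three independent reasons; an account with no history at all is flagged simply for being unknown. Stacking reasons per event, rather than emitting one alert per rule, is what lets a SIEM rank the export above the merely unfamiliar.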
App and SaaS users’ behaviors aren’t the only things that greatly benefit from automation.
The security of SaaS tools’ code is the core product that a SaaS customer is paying for; this code is managed by the provider, whose DevOps teams work on maintaining it and removing bugs and flaws. These fixes are implemented via patches, which almost always need to be installed as quickly as possible.
Failure to apply patches promptly can leave systems exposed to known exploits. Because of the quantity of SaaS applications that most organizations use, installing new patches can quickly fall behind.
Proper patch management should use automation that checks for available updates, and prioritizes them.
Check Point’s SASE focuses on securing the entire data pipeline regardless of where that data is generated and stored. Harmony SaaS takes an ecosystem-wide approach to SaaS risk, mapping the full extent of your applications and APIs’ interactions from a single central console.
Our product dramatically increases your security teams’ performance thanks to its visibility into all connected cloud services, allowing IT teams to universally enforce policies that prevent data leakage – even for GenAI. Once application activity is discovered and mapped, IT and security teams are able to remediate SaaS security misconfigurations with a single click.
Install in just a few clicks, gain rapid insight, and remediate gaps right from the console. Explore Check Point’s SASE with a demo today and start securing your SaaS ecosystem.