Right Sizing Permissions Across the SaaS Stack

Arye Zacks, Sr. Technical Content Specialist

Overpermissioning is one of the seven deadly SaaS sins. It paves a path straight to data leakage and catastrophic data breaches, and unnecessarily stretches resources that would be better served addressing other cyber threats.

This phenomenon happens for any number of reasons. Some admins decide to grant users all access so they aren’t bothered by future requests to increase access or to ensure productivity isn’t disrupted because a team member can’t access a key resource. In other cases, admins create multiple high-privilege accounts within their team to ensure access if the regular admin is OOO.

To truly secure SaaS data, organizations need to right-size their permissions, and develop a policy that follows the principle of least privilege.

What is the Principle of Least Privilege?

When you consider that every user account makes up the perimeter of the app’s security fence, limiting access to individual accounts makes a lot of sense. Should high-privileged account credentials be compromised, the results could be disastrous.

A skilled threat actor that accesses a high-privilege account can move laterally through the application to accomplish its nefarious agenda.

The principle of least privilege maintains that users should only have access to the data, resources, and applications required to do their job. By right-sizing permission levels to the needs of the user, organizations limit their single points of exposure. Threat actors are limited to the permissions of the compromised account.

Right-Sizing Permissions

Customizing permission sets that match the needs of employees is not always easy. While almost all SaaS applications offer some form of role-based access control, these settings should be fine-tuned through the application’s configurations to meet the precise needs of the organization.

Roles should be defined for each application, making it easy for SaaS admins to assign the right level of access for each employee that uses the app.

Administrators also must be mindful of privilege creep. This takes place when employees are granted increased permissions while a co-worker is away or while working on a specific project, and then forgotten about.

Another common occurrence of privilege creep happens in Salesforce. When users are unable to access a specific file, they often fill out a ticket requesting access to the information they need. There are hundreds of different settings controlling access within that application. When administrators are unsure which configuration needs to change to provide access, they often grant the user View All Data rights. This high level of access is far greater than that which the user needs, and unnecessarily puts the company’s data at risk. Unfortunately, this type of overpermissioning is rarely closed.

Too Many Admins Means Trouble

When SaaS applications have too many admins, it becomes nearly impossible to maintain control over the application. Anyone with admin access can change settings to meet their needs at the moment, without realizing the implication of their actions.

Most admins are business users focused on getting the most value out of the application, or at least, focused on getting the job done quickly. If they feel that MFA is slowing down productivity, or want to share files with “Anyone with Link,” they have the means to make those changes.

While their intentions may be good, the consequences of removing MFA or allowing anyone to download a file can lead to serious issues, including data leakage or SaaS ransomware. The importance of right-sizing permissions and limiting the number of admins simply cannot be overstated.

Mitigating Risks

SSPMs play an important role in right-sizing permissions. They identify high-permission users, and can alert security teams when the number of users with high permissions crosses a specific threshold.

Many SSPMs contain user inventories, which provide all the user data security teams need to help design right-sizing policies. While SSPMs are not Identity and Access Management (IAM) tools and shouldn’t be used as a replacement for them, they do provide governance over IAM solutions, ensuring that they are functioning as designed.

These automated tools help ensure that users aren’t overpermissioned, and maintain the overall safety of the data within the SaaS stack

About the writer

Arye Zacks, Sr. Technical Content Specialist

Arye takes complicated concepts and makes them easy to understand. A gifted storyteller with a marketing background dating back to the 90s, he knows how to engage readers with stories that address the challenges they face. Oh, and he is beloved for his skills on the grill and smoker.