How unified identity and SSO enable big-time SaaS data heists

No one just walks into a successful heist. Casino robbers set up elaborate ruses involving stolen identities, secret explosives, and replica vaults. Bank thieves don’t ask to enter the vault—they conduct surveillance on bank security processes and research the staff to identify one disgruntled enough to accept a bribe. Even world-renowned spies like Mission Impossible’s Ethan Hunt need to delicately plan a specific order of operations to get things just right…

What makes a heist successful—and the magic that makes their fictional counterparts so fun to watch—isn’t the sheer talent of the burglars or the obliviousness of those protecting the coveted asset. It’s how a heist shifts from one tactic to the next, circling in on the target, until the path is finally clear.

In the cybersecurity sphere, that is a lateral movement.

Lateral movements are nothing new—in their ATT&CK framework, MITRE defines a lateral movement as techniques like “pivoting through multiple systems and accounts” or “[installing] their own remote access tools … or legitimate credentials with native network and operating system tools” to reach their target. They’re difficult to detect, and are often responsible for the most catastrophic instances of exfiltrated IP, ransomware that encrypts businesses into stasis, or “plain ‘ol” loss. Even worse, these “pivots” work just as well on-premises as they do in the cloud, given ambitious threat actors and juicy targets.

And now there is yet another risk to the space between on-premises infrastructure and SaaS providers in the cloud: the storage and management of the employee identity.

The troubles of single sign-on, SaaS, and identity

As organizations transition pieces of their infrastructure to the cloud, they cede control over how employees log-in and experience these new SaaS apps. Instead of maintaining identities and credentials locally on a service like Active Directory (AD), employees now have dozens of username/password pairs they jot down on Post-Its or keep jumbled, with much fatigue and frustration, in their heads.

That is a big problem, as they inevitably reuse the same password everywhere, chain together personal information like kids’ names and birthdays, or create “minimally-viable” passwords like Aa123456 to bypass requirements.

The answer to this SaaS-y sprawl of passwords is single sign-on (SSO), which allows employees to authenticate into any number of SaaS apps with a single set of centrally managed credentials stored with a cloud-based identity provider (IdP). SSO has ended up being a blessing for IT and DevOps teams, as it eliminates password fatigue, gives them more control, and frees them from having to constantly help hapless peers through password resets.

Still, SSO isn’t without its dangers. First, you must abstract credentials to your IdP, which reduces your visibility and more easily allows misconfigurations to creep in without being caught. Second, 67% of organizations sync their on-premises passwords to their cloud IdP using insecure methods according to Silverfort, creating an entirely new attack vector that wouldn’t exist if you didn’t need the security benefits of SSO for other reasons.

Their team writes, “This underground exposure could also provide attackers with direct access to your SaaS environment.” In other words, the connection between your on-premises identity service and cloud-based IdP is the perfect environment for lateral movement.

How threat actors move laterally toward SaaS data

Much like a good movie heist, and no matter the target or architecture threat actors are working with, the process for laying the groundwork and striking is almost always the same.

1. Compromise

First, threat actors look for the first weakness in your outer perimeter, like your people or on-premises infrastructure. They might start by sending phishing emails to your employees to gain a first set of credentials, or skip the process entirely by running malware on target systems to gather information via keylogger. If they recognize that you have an on-premises directory service installation like AD, they might run exploits against it directly, much like lock-picking the bank’s front door.

They have an angle, but the work has just begun.

2. Reconnaissance

Once threat actors can peek inside your organization, they tiptoe around and hoover up as much information as they can. What are they looking for?

• Active and legitimate accounts with administrator-level access they need to get at the true target: your SaaS data.
• More context, found across your on-premises network, as to what other services and systems the account, service, or device they compromised can access.
• Service accounts with high privileges and low levels of monitoring.
• Prolific users, which are standard user accounts with lots of access and less protection than administrator accounts.

3. Credential theft and privilege escalation

The threat actor is ready for their big move—they might have gotten in the bank’s front door after hours, but they still need a way into the vault.

In the case of laterally moving toward SaaS data, they have a few powerful options. They can send internal spear phishing messages to trick administrators into giving them higher privileges—even temporary ones—to perform a specific task. They might even reconfigure an existing service account to assign access privileges to one or more SaaS apps under your SSO umbrella.

Either way, getting into the systems you use to manage identity and credentials on-premises is more than enough for the last phase of their attack.

4. Access your SaaS data! 💀

With identity and credentials in hand, the threat actor has everything they need—not just to access a single SaaS platform, but everything you’ve conveniently tied together with SSO. The convenience you established for your IT and DevOps team also becomes convenience for the threat actor.

What lateral movement angles should you be most aware of?

In the roadmap above, we mentioned two types of accounts often found on on-premises identity and access solutions like AD, which create significant risk to your SaaS data.

• Service accounts: These accounts, which perform automated machine-to-machine (M2M) communications, typically have high privilege access to perform their automation but often fly under the radar of administrators tasked with monitoring identity and access. According to Silverfort, small companies have as many service accounts as user accounts, creating ample opportunities for threat actors. Even scarier: a whitepaper from Osterman Research found that a mere 5.7% of organizations have full visibility into their service accounts, and only 22% can prevent malicious access.
  
• Prolific users: For one reason or another, these accounts have access to far more than they should, making them perfect targets for lateral attacks. Since they’re not full-on admins, IT and security teams give them less scrutiny, which means they operate under the radar—both in normal usage, and under the thumb of a threat actor. According to Silverfort, the ratio of prolific accounts rises steadily with your organization’s size, since they are tied to misconfigurations, lack of visibility, and an accumulation of poor administrative decisions.

Even sophisticated organizations lack the monitoring and security systems required to adequately protect these accounts from laterally-ambitious threat actors—much like trying to protect a bank from being robbed, installing the most advanced security system in the world only matters if you remember to lock the doors when you leave for the night.

Real-world examples based on lateral movement and identity

Speaking of sophisticated (or at least large) organizations that fell victim to lateral movement—if you’re curious about the implications and impact of abusing an identity, here are a few costly examples:

• SolarWinds hack explained: Everything you need to know
• Target Settles 2013 Hacked Customer Data Breach For $18.5 Million
• WannaCry ransomware attack

Why you still need centralized identity for your mission-critical SaaS

If your response to learning about lateral movements through identity is that you should batten down the hatches and ditch SaaS altogether, now is a good time to take a deep breath. Despite all the risks to SSO and your many SaaS instances, they are still a net win for a few good reasons:

1. SaaS makes your employees more productive, especially in hybrid or remote workplaces, and lessens the burden on IT teams who would otherwise carry the responsibility of setting up employee devices, maintaining VPNs, and connecting to remote desktops for technical support.
   
2. SSO creates a dramatically better log-in experience for your employees while simplifying the operational burden of protecting these valuable credentials.
   
3. Your people are still your no. 1 threat, and better identity management is a fantastic mitigation step you can take by simplifying your path to SSO, hardware-based keys, and more. They’re also an easy path toward multi-factor authentication (MFA), which is a powerful step toward protecting lateral movements—as long as you don’t use SMS codes! Twilio just announced that 33 million phone numbers were stolen from their Authy tool, which means threat actors can more easily attack individuals with social engineering for SIM swaps.
   
4. Centralized user and permissions can help you identify troublesome accounts and take corrective action, like eliminating shadow admins, removing the extraneous privileges associated with prolific users. Configuring permissions once helps prevent leaked tokens, and hooks you into not just SSO capabilities, but also helps you better implement zero-trust security, which requires that all requests for data or access are authorized and authenticated.
   
5. Despite the risks mentioned above, service accounts simplify how you manage SaaS accounts by not relying on an individual employee—and their associated email address—to authenticate with the service. You can link multiple people (we recommend three or more!) to a single service account, then regularly audit it, to prevent two dangerous situations: first, a broken authentication link between your company and a service you rely on; and second, a clear path for threat actors.
   
6. You can still mitigate many of the critical concerns around service accounts, prolific users, and other common places where threat actors make their first compromise and then move laterally just by creating processes for IT and identity hygiene. Make sure you audit these accounts to remove excessive privileges and remove idle accounts entirely to prevent a threat actor from commandeering them.

What’s next?

The best way to empower your people to make these big changes around managing and protecting identity is to know you protected your organization from data loss or corruption. You’re suddenly free to take action when you have a reliable restore point based on your last working configuration.

The same idea applies once you’ve brought better identity protection into working practice. If a regular cleanup process goes awry or you’re facing an active threat trying to laterally move off your AD instance, you can remediate with more gusto. You don’t have to worry about your mission-critical SaaS data getting caught in the proverbial cross-fire if you know it’s safely held elsewhere…

Like Rewind. For more than nine years we’ve been helping modern organizations with on-demand backups and restores for popular SaaS apps, like Shopify, Mailchimp, GitHub, QuickBooks, and Trello. Now, we’re adding that same functionality to the cloud-based identity providers you rely on for SSO-ifying your SaaS:

• Join the waitlist for Microsoft Entra ID.
• Claim your spot in early access for Okta.

And while you’re waiting for those, make sure to subscribe to Retro—your monthly data news retrospective.