Securing SaaS

Obsidian Security recently discussed the complexity of enforcing Single Sign-On (SSO) within Salesforce and frequently encountering misconfigurations. Notably, 60% of Obsidian’s customers initially have local access without Multi-Factor Authentication (MFA) configured for Salesforce, highlighting a significant security gap that Obsidian diligently works to secure. Securing SaaS.

Thank you for reading this post, don't forget to subscribe!

The Hidden Vulnerability

Application owners who manage Salesforce daily often remain unaware of this misconfiguration. Despite their deep knowledge of Salesforce management, local access without MFA presents an overlooked vulnerability. This situation raises concerns about the security of other SaaS applications, especially those without developed expertise or knowledge. If you have concerns about your configuration, Tectonic can help.

Attacker Focus and Trends

Attackers have historically targeted the Identity Provider (IdP) space, focusing on providers like Okta, Microsoft Entra, and Ping. This strategy offers maximal impact, as compromising an IdP grants broad access across multiple applications. Developing expertise to breach a few IdPs is more efficient than learning the diverse local access pathways of numerous SaaS vendors.

Over the past 12 months, nearly 100% of the breaches that required Obsidian’s intervention through CrowdStrike or other incident response partners were IdP-focused. Notably, 70% of these breaches involved subverting MFA, often through methods like SIM swapping. In instances where local access bypasses the IdP, 95% of the time it lacks MFA.

Recent discussions around Snowflake have brought attention to “shadow authentication,” defined as unsanctioned means to authenticate a user within an application. Obsidian Security has observed an increase in brute force attacks against SaaS applications via local access pathways over the last two weeks, indicating a growing awareness of this attack vector.

Future Expectations

Attackers continually seek easy and efficient pathways. Over the next 12 months, local access or shadow authentication is expected to become a major attack vector. Organizations must proactively secure these pathways as attackers shift their focus.

What You Can Do

Discover SaaS Applications: Establish a program to discover SaaS applications, especially those containing sensitive data or integrating with applications holding sensitive data.
Evaluate and Secure: Decide whether to eliminate or integrate these applications into your IdP. If retained, ensure that SSO and MFA are enforced for the majority of users. Document the reasons for any accounts that do not align with the policies, and provide additional monitoring for these high-risk accounts.

How Obsidian Helps

Salesforce Security partners offers robust solutions to address these challenges:

Discovery: Utilizing a browser extension, email header scanning, and OAuth integration to detect SaaS applications early in their lifecycle.
Monitoring: A patented browser extension monitors when users access applications locally, bypassing the IdP.
Prevention: Early detection enables identifying and blocking potential attack pathways before exploitation. This includes locking down local access and adding layers of data governance and application hardening.

By leveraging partner capabilities, organizations can enhance their security posture, protecting against evolving threats targeting local access and shadow authentication.

The post “The Growing Importance of Securing Local Access in SaaS Applications” appeared first on Obsidian Security.