An estimated 44% of cloud user privileges are misconfigured, leaving companies at risk, according to Varonis’s 2021 SaaS Risk Report.

Varonis gathered and analyzed data from over 200,000 cloud identities and hundreds of millions of cloud assets for the report. The report covers key trends, and challenges organizations face when trying to control unsupervised identities and shadow privileges that can put data at risk across a fragmented SaaS & IaaS environment.

Brendan O’Connor, CEO and Co-Founder at AppOmni, says, “The misconfiguration and access problems we see now are not new - we are just now waking up to them. When it comes to SaaS applications, the landscape is far more heterogeneous than the consolidated on-prem technologies organizations may have used in the past. Unlike focusing on just a couple of key technologies, like Windows and Mac, or Android and iPhone, most enterprises use dozens or even hundreds of different SaaS applications. This means that security teams will not be able to specialize in these technologies in the same way.”

Another challenge for security teams is the dynamic nature of cloud and SaaS platforms, says O’Connor. “In addition to standard business updates - like adding or removing users or changing permissions - there are also frequent vendor releases that often include both new functionality and new security settings. The constant change inherent in cloud and SaaS platforms makes them especially vulnerable to configuration drift.”

AppOmni’s research has revealed results similar to Varonis’s data. AppOmni data has shown that more than 95% of businesses have external users that are over-provisioned with access to sensitive data. Additionally, more than 55% of businesses have sensitive data exposed to the anonymous internet. O’Connor adds, “These numbers are unacceptable and should be a red flag to all CISOs and CIOs. As major SaaS platforms like Salesforce, Workday, ServiceNow, and Microsoft 365 evolve and grow in functionality and complexity, businesses should be using automated tools and processes to monitor and manage user permissions and configurations continuously.”

Here are just a few key findings in the Varonis study:

  • Nearly 44% of cloud privileges are misconfigured.
  • 3 out of 4 cloud identities for external contractors remain active after they leave.
  • 3 out of 5 users are shadow admins.
  • 15% of employees transfer business-critical data to their personal cloud accounts.

“This report both underscores the difficulty of managing privilege and identity from a top-down view, built on static perspectives of granted privilege, as well as the challenges faced by IT and Security teams whose mode of operation is an overreliance on preventative hardening in the face of the immense velocity behind cloud adoption,” says Tim Wade, Technical Director, CTO Team at Vectra. “Visibility is the lever that strategic decision-makers need to pull to start reclaiming confidence in the face of risk – not just visibility into how privilege is granted, but the observed privilege of dynamic use, to spot account dormancy, to spot deviations from least privilege, to spot practices that place sensitive data, assets, and services at risk. The takeaway is not that the enterprise needs more centrally managed enforcement; the takeaway is that IT and Security programs need visibility to match the speed and scale at which the business is evolving.

Similarly, Vectra has observed a familiar trend around cloud accounts abusing privilege, Joe Malenfant, Vice President at Vectra, says. “In 2019, 40% of organizations suffered O365 account takeovers, and with the rapid adoption of cloud services during the global pandemic, that number skyrocketed to 71% having seven or more account takeovers in 2020. Based on what we have observed in O365, we have expanded our research to include AWS. Many of the recent ransomware campaigns that have made headlines (and those that have not) are credential-based attacks. That is why it is important to focus on detecting malicious use of legitimate applications and services.”