Delinea, a leading provider of solutions that extend Privileged Access Management, acquires Authomize.

Authomize Blog

Bank Insider Steals and Destroys Data After Firing

This blog explores the dangers of not managing departing employees’ access properly. A former cloud engineer caused significant damage to his former employer after being fired. We discuss how organizations can avoid such incidents by ensuring smooth offboarding processes, reducing excessive access, and using continuous monitoring to detect and prevent insider threats.

08/01/2024 • Gabriel Avner


5 Must Have Elements for Cloud Infrastructure Entitlement Management (CIEM)

In this blog, we lay out some of the core features you should look for in a CIEM solution, along with a couple of helpful questions to consider in your search.

01/11/2023 • Gabriel Avner


3 Lessons Learned from Attacks on Okta Super Admins

Discover the latest Okta security incident, learn about identity federation abuse, and find out how to protect your Okta environment. Explore the risks and solutions.

06/09/2023 • Gabriel Avner


5 Security Leaders Weigh in on Securing Identity and Access in 2023

Security leaders discuss the challenges and priorities for identity and access security in 2023, including the transition to the cloud, the need for visibility and control over identities…

20/12/2022 • Gabriel Avner


Tackling the Rise of Insider Threat Risk After the Great Resignation

Earlier this month, the team over at security firm Kroll released its “Q3 Threat Landscape: Insider Threat the Trojan Horse of 2022” report on the rise in insider threat…

30/11/2022 • Gabriel Avner


Authomize is the ITDR Platform

Authomize announced today that we are the Identity Threat Detection and Response (ITDR) Platform. If you missed our Press Release on the announcement, take a moment to check it out…

15/11/2022 • Gabriel Avner


Integrating Authomize ITDR with Microsoft Sentinel SIEM

In response to the expanding threat surface facing identities, interoperability between identity and access management (IAM) and security operations is now understood to be a must for organizations in defending their cloud environments…

08/11/2022 • Steven Riley


3 Steps to Take to Get Started with Identity Threat Detection and Response (ITDR)

Following the new Gartner research report around Identity Threat Detection and Response (ITDR) we suggest 3 steps that help organizations get started with protecting their IAM layer from identity threats.

24/10/2022 • Maya Malevich


Third-Party Access Risks Explained

Attackers are going after third-party contractors, using their legitimate access to the targets and exploiting security gaps to break in and make off with their ill-gotten goods. But what is it about the way that organizations manage and interact with contractors that makes these third-party players such a risk? 

19/10/2022 • Gabriel Avner


Lessons Learned from Twitter Security Disclosures

In January, Twitter confused the security world by firing their head of security Peiter Zatko — or as he is more commonly known in security circles, Mudge. The severing of ties came without much of an explanation. Until recently.

29/09/2022 • Gabriel Avner


3 Tips for Mitigating the Uber Hack

Rideshare giant Uber found themselves in the headlines yet again last week when news leaked out that they had been hacked. This is not the first time the company has found itself in the headlines for being hacked or for controversy. Based on reporting — much of it coming from the claims of the person […]

19/09/2022 • Gabriel Avner


A Graph is Worth a Thousand Investigations: Authomize’s Graph Explorer Enables Unparalleled Access Visibility and Control

We here at Authomize have released an updated Access Explorer that gives security teams the highly detailed view of access to their assets that makes it easy to investigate and resolve incidents.

13/09/2022 • Yuval Inchi


Save $150,000+ and 3000+ Working Hours per Month with Authomize’s Automated Access Reviews*

Access Review campaigns don’t have to be drawn out and complicated. Deployed and configured in just a few hours, Authomize’s centralized platform will make sure you’re ready for your next…

08/09/2022 • Gabriel Avner


Securing Your Software Supply Chain from Access Privilege Risks

The hacking of SolarWinds continues to reverberate, serving as a wakeup call for organizations to take stronger steps to secure identity and access when it comes to their software supply chains.

15/08/2022 • Ariel Zaretsky


3 Trends from Verizon’s 2022 Data Breach Investigations Report

The Verizon Data Breach Investigations Report is essentially infosec’s report card. 

23/06/2022 • Gabriel Avner


AWS is Under Threat from Unused Privileges

Amazon Web Services (AWS) provides the backbone infrastructure for many organizations, making it a vital resource that needs to be protected. Sprawling across a wide range of apps and services, AWS is home to large swathes of an organization’s data and operations.

09/05/2022 • Gabriel Avner


How Authomize Addresses Gartner’s Security Trends for 2022

For the better part of the past ten years, organizations have been speaking about how moving their business to the cloud was a core part of their roadmap. 

28/04/2022 • Gabriel Avner


Okta Breach Mitigation and Updates

According to reports, authentication and Identity and Access Management (IAM) solutions provider Okta was breached by the Lapsus$ hacking group…

22/03/2022 • Gabriel Avner


3 Steps for Avoiding Unintentional Exposure

Being the subject of any data leak can leave you feeling a little bit naked, having your private information exposed for all to see.

28/11/2021 • Gabriel Avner


Data Security is Physical Security

Online streaming platform Twitch was hacked last week and the memes were fantastic. In case you missed it, a hacker reportedly stole 125 GB of valuable data from the Amazon-owned streaming service.

14/10/2021 • Gabriel Avner


It’s OWASP Top 10 2021 Official — Access Control Tops the List

The crew over at the Open Web Application Security Project (OWASP) has come out with a surprising winner for their OWASP Top 10 list of web application security…

22/09/2021 • Gabriel Avner


Identity-First Security is the New Perimeter

Identity is at the center of how we approach protecting our cloud assets, making it essential to confirm that each identity…

12/08/2021 • Gabriel Avner


Solving the AWS Roles Mystery

In the AWS environment, permissions to access your organization’s resources are tied to your identity. This makes your identity incredibly valuable, your keys to the kingdom as it were.

25/04/2021 • Michael Sheinkman


6 Top Emerging IAM Security Risks

As security breaches become a bigger reality, it is crucial that cloud protectors consider the importance of safeguarding their information and strengthening their Identity and Access Management, all while recognizing the top security risks that have risen to the surface.

01/02/2021 • Gabriel Avner


Lessons Learned for the Next SolarWinds Attack

Nothing is ever truly unhackable. Saying otherwise is asking for trouble. The question is when a breach occurs, how do we plan for our systems to fail gracefully increase our…

30/12/2020 • Gabriel Avner


Reassessing How to Protect Our Crown Jewels in the Cloud

This has been a year that calls for breaking with complacency and taking steps to define and protect the assets that are most critical to our organizations. To say that 2020 has been a year of change would…

10/11/2020 • Dotan Bar Noy


Everyone Should Care About SaaS Security — But it’s Your Responsibility

A lot of (digital) ink has been spilled about how the cloud is going to change the way that we work — and for once, the marketers have really undersold how big the impact is…

05/08/2020 • Dotan Bar Noy





A lot of (digital) ink has been spilled about how the cloud is going to change the way that we work — and for once, the marketers have really undersold how big the impact is going to be.

Don’t get me wrong, some parts of our businesses are going to stay on-prem for a while, but they will be negligible. Even before COVID-19 made most of us remote workers by default, we had already been hurtling towards a reality where all of our work (computing, storage, platforms, and the rest of the “X as a Service” family) is essentially done on someone else’s computer.

For most organizations, this shifting of their IT infrastructure to Amazon, Google, Microsoft, and the million other cloud services providers has been a good thing. It allows them to do more without growing their IT teams, making the job of keeping everything running like it should someone else’s responsibility.

However, when it comes to security, the question of who is responsible for what is far less clear and leaves many organizations potentially exposed to leaks or attacks.

Who Owns Security in SaaS?

The question of who is responsible for security when it comes to SaaS, PaaS, IaaS, et al. is a tricky one, and probably the subject of nearly as many marketing posts as the “Why you need to move to the cloud” genre. For our purposes, and in the interest of length, let’s focus on SaaS.

In short, the answer is that security is everybody’s responsibility, and you need to take it seriously. The problem is that as an industry of service providers and consumers, we have generally done a bad job of defining who is responsible for which aspects of managing security in this arrangement.

Personally, I like this graphic representation of the shared security responsibility model taken from the folks at Microsoft’s Azure Security team. Not only is it clear about when the responsibility is wholly supposed to be owned by the cloud provider or customer, but it also highlights examples where they share responsibility.

For instance, in that graphic, identity and directory infrastructure is marked as shared between the customer and the provider, without a clear delineation of who the actual owner is.

(Figure: Microsoft’s shared responsibility model for on-prem, IaaS, PaaS and SaaS; the graphic itself is not reproduced here. Source: Microsoft)

Challenges to Getting SaaS Security Right

The SaaS environment is by definition highly distributed and easily accessible from nearly anywhere. Managing who can access what requires constant tracking of permissions. Especially in larger organizations where people join, move within, and leave, this can become a difficult challenge to overcome.

There is also a visibility challenge: the more services we use, the more we grow our attack surface and slip into permission chaos. Part of the problem is that we are not doing a very good job of keeping track of what we are using and where. In practical terms, this means that we might be exposed or vulnerable to attack and not even be aware of the threat vector.

But for an attacker that is putting in the work of scanning for an opening, that hole through the side door is just as good as going in through the front.

To be fair to all parties, SaaS security is hard to manage. A leap of faith is required to hand over so much control to an outside provider that theoretically can make changes to important settings and controls without your involvement.

A SaaS vendor can unwittingly make changes to your app and create an exposure that your team needs to deal with. These changes can also alter the way you monitor and control your security, and that should remind us of the compromise that comes with shifting responsibilities.

So what does a good SaaS security overview have to take into account if we want to do this better?

A Few Tips for Working More Securely with SaaS

For starters, take the time to understand who is responsible for what in your relationship with your SaaS provider. I suggest starting with an assumption of TRUST NO ONE.

In the event of a breach or leak, it is your organization that will feel the brunt of the blame for any damages. So even if your SaaS vendor promises you the moon and the stars, it is still your responsibility to double-check and triple-check (and continuously monitor) to the best of your ability, even if control rests in someone else’s system.

With skepticism as your starting point, do your own risk assessment of your exposure with the vendor and address it with them. You should still be setting expectations with them for what they are supposed to be responsible for — even if you don’t fully trust them.

After you have done your assessment, take your findings and start hardening your organization to the extent possible. While never foolproof, since anything can be hacked, denying an attacker the low-hanging fruit with a bit of hardening now can go a long way in avoiding heartache later.

Finally, make security a part of the process of onboarding and managing new SaaS applications or the use of IaaS. Stick to the principle of least privilege: grant just enough permissions to allow your people to do what they need to do, but stop short of the point where the access becomes a liability. Chances are you are giving out far more authorizations than you need to, or than you can realistically keep track of.

The way to make this successful is to empower your team by making it as easy as possible for them. Automate wherever you can, especially the work of tracking and monitoring who holds which authorizations and which of them are actually in use. Authorization management, which is key to limiting your exposure, will always be your responsibility to manage and monitor, so take it easy on yourself and use the right tools for the job.

Thinking Big Picture

SaaS is simply the way that businesses will continue to operate in the years to come, so it is up to us to work with it responsibly.

This means knowing what we are using and utilizing technology to manage it better, but also implementing the right kind of policies that will help us to avoid forehead-smacking mistakes.

Yes, the SaaS providers should simplify their management systems, especially around security. Current measures often require the admin to be a human compiler in order to understand what’s going on.

But we in the industry need to think about how we are granting access to people in our organizations. Are we asking whether an employee really needs access to as many systems as they have? How often do we require those permissions to be reauthorized, so that zombie accounts do not live on long after they have any right or reason to?
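To make the tips above concrete (least privilege, automated tracking of who holds which authorizations) and to answer the two questions just raised (does the person still need the access, and when was it last reauthorized), here is an added example of the kind of periodic entitlement check a security team can script against its own SaaS grant exports. It is not code from the original post and not Authomize’s product; the grant and directory shapes, the sample users and apps, and the 90-day thresholds are all constructed assumptions for illustration. It flags three things: grants held by people who have left (or whom HR cannot vouch for), grants nobody has used in a long time (zombie candidates), and privileged grants that are overdue for re-approval.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

# Review thresholds. These are assumptions chosen for the example, not
# values from the post; pick them from your own policy.
DORMANT_DAYS = 90   # a grant unused for longer than this is a zombie candidate
RECERT_DAYS = 90    # privileged grants must be re-approved at least this often
PRIVILEGED_ROLES = {"admin", "owner", "super_admin"}


@dataclass(frozen=True)
class Grant:
    """One authorization exported from a SaaS app's admin API (hypothetical shape)."""
    user: str
    app: str
    role: str
    granted_on: date
    last_used_on: Optional[date]      # None: never used since it was granted
    last_reviewed_on: Optional[date]  # None: never recertified by an owner


@dataclass(frozen=True)
class Finding:
    user: str
    app: str
    role: str
    reason: str  # "orphaned", "dormant" or "recertify"


def review_grants(grants: List[Grant], directory: Dict[str, str], today: date) -> List[Finding]:
    """Compare every SaaS grant against the HR directory and usage data.

    directory maps user -> "active" or "departed". A grant whose holder is
    unknown to the directory is treated as departed: the safe default for a
    SaaS account that nobody in HR can vouch for.
    """
    findings: List[Finding] = []
    for g in grants:
        if directory.get(g.user, "departed") != "active":
            # Offboarding gap: the person is gone but the access is not.
            findings.append(Finding(g.user, g.app, g.role, "orphaned"))
            continue

        # Dormant: no sign of use within DORMANT_DAYS. A grant that was never
        # used is measured from the day it was issued.
        last_activity = g.last_used_on or g.granted_on
        if (today - last_activity).days > DORMANT_DAYS:
            findings.append(Finding(g.user, g.app, g.role, "dormant"))

        # Privileged roles get a recurring re-approval regardless of use.
        if g.role in PRIVILEGED_ROLES:
            last_review = g.last_reviewed_on or g.granted_on
            if (today - last_review).days > RECERT_DAYS:
                findings.append(Finding(g.user, g.app, g.role, "recertify"))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per reason, for the review report."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.reason] = counts.get(f.reason, 0) + 1
    return counts


# Constructed sample data; not real accounts or apps.
TODAY = date(2020, 8, 5)
SAMPLE_DIRECTORY = {"alice": "active", "bob": "active", "carol": "active",
                    "dave": "departed", "frank": "active"}  # "eve" is missing on purpose
SAMPLE_GRANTS = [
    Grant("alice", "github", "admin", date(2020, 1, 10), date(2020, 8, 3), date(2020, 7, 1)),
    Grant("bob", "salesforce", "member", date(2019, 11, 1), date(2020, 3, 15), None),
    Grant("carol", "aws", "owner", date(2019, 6, 1), date(2020, 8, 4), None),
    Grant("dave", "slack", "member", date(2020, 2, 1), date(2020, 7, 30), None),
    Grant("eve", "jira", "admin", date(2020, 5, 1), date(2020, 8, 1), None),
    Grant("frank", "okta", "super_admin", date(2020, 7, 20), None, None),
]

if __name__ == "__main__":
    results = review_grants(SAMPLE_GRANTS, SAMPLE_DIRECTORY, TODAY)
    for f in results:
        print(f"{f.reason:10} {f.user}@{f.app} ({f.role})")
    print(summarize(results))
```

On the sample data this reports bob’s Salesforce seat as dormant, carol’s AWS owner role as overdue for recertification, and both dave’s and eve’s grants as orphaned, while alice’s recently reviewed admin role and frank’s brand-new super_admin role pass. Two design choices matter in practice: an account the directory does not know is treated as departed rather than ignored, because “nobody owns it” is exactly the zombie-account case, and privileged roles are re-approved on a clock even when they are in active use, since usage alone does not tell you whether the person should still hold them. Running this on a schedule against real exports is the automated access review the post is asking for.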

At the end of the day, we are the owners of our own security, so we’d better act like it.