Security Experts:

Zombie SaaS Accounts Put Enterprises at Risk: Report

SaaS security company Adallom has released a report which analyzes the security gaps and risks associated with the usage of cloud applications.

Adallom analyzed over one million enterprise SaaS accounts on Salesforce, Box, Google Apps and Microsoft Office 365, between October 2013 and October 2014.

The company determined that 11% of accounts have not been active over a period of three months. These accounts, which Adallom calls "zombies," are problematic for two reasons: organizations unnecessarily pay licenses for them, and they increase the attack surface. The most dangerous are "zombie" accounts with high privileges, which can be leveraged by attackers to gain access to valuable corporate information.

Zombie Account RisksPrivileged accounts that are not active could exist in many organizations. Adallom has found that there are, on average, seven administrators to every 100 users. In the case of one enterprise, the SaaS security firm found over 100 Salesforce users with administrative privileges.

The report shows that there are many companies which fail to ensure that their former employees' SaaS application credentials are revoked. According to Adallom, 80% of the companies they have monitored have at least one former employee whose login credentials have not been disabled.

As far as files are concerned, 5% of an average organization's private files are publicly accessible, the report said. Furthermore, 29% of employees share an average of 98 work-related files with their personal email accounts, a practice which according to Adallom poses both governance and security risks.

 Sharing files with third parties is one of the advantages of cloud-based applications. However, there are also risks that need to be taken into consideration.

"Some SaaS providers install a local device agent in order to synchronize between user devices and the Web, which often means users are unaware of the full spectrum of data being synchronized to the SaaS provider," the report said. "Inadvertent sharing is a real danger for enterprises with an increased uptake of services such as Office 365, Box and Google Drive. For governance and security purposes, it’s crucial to understand where corporate files are stored and who they are being shared with."

Another issue is "orphan" files, or files that don't have an owner. Adallom found that 6% of files are orphans, 70% of which have been created by users outside the company, while the other 30% by former contractors or terminated employees.

The problem with these files is that they are owned by a non-existent user or group ID which might be assigned to a newly created user or group at some point, automatically giving them access to the files.

"Orphan files also create a governance problem because they don’t have a clear provenance and attestation trail, which means that they might violate retention policies. In the event of an eDiscovery query or regulatory compliance audit, orphan files could be troublesome, especially if they contain privileged data," the report said.

Storing files in the cloud is convenient, but some organizations don't seem to know precisely where their cloud data is stored. The report shows that 37% of Adallom's customers discovered that they stored more data in Salesforce than in any other SaaS application. Salesforce has a secure storage layer, but for proper file management enterprises need to integrate it with a dedicated enterprise storage governance solution.

"As companies continue to realize the enormous cost and productivity gains that come with SaaS adoption, they should concurrently understand and address the inherent risks and take necessary precautions to protect data and brand integrity," noted Assaf Rappaport, co-founder and CEO of Adallom. "Accounting for cloud data governance and shared responsibility for security are of paramount importance.  Legacy controls like firewalls and mobile device management are ineffective at protecting users when they access SaaS applications from unmanaged devices outside the corporate network."

The complete Cloud Usage Risk report from Adallom is available online.

view counter
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.