Check your privilege: The critical principle for keeping your SaaS data safe

We’re excited to bring Transform 2022 back to life on July 19th and virtually July 20-28. Join AI and data leaders for sensible conversations and exciting networking opportunities. Register today!

The type of breach recently declared by Octa can never be completely prevented, while the Minimum Privilege Principle (PoLP) is a simple but powerful mitigation that can dramatically reduce the severity of events. However, a robust PoLP approach can only be implemented if the tools and products we use support the required capabilities. The widely reported breach is an excellent opportunity to take a closer look at what SaaS products should do to protect their customers and end users in 2022.

Wait, what happened?

Octa experienced a breach by the Lapsus $ hacker group in late January, which had not been detected for nearly a week, and was finally revealed on March 22. The weak link used by Lapsus હતી was allegedly Sitel’s Sykes Enterprises, a third-party customer support vendor.

Sitel Support Engineer’s laptop was accessed by attackers, then Lapsus $ started a Remote Desktop Protocol (RDP) session with Okta. While, according to Octa, the attackers could not manage to achieve account takeover due to Multifactor Authentication (MFA), the company acknowledged that more than 300 customers could be affected and that some user data was used by hackers.

Unlike traditional hacking groups that exploit vulnerabilities in code or misconfiguration, the Lapsus $ preferred approach is to bribe the company’s insiders or third parties who have been granted access. With unconventional tactics like this, as well as the ever-present risk of social engineering attacks and common human error, it is not possible for any organization to be 100% secure. That is why it is crucial that we take steps that reduce the “blast radius” from violation. This is where PoLP comes into play.

The principle of minimum privilege mentality

POLP is a best practice that minimizes the severity of potential attacks by limiting the permissions of a given user to the lowest level they need to perform their work.

This approach ensures that even if the attacker gains access, it does not give them superuser powers like Dev to automatically extract or manipulate users’ data. The capabilities that an attacker can unlock are limited according to the job requirements of the employee whose account is used. When PoLP is properly implemented, most employees will have strict limits on their account, so most breaches will result in very little damage.

Okta said in his post on the incident that the application used by the attackers was “at least privileged.” While details on the capabilities assigned to third-party support engineers raise some questions about this statement, the PoLP reference is appropriate because this approach is central to minimizing such attacks.

The growing number of privileges

The Okta-Sitel relationship is not uncommon. Digital transformation initiatives have accelerated the adoption of a large number of SaaS tools, increased integration across platforms, and outsourced services to external vendors. Allowing third parties to access SaaS product accounts has become very common for many companies. But due to the nature of the services provided, third-party vendors are often given access to a large number of customer accounts. If the subsidiary vendor is hacked, the impact can be severe if PoLP is not followed.

Transferring your company to the PoLP mindset requires the participation of the entire organization. Like all attempts at change, it involves people, processes and tools. But SaaS products today often lack the capabilities that people and PoLP adoption processes need to support.

The current standard provides a minimal if any role split. Most apps today have only super admin roles, which can take any action in the product. More advanced people will also add a read-only role in the later stages of their evolution. But this is not enough to stop an unethical employee or a fake laptop from having disastrous consequences.

As SaaS builders and consumers, we must ensure that the products we manufacture and use support strict PoLP implementation that can help protect our customers’ data.

SaaS Product Requirements for PoLP

The following PoLP fundamentals should apply to any modern application:

Minimal privileges for new users

The default role of the new user should have a minimum amount of permissions. This ensures that after creation, users’ accounts automatically stick to PoLP without the need for any action. Create a new user with limited reading rights and upgrade as a pick-in option to suit the user’s position.

Granular permissions for maximum control

Admin-only and read-only access makes things much easier. The reality is that most users will need some level of access in the middle, which will result in everyone getting admin access. The ability to have granular control over the permissions granted to users is key to a more dynamic approach to POLP.

Temporary entry for permanent security

PoLP not only allows the lowest level of access, but also allows for as little time as possible. Encouraging the use of provisional access protocols addresses the risk of forgetting to withdraw access to an account for a one-time requirement. In addition, the provisional access protocol may enable automatic access to a regular schedule; Further damage can be minimized, for example, by restricting access to third-party support vendors only during operating hours.

Auditing activity on an ongoing basis

Products should be constantly audited so that suspicious activity can be detected in a timely manner. This requires that the team develop audit practice and put in place appropriate procedures, but also support production through a simple-to-control audit log mechanism.

Frictionless UX for permission management

For a strong PoLP approach, you need to have a frictionless user experience (UX) that allows users to easily manage their roles and permissions. Canceling, replacing, and giving access should be easy – making this operation difficult makes it an incentive to grant additional permissions without having to deal with it on the road. These capabilities should be given to customers and end users, who can then take full control of their accounts and reduce the level of attack.

RBAC: The main requirement for large organizations

In addition to the basic minimum requirements specified, additional capabilities are required to allow large organizations to manage permissions on a scale. With thousands or thousands of employees, and complex products that can be approved with hundreds or thousands of individual permissions, it is no longer possible to manage permissions at the individual employee level.

For companies of this size, role-based access control (RBAC) is crucial in SaaS applications. RBAC allows you to define roles within a product that match the functions within the organization. Each role is given the necessary permissions for its function in the product, and users are assigned roles according to their function.

The safest principle

With the changing nature of the threats and the growing attack surface driven by trends that will only get stronger over time, the violation is inevitable. Therefore, businesses need to move towards an approach that prioritizes mitigation strategies; The principle of minimum privilege is central to this. SaaS products today often fall short in providing key capabilities for PoLP. As SaaS creators and consumers, we need to do more and better demand to protect our users’ accounts.

Sagi Rodin is the CEO and co-founder of Fronteg,


Welcome to the VentureBeat community!

DataDecisionMakers is a place where experts, including tech people working on data, can share data-related insights and innovations.

If you would like to read about the latest ideas and latest information, best practices and the future of data and data tech, join us at DataDecisionMakers.

You might even consider contributing to your own article!

Read more from DataDecisionMakers

Similar Posts

Leave a Reply

Your email address will not be published.