Earlier this year, attackers infiltrated Mailchimp, a popular SaaS email marketing platform. They viewed more than 300 Mailchimp customer accounts and exported audience data from 102 of them. The breach was preceded by successful phishing attacks and other malicious activity against the end users of Mailchimp customers.
Three months later, Mailchimp was hit by another attack. Once again, an employee’s account was compromised after a successful phishing attempt.
Although the identities of the compromised Mailchimp accounts have not been made public, it is easy to see what role the user’s permission settings played in the attack. Once the threat actor was inside the system, the account had enough access to use the internal tools that could locate the data the attacker was looking for. The attack ended when the security team revoked the user’s access, but the data that had already been downloaded remained in the attacker’s hands.
Applying user rights through role-based access control (RBAC) could have greatly reduced the damage of the breach. If least-privilege rules had been enforced, the compromised account might not have had access to the internal tools used in the attack. Restricting access could also have prevented the attack entirely, or limited the number of affected accounts to far fewer than the 100 that were ultimately compromised.
Protect your SaaS data like your company’s future is at stake. Please schedule a demo for more information.
What are user permissions?
SaaS user permissions let app owners restrict the resources a user can reach and the actions they can take, based on the user’s role. This set of permissions, managed through RBAC, grants read or write access, assigns elevated privileges to high-level users, and determines each user’s level of access to corporate data.
What is the purpose of the “least privilege rule”?
The least privilege rule is an important security concept: users are given only the minimum access necessary to perform their job duties. Restricting high-level access to a few privileged individuals reduces the attack surface. If a low-privileged user’s account is compromised, the attacker does not gain access to the sensitive data held within the application.
Do SaaS apps follow least privilege rules? Please schedule a demo for more information.
Why User Privileges Are Important to Security
App admins often grant full access to team members, especially when dealing with small groups of users. Business users, unlike security professionals, are not always aware of the degree of risk involved in granting these permissions, and they would rather grant full permissions up front than be asked for specific permissions later.
Unfortunately, this approach can expose sensitive data records. User permissions help define what data is exposed in the event of a breach. When data is protected behind a permission set, an attacker who takes over a user identity is limited to the data available to that victim.
Loose user permissions also make it easier for attackers to carry out automated attacks. Having multiple users with broad API permissions makes it easier for cybercriminals to break into SaaS apps, automate ransomware, and steal data.
Why User Access Reviews Matter
A user access review is essentially an audit that examines users and their access. Security team members and app owners can see how much access each user has and adjust permission levels as needed.
This helps identify users who have switched roles or teams within the company but still hold unnecessary levels of permission. It also helps alert security teams when an employee’s behavior deviates from normal and includes suspicious activity. Additionally, it helps identify former employees who still have access and high privileges.
Access reviews should be conducted at defined intervals so that unnecessary permissions are identified within a set period of time.
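The RBAC and least-privilege model described above, and the access review that follows it, can both be shown in a small script. This is an added example, not Adaptive Shield’s code and not any real SaaS app’s API: the roles, permission names (for example `audience:export`), users and dates are all constructed for illustration. Authorization is decided by the user’s role rather than by whatever was configured on the account, so a permission granted by mistake is still refused; the review then flags exactly the cases the text names: departed users who still hold permissions, accounts whose grants exceed their role, and users whose role changed recently.

```python
"""Minimal RBAC model plus a periodic user-access review.

Constructed example: roles, permission names, users and dates are invented
for illustration and do not correspond to any real product or API.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Set

# Role -> permissions. Each role carries only what that job needs
# (least privilege); note that "marketer" cannot export audience data.
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "viewer": {"audience:read"},
    "marketer": {"audience:read", "campaign:write"},
    "admin": {"audience:read", "audience:export", "campaign:write", "user:manage"},
}


@dataclass
class User:
    name: str
    role: str
    granted: Set[str]                 # permissions actually configured on the account
    active: bool = True               # False once the employee has left
    last_role_change: Optional[date] = None


def allowed(user: User, permission: str) -> bool:
    """Authorize against the role, not against the ad-hoc grant list.

    A disabled account is denied everything, and a permission that was
    configured on the account but is not part of its role is refused."""
    if not user.active:
        return False
    return permission in ROLE_PERMISSIONS.get(user.role, set())


def blast_radius(user: User) -> Set[str]:
    """Permissions an attacker would actually obtain by taking over this account."""
    return {p for p in user.granted if allowed(user, p)}


def review_access(users: List[User], today: date,
                  role_change_window_days: int = 30) -> Dict[str, List[str]]:
    """Return name -> findings for every account an access review should look at.

    Accounts with no findings are omitted from the result."""
    findings: Dict[str, List[str]] = {}
    for u in users:
        issues: List[str] = []
        role_perms = ROLE_PERMISSIONS.get(u.role, set())

        # Former employee whose account still carries permissions.
        if not u.active and u.granted:
            issues.append("departed user still holds permissions")

        # Grants that go beyond what the role entitles the user to.
        excess = u.granted - role_perms
        if excess:
            issues.append("excess permissions: " + ", ".join(sorted(excess)))

        # Recent role or team change: confirm the old role's grants were removed.
        if u.last_role_change is not None:
            days = (today - u.last_role_change).days
            if 0 <= days <= role_change_window_days:
                issues.append(f"role changed {days} days ago; verify permissions "
                              "from previous role were removed")

        if issues:
            findings[u.name] = issues
    return findings


# Constructed sample directory used by the demo run and the assertions.
SAMPLE_USERS = [
    User("alice", "admin", {"audience:read", "audience:export", "campaign:write", "user:manage"}),
    User("bob", "marketer", {"audience:read", "campaign:write", "audience:export"}),
    User("carol", "viewer", {"audience:read"}, active=False),
    User("dave", "marketer", {"audience:read", "campaign:write"},
         last_role_change=date(2024, 5, 20)),
]
REVIEW_DATE = date(2024, 6, 1)

if __name__ == "__main__":
    for name, issues in review_access(SAMPLE_USERS, REVIEW_DATE).items():
        for issue in issues:
            print(f"{name}: {issue}")
```

Running the script prints one line per finding: bob’s stray export grant, carol’s lingering permissions after leaving, and dave’s recent role change. Because `allowed()` consults the role table, bob’s misconfigured `audience:export` grant never becomes usable even before the review removes it, which is the point of putting the decision in RBAC rather than in per-account flags.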
User rights are an often misunderstood security feature. Configured correctly, they protect your organization from both external attacks and internal data-sharing errors.
An SSPM solution like Adaptive Shield enables effective user rights management, giving security personnel and app owners confidence in knowing the scope of user rights and verifying the SaaS security hygiene of their users. This real-time view of users is far more effective than a user access audit, which only provides a snapshot of a user’s permissions at a specific point in time.
Want more visibility into your SaaS users? Schedule a demo now for full visibility.