[{"data":1,"prerenderedAt":2404},["ShallowReactive",2],{"application-flags":3,"navbar":7,"always-visible-banner":36,"navbar-about-highlight":108,"navbar-resource-highlight":182,"blog/report-on-identity-based-attacks":226},[4],{"name":5,"enabled":6},"maintenanceMode",false,[8],{"createdDate":9,"id":10,"name":11,"modelId":12,"published":13,"query":14,"data":15,"variations":20,"lastUpdated":21,"firstPublished":22,"testRatio":23,"createdBy":24,"lastUpdatedBy":25,"folders":26,"meta":27,"rev":35},1742208588866,"1c7a4e423bf54ac1a328bb4063459ef2","Banner","1c6207a5f24948ab82d4a0b17f251193","published",[],{"type":16,"url":17,"text":18,"link":19},"web-banner","https://pushsecurity.com/resources/browser-attacks-report","Get our latest report analyzing browser attack techniques in 2026",{},{},1774258294825,1742208637545,1,"CydmZnOWU1XuAaLhEDCoYNM4Z8W2","jKjF9r5jcvXU8tzZEfFQm31Iyvr2",[],{"kind":28,"lastPreviewUrl":29,"breakpoints":30,"hasAutosaves":34},"data","",{"xsmall":31,"small":32,"medium":33},320,640,768,true,"ga0kpxjhh76",{"createdDate":37,"id":38,"name":39,"modelId":40,"published":13,"stageModifiedSincePublish":6,"query":41,"data":42,"variations":97,"lastUpdated":98,"firstPublished":99,"testRatio":23,"createdBy":100,"lastUpdatedBy":101,"folders":102,"meta":103,"rev":107},1774965361051,"fd266d0172cc47429be7ad10f48c99ad","always visible banner","0678d178ec8b41efb8a23c09dba7874d",[],{"ctaText":43,"text":44,"url":29,"blocks":45,"state":93},"ewrererw","testrfesssssssssss",[46,73,81],{"@type":47,"@version":48,"id":49,"component":50,"responsiveStyles":63},"@builder.io/sdk:Element",2,"builder-ca12c06a52de41d7b8743da53118cd38",{"name":51,"tag":51,"options":52,"isRSC":62},"TopBannerContent",{"text":53,"ctaText":54,"url":55,"mainText":56,"cta":59},"New Webinar Series: Join John Hammond, Troy Hunt, and Matt Johansen for the State of Browser Attacks","Save Your Spot","https://pushsecurity.com/webinar/state-of-browser-security",{"content":57,"fontSize":58},"\u003Cp>Meet Push's browser security experts at BlackHat 2026.\u003C/p>","text-base",{"content":60,"fontSize":58,"url":61},"\u003Cp>Book a meeting →\u003C/p>","https://pushsecurity.com/events/blackhat-2026-meeting",null,{"large":64},{"display":65,"flexDirection":66,"position":67,"flexShrink":68,"boxSizing":69,"marginTop":70,"marginBottom":70,"fontSize":71,"fontWeight":72},"flex","column","relative","0","border-box",".56rem","1.125rem","700",{"@type":47,"@version":48,"id":74,"component":75,"responsiveStyles":79},"builder-a2e1f4b9f30b464bb814d7f5de5b0aa7",{"name":76,"options":77,"isRSC":62},"Custom Code",{"code":78,"scriptsClientOnly":6},"\u003Cstyle>\n  .top-banner.bg-web-orange{background:rgb(114, 79, 255);}\n\u003C/style>\n",{"large":80},{"display":65,"flexDirection":66,"position":67,"flexShrink":68,"boxSizing":69},{"id":82,"@type":47,"tagName":83,"properties":84,"responsiveStyles":88},"builder-pixel-o503s4fpvk","img",{"src":85,"aria-hidden":86,"alt":29,"role":87,"width":68,"height":68},"https://cdn.builder.io/api/v1/pixel?apiKey=f3a1111ff5be48cdbb123cd9f5795a05","true","presentation",{"large":89},{"height":68,"width":68,"display":90,"opacity":68,"overflow":91,"pointerEvents":92},"block","hidden","none",{"deviceSize":94,"location":95},"large",{"path":29,"query":96},{},{},1783541846936,1774968080803,"ST0tXQM8slWpFrmioqKHmENB2qe2","kYgMv6WsbvfmlOUYqR2SFwGzw6e2",[],{"kind":104,"lastPreviewUrl":105,"hasLinks":6,"breakpoints":106,"hasErrors":6,"hasAutosaves":6},"component","https://pushsecurity.com/?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CcreateProjects%2CsendPullRequests&builder.user.role.name=Designer&builder.user.role.id=creator&builder.cachebust=true&builder.preview=always-visible-banner&builder.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.always-visible-banner=fd266d0172cc47429be7ad10f48c99ad&builder.overrides.fd266d0172cc47429be7ad10f48c99ad=fd266d0172cc47429be7ad10f48c99ad&builder.options.locale=Default",{"xsmall":31,"small":32,"medium":33},"kyujw1aptq",[109,145],{"createdDate":110,"id":111,"name":112,"modelId":113,"published":13,"stageModifiedSincePublish":6,"query":114,"data":115,"variations":138,"lastUpdated":139,"firstPublished":140,"testRatio":23,"createdBy":24,"lastUpdatedBy":24,"folders":141,"meta":142,"rev":144},1776247359804,"9136a8f18b3b4a6ba29b8653a99372b1","testimonial-inductive-automation","20d9eaa352304613b3d1a794b400703d",[],{"link":116,"type":117,"testimonialLink":118,"testimonial":119},{},"testimonial","/customer-stories/inductive-automation",{"@type":120,"id":121,"model":117,"value":122},"@builder.io/core:Reference","f028f2b685bb47cd8bf9e82a26dd5a79",{"query":123,"folders":124,"createdDate":125,"id":121,"name":126,"modelId":127,"published":13,"data":128,"variations":132,"lastUpdated":133,"firstPublished":134,"testRatio":23,"createdBy":100,"lastUpdatedBy":100,"meta":135,"rev":137},[],[],1735823466309,"We found Push to be more accurate when compared to competitors and the browser agent offered features that others couldn’t match.","42035571a56940ac98bff4544aa79aa5",{"author":129,"jobTitle":130,"quote":126,"image":131},"Jason Waits","\u003Cp>CISO at Inductive Automation\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Ff04c0c0689ce4a89ac0f0708d78c0a07",{},1735910703862,1735823501152,{"kind":28,"lastPreviewUrl":29,"breakpoints":136,"hasAutosaves":34},{"small":32,"medium":33},"e8bsg4qrgtu",{},1776247404986,1776247404973,[],{"breakpoints":143,"kind":28,"lastPreviewUrl":29,"hasAutosaves":6},{"xsmall":31,"small":32,"medium":33},"g9lqcuxphw7",{"createdDate":146,"id":147,"name":148,"modelId":113,"published":13,"meta":149,"stageModifiedSincePublish":6,"query":151,"data":152,"variations":178,"lastUpdated":179,"firstPublished":180,"testRatio":23,"createdBy":24,"lastUpdatedBy":24,"folders":181,"rev":144},1776255761419,"05a9322735fc427db12e2740e4302300","Report: 2026 Browser Attack Techniques",{"breakpoints":150,"kind":28,"lastPreviewUrl":29,"hasAutosaves":6},{"xsmall":31,"small":32,"medium":33},[],{"testimonial":153,"link":172,"type":175,"title":148,"description":176,"image":177},{"@type":120,"id":154,"model":117,"value":155},"192acbb1f9ca4cac918c0ec435a8bae3",{"query":156,"folders":157,"createdDate":158,"id":154,"name":159,"modelId":127,"published":13,"data":160,"variations":166,"lastUpdated":167,"firstPublished":168,"testRatio":23,"createdBy":100,"lastUpdatedBy":24,"meta":169,"rev":171},[],[],1728981467463,"Push does for identity what CrowdStrike did for the endpoint",{"video":161,"jobTitle":162,"author":163,"qoute":29,"quote":164,"image":165},"https://cdn.builder.io/o/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F8b30e8ca50064058bbaef0f3c6164575%2Fcompressed?apiKey=f3a1111ff5be48cdbb123cd9f5795a05&token=8b30e8ca50064058bbaef0f3c6164575&alt=media&optimized=true","\u003Cp>Deputy CISO at Microsoft\u003C/p>\u003Cp>Former LinkedIn, Slack, Palantir\u003C/p>","Geoff Belknap","Push does for identity what CrowdStrike did for the endpoint.","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F748f0ad0a5064a00a13f4721fcc8dea1",{},1742902158597,1728981782923,{"kind":28,"lastPreviewUrl":29,"breakpoints":170,"hasAutosaves":34},{"small":32,"medium":33},"ulhc0im1hfo",{"text":173,"url":174},"Download now","/resources/browser-attacks-report","resource","Learn about the latest techniques being used in the wild.","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F7b4a5ebf81d64e8c9d7fc35f6c96c4a9",{},1776255810913,1776255810900,[],[183,205],{"createdDate":184,"id":185,"name":148,"modelId":186,"published":13,"meta":187,"stageModifiedSincePublish":6,"query":189,"data":190,"variations":200,"lastUpdated":201,"firstPublished":202,"testRatio":23,"createdBy":24,"lastUpdatedBy":24,"folders":203,"rev":204},1776256900280,"1f429607996e4e5fae8fe3f9b9610e55","4829faa81e7c4ee8bd2d000e160e8d3c",{"breakpoints":188,"kind":28,"lastPreviewUrl":29,"hasAutosaves":6},{"xsmall":31,"small":32,"medium":33},[],{"testimonial":191,"link":199,"type":175,"title":148,"description":176,"image":177},{"@type":120,"id":154,"model":117,"value":192},{"query":193,"folders":194,"createdDate":158,"id":154,"name":159,"modelId":127,"published":13,"data":195,"variations":196,"lastUpdated":167,"firstPublished":168,"testRatio":23,"createdBy":100,"lastUpdatedBy":24,"meta":197,"rev":171},[],[],{"video":161,"jobTitle":162,"author":163,"qoute":29,"quote":164,"image":165},{},{"kind":28,"lastPreviewUrl":29,"breakpoints":198,"hasAutosaves":34},{"small":32,"medium":33},{"text":173,"url":174},{},1776256937553,1776256937540,[],"xggsv10v1q9",{"createdDate":206,"id":207,"name":208,"modelId":186,"published":13,"stageModifiedSincePublish":6,"query":209,"data":210,"variations":220,"lastUpdated":221,"firstPublished":222,"testRatio":23,"createdBy":24,"lastUpdatedBy":24,"folders":223,"meta":224,"rev":204},1776256949234,"ce043785b71b4ece98eac811ecf4ba10","inductive-automation",[],{"link":211,"type":117,"testimonial":212,"testimonialLink":118},{},{"@type":120,"id":121,"model":117,"value":213},{"query":214,"folders":215,"createdDate":125,"id":121,"name":126,"modelId":127,"published":13,"data":216,"variations":217,"lastUpdated":133,"firstPublished":134,"testRatio":23,"createdBy":100,"lastUpdatedBy":100,"meta":218,"rev":137},[],[],{"author":129,"jobTitle":130,"quote":126,"image":131},{},{"kind":28,"lastPreviewUrl":29,"breakpoints":219,"hasAutosaves":34},{"small":32,"medium":33},{},1776256974140,1776256974130,[],{"breakpoints":225,"kind":28,"lastPreviewUrl":29,"hasAutosaves":6},{"xsmall":31,"small":32,"medium":33},{"id":227,"title":228,"authorsCollection":229,"content":237,"extension":958,"faqItemsCollection":959,"faqTitle":62,"featured":6,"hashTags":62,"meta":961,"metaTitle":962,"ogImage":62,"publishedDate":963,"relatedBlogPostsCollection":964,"slug":2378,"stem":2379,"subtitle":62,"summary":2380,"synopsis":2391,"sys":2392,"tagsCollection":2395,"__hash__":2403},"blog/blog/report-on-identity-based-attacks.json","6 surprising takeaways from a recent report on identity-based attacks ",{"items":230},[231],{"fullName":232,"firstName":233,"jobTitle":234,"profilePicture":235},"Sally Soulliere","Sally","Head of Brand & Content",{"url":236},"https://images.ctfassets.net/y1cdw1ablpvd/7Gh4SbbEj6Zsbd6OzGto8Q/885041a4ddeccc5ef3045c0e22975ef4/T016S22KZ96-U036FPETQRH-330f87708d26-192.jpeg",{"json":238,"links":886},{"nodeType":239,"data":240,"content":241},"document",{},[242,268,275,283,290,297,317,324,331,348,355,362,369,376,384,391,398,423,453,460,467,474,493,514,521,527,546,553,560,567,574,581,606,613,620,627,633,640,647,654,661,669,690,707,714,722,729,741,748,759,766,785,792,799,806,813,819,826,833,839,857,863,874,880],{"nodeType":243,"data":244,"content":245},"paragraph",{},[246,251,264],{"nodeType":247,"value":248,"marks":249,"data":250},"text","Identity Defined Security Alliance (IDSA) recently released their 2023 report: ",[],{},{"nodeType":252,"data":253,"content":255},"hyperlink",{"uri":254},"https://www.idsalliance.org/white-paper/2023-trends-in-securing-digital-identities/",[256],{"nodeType":247,"value":257,"marks":258,"data":263},"Trends in Securing Digital Identities",[259,261],{"type":260},"underline",{"type":262},"italic",{},{"nodeType":247,"value":265,"marks":266,"data":267},", which had some interesting data to consider as you think about securing identities in the cloud for your organization.",[],{},{"nodeType":243,"data":269,"content":270},{},[271],{"nodeType":247,"value":272,"marks":273,"data":274},"Identities have quickly become the new perimeter, leading attackers to target identities as the primary way to access sensitive corporate data. Organizations and security professionals are considering identity security top of mind, as a result. The report found that 68% of companies say identity-related attacks directly impacted their business in 2023. ",[],{},{"nodeType":276,"data":277,"content":278},"heading-1",{},[279],{"nodeType":247,"value":280,"marks":281,"data":282},"1. Passwords are (still) the weakest link ",[],{},{"nodeType":243,"data":284,"content":285},{},[286],{"nodeType":247,"value":287,"marks":288,"data":289},"It’s no surprise that this survey found that phishing is the most common identity security-related attack, reported by 57% of survey respondents. Poor password hygiene like employees reusing passwords across work and personal accounts was often reported (by 37%) as a weakness that could lead to identity-based attacks.. ",[],{},{"nodeType":243,"data":291,"content":292},{},[293],{"nodeType":247,"value":294,"marks":295,"data":296},"Further exacerbating this issue, employees often reuse passwords across many the cloud and SaaS applications they’re using, and 31% reported that employees share login credentials with their colleagues for work cloud and SaaS apps. ",[],{},{"nodeType":243,"data":298,"content":299},{},[300,304,313],{"nodeType":247,"value":301,"marks":302,"data":303},"The risk of these security shortcomings is real and a concern today, not just a future problem. Our recent ",[],{},{"nodeType":252,"data":305,"content":307},{"uri":306},"https://pushsecurity.com/blog/saas-attack-techniques/",[308],{"nodeType":247,"value":309,"marks":310,"data":312},"open-source research on SaaS attacks",[311],{"type":260},{},{"nodeType":247,"value":314,"marks":315,"data":316}," demonstrated how attackers will take advantage of those weak and/or reused login credentials as an entry point for attack chains, allowing them to move laterally within the organization and across apps to get to the data they’re targeting.",[],{},{"nodeType":243,"data":318,"content":319},{},[320],{"nodeType":247,"value":321,"marks":322,"data":323},"None of these finds are shocking for anyone in security. However, what may be new is where identities start and end. Let’s dig into that.",[],{},{"nodeType":276,"data":325,"content":326},{},[327],{"nodeType":247,"value":328,"marks":329,"data":330},"2. Identity security sprawl makes it a challenge to manage digital identities and data sprawl ",[],{},{"nodeType":243,"data":332,"content":333},{},[334,338,344],{"nodeType":247,"value":335,"marks":336,"data":337},"Many readers may think of identity as an employee’s SSO identity first, but it’s important to consider identity sprawl - anytime an employee signs up to a cloud application with a password, they’ve created a new account ",[],{},{"nodeType":247,"value":339,"marks":340,"data":343},"and ",[341],{"type":342},"bold",{},{"nodeType":247,"value":345,"marks":346,"data":347},"a new identity on that app. ",[],{},{"nodeType":243,"data":349,"content":350},{},[351],{"nodeType":247,"value":352,"marks":353,"data":354},"This happens because they’re using a username and password to sign up, which has created a new identity that only exists on that app. If, on the other hand, they clicked “Signup with Google” or “Signup with Microsoft,” they would have created a new account, but used their Google and Microsoft identity that already exists and is managed by the organization they work for.",[],{},{"nodeType":276,"data":356,"content":357},{},[358],{"nodeType":247,"value":359,"marks":360,"data":361},"3. More SaaS = More identities = More opportunities for attackers",[],{},{"nodeType":243,"data":363,"content":364},{},[365],{"nodeType":247,"value":366,"marks":367,"data":368},"Another finding from the survey is that 52% of respondents said the adoption of more cloud applications is driving an increase in the number of identities. As employees sign up for SaaS and cloud applications on their own, they’re adding more assets and identities to your attack surface. They’re also adding more third-party vendors to your supply chain. ",[],{},{"nodeType":243,"data":370,"content":371},{},[372],{"nodeType":247,"value":373,"marks":374,"data":375},"You can see how quickly identity management can become difficult to manage and a really juicy new attack surface for attackers. On average, teams use 40-60 apps for work. If they’re not using a social login (“Signup with Google” or “Signup with Microsoft”), it’s not just the SaaS accounts that are exploding but also the number of identities security and IT have to track, monitor, and secure. Add in sharing credentials across the team and password reuse that was mentioned earlier, and the scope of the problem explodes pretty quickly.",[],{},{"nodeType":377,"data":378,"content":379},"heading-2",{},[380],{"nodeType":247,"value":381,"marks":382,"data":383},"Doesn’t SSO solve this?",[],{},{"nodeType":243,"data":385,"content":386},{},[387],{"nodeType":247,"value":388,"marks":389,"data":390},"SSO is the ideal, gold standard solution for managing your SaaS security risks. The big issue is that very, very few apps, particularly the smaller ones most of the employees in your company will be signing up for, offer SSO integrations. ",[],{},{"nodeType":243,"data":392,"content":393},{},[394],{"nodeType":247,"value":395,"marks":396,"data":397},"When we looked at the apps we cover, only 30% of them offered SAML SSO integrations. For the other 70% of apps, SSO isn’t even an option.",[],{},{"nodeType":243,"data":399,"content":400},{},[401,405,419],{"nodeType":247,"value":402,"marks":403,"data":404},"Making things worse, of those few apps that did offer SAML SSO as a feature, they offered it as a paid feature that you can only access at a high pricing tier, typically Enterprise or the highest pricing tier. This is known in the industry as the “SSO tax.” So, at the moment, this means SAML SSO isn’t a practical option for most apps. We wrote much more on this ",[],{},{"nodeType":406,"data":407,"content":413},"entry-hyperlink",{"target":408},{"sys":409},{"id":410,"type":411,"linkType":412},"tkUfN6TKuYyVNYDpsGWrE","Link","Entry",[414],{"nodeType":247,"value":415,"marks":416,"data":418},"here",[417],{"type":260},{},{"nodeType":247,"value":420,"marks":421,"data":422}," as well.",[],{},{"nodeType":243,"data":424,"content":425},{},[426,430,435,439,449],{"nodeType":247,"value":427,"marks":428,"data":429},"Many more apps offer social logins (“Login with Google” - aka OIDC SSO), and while this isn’t quite as good as SAML, it’s a far better option than local passwords for each SaaS app. ",[],{},{"nodeType":247,"value":431,"marks":432,"data":434},"Our advice is you should prefer social logins over usernames and passwords wherever possible",[433],{"type":342},{},{"nodeType":247,"value":436,"marks":437,"data":438},". Read more about that ",[],{},{"nodeType":406,"data":440,"content":444},{"target":441},{"sys":442},{"id":443,"type":411,"linkType":412},"1pbtctbbJRqLuz8dOsecOt",[445],{"nodeType":247,"value":415,"marks":446,"data":448},[447],{"type":260},{},{"nodeType":247,"value":450,"marks":451,"data":452},".",[],{},{"nodeType":276,"data":454,"content":455},{},[456],{"nodeType":247,"value":457,"marks":458,"data":459},"4. Organizations know they need to secure identities, but struggle to stay ahead of the sprawl",[],{},{"nodeType":243,"data":461,"content":462},{},[463],{"nodeType":247,"value":464,"marks":465,"data":466},"In the IDSA report, survey respondents were asked to consider how they would improve identity security going forward, after experiencing damage to the business from attack(s). ",[],{},{"nodeType":468,"data":469,"content":473},"embedded-entry-block",{"target":470},{"sys":471},{"id":472,"type":411,"linkType":412},"1xmO3ndyH1Px7BWKcUYpz9",[],{"nodeType":243,"data":475,"content":476},{},[477,482,490],{"nodeType":247,"value":478,"marks":479,"data":481},"Source: ",[480],{"type":262},{},{"nodeType":252,"data":483,"content":484},{"uri":254},[485],{"nodeType":247,"value":254,"marks":486,"data":489},[487,488],{"type":260},{"type":262},{},{"nodeType":247,"value":29,"marks":491,"data":492},[],{},{"nodeType":243,"data":494,"content":495},{},[496,500,510],{"nodeType":247,"value":497,"marks":498,"data":499},"At the top of that list (42%) was basic multi-factor authentication (MFA) implementation for all employees. That sounds like a simple task, but when you’re staring down a list of all of your IT-managed cloud apps and adding all those work apps that employees have signed up for on their own (each of these unmanaged employee-adopted SaaS applications are known as a shadow identity, more on that ",[],{},{"nodeType":406,"data":501,"content":505},{"target":502},{"sys":503},{"id":504,"type":411,"linkType":412},"1I9skXuLjbdjnc6rAVkaS3",[506],{"nodeType":247,"value":415,"marks":507,"data":509},[508],{"type":260},{},{"nodeType":247,"value":511,"marks":512,"data":513},"), it can feel like an impossible task.",[],{},{"nodeType":243,"data":515,"content":516},{},[517],{"nodeType":247,"value":518,"marks":519,"data":520},"That’s where tools (like Push) can help. We work directly with employees via ChatOps to help them harden their identities by turning on MFA and creating stronger, unique passwords for the apps they’ve signed up for with credentials. ",[],{},{"nodeType":468,"data":522,"content":526},{"target":523},{"sys":524},{"id":525,"type":411,"linkType":412},"7sDZGdgD6auvjWvFKvpNUJ",[],{"nodeType":243,"data":528,"content":529},{},[530,534,542],{"nodeType":247,"value":531,"marks":532,"data":533},"Read more about this feature ",[],{},{"nodeType":252,"data":535,"content":537},{"uri":536},"https://pushsecurity.com/uc/mfa-and-password-manager-adoption/",[538],{"nodeType":247,"value":415,"marks":539,"data":541},[540],{"type":260},{},{"nodeType":247,"value":543,"marks":544,"data":545},". ",[],{},{"nodeType":276,"data":547,"content":548},{},[549],{"nodeType":247,"value":550,"marks":551,"data":552},"5. Reviewing who and what can access corporate data is a top concern",[],{},{"nodeType":243,"data":554,"content":555},{},[556],{"nodeType":247,"value":557,"marks":558,"data":559},"The next priority on that list of how to mitigate identity-related attacks was “more timely reviews of access to sensitive data.”",[],{},{"nodeType":243,"data":561,"content":562},{},[563],{"nodeType":247,"value":564,"marks":565,"data":566},"Each SaaS app, cloud app, and OAuth integration needs to interact with business data and systems in some way, either by the employee granting access in initial permissions consent flows during signup or by administrators consenting as part of onboarding centralized cloud platforms for the organization.",[],{},{"nodeType":243,"data":568,"content":569},{},[570],{"nodeType":247,"value":571,"marks":572,"data":573},"Similar to MFA adoption across all the apps, tracking and managing all the accounts, applications, and integrations to your core work platforms can feel overwhelming. ",[],{},{"nodeType":243,"data":575,"content":576},{},[577],{"nodeType":247,"value":578,"marks":579,"data":580},"In order to access risk and review access to sensitive data, you need an automated way to:",[],{},{"nodeType":582,"data":583,"content":584},"unordered-list",{},[585,596],{"nodeType":586,"data":587,"content":588},"list-item",{},[589],{"nodeType":243,"data":590,"content":591},{},[592],{"nodeType":247,"value":593,"marks":594,"data":595},"Find the work apps employees are using because they interact with corporate data and,",[],{},{"nodeType":586,"data":597,"content":598},{},[599],{"nodeType":243,"data":600,"content":601},{},[602],{"nodeType":247,"value":603,"marks":604,"data":605},"Quickly understand what data each app or integration can access",[],{},{"nodeType":243,"data":607,"content":608},{},[609],{"nodeType":247,"value":610,"marks":611,"data":612},"With this information, you can make better decisions about whether to accept the risk these apps and integrations present to their business - balancing security risk and internal resources for auditing, monitoring and hardening these identities, while not becoming a blocker to the overall business.",[],{},{"nodeType":276,"data":614,"content":615},{},[616],{"nodeType":247,"value":617,"marks":618,"data":619},"6. Organizations perceive internal hurdles to secure identities",[],{},{"nodeType":243,"data":621,"content":622},{},[623],{"nodeType":247,"value":624,"marks":625,"data":626},"One of the more telling takeaways from the report is that respondents don’t feel that they’re armed and ready to secure identities. They cited the following concerns:",[],{},{"nodeType":468,"data":628,"content":632},{"target":629},{"sys":630},{"id":631,"type":411,"linkType":412},"5Db5gG8JeV3U6tT2eHFmvh",[],{"nodeType":243,"data":634,"content":635},{},[636],{"nodeType":247,"value":637,"marks":638,"data":639},"The top two issues identified were issues of complexity, both in the identity frameworks themselves and with the organization’s technology stack.",[],{},{"nodeType":243,"data":641,"content":642},{},[643],{"nodeType":247,"value":644,"marks":645,"data":646},"The other issues are concerns we hear fairly often in this industry: no budget, not enough internal expertise, and not enough manpower and time.",[],{},{"nodeType":243,"data":648,"content":649},{},[650],{"nodeType":247,"value":651,"marks":652,"data":653},"In the next section, we’ll explore how Push can help address each of these barriers to securing identities.",[],{},{"nodeType":276,"data":655,"content":656},{},[657],{"nodeType":247,"value":658,"marks":659,"data":660},"Overcome these barriers with Push",[],{},{"nodeType":243,"data":662,"content":663},{},[664],{"nodeType":247,"value":665,"marks":666,"data":668},"Barrier #1: Identity frameworks are complicated with multiple vendors and different architectures",[667],{"type":342},{},{"nodeType":243,"data":670,"content":671},{},[672,676,686],{"nodeType":247,"value":673,"marks":674,"data":675},"Push tracks where your identity providers (IdPs) are being used across your cloud environment, including popular managed IdPs like Google, Microsoft and Okta that use SAML and OIDC (",[],{},{"nodeType":406,"data":677,"content":680},{"target":678},{"sys":679},{"id":443,"type":411,"linkType":412},[681],{"nodeType":247,"value":682,"marks":683,"data":685},"aka “social login”",[684],{"type":260},{},{"nodeType":247,"value":687,"marks":688,"data":689},") SSO, as well as custom or self-hosted IdPs like Active Directory Federation Services (ADFS).",[],{},{"nodeType":243,"data":691,"content":692},{},[693,698,702],{"nodeType":247,"value":694,"marks":695,"data":697},"Barrier #2:",[696],{"type":342},{},{"nodeType":247,"value":699,"marks":700,"data":701}," ",[],{},{"nodeType":247,"value":703,"marks":704,"data":706},"Our technology environment is very complex",[705],{"type":342},{},{"nodeType":243,"data":708,"content":709},{},[710],{"nodeType":247,"value":711,"marks":712,"data":713},"Push gives you visibility of all your cloud identities, no matter how decentralized or interconnected your cloud environment is.",[],{},{"nodeType":243,"data":715,"content":716},{},[717],{"nodeType":247,"value":718,"marks":719,"data":721},"Barrier #3: Insufficient budget",[720],{"type":342},{},{"nodeType":243,"data":723,"content":724},{},[725],{"nodeType":247,"value":726,"marks":727,"data":728},"Push is cost effective for organizations of all sizes. You pay per employee, regardless of how many identities they have or apps they use. Many organizations have purchased Push before getting an IdP like Okta because it is a more cost effective way of securing identities.",[],{},{"nodeType":243,"data":730,"content":731},{},[732,737],{"nodeType":247,"value":733,"marks":734,"data":736},"Barrier #4: Lack of expertise",[735],{"type":342},{},{"nodeType":247,"value":738,"marks":739,"data":740}," ",[],{},{"nodeType":243,"data":742,"content":743},{},[744],{"nodeType":247,"value":745,"marks":746,"data":747},"Push is surprisingly simple to use. Roll out the browser extension using MDM, Push will give you instant visibility. You just need to decide which automated remediation workflows you want to turn on.",[],{},{"nodeType":243,"data":749,"content":750},{},[751,756],{"nodeType":247,"value":752,"marks":753,"data":755},"Barrier #5: Not enough people",[754],{"type":342},{},{"nodeType":247,"value":738,"marks":757,"data":758},[],{},{"nodeType":243,"data":760,"content":761},{},[762],{"nodeType":247,"value":763,"marks":764,"data":765},"Push doesn’t just find more issues, it also fixes them. When Push detects a security issue, it automatically engages the identity owner and guides them to self-remediate the issue. This makes Push totally scalable and frees-up your security team.",[],{},{"nodeType":243,"data":767,"content":768},{},[769,772,781],{"nodeType":247,"value":29,"marks":770,"data":771},[],{},{"nodeType":252,"data":773,"content":775},{"uri":774},"https://pushsecurity.com/product/#top",[776],{"nodeType":247,"value":777,"marks":778,"data":780},"Learn more about how we can help",[779],{"type":260},{},{"nodeType":247,"value":782,"marks":783,"data":784},"!",[],{},{"nodeType":276,"data":786,"content":787},{},[788],{"nodeType":247,"value":789,"marks":790,"data":791},"Push helps you see which third parties have access to your data ",[],{},{"nodeType":243,"data":793,"content":794},{},[795],{"nodeType":247,"value":796,"marks":797,"data":798},"To manage both identity and data sprawl, lean on a good identity security solution like Push to: ",[],{},{"nodeType":377,"data":800,"content":801},{},[802],{"nodeType":247,"value":803,"marks":804,"data":805},"Track which apps have access to your corporate data ",[],{},{"nodeType":243,"data":807,"content":808},{},[809],{"nodeType":247,"value":810,"marks":811,"data":812},"Find the apps your employees are using, testing, or trialing and the associated digital identities they’ve created, and then see what data those apps were given access to by the employee:",[],{},{"nodeType":468,"data":814,"content":818},{"target":815},{"sys":816},{"id":817,"type":411,"linkType":412},"7kdGdM2MAn7HezkvUYlBP1",[],{"nodeType":377,"data":820,"content":821},{},[822],{"nodeType":247,"value":823,"marks":824,"data":825},"Detect new apps employees sign up for",[],{},{"nodeType":243,"data":827,"content":828},{},[829],{"nodeType":247,"value":830,"marks":831,"data":832},"By catching these signups early, you can quickly check out the third-party app vendor before employees give those apps even more corporate data than they did just by signing up and testing the app:",[],{},{"nodeType":468,"data":834,"content":838},{"target":835},{"sys":836},{"id":837,"type":411,"linkType":412},"1jIJX2NQZWcE6IMX85P2q6",[],{"nodeType":243,"data":840,"content":841},{},[842,846,854],{"nodeType":247,"value":843,"marks":844,"data":845},"You can then also use Push to work automatically with your employees to harden their accounts. Much more information on there ",[],{},{"nodeType":252,"data":847,"content":849},{"uri":848},"https://pushsecurity.com/uc/cloud-data-sprawl/",[850],{"nodeType":247,"value":415,"marks":851,"data":853},[852],{"type":260},{},{"nodeType":247,"value":450,"marks":855,"data":856},[],{},{"nodeType":468,"data":858,"content":862},{"target":859},{"sys":860},{"id":861,"type":411,"linkType":412},"3PpYZZ4DSBZqykD0zYF8QI",[],{"nodeType":243,"data":864,"content":865},{},[866,870],{"nodeType":247,"value":867,"marks":868,"data":869},"G",[],{},{"nodeType":247,"value":871,"marks":872,"data":873},"rab a spot in our calendars so we can run through how Push can help with your specific needs and requirements by booking a quick demo.",[],{},{"nodeType":468,"data":875,"content":879},{"target":876},{"sys":877},{"id":878,"type":411,"linkType":412},"6iKFd9Qys2SSuNqKVQB7ka",[],{"nodeType":243,"data":881,"content":882},{},[883],{"nodeType":247,"value":29,"marks":884,"data":885},[],{},{"entries":887},{"inline":888,"hyperlink":889,"block":903},[],[890,895,899],{"sys":891,"__typename":892,"title":893,"slug":894},{"id":410},"BlogPosts","The no-jargon guide to solving shadow SaaS ","protect-your-data-across-all-your-apps-even-the-ones-employees-use-without",{"sys":896,"__typename":892,"title":897,"slug":898},{"id":443},"Should I let my employees login with their work Google account?","should-i-let-my-employees-login-with-their-work-google-account",{"sys":900,"__typename":892,"title":901,"slug":902},{"id":504},"Get out of the dark: Manage the risk of shadow identities","what-are-shadow-identities",[904,912,919,927,935,943,951],{"sys":905,"__typename":906,"title":907,"caption":62,"layoutMode":62,"file":908},{"id":472},"Image","Identity solutions survey",{"url":909,"width":910,"height":911},"https://images.ctfassets.net/y1cdw1ablpvd/4ZYf1bG2qXgbJmobA8E9sd/ebba20b5fb48cd86cf5e89c8ce27b30f/image1.png",1432,870,{"sys":913,"__typename":906,"title":914,"caption":915,"layoutMode":62,"file":916},{"id":525},"ChatOps for MFA O365","Push message to an employee who hasn’t enabled MFA on their account",{"url":917,"width":32,"height":918},"https://images.ctfassets.net/y1cdw1ablpvd/6VOROrUEfy4WGtwTd75Wrx/55e58fca286d08ef337542f8c93139eb/image3.png",187,{"sys":920,"__typename":906,"title":921,"caption":922,"layoutMode":62,"file":923},{"id":631},"IDSA identity security barriers","Survey respondents perceive these barriers as restricting how much they can do for identity security in their organization",{"url":924,"width":925,"height":926},"https://images.ctfassets.net/y1cdw1ablpvd/54GsdMeP1NGPtTDwqLMdig/19a76d323db84b812409a702565ab9e1/Screenshot_2023-09-25_at_13.52.07.png",1840,660,{"sys":928,"__typename":906,"title":929,"caption":930,"layoutMode":62,"file":931},{"id":817},"SaaS dash for IDSA blog","SaaS dashboard with app owner and accounts in the organization",{"url":932,"width":933,"height":934},"https://images.ctfassets.net/y1cdw1ablpvd/VSE6jxxgzRxWl3orrYOD8/126b89e9767c1860405c5c7adcf9d2e7/image7.png",1234,914,{"sys":936,"__typename":906,"title":937,"caption":938,"layoutMode":62,"file":939},{"id":837},"New SaaS channel message ","Get channel messages to your team when an employee signs up for a new SaaS app or creates a new identity",{"url":940,"width":941,"height":942},"https://images.ctfassets.net/y1cdw1ablpvd/7F7AHs0NO5c89q827QFxQK/be73dc7359bc0087dcf5f7e9a1bcf394/image4.png",1216,862,{"sys":944,"__typename":906,"title":945,"caption":946,"layoutMode":62,"file":947},{"id":861},"Account dashboard + Chatops MFA","See all accounts in your organization and allow Push to work directly with employees to harden their accounts",{"url":948,"width":949,"height":950},"https://images.ctfassets.net/y1cdw1ablpvd/4L3L4o9Hyf7kUWbcShsxoZ/8e6ed95c833fb42418d5dd886543ba5a/image2.png",1388,1113,{"sys":952,"__typename":953,"type":954,"ctaText":955,"buttonLabel":956,"buttonColour":957,"buttonUrl":62},{"id":878},"CtaWidget","Demo","Learn how Push can help you secure identities across your org","Book a demo!","sunny orange","json",{"items":960},[],{},"Surprising takeaways from an identity-based attacks report","2023-10-03T00:00:00.000Z",{"items":965},[966,1498],{"__typename":892,"sys":967,"content":968,"title":901,"synopsis":1478,"hashTags":62,"publishedDate":1479,"slug":902,"tagsCollection":1480,"authorsCollection":1490},{"id":504},{"json":969},{"nodeType":239,"data":970,"content":971},{},[972,979,986,993,1000,1007,1032,1044,1066,1073,1080,1095,1102,1109,1116,1123,1130,1137,1143,1150,1228,1235,1241,1248,1255,1276,1283,1290,1313,1333,1340,1347,1380,1386,1393,1414,1421,1428,1450,1457,1464,1471],{"nodeType":276,"data":973,"content":974},{},[975],{"nodeType":247,"value":976,"marks":977,"data":978},"Introduction",[],{},{"nodeType":243,"data":980,"content":981},{},[982],{"nodeType":247,"value":983,"marks":984,"data":985},"Employees are signing up to cloud apps on their own every day in their organizations. When they sign up with a password, they have created a new account and a new identity on that app. ",[],{},{"nodeType":243,"data":987,"content":988},{},[989],{"nodeType":247,"value":990,"marks":991,"data":992},"Why both? If they had instead clicked on “Signup with Google,” they would have created a new account, but would have been using their Google identity that already exists. ",[],{},{"nodeType":377,"data":994,"content":995},{},[996],{"nodeType":247,"value":997,"marks":998,"data":999},"Types of identities",[],{},{"nodeType":243,"data":1001,"content":1002},{},[1003],{"nodeType":247,"value":1004,"marks":1005,"data":1006},"This informally introduces the concept of an identity provider - a place that stores primary identity information (including email address, password and other profile information).",[],{},{"nodeType":243,"data":1008,"content":1009},{},[1010,1014,1019,1023,1028],{"nodeType":247,"value":1011,"marks":1012,"data":1013},"When someone creates a new account with a password, a new ",[],{},{"nodeType":247,"value":1015,"marks":1016,"data":1018},"local identity",[1017],{"type":262},{},{"nodeType":247,"value":1020,"marks":1021,"data":1022}," has been created. In contrast, they probably use a ",[],{},{"nodeType":247,"value":1024,"marks":1025,"data":1027},"centralized identity",[1026],{"type":262},{},{"nodeType":247,"value":1029,"marks":1030,"data":1031}," to access business email and other core business apps. This means that the number of accounts and number of identities that an employee has are probably different.",[],{},{"nodeType":243,"data":1033,"content":1034},{},[1035,1040],{"nodeType":247,"value":1036,"marks":1037,"data":1039},"Local identities",[1038],{"type":262},{},{"nodeType":247,"value":1041,"marks":1042,"data":1043}," are often unknown by security/IT teams as there are no easy observation points for them. These local identities, which employees create to sign up for new tools that help them with their job, can also open the door to potential breaches if not secured properly. ",[],{},{"nodeType":243,"data":1045,"content":1046},{},[1047,1051,1062],{"nodeType":247,"value":1048,"marks":1049,"data":1050},"In the ",[],{},{"nodeType":406,"data":1052,"content":1056},{"target":1053},{"sys":1054},{"id":1055,"type":411,"linkType":412},"3eCWNBg1avThJNsZSwaq1y",[1057],{"nodeType":247,"value":1058,"marks":1059,"data":1061},"shared responsibility model",[1060],{"type":260},{},{"nodeType":247,"value":1063,"marks":1064,"data":1065}," of cloud security, most apps only require that organizations secure user accounts and the vendor takes care of the rest. But how do security teams secure identities that they don’t even know about? ",[],{},{"nodeType":243,"data":1067,"content":1068},{},[1069],{"nodeType":247,"value":1070,"marks":1071,"data":1072},"In this blog post, we'll delve into the world of shadow identities and how security teams can find and secure them.",[],{},{"nodeType":276,"data":1074,"content":1075},{},[1076],{"nodeType":247,"value":1077,"marks":1078,"data":1079},"What is a shadow identity? ",[],{},{"nodeType":243,"data":1081,"content":1082},{},[1083,1087,1091],{"nodeType":247,"value":1084,"marks":1085,"data":1086},"A shadow identity",[],{},{"nodeType":247,"value":699,"marks":1088,"data":1090},[1089],{"type":342},{},{"nodeType":247,"value":1092,"marks":1093,"data":1094},"is an identity a security/IT team is not aware of. Most often (but not exclusively) these exist outside IT-managed identity providers as local accounts on SaaS apps. ",[],{},{"nodeType":243,"data":1096,"content":1097},{},[1098],{"nodeType":247,"value":1099,"marks":1100,"data":1101},"These shadow identities introduce risk to the organization. However, once an organization’s security/IT function has visibility of an identity on an ongoing basis it is no-longer a \"shadow identity,\" and becomes just a normal identity - even if it’s on a third-party app.",[],{},{"nodeType":377,"data":1103,"content":1104},{},[1105],{"nodeType":247,"value":1106,"marks":1107,"data":1108},"Where do centralized identities fit in? ",[],{},{"nodeType":243,"data":1110,"content":1111},{},[1112],{"nodeType":247,"value":1113,"marks":1114,"data":1115},"Most organizations have a central identity provider (e.g. AzureAD/Google Directory/Okta) that stores login credentials and profile information for each employee. Most organizations strive to connect their identity provider (IdP) to all the apps they use. ",[],{},{"nodeType":243,"data":1117,"content":1118},{},[1119],{"nodeType":247,"value":1120,"marks":1121,"data":1122},"It’s a noble goal because it allows efforts to be focused on securing only a single set of credentials and MFA per employee. However, the reality is that this isn’t practical and there are many reasons why each employee only having only a single identity is only a dream (it’s a good one though!). More on this later.",[],{},{"nodeType":276,"data":1124,"content":1125},{},[1126],{"nodeType":247,"value":1127,"marks":1128,"data":1129},"Understanding shadow identity security risks",[],{},{"nodeType":243,"data":1131,"content":1132},{},[1133],{"nodeType":247,"value":1134,"marks":1135,"data":1136},"Since shadow identities (or shadow cloud identities) cannot get the same level of security attention as IT-managed identities because they’re unknown, they’re usually not as tightly secured as other identities in the business. ",[],{},{"nodeType":468,"data":1138,"content":1142},{"target":1139},{"sys":1140},{"id":1141,"type":411,"linkType":412},"35WMjPHXP2v0qtEaUMIBAS",[],{"nodeType":243,"data":1144,"content":1145},{},[1146],{"nodeType":247,"value":1147,"marks":1148,"data":1149},"Common security risks in shadow identities:",[],{},{"nodeType":582,"data":1151,"content":1152},{},[1153,1168,1183,1198,1213],{"nodeType":586,"data":1154,"content":1155},{},[1156],{"nodeType":243,"data":1157,"content":1158},{},[1159,1164],{"nodeType":247,"value":1160,"marks":1161,"data":1163},"Weak password",[1162],{"type":342},{},{"nodeType":247,"value":1165,"marks":1166,"data":1167}," - they could be using a really basic password like the person’s name or some other dictionary word (or some combination that gets accepted by the complexity checks on the app e.g. Password1!).",[],{},{"nodeType":586,"data":1169,"content":1170},{},[1171],{"nodeType":243,"data":1172,"content":1173},{},[1174,1179],{"nodeType":247,"value":1175,"marks":1176,"data":1178},"Leaked password",[1177],{"type":342},{},{"nodeType":247,"value":1180,"marks":1181,"data":1182}," - the password used has been leaked in a public data breach. Attackers often attempt to gain access to accounts using leaked passwords. This attack is called “credential stuffing.”",[],{},{"nodeType":586,"data":1184,"content":1185},{},[1186],{"nodeType":243,"data":1187,"content":1188},{},[1189,1194],{"nodeType":247,"value":1190,"marks":1191,"data":1193},"Reused passwords",[1192],{"type":342},{},{"nodeType":247,"value":1195,"marks":1196,"data":1197}," - the password set is used across other identities. This means that if an attacker got access to one password (via phishing or other means), they would be able to access more than one identity or app.",[],{},{"nodeType":586,"data":1199,"content":1200},{},[1201],{"nodeType":243,"data":1202,"content":1203},{},[1204,1209],{"nodeType":247,"value":1205,"marks":1206,"data":1208},"No MFA",[1207],{"type":342},{},{"nodeType":247,"value":1210,"marks":1211,"data":1212}," - no multifactor authentication is enabled on the account. This means that any of the above problems could lead to a direct compromise without any additional hindrances.",[],{},{"nodeType":586,"data":1214,"content":1215},{},[1216],{"nodeType":243,"data":1217,"content":1218},{},[1219,1224],{"nodeType":247,"value":1220,"marks":1221,"data":1223},"No authentication logs ",[1222],{"type":342},{},{"nodeType":247,"value":1225,"marks":1226,"data":1227},"- on centralized identities, it’s possible to see the app an identity was used on, the geographical location of the user and even the device. Contextual information like this would obviously not be available to the security/IT team for a shadow identity, so detecting compromises from unusual or suspicious activity is not possible.",[],{},{"nodeType":276,"data":1229,"content":1230},{},[1231],{"nodeType":247,"value":1232,"marks":1233,"data":1234},"Managing shadow identity and shadow cloud identity risk ",[],{},{"nodeType":468,"data":1236,"content":1240},{"target":1237},{"sys":1238},{"id":1239,"type":411,"linkType":412},"34SORjKga52MSgBaZddxGJ",[],{"nodeType":377,"data":1242,"content":1243},{},[1244],{"nodeType":247,"value":1245,"marks":1246,"data":1247},"Get visibility to bring identities out of the shadows",[],{},{"nodeType":243,"data":1249,"content":1250},{},[1251],{"nodeType":247,"value":1252,"marks":1253,"data":1254},"This goes for existing identities or new ones being created. Having visibility is the first step - nothing can be secured if neither security nor IT can see them. Visibility allows organizations to start managing the risks these identities introduce.",[],{},{"nodeType":243,"data":1256,"content":1257},{},[1258,1262,1272],{"nodeType":247,"value":1259,"marks":1260,"data":1261},"We think the best source of discovering identities is a browser extension. Read ",[],{},{"nodeType":406,"data":1263,"content":1267},{"target":1264},{"sys":1265},{"id":1266,"type":411,"linkType":412},"19dT3oWX2H3EYtZIT3J5UO",[1268],{"nodeType":247,"value":1269,"marks":1270,"data":1271},"our post ",[],{},{"nodeType":247,"value":1273,"marks":1274,"data":1275},"on the pros and cons of this approach. ",[],{},{"nodeType":377,"data":1277,"content":1278},{},[1279],{"nodeType":247,"value":1280,"marks":1281,"data":1282},"Centralize identities as far as possible",[],{},{"nodeType":243,"data":1284,"content":1285},{},[1286],{"nodeType":247,"value":1287,"marks":1288,"data":1289},"The ideal number of identities per employee is 1. However, there are quite a few reasons why this will not be possible. Here’s just a few:",[],{},{"nodeType":582,"data":1291,"content":1292},{},[1293,1303],{"nodeType":586,"data":1294,"content":1295},{},[1296],{"nodeType":243,"data":1297,"content":1298},{},[1299],{"nodeType":247,"value":1300,"marks":1301,"data":1302},"SSO tax - a practice where vendors put SSO support as part of their “Enterprise” tiers which are a lot more expensive (and usually bundled with unneeded features)",[],{},{"nodeType":586,"data":1304,"content":1305},{},[1306],{"nodeType":243,"data":1307,"content":1308},{},[1309],{"nodeType":247,"value":1310,"marks":1311,"data":1312},"Lack of support - our research shows that 69% of the top 500 apps don’t even offer SAML SSO support at any license tier.",[],{},{"nodeType":243,"data":1314,"content":1315},{},[1316,1320,1329],{"nodeType":247,"value":1317,"marks":1318,"data":1319},"On apps where SAML SSO support is not possible, we encourage organizations to make use of OIDC logins (“Login with Google” for Google Workspace customers). This lacks some of the manageability of SAML, but still makes use of the company’s Google identity - which is MUCH better than creating a new local identity using a password. We’ve written about this in more detail ",[],{},{"nodeType":406,"data":1321,"content":1324},{"target":1322},{"sys":1323},{"id":443,"type":411,"linkType":412},[1325],{"nodeType":247,"value":415,"marks":1326,"data":1328},[1327],{"type":260},{},{"nodeType":247,"value":1330,"marks":1331,"data":1332},". Centralizing identities is an essential part of a good IAM governance and compliance initiative.",[],{},{"nodeType":377,"data":1334,"content":1335},{},[1336],{"nodeType":247,"value":1337,"marks":1338,"data":1339},"If centralizing isn’t an option, secure them",[],{},{"nodeType":243,"data":1341,"content":1342},{},[1343],{"nodeType":247,"value":1344,"marks":1345,"data":1346},"If security teams can’t use a centralized identity for whatever reason, ensure the newly created one is secured to reduce risk. To do this:",[],{},{"nodeType":582,"data":1348,"content":1349},{},[1350,1360,1370],{"nodeType":586,"data":1351,"content":1352},{},[1353],{"nodeType":243,"data":1354,"content":1355},{},[1356],{"nodeType":247,"value":1357,"marks":1358,"data":1359},"Use a strong, unique password stored in a password manager",[],{},{"nodeType":586,"data":1361,"content":1362},{},[1363],{"nodeType":243,"data":1364,"content":1365},{},[1366],{"nodeType":247,"value":1367,"marks":1368,"data":1369},"Enable MFA. Bonus points for a strong method like WebAuthn (if you have a Mac, look at that lovely fingerprint reader). TOTP is still totally fine.",[],{},{"nodeType":586,"data":1371,"content":1372},{},[1373],{"nodeType":243,"data":1374,"content":1375},{},[1376],{"nodeType":247,"value":1377,"marks":1378,"data":1379},"Engage directly with employees to help them do the above. We recommend that this process be automated to make it manageable for security and IT teams. For example:",[],{},{"nodeType":468,"data":1381,"content":1385},{"target":1382},{"sys":1383},{"id":1384,"type":411,"linkType":412},"6LlNqtWam4jtXbxMcEbabB",[],{"nodeType":377,"data":1387,"content":1388},{},[1389],{"nodeType":247,"value":1390,"marks":1391,"data":1392},"Keep authentication logs centrally",[],{},{"nodeType":243,"data":1394,"content":1395},{},[1396,1400,1410],{"nodeType":247,"value":1397,"marks":1398,"data":1399},"The ability to see what app a user has logged into, from which device and location is invaluable during an incident. Identity providers allow security teams to stream logs to their favorite security analytics tools, but identities outside of it will not be possible to monitor. Unless Security have a separate data source that allows them to see authentication activity (I’m looking at you, ",[],{},{"nodeType":406,"data":1401,"content":1404},{"target":1402},{"sys":1403},{"id":1266,"type":411,"linkType":412},[1405],{"nodeType":247,"value":1406,"marks":1407,"data":1409},"browser extension",[1408],{"type":260},{},{"nodeType":247,"value":1411,"marks":1412,"data":1413},"). ",[],{},{"nodeType":243,"data":1415,"content":1416},{},[1417],{"nodeType":247,"value":1418,"marks":1419,"data":1420},"Expanding coverage to shadow identities will allow organizations to expand their monitoring use cases and better cover risks on apps that can’t be hooked into SSO. This will also go a long way in helping with compliance and IAM governance, so it’s a win-win.",[],{},{"nodeType":377,"data":1422,"content":1423},{},[1424],{"nodeType":247,"value":1425,"marks":1426,"data":1427},"Have an incident response plan ",[],{},{"nodeType":243,"data":1429,"content":1430},{},[1431,1435,1446],{"nodeType":247,"value":1432,"marks":1433,"data":1434},"Develop a comprehensive incident response (IR) plan that outlines steps to take if a shadow identity has been compromised. This will help Security respond swiftly and mitigate damage. Here’s ",[],{},{"nodeType":406,"data":1436,"content":1440},{"target":1437},{"sys":1438},{"id":1439,"type":411,"linkType":412},"14NiRrBrLFVkR8h05RCD7F",[1441],{"nodeType":247,"value":1442,"marks":1443,"data":1445},"some guidance",[1444],{"type":260},{},{"nodeType":247,"value":1447,"marks":1448,"data":1449}," on how to create one for SaaS accounts. ",[],{},{"nodeType":276,"data":1451,"content":1452},{},[1453],{"nodeType":247,"value":1454,"marks":1455,"data":1456},"Conclusion",[],{},{"nodeType":243,"data":1458,"content":1459},{},[1460],{"nodeType":247,"value":1461,"marks":1462,"data":1463},"Shadow identities and shadow cloud identities are a risk to the business simply because they’re unknown to the security/IT team. If these groups lack visibility on identities outside of their main identity provider, their impact on the company’s overall security posture is unknown. ",[],{},{"nodeType":243,"data":1465,"content":1466},{},[1467],{"nodeType":247,"value":1468,"marks":1469,"data":1470},"However, once spotted using the right data source, identities and accounts that were previously unknown can be monitored just like any other asset.",[],{},{"nodeType":243,"data":1472,"content":1473},{},[1474],{"nodeType":247,"value":1475,"marks":1476,"data":1477},"By understanding what shadow identities are and implementing proactive security measures, security teams can minimize the risks they pose to their organizations and customers.",[],{},"Employees sign up to cloud apps on their own every day. Each time, they create a new account and a new identity on that app. How do you find and secure them?","2023-09-19T00:00:00.000Z",{"items":1481},[1482,1486],{"sys":1483,"name":1485},{"id":1484},"3SA5H01UkKauuiTdt0KC6q","Shadow IT",{"sys":1487,"name":1489},{"id":1488},"1gZi8NrRy2v9OqPV7C4dwD","Risk management",{"items":1491},[1492],{"fullName":1493,"firstName":1494,"jobTitle":1495,"profilePicture":1496},"Tyrone Erasmus","Tyrone","Co-founder / CTO",{"url":1497},"https://images.ctfassets.net/y1cdw1ablpvd/5rkMblymL7lG4pZBiYzWo6/26f0da21be8fc252b13b62aacc22d19d/Push_Founders_at_Cahoots_October_28_2022_by_Doug_Coombe-22.jpg",{"__typename":892,"sys":1499,"content":1500,"title":2362,"synopsis":2363,"hashTags":62,"publishedDate":2364,"slug":2365,"tagsCollection":2366,"authorsCollection":2374},{"id":1055},{"json":1501},{"nodeType":239,"data":1502,"content":1503},{},[1504,1511,1518,1524,1559,1566,1573,1593,1600,1607,1614,1633,1639,1646,1659,1666,1673,1680,1686,1710,1717,1724,1731,1738,1745,1752,1770,1778,1794,1801,1807,1826,1854,1870,1896,1903,1910,1917,1924,1931,1938,1945,1996,2003,2033,2078,2153,2160,2167,2174,2181,2188,2195,2202,2209,2215,2222,2229,2250,2257,2264,2271,2277,2284,2291,2298,2305,2328,2335,2341],{"nodeType":243,"data":1505,"content":1506},{},[1507],{"nodeType":247,"value":1508,"marks":1509,"data":1510},"If you’re working in security, you know you’re on the hook to secure all the assets in your organization’s attack surface – including cloud and SaaS applications. But with employees signing up and adopting SaaS applications without your oversight, the scale of your attack surface has blown up without you even knowing it - leading to a huge increase in SaaS security risks. ",[],{},{"nodeType":243,"data":1512,"content":1513},{},[1514],{"nodeType":247,"value":1515,"marks":1516,"data":1517},"You’ve probably locked down the known cloud services and cloud apps your company is using (Google Workspace, Microsoft 365, etc.) and you have policies you’re already enforcing for how employees log into, access, and input sensitive data into cloud platforms like Salesforce and Hubspot. \n\nBut what about all those other SaaS applications people in the company are using? Those apps make up a significant part of your attack surface. ",[],{},{"nodeType":468,"data":1519,"content":1523},{"target":1520},{"sys":1521},{"id":1522,"type":411,"linkType":412},"5NfrrDeIPs7TE213UYly7E",[],{"nodeType":243,"data":1525,"content":1526},{},[1527,1531,1541,1545,1555],{"nodeType":247,"value":1528,"marks":1529,"data":1530},"You need visibility into all those apps as the first step. We ",[],{},{"nodeType":406,"data":1532,"content":1536},{"target":1533},{"sys":1534},{"id":1535,"type":411,"linkType":412},"3PqX7fLrTIYhWjbEhHSRHG",[1537],{"nodeType":247,"value":1538,"marks":1539,"data":1540},"can help there",[],{},{"nodeType":247,"value":1542,"marks":1543,"data":1544}," and there are some ",[],{},{"nodeType":406,"data":1546,"content":1550},{"target":1547},{"sys":1548},{"id":1549,"type":411,"linkType":412},"45iZ69EdPF4629gZ6yf7p5",[1551],{"nodeType":247,"value":1552,"marks":1553,"data":1554},"semi-hacky ways",[],{},{"nodeType":247,"value":1556,"marks":1557,"data":1558}," you can even get this visibility on your own. ",[],{},{"nodeType":276,"data":1560,"content":1561},{},[1562],{"nodeType":247,"value":1563,"marks":1564,"data":1565},"I found all these shadow SaaS apps, now what?",[],{},{"nodeType":243,"data":1567,"content":1568},{},[1569],{"nodeType":247,"value":1570,"marks":1571,"data":1572},"Once you get the list of (likely hundreds) of SaaS applications employees have been using that you weren’t aware of, you’re probably then thinking about the next daunting task - how do I secure all these shadow SaaS or shadow IT assets across your SaaS attack surface to manage SaaS security risks?",[],{},{"nodeType":243,"data":1574,"content":1575},{},[1576,1580,1589],{"nodeType":247,"value":1577,"marks":1578,"data":1579},"That’s where the ",[],{},{"nodeType":252,"data":1581,"content":1583},{"uri":1582},"https://www.ncsc.gov.uk/collection/cloud/understanding-cloud-services/cloud-security-shared-responsibility-model",[1584],{"nodeType":247,"value":1585,"marks":1586,"data":1588},"shared responsibility model ",[1587],{"type":260},{},{"nodeType":247,"value":1590,"marks":1591,"data":1592},"comes into play. You’re not on the hook to take on every aspect of SaaS security, so let’s do a walkthrough of this model and we’ll help you hone in on where you can make the most impact when it comes to securing your sensitive data with every third-party SaaS vendor.",[],{},{"nodeType":377,"data":1594,"content":1595},{},[1596],{"nodeType":247,"value":1597,"marks":1598,"data":1599},"SaaS allows you to offload some operational security",[],{},{"nodeType":243,"data":1601,"content":1602},{},[1603],{"nodeType":247,"value":1604,"marks":1605,"data":1606},"You’re undoubtedly resource strapped, so using SaaS apps is a great way to delegate as many operational security tasks as possible to the cloud provider.",[],{},{"nodeType":243,"data":1608,"content":1609},{},[1610],{"nodeType":247,"value":1611,"marks":1612,"data":1613},"The shared-responsibility model shows you your responsibilities as the customer and which the cloud provider owns - this is one of the reasons SaaS is taking over the world.   ",[],{},{"nodeType":243,"data":1615,"content":1616},{},[1617,1621,1629],{"nodeType":247,"value":1618,"marks":1619,"data":1620},"The following table produced by the ",[],{},{"nodeType":252,"data":1622,"content":1623},{"uri":1582},[1624],{"nodeType":247,"value":1625,"marks":1626,"data":1628},"National Cyber Security Centre",[1627],{"type":260},{},{"nodeType":247,"value":1630,"marks":1631,"data":1632}," (NCSC) shows how much of the balance of security responsibility is outsourced to the SaaS provider. For reference, IaaS = infrastructure-as-a-service; PaaS = platform-as-a-service; SaaS = software-as-a-service:",[],{},{"nodeType":468,"data":1634,"content":1638},{"target":1635},{"sys":1636},{"id":1637,"type":411,"linkType":412},"17rMTpxgCAU5ropjkGIIjK",[],{"nodeType":243,"data":1640,"content":1641},{},[1642],{"nodeType":247,"value":1643,"marks":1644,"data":1645},"This table shows that in the SaaS model, you’re delegating a lot of responsibility for security to the vendor, which is great because it reduces the burden on your security team and SaaS providers are certainly best placed to secure their software. ",[],{},{"nodeType":243,"data":1647,"content":1648},{},[1649,1655],{"nodeType":247,"value":1650,"marks":1651,"data":1654},"However, this requires far greater trust in SaaS providers. ",[1652,1653],{"type":262},{"type":342},{},{"nodeType":247,"value":1656,"marks":1657,"data":1658},"Even so, this is a net positive trade off for most organizations.",[],{},{"nodeType":243,"data":1660,"content":1661},{},[1662],{"nodeType":247,"value":1663,"marks":1664,"data":1665},"While we’re offloading a lot to SaaS providers, we aren’t offloading everything. You still need to take care of your responsibilities, even though they’re now quite limited.",[],{},{"nodeType":276,"data":1667,"content":1668},{},[1669],{"nodeType":247,"value":1670,"marks":1671,"data":1672},"How to handle your responsibilities for managing SaaS risks in your company ",[],{},{"nodeType":243,"data":1674,"content":1675},{},[1676],{"nodeType":247,"value":1677,"marks":1678,"data":1679},"So, how do you go about handling these two responsibilities highlighted in the table below?",[],{},{"nodeType":468,"data":1681,"content":1685},{"target":1682},{"sys":1683},{"id":1684,"type":411,"linkType":412},"4jeDpoYQzPmg5TFApeopSA",[],{"nodeType":1687,"data":1688,"content":1689},"ordered-list",{},[1690,1700],{"nodeType":586,"data":1691,"content":1692},{},[1693],{"nodeType":243,"data":1694,"content":1695},{},[1696],{"nodeType":247,"value":1697,"marks":1698,"data":1699},"Configuration of the SaaS app ",[],{},{"nodeType":586,"data":1701,"content":1702},{},[1703],{"nodeType":243,"data":1704,"content":1705},{},[1706],{"nodeType":247,"value":1707,"marks":1708,"data":1709},"Manage identity and access controls provided by the app.",[],{},{"nodeType":377,"data":1711,"content":1712},{},[1713],{"nodeType":247,"value":1714,"marks":1715,"data":1716},"Configuration of the SaaS app",[],{},{"nodeType":243,"data":1718,"content":1719},{},[1720],{"nodeType":247,"value":1721,"marks":1722,"data":1723},"The way application configuration is presented in the NCSC table above is a bit of a red herring for the apps your employees will be self-adopting. The vast majority of SaaS apps (and especially self-adopted apps) allow very little, if any, security relevant configuration. ",[],{},{"nodeType":243,"data":1725,"content":1726},{},[1727],{"nodeType":247,"value":1728,"marks":1729,"data":1730},"Sure, the big core apps like Salesforce, Google Workspace, Microsoft 365 do (and often require a dedicated team or partner to run them), but they are highly unlikely to be self-adopted by employees. ",[],{},{"nodeType":243,"data":1732,"content":1733},{},[1734],{"nodeType":247,"value":1735,"marks":1736,"data":1737},"The issues that are likely to lead to a compromise are more likely to be related to the individual accounts on the app, rather than the app configuration - so in practice there may be little to do in terms of hardening most self-managed apps.",[],{},{"nodeType":377,"data":1739,"content":1740},{},[1741],{"nodeType":247,"value":1742,"marks":1743,"data":1744},"Manage identity and access controls, like MFA, provided by the app\n",[],{},{"nodeType":243,"data":1746,"content":1747},{},[1748],{"nodeType":247,"value":1749,"marks":1750,"data":1751},"You have a few options for handling this one. We’ll go through the key areas below:",[],{},{"nodeType":1687,"data":1753,"content":1754},{},[1755],{"nodeType":586,"data":1756,"content":1757},{},[1758],{"nodeType":243,"data":1759,"content":1760},{},[1761,1766],{"nodeType":247,"value":1762,"marks":1763,"data":1765},"SSO",[1764],{"type":342},{},{"nodeType":247,"value":1767,"marks":1768,"data":1769},": Better yet, if there’s a way to tuck the app behind SSO, do it! SAML SSO is the ideal, gold standard solution for managing your SaaS security risks. The big issue is that very, very few apps, particularly the smaller ones most of the employees in your company will be signing up for, offer SSO integrations. ",[],{},{"nodeType":243,"data":1771,"content":1772},{},[1773],{"nodeType":247,"value":1774,"marks":1775,"data":1777},"When we looked at the apps we cover, only 30% of them offered SAML SSO integrations. ",[1776],{"type":342},{},{"nodeType":243,"data":1779,"content":1780},{},[1781,1785,1790],{"nodeType":247,"value":1782,"marks":1783,"data":1784},"Making things worse, of those few apps that ",[],{},{"nodeType":247,"value":1786,"marks":1787,"data":1789},"did ",[1788],{"type":262},{},{"nodeType":247,"value":1791,"marks":1792,"data":1793},"offer SAML SSO as a feature, they offered it as a paid feature that you can only access at a high pricing tier, typically Enterprise or the highest pricing tier. Many more apps offer social logins (aka OIDC SSO), and while this is not quite as good as SAML, for most organizations this is a far better option compared to local passwords for each SaaS app!",[],{},{"nodeType":243,"data":1795,"content":1796},{},[1797],{"nodeType":247,"value":1798,"marks":1799,"data":1800},"You’ve probably heard mutterings about this before and it’s even got its own site, called SSO tax, which gives you a sense of the huge number of apps without SSO integrations. See a screenshot of the site below:",[],{},{"nodeType":468,"data":1802,"content":1806},{"target":1803},{"sys":1804},{"id":1805,"type":411,"linkType":412},"71LeJlkZLWAr2rMN7Izam3",[],{"nodeType":243,"data":1808,"content":1809},{},[1810,1814,1823],{"nodeType":247,"value":1811,"marks":1812,"data":1813},"At the moment, this means SAML SSO isn’t a practical option for most apps. We wrote much more on this ",[],{},{"nodeType":406,"data":1815,"content":1818},{"target":1816},{"sys":1817},{"id":410,"type":411,"linkType":412},[1819],{"nodeType":247,"value":415,"marks":1820,"data":1822},[1821],{"type":260},{},{"nodeType":247,"value":420,"marks":1824,"data":1825},[],{},{"nodeType":243,"data":1827,"content":1828},{},[1829,1833,1838,1842,1851],{"nodeType":247,"value":1830,"marks":1831,"data":1832},"2.",[],{},{"nodeType":247,"value":1834,"marks":1835,"data":1837}," Encourage the other type of SSO — social logins",[1836],{"type":342},{},{"nodeType":247,"value":1839,"marks":1840,"data":1841},": It's also smart to make your policy towards OIDC SSO a.k.a. Social Logins (“login with Google” or “login with Microsoft”) clear. Our advice is you should prefer social logins over usernames and passwords wherever possible. Read more about that ",[],{},{"nodeType":406,"data":1843,"content":1846},{"target":1844},{"sys":1845},{"id":443,"type":411,"linkType":412},[1847],{"nodeType":247,"value":415,"marks":1848,"data":1850},[1849],{"type":260},{},{"nodeType":247,"value":450,"marks":1852,"data":1853},[],{},{"nodeType":243,"data":1855,"content":1856},{},[1857,1861,1866],{"nodeType":247,"value":1858,"marks":1859,"data":1860},"3.",[],{},{"nodeType":247,"value":1862,"marks":1863,"data":1865}," Employee trainings and education: ",[1864],{"type":342},{},{"nodeType":247,"value":1867,"marks":1868,"data":1869},"Of course, you’ll want to (and typically, you’ll be required to) do regular security training for your employees.",[],{},{"nodeType":243,"data":1871,"content":1872},{},[1873,1877,1888,1892],{"nodeType":247,"value":1874,"marks":1875,"data":1876},"If nothing else, make sure employees understand ",[],{},{"nodeType":406,"data":1878,"content":1882},{"target":1879},{"sys":1880},{"id":1881,"type":411,"linkType":412},"5Zy1Kj162pY69NT6001gAa",[1883],{"nodeType":247,"value":1884,"marks":1885,"data":1887},"the value and impact of MFA",[1886],{"type":260},{},{"nodeType":247,"value":699,"marks":1889,"data":1891},[1890],{"type":342},{},{"nodeType":247,"value":1893,"marks":1894,"data":1895},"and other identity access management tools.",[],{},{"nodeType":276,"data":1897,"content":1898},{},[1899],{"nodeType":247,"value":1900,"marks":1901,"data":1902},"Doesn’t delegating my responsibility increase SaaS security risks?",[],{},{"nodeType":243,"data":1904,"content":1905},{},[1906],{"nodeType":247,"value":1907,"marks":1908,"data":1909},"While delegating security responsibilities is great and takes a huge load off your security team, you need to consider who you’re delegating it to. ",[],{},{"nodeType":243,"data":1911,"content":1912},{},[1913],{"nodeType":247,"value":1914,"marks":1915,"data":1916},"This is what’s sometimes understood as supply chain security or third party risk management. You need to trust the SaaS provider to uphold their end of the bargain and, more often than not, also the SaaS/cloud vendors they use (their sub-processors) as well.",[],{},{"nodeType":243,"data":1918,"content":1919},{},[1920],{"nodeType":247,"value":1921,"marks":1922,"data":1923},"This sounds a lot scarier than it is. Many SaaS providers do a great job - they provide easy-to-audit, externally-verified, policies through a framework such as SOC2, and most do regular penetration tests and have bug bounty programs, etc.",[],{},{"nodeType":243,"data":1925,"content":1926},{},[1927],{"nodeType":247,"value":1928,"marks":1929,"data":1930},"And, before you panic about having to do a full security audit of every one of those hundreds of SaaS providers, know that there are tools that can help with this, which we’ll talk more about at the end of this article.",[],{},{"nodeType":276,"data":1932,"content":1933},{},[1934],{"nodeType":247,"value":1935,"marks":1936,"data":1937},"How to determine if you can live with the risk  ",[],{},{"nodeType":243,"data":1939,"content":1940},{},[1941],{"nodeType":247,"value":1942,"marks":1943,"data":1944},"Here are a few things you might consider when you assess third-party risk: ",[],{},{"nodeType":582,"data":1946,"content":1947},{},[1948,1972],{"nodeType":586,"data":1949,"content":1950},{},[1951,1959],{"nodeType":243,"data":1952,"content":1953},{},[1954],{"nodeType":247,"value":1955,"marks":1956,"data":1958},"The data going into these apps is simply too sensitive. ",[1957],{"type":342},{},{"nodeType":582,"data":1960,"content":1961},{},[1962],{"nodeType":586,"data":1963,"content":1964},{},[1965],{"nodeType":243,"data":1966,"content":1967},{},[1968],{"nodeType":247,"value":1969,"marks":1970,"data":1971},"Many organizations have very sensitive data, customer information or intellectual property (IP) that they simply aren’t willing to entrust to a third party. ",[],{},{"nodeType":586,"data":1973,"content":1974},{},[1975,1983],{"nodeType":243,"data":1976,"content":1977},{},[1978],{"nodeType":247,"value":1979,"marks":1980,"data":1982},"The app requests administrative access to sensitive systems ",[1981],{"type":342},{},{"nodeType":582,"data":1984,"content":1985},{},[1986],{"nodeType":586,"data":1987,"content":1988},{},[1989],{"nodeType":243,"data":1990,"content":1991},{},[1992],{"nodeType":247,"value":1993,"marks":1994,"data":1995},"You may not want to trust a third party with administrative access to critical IT systems",[],{},{"nodeType":243,"data":1997,"content":1998},{},[1999],{"nodeType":247,"value":2000,"marks":2001,"data":2002},"If the sensitive data in the app or the access the app has represents some significant (but not unacceptable) risk, you may consider:",[],{},{"nodeType":582,"data":2004,"content":2005},{},[2006],{"nodeType":586,"data":2007,"content":2008},{},[2009,2020],{"nodeType":243,"data":2010,"content":2011},{},[2012,2017],{"nodeType":247,"value":2013,"marks":2014,"data":2016},"The vendor has a string of repeated breaches or security incidents",[2015],{"type":342},{},{"nodeType":247,"value":543,"marks":2018,"data":2019},[],{},{"nodeType":582,"data":2021,"content":2022},{},[2023],{"nodeType":586,"data":2024,"content":2025},{},[2026],{"nodeType":243,"data":2027,"content":2028},{},[2029],{"nodeType":247,"value":2030,"marks":2031,"data":2032},"This is troubling because it’s a fairly common pattern for attackers to breach apps in ways that don’t impact customer information, but then use the information they learn from these breaches to launch far more successful breaches in future and gain access to additional sensitive data. ",[],{},{"nodeType":243,"data":2034,"content":2035},{},[2036,2040,2049,2053,2062,2065,2074],{"nodeType":247,"value":2037,"marks":2038,"data":2039},"Consider the string of breaches at ",[],{},{"nodeType":252,"data":2041,"content":2043},{"uri":2042},"https://www.bleepingcomputer.com/search/?q=lastpass+breach",[2044],{"nodeType":247,"value":2045,"marks":2046,"data":2048},"LastPass",[2047],{"type":260},{},{"nodeType":247,"value":2050,"marks":2051,"data":2052},", ",[],{},{"nodeType":252,"data":2054,"content":2056},{"uri":2055},"https://www.bleepingcomputer.com/search/?q=okta+breach",[2057],{"nodeType":247,"value":2058,"marks":2059,"data":2061},"Okta",[2060],{"type":260},{},{"nodeType":247,"value":2050,"marks":2063,"data":2064},[],{},{"nodeType":252,"data":2066,"content":2068},{"uri":2067},"https://www.bleepingcomputer.com/search/?q=twilio+breach",[2069],{"nodeType":247,"value":2070,"marks":2071,"data":2073},"Twilio",[2072],{"type":260},{},{"nodeType":247,"value":2075,"marks":2076,"data":2077}," (and many others) or as a typical example of this.",[],{},{"nodeType":582,"data":2079,"content":2080},{},[2081,2105,2129],{"nodeType":586,"data":2082,"content":2083},{},[2084,2092],{"nodeType":243,"data":2085,"content":2086},{},[2087],{"nodeType":247,"value":2088,"marks":2089,"data":2091},"The app doesn’t offer adequate security features. ",[2090],{"type":342},{},{"nodeType":582,"data":2093,"content":2094},{},[2095],{"nodeType":586,"data":2096,"content":2097},{},[2098],{"nodeType":243,"data":2099,"content":2100},{},[2101],{"nodeType":247,"value":2102,"marks":2103,"data":2104},"You want to see features like MFA, SSO (either social login through OIDC or, ideally, SAML), and bonus points for the ability to enforce these controls. This is especially important on platforms where the data is high-risk.",[],{},{"nodeType":586,"data":2106,"content":2107},{},[2108,2116],{"nodeType":243,"data":2109,"content":2110},{},[2111],{"nodeType":247,"value":2112,"marks":2113,"data":2115},"They operate in a sanctioned country ",[2114],{"type":342},{},{"nodeType":582,"data":2117,"content":2118},{},[2119],{"nodeType":586,"data":2120,"content":2121},{},[2122],{"nodeType":243,"data":2123,"content":2124},{},[2125],{"nodeType":247,"value":2126,"marks":2127,"data":2128},"Clearly SaaS providers operating from (or that have close ties with) sanctioned or politically-complicated countries represent additional risk.",[],{},{"nodeType":586,"data":2130,"content":2131},{},[2132,2140],{"nodeType":243,"data":2133,"content":2134},{},[2135],{"nodeType":247,"value":2136,"marks":2137,"data":2139},"The SaaS vendor may not have the resources to adequately protect your sensitive data. ",[2138],{"type":342},{},{"nodeType":582,"data":2141,"content":2142},{},[2143],{"nodeType":586,"data":2144,"content":2145},{},[2146],{"nodeType":243,"data":2147,"content":2148},{},[2149],{"nodeType":247,"value":2150,"marks":2151,"data":2152},"Also, question vendors that are so small that it is hard to imagine they can afford to spend significant resources on security. ",[],{},{"nodeType":243,"data":2154,"content":2155},{},[2156],{"nodeType":247,"value":2157,"marks":2158,"data":2159},"These are really common apps that integrate with your Google Workspace or Microsoft 365 - they add a feature or help streamline the employee’s workflow but aren’t a fully baked SaaS app with funding, a product and engineering team, or customer support.",[],{},{"nodeType":276,"data":2161,"content":2162},{},[2163],{"nodeType":247,"value":2164,"marks":2165,"data":2166},"If you can’t establish trust with a SaaS provider…",[],{},{"nodeType":243,"data":2168,"content":2169},{},[2170],{"nodeType":247,"value":2171,"marks":2172,"data":2173},"While the hope is that you can establish enough trust with third-party SaaS providers to allow employees to use the app, there will be exceptions.",[],{},{"nodeType":377,"data":2175,"content":2176},{},[2177],{"nodeType":247,"value":2178,"marks":2179,"data":2180},"Guide employees to secure alternatives early, before they invest too much time in a risky platform",[],{},{"nodeType":243,"data":2182,"content":2183},{},[2184],{"nodeType":247,"value":2185,"marks":2186,"data":2187},"Obviously, you can block the apps that you’ve deemed too risky for your company’s risk profile, which will reduce the attack surface. However, doing that in a vacuum, without working with the employees who are using (or testing) a SaaS application, can roadblock their work. ",[],{},{"nodeType":243,"data":2189,"content":2190},{},[2191],{"nodeType":247,"value":2192,"marks":2193,"data":2194},"While it solves your need for strong SaaS security, if you don’t provide employees with an alternative, more secure app to test, you’re burning all good will with the rest of the company. ",[],{},{"nodeType":243,"data":2196,"content":2197},{},[2198],{"nodeType":247,"value":2199,"marks":2200,"data":2201},"Worst case scenario, they’ll work around you to use the tool you removed by using their personal laptop or personal email to log in. ",[],{},{"nodeType":243,"data":2203,"content":2204},{},[2205],{"nodeType":247,"value":2206,"marks":2207,"data":2208},"The best path forward is to get into the SaaS adoption process early, as shown in this employee SaaS app adoption workflow: ",[],{},{"nodeType":468,"data":2210,"content":2214},{"target":2211},{"sys":2212},{"id":2213,"type":411,"linkType":412},"6HzSQ8wPVn9RfDSFWGaCh8",[],{"nodeType":243,"data":2216,"content":2217},{},[2218],{"nodeType":247,"value":2219,"marks":2220,"data":2221},"The goal is to catch those apps that are high risk, either because the data going into them (or that will be) is high risk or because the app can perform some high-risk action (like managing your inventory or sending emails to customers or your behalf). ",[],{},{"nodeType":243,"data":2223,"content":2224},{},[2225],{"nodeType":247,"value":2226,"marks":2227,"data":2228},"By getting in early, you can focus your efforts on these high-risk vendors and apps to make sure they can be trusted with their data. ",[],{},{"nodeType":243,"data":2230,"content":2231},{},[2232,2236,2246],{"nodeType":247,"value":2233,"marks":2234,"data":2235},"We’ve written more about this ",[],{},{"nodeType":406,"data":2237,"content":2241},{"target":2238},{"sys":2239},{"id":2240,"type":411,"linkType":412},"6ppEa7WXiKcgLQ9yGn7q3k",[2242],{"nodeType":247,"value":415,"marks":2243,"data":2245},[2244],{"type":260},{},{"nodeType":247,"value":2247,"marks":2248,"data":2249}," and it’s worth your time to read it, we promise. Blocking simply doesn’t work and it frustrates the team, so please consider this new way of securing SaaS. ",[],{},{"nodeType":276,"data":2251,"content":2252},{},[2253],{"nodeType":247,"value":2254,"marks":2255,"data":2256},"Try a tool to automate SaaS account security improvements",[],{},{"nodeType":243,"data":2258,"content":2259},{},[2260],{"nodeType":247,"value":2261,"marks":2262,"data":2263},"Check out SaaS security tools that don’t only look at the SaaS provider or the SaaS platform itself, but which also focus on the SaaS account or user identity level. ",[],{},{"nodeType":243,"data":2265,"content":2266},{},[2267],{"nodeType":247,"value":2268,"marks":2269,"data":2270},"Once you have visibility into which apps employees are using, you can dig into whether they’re using security features like MFA or using strong passwords. If they're not, use Push to equip them to enable MFA on their own: ",[],{},{"nodeType":468,"data":2272,"content":2276},{"target":2273},{"sys":2274},{"id":2275,"type":411,"linkType":412},"22jQt6xKpBHthBFqYlzKD1",[],{"nodeType":243,"data":2278,"content":2279},{},[2280],{"nodeType":247,"value":2281,"marks":2282,"data":2283},"Modern SaaS security solutions like Push can not only give you visibility into that information, but automate the process of reaching out to employees to help them turn on security features or updating weak passwords in a few short clicks.",[],{},{"nodeType":276,"data":2285,"content":2286},{},[2287],{"nodeType":247,"value":2288,"marks":2289,"data":2290},"Manage SaaS risk as scale without overburdening your team",[],{},{"nodeType":243,"data":2292,"content":2293},{},[2294],{"nodeType":247,"value":2295,"marks":2296,"data":2297},"\nWhen facing a list of hundreds of apps that employees are using in your business, doing due diligence feels like a daunting task. Push can help with this as well.",[],{},{"nodeType":243,"data":2299,"content":2300},{},[2301],{"nodeType":247,"value":2302,"marks":2303,"data":2304},"You can classify SaaS apps directly in the Push platform based on:",[],{},{"nodeType":582,"data":2306,"content":2307},{},[2308,2318],{"nodeType":586,"data":2309,"content":2310},{},[2311],{"nodeType":243,"data":2312,"content":2313},{},[2314],{"nodeType":247,"value":2315,"marks":2316,"data":2317},"the sensitivity of the data they contain",[],{},{"nodeType":586,"data":2319,"content":2320},{},[2321],{"nodeType":243,"data":2322,"content":2323},{},[2324],{"nodeType":247,"value":2325,"marks":2326,"data":2327},"the permissions they've been granted using the Sensitivity level field",[],{},{"nodeType":243,"data":2329,"content":2330},{},[2331],{"nodeType":247,"value":2332,"marks":2333,"data":2334},"Then use the Approval status option to capture your decision about an app. ",[],{},{"nodeType":468,"data":2336,"content":2340},{"target":2337},{"sys":2338},{"id":2339,"type":411,"linkType":412},"5rACOqYdUseU5rJqTSkaK5",[],{"nodeType":243,"data":2342,"content":2343},{},[2344,2348,2359],{"nodeType":247,"value":2345,"marks":2346,"data":2347},"This helps your team suss out the risk so you can make the right choice, without having to have discussions in side channels. ",[],{},{"nodeType":406,"data":2349,"content":2353},{"target":2350},{"sys":2351},{"id":2352,"type":411,"linkType":412},"1BuDaKpiwwntLe4goObvgb",[2354],{"nodeType":247,"value":2355,"marks":2356,"data":2358},"Read more about how this works",[2357],{"type":260},{},{"nodeType":247,"value":450,"marks":2360,"data":2361},[],{},"Focus on account and identity security to reduce SaaS risks","You’ve probably locked down the known cloud services your company is using, but what about all those other SaaS apps people in the company are using? \n","2023-08-15T00:00:00.000Z","focus-on-account-security-to-reduce-saas-risks",{"items":2367},[2368,2370],{"sys":2369,"name":1489},{"id":1488},{"sys":2371,"name":2373},{"id":2372},"3pjES4THCIfSAwhGdNwBcy","Browser security",{"items":2375},[2376],{"fullName":232,"firstName":233,"jobTitle":234,"profilePicture":2377},{"url":236},"report-on-identity-based-attacks","blog/report-on-identity-based-attacks",{"json":2381},{"data":2382,"content":2383,"nodeType":239},{},[2384],{"data":2385,"content":2386,"nodeType":243},{},[2387],{"data":2388,"marks":2389,"value":2390,"nodeType":247},{},[],"Identities have quickly become the new perimeter, leading attackers to target identities as the primary way to access sensitive corporate data. A recent report found that 68% of companies say identity-related attacks directly impacted their business in 2023.","A new report on securing digital identities has some interesting takeaways to consider as we think about securing identities in the cloud. Here's our take.",{"id":2393,"publishedAt":2394},"3mqMCM9bqSDqpMvxttYOFx","2026-01-30T09:32:29.362Z",{"items":2396},[2397,2399],{"sys":2398,"name":2373},{"id":2372},{"sys":2400,"name":2402},{"id":2401},"6A5RXS31ZQx3PwryGb1IMy","Browser-based attacks","P06kSfrb40DPGY5j6ADyGK53LycReJpr3vBf-uQUCcc",1784196727037]