Hubspot Employee Account Breach Highlights Crisis in SaaS Identity Management

Hubspot offers a CRM platform used by sales, marketing, and customer service teams. The nature of its use means that the data stored in the application is highly sensitive and includes contact information, contract details and interaction data. Hubspot recently disclosed a security incident in which one of its employee accounts was compromised, and the bad actor was able to access the data of a number of Hubspot customer accounts. Breaching the Hubspot application itself may not provide an immediate payoff for the bad actor, but the data exfiltrated from the event is invaluable for future campaigns. The details are not available in Hubspot’s disclosure, however, it is likely that the bad actor gained access by stealing an employee’s credentials and gaining the keys to the kingdom, security team’s worst nightmare. Current industry solutions address this problem with a patchwork of solutions that cover only a fraction of applications.  Without a different approach, bad actors will continue to profit. 

SSO is Not Enough–Most SaaS are Not Supported

Much of security today relies on passwords. If you are able to authenticate yourself and your device, you are granted access to resources. The fundamental concept of passwords was invented in the earliest days of computing, back in 1961. The problem is that in 2022, fundamentally not much has changed. Users choose passwords that are more complex and seemingly difficult to obtain, and are stored in password managers. Grip Security data shows that only 20% of SaaS applications are SSO connected, meaning authentication for 80% of applications takes place manually with a user entering a password. The reason this occurs is that not every application is supported by SSO, and workers will use whatever SaaS application they need to get their job done–regardless of the security policies that are in place.  

The sheer number of SaaS applications employees use today makes it impossible to maintain immaculate password hygiene manually. Our data shows that an average employee uses 30+ SaaS applications on a regular basis. Some are supported by SSO, and the rest are either managed by the employee directly or secured through password managers. Even with these basic security controls, it is common for 50% or more of the employees to use repeat passwords and not change them regularly. The combination of new SaaS applications and the reliance on the employee to maintain strong password hygiene means that security teams have little control, and that this approach fails to secure the company’s most valuable assets.  

The Hubspot employee whose credentials were compromised likely did not know that someone had stolen their login and password. They likely got phished with a very convincing email that bypassed Hubspot’s defenses, including SSO (Hubspot is a public company and we can safely assume it has SSO in place), and unknowingly gave away the keys to the kingdom. Making matters worse, the employee’s credentials are likely used in many different Hubspot systems. If the company has a comprehensive SaaS inventory for each user - they would then be required to reset all of the user’s credentials. 

SaaS Identity Management–Rewriting the Rules 

Despite the large number of identity and access management (IAM) solutions on the market today, credential theft is rampant and is the number one goal of phishing emails. Employees unknowingly allow their credentials to be compromised because they are responsible for creating and updating them. Using that logic, security teams must ask themselves if that root cause can be eliminated by removing the reliance on a login and password in order to access resources. What if the company itself owned and managed the employee’s identity and authentication?

Taking the responsibility for identity management away from the individual employee may seem like a radical option, but our experience shows that it can exponentially improve every organization’s security posture. This can be done when two critical SaaS security capabilities are in place:  

SaaS Discovery

Organization’s must have a complete inventory of all SaaS applications being used with continuous monitoring to detect new applications that are onboarded. The discovery must cover every user across every device, managed or unmanaged, in any location. This first - and most critical - step is one that most companies struggle with.

SaaS Access Management

Identify all users that have a need to use a SaaS application and track, control, and manage their access to it. This control must cover every device, managed or unmanaged, in any location. Without the previous discovery capability, controlling access to the universe of SaaS applications becomes impossible. 

Once these two elements are in place, a SaaS security platform can own and manage the authentication for all SaaS applications. The employee has no actual need to know what their password is, because authentication is managed and updated by the SaaS security platform. This process now becomes automated, resulting in passwords that are strong, rotated regularly and never accidentally entered into a phishing page by the employee. If Hubspot had this in place, they may have avoided their recent breach. 

Grip SaaS Security Platform–Designed for the Age of SaaS

Grip Security was founded with the belief that the use of SaaS applications will continue to grow exponentially, providing immeasurable value to the business world. SaaS adoption has become prolific and individual users can provision themselves as they need to, sometimes by

bypassing any security controls and expanding the SaaS sprawl most enterprises have today. Security teams and decision makers are left with very few mitigation and management measures to ensure that these benefits coexist with a strong SaaS security posture. This seems like an increasingly difficult task, for which a reasonable security solution has yet to be found. 

Rather than taking the legacy framework and trying to adapt it to the age of SaaS, Grip Security took a fundamentally different approach. Our SaaS Security does not rely on a network, the usage of managed devices, an agent, or the user to religiously follow a set of policies–because experience has shown that they will not do so. Our flagship platform takes the responsibility away from the individual user, automates the entire process and excels at the two critical components of SaaS security: Discovery and Access Management. 

SaaS Application Discovery (Sanctioned, Unsanctioned, and Shadow SaaS):

Grip leverages a proprietary method that discovers all organizational SaaS applications (past and present). This discovery capability is not limited to those applications that are currently being used by existing employees, but allows detection of Shadow SaaS or zombie SaaS– applications that are active but regularly used by current or former employees. It is the most complete SaaS discovery capability in the industry. 

Access Management (Automated Offboarding, One-Click Remediation)

Once the organization’s SaaS applications are discovered, Grip’s platform assesses their risk, identifies the owner/administrator of the application, and provides telemetry on how often the application is being used. Our platform provides security teams with the capability to control access to the application and revoke access to one or more applications depending on the user’s role or employment status, thereby ensuring that all active SaaS has a verified owner, authorized access, and comprehensive security oversight.  

By taking a completely fresh and innovative approach, Grip Security delivers the best SaaS security platform in the industry while maintaining the business benefits of SaaS enterprises are seeking.