The Challenge of MFA Everywhere

As enterprises increasingly rely on SaaS services, web and cloud apps, the security landscape evolved, presenting new challenges. Multifactor authentication (MFA) emerges as a critical solution for mitigating SaaS-Identity risks; not only enhancing security by thwarting unauthorized access attempts but also contributes to a more robust overall security posture.

Organizations often recognize the imperative of implementing multifactor authentication across their SaaS environments to protect sensitive data, maintain compliance with regulations, and fortify their defenses in an ever-evolving threat landscape.

Easier said than done. Here, we explore the benefits of “MFA Everywhere”, the projects driving it, why it is so difficult, and how Grip is enabling customers to realize it.

‍

The Role of MFA in SaaS-Identity Risk Management

Incorporating MFA into your security strategy is an essential step in securing your organization against the broad range of SaaS security concerns and the outsized impact of SaaS compromise given the current business landscape, modern work, and business-led IT strategies.  

1. Mitigating Unauthorized Access: MFA introduces an additional layer of security by requiring users to provide multiple authentication factors. This significantly reduces the risk of unauthorized access, even if credentials are compromised. It acts as a critical barrier against attackers attempting to exploit password vulnerabilities.

2. Protecting SaaS Account Credentials: With MFA in place, the reliance on password-based authentication is reduced. Even if a user's password is compromised, an additional factor such as a one-time code generated on a mobile app or biometric data is required for access, greatly enhancing credential security.

3. Safeguarding SaaS Data: MFA ensures that only authorized users can access SaaS applications and the data stored within them. This added layer of security prevents unauthorized data sharing and leakage, helping organizations maintain control over their sensitive information.

4. Addressing Shadow IT: MFA can be implemented across various SaaS platforms, even those not officially sanctioned by IT. This helps organizations regain control of shadow IT by mandating stronger security practices across all applications, reducing the risk of unauthorized tool usage.

MFA is a potent tool in the arsenal of enterprise security. Its implementation yields a marked reduction in unauthorized access incidents, fortifies credential security, and offers protection against a dynamic threat landscape. In an era where data breaches loom large, MFA is an indispensable component of a resilient defense — and paramount in addressing SaaS-specific security concerns.

‍

SaaS Security Concerns

Specific SaaS security concerns that drive multifactor authentication:

Unauthorized Access to SaaS Accounts: SaaS applications often contain sensitive corporate data, and unauthorized access can lead to data breaches and intellectual property theft. Traditional username/password combinations, while convenient, are susceptible to phishing attacks and credential theft. This concern is exaggerated in the context of business-led IT and modern work, when user choice and shared responsibility had fueled SaaS expansion, and with it, the identity perimeter.

Data Exposure and Operational Control: The ease of data sharing within SaaS platforms can inadvertently lead to data leakage or exposure. Without stringent access controls, the risk of sensitive information being shared outside the organization is heightened. Again, we see how this can be exacerbated by the conditions of modern work, where critical control of the digital enterprise happens through a SaaS service — from HR to IT, factories to finance — the digital enterprise is a SaaS operation. If an attacker compromises a SaaS account, it can put the adversary in control of production environments, source code repositories, domain registries, and operational controls via SaaS apps.

Account Compromises and Shadow IT: Users may inadvertently compromise their accounts by reusing passwords or falling victim to phishing schemes. Additionally, the prevalence of shadow IT — employees using unauthorized SaaS tools — poses security challenges, as these tools are often outside the purview of IT security. According to a study conducted by Microsoft, roughly 109 passwords are reused by enterprise employees; compromise the credential once and it can be the key to access 108 other SaaS tools.

‍

Challenges of MFA Everywhere

It is clear how MFA benefits security teams and their organizations, reducing the opportunity for threats and limiting the risk of an expansive SaaS-Identity risk landscape. So, why is it so difficult to realize MFA everywhere?

1. Most SaaS Apps are Unknown. With the continuous expansion of business-led IT strategies, blind spots are inevitable. When organizations distribute responsibility for sourcing, procuring, and supporting business applications, there will be inherently less visibility to all the SaaS services and web apps those individual business groups use. According to a study by KPMG, the estimated proportion of business-led SaaS will account for 85% of overall SaaS tools. When most apps are business-led SaaS, most apps will be unknown to IT and security teams trying to achieve MFA everywhere.  

2. Most SaaS Apps are Unfederated. Once organizations have gone through the process of discovering their real-world SaaS usage, the next challenge is dealing with the fact that most of those apps will remain unfederated. Organizations are growing their portfolio of unfederated SaaS apps, because:

a) users and usage are too varied to manage and govern via IAM/SSO,

b) the backlog for SSO (or MFA) enrollment is already overwhelmed,

c) the SSO tax is too costly for SSO-enabled SaaS licenses,

d) the churn rate for switching SaaS apps becomes wasted IAM, IT, and security resources, or

e) all the above.

MFA everywhere is often impracticable for SaaS services, web apps, legacy portals, and cloud accounts that are not federated to corporate identity controls or access management. After all, MFA is intended to be a step-up challenge to any existing, primary access controls. If most apps are unfederated, it becomes a misarranged cart and horse situation to realize MFA everywhere.

3. Most SaaS Apps Have Few Users. When most organizations think about “SaaS”, visions of the big names come to mind — Salesforce, Microsoft 365, Box, Dropbox, and Adobe always top the list in the mind’s eye. But this is an availability bias, classifying according to the ease of recalling examples. But the long train of SaaS is much, much greater than most people think. Grip, alone, has uncovered over 80,000 unique web apps and SaaS services across thousands of organizations. And 74% of SaaS apps in these organizations have fewer than 10 users.  

With such widespread diffusion of SaaS use, and without direct control of the administration of these apps, security and IT teams are at a loss to even understand when someone logs in, which credential they are using, or if the low user count is due to broad, unsanctioned account sharing. Piecing together a puzzle of hundreds of apps with thousands of accounts — some active, some shared, some abandoned, some dormant — leaves security teams without a clear understanding of prioritizing MFA everywhere.

4. Most SaaS Apps have Short Lifecycles. One critical factor that gives rise to the lopsided share of unfederated, business-led SaaS services is the ease of adoption. Consequently, it also makes switching SaaS providers just as easy. In 2021, the churn rate — the speed with which a SaaS app is used, then replaced by another — was 62% every two years.  

As mentioned earlier, the general habit of keeping SaaS unfederated is the speed with which the SaaS portfolio changes. Worst of all, it is not like the IT or security teams are even aware of a SaaS change, because it is an unmanaged, business-led apps governed entirely by someone else. Naturally, this leads to sunk cost in effort to apply MFA to apps with such a short shelf life, making it just impractical to pursue MFA everywhere.  

Staring down these challenges are security and IT teams who need to achieve secure outcomes without direct control over the SaaS (and identity) that needs securing. That’s where Grip steps in.

‍

How Grip Enables MFA Everywhere Projects

Grip expands security protection to include unfederated SaaS services with access controls like MFA. Grip enables security teams to improve access control to unfederated SaaS accounts — enforcing MFA to Grip before the user can access the target SaaS service, web app, or cloud account. Grip SaaS Access Control (SAC) enables security teams to control user authentication, authorization, and access management for unfederated web apps, legacy portals, SaaS services, and cloud accounts.

‍

Key Capabilities of Grip SaaS Access Control (SAC)

• Monitor SaaS and Identity Sprawl: Grip SAC centrally tracks each login to SaaS services, web apps, and cloud accounts for every identity, typically uncovering 70% more SaaS usage than previously known. 

• Unfederated SaaS Access Policy: Proactively enforce risk and compliance policies by automatically controlling business justification and controlling user access. Grip SAC makes passwords inaccessible to users, reducing the risk of reuse, duplication, or unsanctioned sharing.

• Strong SaaS Authentication: Grip SAC takes over user credentials to unfederated SaaS apps and web services to create a new, strong password within a secure vault that does not reveal the password to the user. Security teams can control passwords instead of people to ensure credential hygiene in unfederated SaaS accounts. 

• SAML-less Single Sign On (SSO): Enhance security by automatically logging users into SaaS applications, legacy portals, or internal systems that do not support SAML, while avoiding costly upgrades to SAML-supported license tiers. 

• MFA Everywhere: Govern access to unfederated SaaS via Grip SAC, including enforcing multifactor authentication (MFA) to Grip SAC before authenticating users to targeted SaaS apps, legacy portals, web services, or cloud accounts. Extend strong authentication to existing unfederated SaaS, and automatically enforce MFA policy to all new SaaS accounts as they emerge.  

‍

‍

In our MFA everywhere solution we aim to provide the ability for the portal user to review all the apps that are not protected by MFA, and suggest targeting those applications for MFA enrollment, whether through the SaaS app or via Grip SAC, thereby enabling strong authentication to SaaS outside IAM ownership.

To apply MFA to SaaS via Grip SAC, you can follow these simple steps:

1. Make sure access to Grip SAC is performed through your IDP with MFA as a default policy.
2. In the Grip portal, identify the SaaS apps and select “Move to Grip”.
3. Select the users to authenticate with Grip SAC, then click “Run”.

And that’s it – within a few minutes the passwords to these accounts will be automatically rotated and hidden from users, while requiring MFA to access SaaS accounts.

‍

Conclusion

Security is hard. SaaS and identity security are even harder. Many security teams and their organizations have exceptional policies, programs, and personnel to enable strong access controls and secure authentication. But the challenges standing in the way are the circumstances of modern work and business-led IT strategy. Naturally, this stretches the canyon-like control gap as the SaaS-Identity risk landscape expands.

MFA everywhere is a security project whose time has come. The impracticalities and challenges can be overcome leveraging Grip SaaS Access Control to extend secure outcomes beyond the reach of traditional tools and teams — scaling protection like MFA to all SaaS apps, web services, legacy portals, and cloud accounts. No exceptions, no disruptions.

Get started with a free SaaS-Identity Risk Assessment.

‍