Close up of hand pointing at tablet with abstract cloud hologram showing SaaS security

The “Ghost SaaS” Threat and Why Security Teams Should Take It Seriously

SaaS platforms that hang around in one form or another – like when a platform shuts down but its domain name continues to function – is a growing problem. And it can cause major security headaches for organizations because while the service on a platform may no longer work, the SaaS domain may remain active: Imagine that employees at an organization use a SaaS platform that goes out of business, and the lapsed domain is acquired by someone else. If this happens, the automated activities set up by employees for platform activities continue to operate, making that data and the organization vulnerable to attacks.

What is today a perfectly legitimate platform could tomorrow be repurposed – perhaps for nefarious purposes. There’s no way to know in advance if that will happen, and once it does, there is nothing security teams can do to change it. Thus, any security efforts must be taken in-house – and must consist of analyzing connections, automated activities, and accounts that connect to the many service platforms used by organizations today.

This issue of “ghost” SaaS is far more common than most people realize. Dozens of online platforms, both SaaS and social, have merged, changed direction, or shut down completely over the years, and there is a constant, active market for sales of online platforms. A service could go out of business, sell its assets, or just forget to renew its domain (it even happened to Google!).

To prevent those headaches, security teams need to be vigilant – both on what services employees are connecting to, and whether those platforms are still safe.

Account holders of these platforms are, of course, informed of changes that are set to take place, but not everyone pays attention to those messages. While the account at a shuttered SaaS site will no longer work, scripts and routines that an employee might have set up to automate tasks at that site may continue to operate, until they are stopped.

The result could be the uploading of sensitive data that could be used by bad actors to harm the organization. There’s no guarantee that the new owners of the domain – or the service, for that matter – will adhere to the security standards that the previous owners adhered to, standards that security teams took into consideration when approving use of the service. Even if a larger company, known for good security, buys a smaller service, it also doesn’t mean that they will keep supporting and updating the product. Indeed, the same problem could exist even if the domain doesn’t change hands; a startup could pivot to a completely different business model with a completely different policy on usage, data security, and more. Either way, what was yesterday a trusted SaaS site is today an unknown and untrusted entity – and connections to that service, whether intentional or otherwise, could cost a company dearly.

The first step for security teams is to seek out information about what services employees use, and then determine if those services – their purpose, location, ownership – have changed. If so, they need to be vetted again – and if they don’t stand up to scrutiny, security teams need to stop their usage in the organization.

While security teams can ask employees to check their scripts and automated activities, a more efficient and effective method of dealing with this problem is to use an automated intelligent system that will examine all connections in and out of the organization’s network, connecting to the domains of ghost SaaS platforms. Chances are employees will not remember setting up those scripts, and a thorough automated examination of those connections is much more likely to yield the desired results.

The issue of SaaS security concerns security teams a great deal. A UK government cybersecurity study lists a plethora of worries: Misconfiguration of SaaS access that hackers could take advantage of, difficulties in keeping up with SaaS platform changes, and difficulties in integrating SaaS platforms in their security efforts, among other issues. The poll showed that even with “standard” SaaS – platforms that they approved – 94% of security teams surveyed were “moderately to extremely concerned” about security issues, while 69% were “not confident at all” on their ability to defend their firms from those threats. Presumably, those numbers would jump exponentially when dealing with ghost SaaS.

One of the main concerns is lack of visibility; a SaaS platform is going to be only as safe as the owners and managers of that platform allow for – and in the case of ghost SaaS, not only are security teams not in control of security, there often isn’t anyone on the other side to discuss security with. Unless security teams can vet the chain that a service followed on its way to its new life – and ensure that they can re-vet it for security – the only viable way to deal with the problem is to ensure the cutting of all connections between employees and SaaS platforms that either are under new ownership, closed down, or otherwise different than they were when security teams approved their use.

#Security teams need to be vigilant - both on what #SaaS services employees are connecting to, and whether those platforms are safe and remains safe for use in the organization. #respectdataClick to Tweet

There’s no question that SaaS has improved productivity – but that increase isn’t worth an attack. By ridding the organization of ghost SaaS connections, security teams can ensure they get that productivity – without compromising security or business growth.


CTO and Co-Founder at Atmosec