Securing Non-Human Identities In The Age Of SaaS


Yoni Shohet is the Co-Founder & CEO at Valence Security.

Today’s businesses thrive on automation and seamless integration. Organizations leverage a vast ecosystem of SaaS applications and often connect their business-critical applications and data to other SaaS applications through SaaS-to-SaaS integrations, creating a complex web of non-human identities (NHIs).

These NHIs or machine identities—mainly service accounts, API keys and OAuth tokens—are the silent workhorses that keep the digital engine running. However, this convenience comes at a cost. Security teams must closely monitor these NHIs, which vastly outnumber human identities.

The 2024 State of SaaS Security Report reveals the scale of the challenge. In certain cases, for every human identity, there are 8.6 non-human identities (pg. 18). These third-party SaaS integrations, and the NHIs that power them, create several new security challenges for organizations.

The Ever-Expanding World Of Third-Party Integrations

The power of SaaS lies in its ability to easily connect and automate workflows between applications with third-party integrations. These integrations leverage NHIs to exchange data and functionality and make tasks faster for everyone. Examples of popular SaaS integrations connected to core platforms include Superhuman with Google Workspace, Calendly with Microsoft 365 and Gong with Salesforce.

While these integrations enhance productivity and collaboration, they also introduce security risks.

• Reduced Visibility Due To Distributed Ownership: Many SaaS applications are adopted by business units independently to address specific needs. For example, HR may administer Workday, sales teams manage Salesforce, the R&D team has control over GitHub and so on. If security teams don’t have administrative ownership over those platforms, they also lack visibility into integrations the business user might add.

• Over-Privileged Access: When a SaaS user adopts a new integration, part of the process is enabling access privileges to the core SaaS platform. Granting third-party integrations more access than necessary can expose sensitive data. The 2024 State of SaaS Security Report identified that one-third of…
