Access management is a fundamental component of any robust cybersecurity program, but one element of it is often overlooked: non-user access management. And when third-party applications often have high levels of access to core corporate systems, this oversight becomes a huge problem—particularly when those applications are exploited by malicious actors, or it transpires that they’re inherently malicious themselves.
To find out how organizations can gain visibility into non-user access to their core systems, we spoke to Alon Jackson, Co-Founder & CEO of Astrix Security, a cybersecurity company dedicated to managing access for third-party integrations. A veteran of the Israel Defense Forces’ 8200 elite cyber unit, Jackson is an experienced thought leader and speaker in the cyber space—particularly in the realms of third-party and supply chain security.
In this interview, we spoke about the risk of having unmanaged or “shadow” integration on your critical services, why businesses need to take a proactive approach to security, and how gaining visibility into their third-party integrations can help organizations drive productivity, as well as improve security.
Astrix Security offers access management for third-party integrations. Could you tell us a bit more about what that involves, and why it’s so critical for businesses today?
The challenge that we solve is managing app-to-app security. So, managing how third-party applications connect to core systems in organizations. There are so many tools out there that help organizations today manage user access, but there is nothing that helps them understand the non-user access; not who is accessing my system, but what is accessing my system.
In more technical terms, these are API integrations that are being connected to our core systems. And the number of these integrations or connections is increasing because of the proliferation of APIs; the API economy is growing, and applications are becoming platforms. By becoming platforms, they’re opening themselves to integrations and connections. There are three main use cases as to why someone may want to create one of these connections between a third-party app and their core systems.
The first is from business owners that connect third-party apps to their accounts, which exposes those apps to their data and operations.
The second is from engineering folks that generate API keys and tokens to create automations, write code, and create their work between these platforms.
The third is from the people in the middle, who we call “citizen developers.” Citizen developers use low code/no code automation platforms to tie and build workflows together without requiring the ability to write code. And they don’t just use a plugin that is already pre-integrated, they build it themselves using tools or platforms, like Zapier, Workato, and Dell Boomi.
These are all examples of low code/no code integration platforms that help tie all these apps together. And this is part of the landscape of interconnectivity; the landscape of app-to-app connections.
What organizations do you typically work with?
Our typical customers are cloud-first enterprises around the globe, but mostly focused in the United States. They care very much about productivity and the age of connected work, and they want to run at the pace of the cloud. But they also care strongly about security, so they have a good security architecture and a firm security program already in place. So, it’s productivity first, and security supporting that.
Our customers are mostly cloud-first, running quickly, and growing fast.
The rise of cloud apps has given businesses easy access to a world of applications, but it’s also introduced challenges in terms of securing the use of those apps—particularly when they’re integrated without approval of the IT team. What are some of the risks caused by shadow integrations?
Shadow integrations are the applications on your network that you don’t know about. And the risks associated with them are super clear: this is a third party that has access to your core platform. Inherently, this has security and privacy or compliance issues.
So that’s the basic issue, and there are some amazing examples of where this has created a problem in the real world. The Heroku and Travis CI breaches that happened just a few months ago, involving their integrations with GitHub, are amazing examples that show exactly what we’re talking about.
Another good example is the recent leak of API keys from MailChimp. Marketing is a very vulnerable department for these kinds of issues, because they’re using a lot of apps and tying them together with automations. So, the MailChimp leak is another incident that happened in the past couple of months, which actually shows how fragile these API connections are, and how vulnerable they are.
For users, we have two-factor authentication, we have single sign-on, we have different security mechanisms to control and secure access. But integrations and non-user access fly under the radar; there are no security mechanisms and controls currently in place.
And this is exactly what we want to solve at Astrix.
How does Astrix help security teams to gain visibility into their third-party integrations and secure them?
First of all, we provide the visibility, which is critical to discovery. Knowing all the third parties that are connecting to your core platforms, and all the programs that will access your core platforms—that’s the first step.
Then comes automatic remediation. So, prioritizing what’s important, providing full context for the issues that we find, then enabling businesses to mitigate and remediate them with the click of a button.
Lastly, we allow for automated policy guardrails. So, you do not need to run to fix things after the fact; you have an automated platform that secures your policy across different application platforms in the organization.
You mention automation there as a means of pre-emptively securing data against third-party breaches and compliance violations. How does this work, and why is it so important for businesses to take a proactive approach to security, rather than reactive?
It’s the business model of third parties to live on your data. Sometimes the most dangerous third parties are those that are freemium: they don’t go through procurement; they don’t go through security reviews. So, someone in the organization wants to use the latest and greatest tool, and they’ve connected that tool to their mailing system or calendar, or wherever they need to help them do their job. Their heart is in the right place—they want to do their job; it’s productivity first. But if it’s a low-cost or free service, it’s very expensive on permissions; this is their business model. They have a very hungry machine learning engine at the back end that wants to live on your data. So, that’s how you get the service for free.
And the important part here is controlling this data spillage or exposure. To do that and shrink the window of opportunity of exposure, you need to identify that exposure. But that can be very difficult, because you have so many of these tools in the organization and it changes every day. So, you need to have a way or an automated process to manage that risk, because it’s much harder to do so retroactively than when you already have those workflows in place.
The first step in that is identifying when something interesting happens, then reading into its full context: “What is the third party? Who connected it? Why was it connected? When was it connected? What were the permissions?”
Having this full context allows you to triage and make an informed decision about the event, and then actually do something about it. All this—the discovery, then the context, then the remediation—really shrinks the window of opportunity and the window of exposure. And that’s super important, both for pure security, and also for compliance.
Even if you accept the connection rather than blocking it, you want to show that you accepted it after you managed and investigated it, and you made sure that it doesn’t fly under the radar.
Earlier, you talked about implementing these layers of security as a means of supporting productivity. This theme of security as a business enabler is something we’re hearing more about recently. How can security teams help their board members or senior leadership understand the need to manage and secure third-party integrations, in terms of supporting the business?
I think security leaders today understand that they want to move from gatekeepers to productivity enablers. That’s a core issue. And to do so, they need to be able to back up what they’re saying about security with facts and apply it to a business context.
In the modern world, CISOs don’t know and are not expected to know all the different tools and applications that are out there; the list is endless. Having the full context that we talked about—all the information provided by Astrix, saying, “This is good, this is bad, this is the level of severity that we found for this issue,” and so on—having this information is very important for the security leaders, because they can then come to their board members and leadership backed by actual empirical information, saying what the issue is and what the best practices are for solving it.
Without our platform, it usually takes days or even weeks of manual work to find out what they need to know about a third party they’ve never heard of before. They need to find out what it is, who connected it, how it’s behaving, when it was connected, whether it’s best practice in the industry or not—and they’d get this information by manually trying to run through logs and look at activities to understand what’s going on.
Having all this context enables them to be a good business driver, because they can now bring forward the connections that matter the most—the ones that have large exposure, and a high security score. When they bring something forward with context and actionable recommendations, that’s a real business driver. You can demonstrate with numbers and information what’s actually going on, what departments are using more tools than others, and what platforms are exposed.
And how can businesses use that data to drive productivity, as well as ensure security?
First of all, the security score alone is not enough. You must have a security score and exposure score together. And that can be a real business enabler.
If you only talk in terms of security scores, you’re just saying, “This is secure, this is not secure; this has a security score of three, that has a security score of nine.” But what can you really do with that number?
To make it really mean something, you need to work out whether the third party is exposed to sensitive information or not. If it is, does it connect to your core systems or not? Once you know this, you can talk about allowing the organization to use an app for productivity, even though its security score is maybe five or six out of 10, because it isn’t actually connected to any of your sensitive data.
If the security score is high, then you can allow a high exposure score. But if the security score is low, maybe you want to mandate a lower exposure score, if at all, depending on the appetite of the organization.
And this is how the situation is for most organizations.
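As an added illustration (not code from Astrix or from the interview), here is a constructed Python triage of a hypothetical integration inventory: it records the who/when/what-permissions context from the earlier answer, derives an exposure score from where each grant points and which scopes it holds, and combines that with a vendor security score the way the two-score rule above describes. The app names, users, dates, scopes, the CORE_SYSTEMS and SENSITIVE_SCOPES sets, and the scoring weights are all assumptions made up for the example.

```python
from dataclasses import dataclass

# Constructed example data: a hypothetical inventory of third-party grants.
# Platform names and scope strings are made up for illustration.
CORE_SYSTEMS = {"github", "google-workspace", "salesforce"}
SENSITIVE_SCOPES = {"repo", "admin:org", "mail.readwrite",
                    "drive.readonly", "contacts.read"}

@dataclass
class Integration:
    app: str
    target: str                  # platform the app is connected to
    connected_by: str
    connected_at: str
    scopes: tuple
    vendor_security_score: int   # 0-10, assumed to come from a vendor-risk source

def exposure_score(i: Integration) -> int:
    """0-10: how much sensitive data or operations the grant can reach."""
    score = 4 if i.target in CORE_SYSTEMS else 0
    score += 2 * len(set(i.scopes) & SENSITIVE_SCOPES)
    return min(score, 10)

def decide(security: int, exposure: int, appetite: int = 1) -> str:
    """A high security score tolerates high exposure; a low one does not.
    'appetite' widens the tolerated exposure for risk-accepting organizations."""
    tolerated = min(security + appetite, 10)
    if exposure <= tolerated:
        return "allow"
    if exposure <= tolerated + 2:
        return "review"
    return "revoke"

def triage(inventory):
    """Return one record per grant carrying the full context needed to act."""
    report = []
    for i in inventory:
        exp = exposure_score(i)
        report.append({"what": i.app, "who": i.connected_by, "when": i.connected_at,
                       "permissions": list(i.scopes), "target": i.target,
                       "security_score": i.vendor_security_score,
                       "exposure_score": exp,
                       "decision": decide(i.vendor_security_score, exp)})
    # Surface the highest-exposure, lowest-security grants first.
    report.sort(key=lambda r: (-r["exposure_score"], r["security_score"]))
    return report

SAMPLE = [  # constructed grants; no real apps or people
    Integration("ci-linter", "github", "dev@example.com", "2022-03-01", ("repo", "admin:org"), 9),
    Integration("free-crm-sync", "salesforce", "sales@example.com", "2022-06-14",
                ("contacts.read", "mail.readwrite", "drive.readonly"), 2),
    Integration("meeting-notes", "google-workspace", "ops@example.com", "2022-05-20",
                ("mail.readwrite", "calendar.read"), 4),
    Integration("kanban-board", "notion", "pm@example.com", "2022-04-02", ("read",), 3),
]
```

Running `triage(SAMPLE)` ranks the freemium CRM sync (exposure 10, security 2) first with a revoke decision, while the high-scope but well-rated CI tool is allowed.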
What would your final piece of advice be to organizations struggling to secure their cloud apps against today’s most prevalent threats?
Focus on your core platforms. Understand what your mission-critical services are, and then govern programmable access, just like you do for user access.
API access is surfacing these days from under the radar, and it’s just going to explode in the coming months and years, as everything is being more and more interconnected. And if you don’t start now, it may be too hard to fix later. It’s very hard to close integrations and connections after they’re no longer necessary, because you’re not sure why it was connected, when it was connected, whether it’s mission-critical or not, and so on. So, managing it as early as possible is super important. So, focus on what’s important, know what your core services are—the ones that are mission critical and hold your sensitive data—then manage programmable non-user access to them, just like you do for your users and even more so, since this is third-party access, in terms of security and compliance. It’s that simple.
Thank you to Alon Jackson for taking part in this interview. You can find out more about Astrix’s third-party integration security platform via their website.
Expert Insights provides leading research, reviews, and interviews to help organizations make the right IT purchasing decisions with confidence.