July 3, 2024 | Davit Asatryan

How Browser Extensions Are Igniting the SaaS Data Protection Problem — and How You Can Take Control of the Situation

Uncover the risks of SaaS apps and the need for robust data protection. Safeguard your organization’s data from cyber threats.

In the last decade, software-as-a-service platforms have transformed businesses worldwide. The SaaS model has streamlined operations, increased efficiency, and empowered small startups all the way up to Fortune 500 enterprises.

However, there have been pitfalls. Notably, as SaaS apps have proliferated throughout the industry, so, too, has the amount of data generated by these apps — creating a new threat to data security.

Problems Like ‘0mega’

A recent report by the Cloud Security Alliance indicated a pressing need for robust security frameworks as organizations navigate the SaaS landscape. Despite inherent security features of SaaS applications, configuration and governance lapses pose substantial risks. This could open the floodgates to cyber threats, including data breaches and ransomware attacks.


To grasp the severity of the SaaS data security problem, consider the recent “0mega” ransomware attack. It leveraged a compromised account to create an Active Directory user, which then granted permissions — such as Global Admin, SharePoint Admin, and Exchange Admin — to wreak havoc within the company’s environment.

Whether it’s data breaches affecting healthcare records, ransomware attacks targeting financial transactions, or simply a bad actor seeking to cause reputational damage, the stakes have never been higher. The exposure is not just limited to potential loss of business or reputation damage; it also poses compliance risks, subjecting businesses to legal consequences under regulations like GDPR and CCPA.

The New Frontier of Risks

As companies grapple with SaaS application risks, another threat connected to data in mission-critical SaaS applications such as Google Workspace and Microsoft 365 is quietly gaining momentum: browser extension risk.

Spin.AI analysis showed that there are more than 300,000 third-party browser extensions and OAuth apps that interact with SaaS platforms. While extensions may offer user-friendly features, their risk to data security is alarmingly high.

Consider an extension that was advertised on Facebook as a search enhancement tool. It instead acted as a Trojan horse and hijacked Facebook accounts undetected. The extension was quickly removed from the storefront, but not before stealing login credentials of at least 6,000 corporate accounts and 7,000 VPN accounts.

Browser extensions typically require various permissions within an application or cloud environment to function properly. These permissions range from seemingly benign features like, “Read and change your data on websites you visit,” to far more intrusive ones like, “Capture content of your screen.”

This makes evaluating each extension for potential security risks cumbersome and complicated. These numerous permissions can also be layered together to create a security nightmare. For instance, an extension with “identity” permissions could leverage “webRequest” permissions to transmit personal information to third-party servers. This scenario is akin to leaving your front door open with a sign inviting strangers to come in.

Take Control

As the array of available extensions proliferates — many of which originate from unverified or unknown sources — organizations should consider a multilayered approach to protecting their valuable SaaS data.

It’s nearly impossible to secure your environment if you don’t know what’s in it. A solid first step to protecting your organization should include maintaining an up-to-date inventory of all installed extensions and SaaS applications. This will provide a comprehensive view of the potential points of vulnerability and allow you to spot potential weaknesses.

Second, conduct regular risk assessments to evaluate the level of threat each extension and application poses. These assessments should include established third-party risk management frameworks adapted to the specific needs and nature of your business. You should define what level of risk is acceptable and establish protocols for extensions that exceed this level.

ISACA’s analysis further reinforced the importance of robust access management and the proactive mitigation of risks associated with insecure APIs and shadow IT. It advocates for integrating SaaS platforms with enterprise identity solutions and enforcing multifactor authentication to fortify defenses against unauthorized access.

You can do this through automated controls configured to allow or block extensions and applications based on your organization’s established policies. Automating this process can ensure more consistent policy enforcement, thereby further reducing the likelihood of human error leading to a security breach.
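An added example (not from the article or from Spin.AI) of the inventory, risk-assessment and allow/block steps described above, which also scores the “identity” plus “webRequest” layering mentioned earlier. The permission weights, the combination bonus and the blocking threshold are assumptions chosen for illustration, and the three manifests are constructed samples.

```python
import json

# Weights are assumptions for illustration, not a published scoring standard.
WEIGHTS = {
    "<all_urls>": 4,      # "Read and change your data on websites you visit"
    "desktopCapture": 4,  # "Capture content of your screen"
    "webRequest": 3,
    "cookies": 3,
    "identity": 2,
    "tabs": 1,
}
# Pairs that are riskier together than apart (the layering the article describes).
COMBOS = {frozenset({"identity", "webRequest"}): 5}
BLOCK_AT = 8  # assumed organizational risk threshold
FIELDS = ("permissions", "optional_permissions", "host_permissions", "optional_host_permissions")

def requested(manifest):
    """Collect permissions from Manifest V2 and V3 fields of a parsed manifest.json."""
    perms = set()
    for k in FIELDS:
        perms.update(p for p in manifest.get(k, []) if isinstance(p, str))
    # Treat broad host match patterns as equivalent to <all_urls>.
    if perms & {"*://*/*", "http://*/*", "https://*/*"}:
        perms.add("<all_urls>")
    return perms

def assess(manifest):
    """Score one extension and apply the allow/block policy."""
    perms = requested(manifest)
    score = sum(WEIGHTS.get(p, 0) for p in perms)
    hits = [sorted(c) for c in COMBOS if c <= perms]
    score += sum(COMBOS[frozenset(h)] for h in hits)
    return {"name": manifest.get("name", "?"), "score": score, "combos": hits,
            "action": "block" if score >= BLOCK_AT else "allow"}

# Constructed sample inventory (not real extensions).
INVENTORY = [json.loads(m) for m in (
    '{"name": "Tab Tidy", "manifest_version": 3, "permissions": ["tabs", "storage"]}',
    '{"name": "Search Boost", "manifest_version": 3, "permissions": ["identity", "webRequest"], "host_permissions": ["https://*/*"]}',
    '{"name": "Screen Notes", "manifest_version": 2, "permissions": ["desktopCapture", "<all_urls>"]}',
)]

def report(inventory=INVENTORY):
    return sorted((assess(m) for m in inventory), key=lambda r: -r["score"])

if __name__ == "__main__":
    for row in report():
        print(row)
```

In practice the inventory would be built from the `manifest.json` of each extension installed on managed browsers, and the resulting block list fed into whatever extension policy mechanism the organization already uses.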

Multilayered Approach

Remember, the cybersecurity landscape is always evolving. So, your strategy should as well.

A dynamic, multilayered strategy should include periodic reviews of security policies, risk assessments, and even the technologies used for automated controls. These will allow you to adapt to new kinds of threats as they emerge.

SaaS applications and browser extensions offer many benefits and conveniences, but they can also be a backdoor to your sensitive SaaS data. Taking a multilayered approach to SaaS security will help you better position your organization for success and allow you to take advantage of all that SaaS platforms and browser extensions have to offer.

Davit Asatryan is vice president of product for Spin.AI, focusing on the all-in-one SaaS Security platform, SpinOne. Davit specializes in SaaS data protection, helping organizations battle shadow IT, ransomware, and data leak issues.
