The Challenge of MFA Everywhere

As companies become more reliant on SaaS applications, the security landscape changes, introducing new challenges. Multi-factor authentication (MFA) has become a fundamental solution for mitigating risks associated with SaaS identity by enhancing security, thwarting unauthorized access, and contributing to a robust security posture.

Despite the apparent benefits, achieving widespread MFA adoption is challenging. This article explores the benefits of "MFA everywhere," the projects driving it, why it is so difficult to implement, and how Grip is helping customers achieve it.

The Role of MFA in SaaS-Identity Risk Management

Incorporating MFA into your security strategy is essential for securing your organization against a wide range of SaaS security concerns, including potential SaaS compromises due to today's business-led IT movement.

• Mitigating Unauthorized Access: MFA adds a critical layer of security by requiring multiple forms of verification, significantly reducing the risk of unauthorized access.
• Protecting SaaS Account Credentials: MFA enhances credential security by reducing reliance on passwords. Additional authentication factors like a one-time code or biometric data are required even if a password is compromised.
• Safeguarding SaaS Data: MFA ensures that only authorized users can access applications and data, helping to prevent unauthorized data sharing and leaks.
• Addressing Shadow IT: Implementing MFA across various SaaS, even those not officially sanctioned by IT (AKA shadow IT), helps control and protect against unauthorized use of such SaaS.

Without question, MFA is a powerful tool in enterprise security, crucial for reducing unauthorized access and protecting against a dynamic threat landscape.

SaaS Security Concerns

Specific SaaS security concerns that drive multifactor authentication:

Unauthorized Access to SaaS Accounts: SaaS applications frequently contain sensitive corporate data, making unauthorized access a significant threat that can result in data breaches and intellectual property theft. Although convenient, traditional username and password combinations are vulnerable to phishing and credential theft. This risk is magnified in the context of business-led IT and modern workplace dynamics, where decentralized user choice and shared responsibility contribute to expanding the identity perimeter and intensifying SaaS adoption.

Data Exposure and Operational Control: The inherent ease of data sharing within SaaS platforms can inadvertently lead to data leakage or exposure. There is an elevated risk of sensitive information being shared outside the organization without stringent access controls. This risk is particularly acute in modern work environments where critical digital enterprise control—from HR to IT and factories to finance—relies heavily on SaaS services. A compromised SaaS account could potentially give an attacker control over critical business operations, including production environments, source code repositories, and domain registries.

Account Compromises and Shadow IT: Users may inadvertently compromise their SaaS accounts by reusing passwords or succumbing to phishing schemes. Moreover, the prevalence of shadow IT—employees using unauthorized SaaS tools—compounds security challenges, as these tools often escape the oversight of IT security. A study by Microsoft revealed that an average enterprise employee reuses approximately 109 passwords. Compromising one credential can provide access to nearly all other SaaS tools used by that employee, illustrating the cascading risk of inadequate password management.

‍

Challenges of Implementing MFA Everywhere

Although the benefits of MFA are well understood—mitigating threats and reducing the expansive SaaS identity risk landscape—it is challenging to implement universally due to several factors:

1. Most SaaS apps are unknown. The continuous expansion of business-led IT strategies creates inevitable blind spots. As organizations decentralize the responsibility for sourcing, procuring, and supporting business applications, visibility over SaaS services and web apps used by individual business groups diminishes. A KPMG study estimates that business-led SaaS will constitute 85% of all SaaS tools. Consequently, many apps remain unknown to IT and security teams, complicating the universal application of MFA.

2. Most SaaS apps are unfederated. Discovering real-world SaaS usage is only the first hurdle; the next challenge is that many of these apps will remain unfederated. Reasons for this include:

• Varied users and usage complicating management through IAM/SSO.

• Overwhelmed backlogs for SSO or MFA enrollment.

• High costs associated with SSO-enabled SaaS licenses (SSO tax)

• High churn rates for SaaS apps lead to wasted IAM, IT, and security resources.

Organizations need a way to implement MFA on apps that aren’t federated with an identity provider.

3. Most SaaS apps have few users. While the spotlight often shines on major SaaS providers like Salesforce and Microsoft 365, many SaaS applications are smaller, used by fewer than 10 users, and represent 74% of apps according to some studies. Grip has identified over 80,000 unique web apps and SaaS services across thousands of organizations. This broad distribution and the absence of direct administrative control pose significant challenges for security teams. They struggle to monitor logins, manage credentials, and detect unsanctioned account sharing. Managing security across such a diverse and fragmented landscape is daunting, complicating the prioritization of which apps should be targeted for comprehensive MFA implementation.

4. Most SaaS apps have short lifecycles. The ease of adopting and switching SaaS providers contributes to a high churn rate, reported at 62% every two years as of 2021. The frequent changes in the SaaS portfolio, often managed outside of traditional IT oversight, result in a significant effort wasted on trying to secure applications that may soon be replaced.

These challenges highlight the difficulties security and IT teams face in securing SaaS environments comprehensively. In these complex scenarios, solutions like Grip become invaluable, offering tools to extend secure outcomes across all SaaS applications, regardless of these challenges.

How Grip Enables MFA Everywhere Projects

Grip supports the implementation of MFA across diverse SaaS environments in two primary ways:

1. Federating Unfederated SaaS Services: Grip can identify SaaS services that are currently unfederated but have the potential to be federated with an Identity Provider (IDP) using protocols like SAML. Once these apps are under IDP control, enforcing MFA becomes feasible.

2. Enhancing Security for Unfederated Services: For SaaS services that will remain unfederated, Grip extends security measures by helping security teams to identify unmanaged applications where MFA should be enabled and assists in coordinating with the relevant stakeholders, such as business app owners, to ensure MFA is activated. Grip also maintains a record of these interactions and the status of these requests through detailed audit logs.

‍

‍

Conclusion

Securing SaaS and the identities that access SaaS is inherently challenging due to the complex and dynamic nature of modern work and business-led IT strategies. These factors significantly widen the control gap in the SaaS identity risk landscape. However, the need for universal security measures like MFA has never been more pressing.

Leveraging Grip can help overcome these practical challenges, allowing organizations to extend robust security measures across all their SaaS applications, web services, legacy portals, and cloud accounts—ensuring comprehensive protection with no exceptions and no disruptions. This approach not only addresses the immediate security needs, but also provides a scalable solution that adapts to future challenges.

To learn more about how Grip can help you identify and prioritize which apps need MFA, we invite you to schedule time with our team.

‍