Improve SaaS application security and observability with AWS AppFabric
Adoption of software-as-a-service (SaaS) applications continues to grow, with many organizations now utilizing hundreds of SaaS apps across their business. While organizations routinely leverage SaaS apps to improve employee productivity, many suffer from security issues and inefficiencies resulting from data silos. IT and security teams face challenges related to quickly identifying and responding to security events across their SaaS application portfolios. Limited data oversight also makes it challenging to achieve regulatory compliance.
To overcome these challenges today, IT teams often build point-to-point (P2P) integrations between each SaaS application and the tools needed to analyze its audit logs and secure it. Building individual P2P integrations can take weeks or months, leaving gaps in security monitoring in the meantime. To monitor for threats and anomalous behavior, security teams must also build a mechanism to normalize application data into a format that supports cross-application analysis and alerting. Once an alert fires, analysis often requires manually looking up user details based on each application’s own identifiers. Finally, provisioning and deprovisioning users in SaaS applications that are not connected to a centralized identity provider (IdP) can require security teams to manually check user access status in each individual SaaS application, which takes time and increases the risk of unauthorized access.
AWS AppFabric addresses these challenges by quickly connecting SaaS applications for better security and productivity. AppFabric eliminates the effort associated with building and managing P2P integrations between individual SaaS applications and the organization’s security and business operations tools. AppFabric fully manages these integrations and automatically provides normalized SaaS application data using the Open Cybersecurity Schema Framework (OCSF). OCSF is an open-source, vendor-agnostic security schema.
“We operate in a highly regulated environment,” said Nathan Arora, chief business officer at YuJa. “AppFabric has helped our team reduce our manual efforts by nearly 40% in terms of pipeline management. It’s also improved our security posture across our internal application toolset, thanks to a normalization framework based on common threat vectors and enrichment of top SaaS app audit logs.”
AppFabric enriches SaaS application data with a unique user ID. This enables customers to centrally monitor their SaaS application portfolio for potential risks like large file downloads, logins from unknown locations, publicly shared data, and changes to admin privileges. AppFabric also includes a user access feature that allows security and IT admins to quickly determine which users have access to specific application(s). To use this feature, the admin simply runs a search in AppFabric based on corporate email address. This reduces time spent on tasks requiring manual intervention, such as provisioning and deprovisioning users or auditing individual user access across SaaS applications.
“We really like the easy integration and improved security visibility that AppFabric brings to our organization,” said Dudi Levi, head of Cyber Data at Bank Leumi. “By leveraging AWS AppFabric to aggregate logs from widely used SaaS enterprise applications, and its support for the OCSF schema, we are able to reduce the time to deliver security logs to our advanced security operations center. What took us days will now only take hours. The logs will be streamed to the bank’s Amazon Redshift and Amazon Aurora analytics services and ready for immediate consumption across analytics, rules, and forensic workloads.”
AWS AppFabric architecture
AppFabric monitors SaaS applications for new log data, then enriches that data with additional detail like user email address. AppFabric users can set up ingestion connectors to Amazon Simple Storage Service (Amazon S3) or Amazon Kinesis Data Firehose to monitor and store transformed data (see Figure 1). By leveraging security applications and other AWS services, organizations can further bolster their security posture by configuring alerts for notable events or identifying patterns in log data that could pose organizational risks.
“Transforming SaaS application raw audit log data and then centralizing the data into a logs stash comes with its share of challenges. But it is a foundational requirement before we can start to create alerts and monitor usage across multiple apps,” said Boris Surets, chief information security officer at Optibus. “We are especially conscious about creating basic visibility, for our global staff, into what happens across the company’s SaaS activities to reduce risk exposure. AppFabric has doubled our visibility into SaaS activity overnight, with minimal effort and cost.”
Connecting to Amazon S3
Normalized application audit logs provided by AppFabric can be stored directly in Amazon S3. Audit logs in the bucket are encrypted at rest with either Amazon S3 managed keys (SSE-S3) or the AWS managed key for Amazon S3 in AWS Key Management Service (SSE-KMS). AWS rotates the key material for both kinds of key automatically, so you do not have to manage rotation yourself; if you need control over the key, a customer-managed KMS key is also an option (see the AppFabric Administration Guide). You can also use S3 Lifecycle rules to transition normalized audit logs into less expensive storage classes, such as S3 Standard-Infrequent Access, once they are older than the window your investigations usually need.
To store AppFabric audit logs in Amazon S3, choose an existing bucket or create a new one (bucket names are globally unique) in the same Region as your AppFabric resources. Once the logs are in the bucket, you can read them with the AWS Command Line Interface (AWS CLI), an AWS Software Development Kit (AWS SDK), or the AWS Management Console, or point your security tool at the bucket to search the data and run threat detection models.
Use case 1: AppFabric and Amazon S3
Most organizations are interested in preventing bad actors from extracting and exploiting intellectual property and other sensitive corporate data. In this example, a company may use Dropbox for cloud storage, Okta for enterprise authentication, and Smartsheet for project planning. Using AppFabric, the company ingests and normalizes audit logs across all these applications with an Amazon S3 bucket configured as the destination, and uses the Amazon S3 bucket as a source for their observability tool, Rapid7. Recently, the company’s security team noticed an increase in the number of failed login attempts by a user provisioned to the company’s Smartsheet account, and wanted to see if there were similar patterns across other SaaS applications. They also noticed recent changes to admin privileges on a Dropbox folder used by a product team working on commercially sensitive features. Using AppFabric as the integration layer (see Figure 2), the security team created alerts and notifications within Rapid7 to notify them when such events take place again, allowing the team to investigate and take enforcement actions, including revoking Smartsheet access for certain accounts.
Figure 2 visualizes the end-to-end process described in use case 1.
Connecting to Amazon Kinesis Data Firehose
Ingest AppFabric audit logs in near real time using Amazon Kinesis Data Firehose. Using Kinesis Data Firehose as the ingestion destination connects normalized logs with AWS services and supported third-party applications (see the Kinesis Data Firehose documentation for the list of supported destinations). Kinesis Data Firehose lets you configure a buffer size and buffer interval, so normalized logs are delivered to their final destination in predictable batches. These destinations include applications like Splunk and AWS services like Amazon Redshift. Users who already hold licenses for, or have standardized on, a particular monitoring tool can continue using it while taking advantage of scalable Kinesis Data Firehose delivery streams. To use a delivery stream with AppFabric, it must use Direct PUT as its source and be created in the same Region as the AppFabric resources.
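The two destination prerequisites stated above (an S3 bucket in the same Region with default encryption, and a Direct PUT delivery stream in the same Region) are worth checking before you create the ingestion. The following pre-flight checks are an added example written for this post, not AWS code: each function takes the plain dictionaries that boto3 returns from `get_bucket_location`, `get_bucket_encryption` and `describe_delivery_stream` (the inner `DeliveryStreamDescription`), so the checks run offline against the constructed responses embedded below. The field names are the documented boto3 response shapes; the bucket and stream values are made up.

```python
"""Pre-flight checks for AppFabric output destinations (added example, not AWS code)."""


def s3_destination_problems(location_constraint, encryption_config, expected_region):
    """Return the reasons a bucket cannot serve as an AppFabric destination.

    location_constraint: the LocationConstraint value from get_bucket_location
    encryption_config:   ServerSideEncryptionConfiguration from get_bucket_encryption
    """
    problems = []
    # GetBucketLocation reports us-east-1 as a null/empty LocationConstraint.
    region = location_constraint or "us-east-1"
    if region != expected_region:
        problems.append(f"bucket is in {region}, AppFabric resources are in {expected_region}")
    algorithms = {
        rule["ApplyServerSideEncryptionByDefault"]["SSEAlgorithm"]
        for rule in encryption_config.get("Rules", [])
    }
    # AES256 is SSE-S3; aws:kms is SSE-KMS (AWS managed or customer managed key).
    if not algorithms & {"AES256", "aws:kms"}:
        problems.append("bucket has no default encryption (expected SSE-S3 or SSE-KMS)")
    return problems


def firehose_destination_problems(description, expected_region):
    """Return the reasons a delivery stream cannot serve as an AppFabric destination.

    description: the DeliveryStreamDescription dict from describe_delivery_stream
    """
    problems = []
    # AppFabric writes with PutRecordBatch, so the stream source must be Direct PUT,
    # not a Kinesis data stream.
    if description.get("DeliveryStreamType") != "DirectPut":
        problems.append("delivery stream source must be Direct PUT")
    # ARN layout: arn:aws:firehose:<region>:<account>:deliverystream/<name>
    region = description["DeliveryStreamARN"].split(":")[3]
    if region != expected_region:
        problems.append(f"stream is in {region}, AppFabric resources are in {expected_region}")
    if description.get("DeliveryStreamStatus") != "ACTIVE":
        problems.append(f"stream status is {description.get('DeliveryStreamStatus')}, not ACTIVE")
    return problems


# Constructed sample responses (hypothetical account, names and Regions).
GOOD_STREAM = {
    "DeliveryStreamName": "appfabric-logs",
    "DeliveryStreamARN": "arn:aws:firehose:us-east-1:123456789012:deliverystream/appfabric-logs",
    "DeliveryStreamType": "DirectPut",
    "DeliveryStreamStatus": "ACTIVE",
}
BAD_STREAM = {
    "DeliveryStreamName": "from-kinesis",
    "DeliveryStreamARN": "arn:aws:firehose:eu-west-1:123456789012:deliverystream/from-kinesis",
    "DeliveryStreamType": "KinesisStreamAsSource",
    "DeliveryStreamStatus": "CREATING",
}
SSE_S3_CONFIG = {"Rules": [{"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]}
NO_ENCRYPTION_CONFIG = {"Rules": []}


if __name__ == "__main__":
    print("good stream:", firehose_destination_problems(GOOD_STREAM, "us-east-1"))
    print("bad stream:", firehose_destination_problems(BAD_STREAM, "us-east-1"))
    print("good bucket:", s3_destination_problems(None, SSE_S3_CONFIG, "us-east-1"))
    print("bad bucket:", s3_destination_problems("eu-west-1", NO_ENCRYPTION_CONFIG, "us-east-1"))
```

In practice you would feed these functions the live responses (for example `boto3.client("firehose").describe_delivery_stream(DeliveryStreamName=name)["DeliveryStreamDescription"]`) and refuse to create the AppFabric ingestion destination while either list is non-empty; a Region mismatch in particular fails only at ingestion creation time, which is a slow way to find out.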
Use case 2: AppFabric and Amazon Kinesis Data Firehose
In this example, a financial services company wants to implement company-wide logging across all of its SaaS applications. Near-real-time monitoring is critical, because the company handles sensitive customer financial data. The company primarily uses Miro, Slack, and Zoom for collaboration, and Splunk as its security tool. With thousands of messages per hour, hundreds of daily collaboration sessions, and dozens of meetings happening concurrently, live monitoring is impractical without an automated solution. By using AppFabric with Amazon Kinesis Data Firehose (see Figure 3), the company streams normalized logs to its Splunk SOAR dashboard. The DevOps team has created rules (for example, unusual download activity, escalation of admin privileges in a Slack workspace, or enabling public sharing settings on a Slack channel) that trigger a notification in the DevOps Slack channel to initiate an investigation.
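Both use cases rely on the same property of the normalized output: every event, whichever application produced it, carries the same OCSF fields and the enriched user email address, so a rule can count across applications instead of per application. The detection logic below is an added example written for this post, not AppFabric, Rapid7 or Splunk code. It reads newline-delimited OCSF JSON of the kind AppFabric writes to S3 (or delivers through Kinesis Data Firehose) and implements the two rules from use case 1: failed logins per user across applications within a sliding window, and admin privilege grants. The field names are standard OCSF base-event fields (`class_uid` 3002 for Authentication and 3001 for Account Change, `status_id` 2 for Failure, `time` in epoch milliseconds, `actor.user.email_addr`, `metadata.product.name`); the events themselves are constructed for the example and are not real AppFabric output, and the exact shape of a given application's events should be confirmed against your own logs.

```python
"""Cross-application detection over AppFabric OCSF output (added example, not AWS code)."""
import json
from collections import defaultdict
from datetime import datetime, timedelta, timezone

OCSF_ACCOUNT_CHANGE = 3001  # OCSF class_uid: Account Change
OCSF_AUTHENTICATION = 3002  # OCSF class_uid: Authentication
STATUS_FAILURE = 2          # OCSF status_id: 1 = Success, 2 = Failure

_T0 = 1_700_000_000_000     # epoch milliseconds; base time for the constructed sample


def _ev(class_uid, actor, product, status_id, offset_s, activity_name, target=None):
    """Build one constructed OCSF-shaped event (sample data, not AppFabric output)."""
    ev = {
        "class_uid": class_uid,
        "activity_name": activity_name,
        "status_id": status_id,
        "time": _T0 + offset_s * 1000,
        "actor": {"user": {"email_addr": actor}},
        "metadata": {"product": {"name": product}},
    }
    if target:  # Account Change: "user" is the account being changed, "actor" who changed it
        ev["user"] = {"email_addr": target}
    return ev


# Constructed sample: alice fails logons in two apps within minutes and once an hour
# later; bob fails once; charlie is granted a policy in Dropbox; dave changes a password.
SAMPLE_EVENTS = "\n".join(json.dumps(e) for e in [
    _ev(OCSF_AUTHENTICATION, "alice@example.com", "Smartsheet", STATUS_FAILURE, 0, "Logon"),
    _ev(OCSF_AUTHENTICATION, "alice@example.com", "Smartsheet", STATUS_FAILURE, 60, "Logon"),
    _ev(OCSF_AUTHENTICATION, "alice@example.com", "Okta", STATUS_FAILURE, 120, "Logon"),
    _ev(OCSF_AUTHENTICATION, "alice@example.com", "Okta", 1, 180, "Logon"),
    _ev(OCSF_AUTHENTICATION, "bob@example.com", "Okta", STATUS_FAILURE, 30, "Logon"),
    _ev(OCSF_AUTHENTICATION, "alice@example.com", "Dropbox", STATUS_FAILURE, 3600, "Logon"),
    _ev(OCSF_ACCOUNT_CHANGE, "admin@example.com", "Dropbox", 1, 200, "Attach Policy",
        target="charlie@example.com"),
    _ev(OCSF_ACCOUNT_CHANGE, "dave@example.com", "Okta", 1, 240, "Password Change",
        target="dave@example.com"),
])


def parse_events(jsonl):
    """Parse newline-delimited OCSF JSON as written to the S3 destination."""
    return [json.loads(line) for line in jsonl.splitlines() if line.strip()]


def _actor_email(ev):
    return ev.get("actor", {}).get("user", {}).get("email_addr")


def _product(ev):
    return ev.get("metadata", {}).get("product", {}).get("name")


def _when(ev):
    return datetime.fromtimestamp(ev["time"] / 1000, tz=timezone.utc)


def failed_login_bursts(events, threshold=3, window=timedelta(minutes=10)):
    """Users with at least `threshold` failed logons inside a sliding `window`,
    counted across every application (the enriched email is the join key)."""
    failures = defaultdict(list)
    for ev in events:
        if ev.get("class_uid") == OCSF_AUTHENTICATION and ev.get("status_id") == STATUS_FAILURE:
            failures[_actor_email(ev)].append((_when(ev), _product(ev)))
    alerts = []
    for email, items in failures.items():
        items.sort()
        j = 0
        for i in range(len(items)):
            # Two-pointer window over sorted times: j is the first failure outside the window.
            while j < len(items) and items[j][0] - items[i][0] <= window:
                j += 1
            if j - i >= threshold:
                alerts.append({
                    "email": email,
                    "count": j - i,
                    "products": sorted({p for _, p in items[i:j]}),
                    "start": items[i][0].isoformat(),
                    "end": items[j - 1][0].isoformat(),
                })
                break  # one alert per user; the analyst gets the full window in one record
    return alerts


def privilege_changes(events, activities=("Attach Policy",)):
    """Account Change events that grant rights, as (affected user, product, activity)."""
    return [
        (ev.get("user", {}).get("email_addr"), _product(ev), ev.get("activity_name"))
        for ev in events
        if ev.get("class_uid") == OCSF_ACCOUNT_CHANGE and ev.get("activity_name") in activities
    ]


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    print(json.dumps(failed_login_bursts(evs), indent=2))
    print(privilege_changes(evs))
```

Note that alice's three failures span Smartsheet and Okta; a per-application rule with the same threshold would not have fired for either, which is the gap the normalized, enriched feed closes. The failure an hour later in Dropbox falls outside the window and is not counted, so the alert describes a burst rather than a long-term tally.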
Figure 3: Architectural flow of AppFabric with Amazon Kinesis Data Firehose integration, visualizes the end-to-end process described in use case 2:
Security and observability tools compatible with AppFabric
SaaS application data from AppFabric is compatible with any tool that supports receiving data from Amazon S3 or Amazon Kinesis Data Firehose. This includes security tools like Logz.io, Netskope, Netwitness, Rapid7, Splunk, as well as proprietary security solutions. See the Compatible Security Tools and Services section of the AppFabric Administration Guide for more details on how to set up specific security tools and services to observe data from AppFabric.
Getting started with AppFabric
To set up AppFabric and enable ingestion of audit logs from supported applications, you must create an app bundle (the AppFabric app bundle stores all of your app authorizations and audit log ingestions), authorize AppFabric to connect with your SaaS applications, and set up data ingestion to output the audit logs to Amazon S3 or Amazon Kinesis Data Firehose. Refer to the Getting Started section of the AppFabric Administration Guide for details on how to create these AppFabric resources. The AppFabric Administration Guide also covers advanced options such as encryption with a customer-managed key, and details on connecting supported applications and your security observability platform.
Using the user access feature
To use the user access feature, you must first configure an authorization for a SaaS application. Once you’ve authorized a SaaS application, you can search (see Figure 4) for a user by email address in the AppFabric console and see information pertaining to the user across all of your SaaS applications.
Figure 4: User access feature, demonstrates an example of a user found in two of three SaaS applications:
Cleaning up AppFabric resources
If you do not want to continue using AppFabric after completing this setup procedure, delete any data remaining in output locations and delete any other AppFabric resources created to avoid incurring any additional charges. See the Deleting AppFabric resources section of the AppFabric Administration Guide for instructions on how to clean up your AppFabric resources.
In this blog post we covered how AppFabric improves SaaS application security and observability, the AppFabric architecture, how to get started using AppFabric, and how to use the AppFabric user access feature. We discussed a use case for securing intellectual property with AppFabric and Amazon S3, and a use case for near-real-time monitoring across SaaS applications using AppFabric and Amazon Kinesis Data Firehose.
AppFabric reduces operational overhead associated with identifying and addressing security events across your SaaS application portfolio. AppFabric also provides access to user information across SaaS applications to aid in tasks such as deprovisioning verification. We invite you to explore the benefits of using AppFabric. Get started at the AppFabric console. Using the comprehensive documentation, you can quickly connect your SaaS applications to AppFabric and begin enhancing your security observability experience.