SaaS security best practices: where IAM controls still fall short


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 9079
Topic starter  

TL;DR: Provider risk review, inventory, zero trust, VPN restrictions, access reviews, incident response, and automation fit together as a practical control stack, according to Zluri’s overview of seven SaaS security best practices using the Microsoft Midnight Blizzard OAuth compromise to show how they work together. The underlying lesson is that SaaS sprawl and delegated access still outrun manual governance.

NHIMG editorial — based on content published by Zluri: 7 SaaS Security Best Practices You Must Follow

By the numbers:

Questions worth separating out

Q: How should security teams govern OAuth-connected SaaS apps that retain broad access?

A: Treat every OAuth-connected app as a governed identity with a clear owner, approved scopes, and an expiry or review point.

Q: Why do SaaS access reviews often miss the most dangerous permissions?

A: Because access can drift between review cycles.

Q: What breaks when third-party SaaS visibility is incomplete?

A: Least privilege breaks first, because teams cannot limit what they cannot see.

Practitioner guidance

  • Build a live SaaS and OAuth inventory: track each app owner, approval source, granted scopes, and last validation date in one governed register so stale delegated access can be removed before it becomes a blind spot.
  • Review privileged SaaS integrations on change events: trigger review when an app owner changes, when OAuth scopes expand, when a vendor relationship changes, or when a service account is repurposed, rather than waiting for a scheduled certification cycle.
  • Constrain SaaS access with conditional trust checks: combine MFA, device trust, and network controls with app-level scope limits so a verified user still cannot inherit more access than the business role requires.

What's in the full article

Zluri's full article covers the operational detail this post intentionally leaves for the source:

  • A step-by-step breakdown of how each of the seven SaaS security practices maps to day-to-day administration.
  • Concrete examples of how Zluri's SaaS management, access management, and access review features are positioned together.
  • The article's own incident-response checklist for SaaS breaches, including backup and recovery actions.
  • Practical guidance on when to use vendor assessment, VPN restrictions, or access review in a SaaS programme.

👉 Read Zluri's seven SaaS security best practices and the Microsoft OAuth case →

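One way to implement the governed register and the change-event review triggers described in the practitioner guidance above, as an added example that is not code from Zluri or NHIMG. The field names, the 90-day validation window, the trigger labels and the sample apps are this example's own assumptions; the register is an in-memory dictionary standing in for whatever system of record a team actually uses.

```python
"""Added example: an OAuth-app register with change-event review triggers
and staleness detection. Not Zluri's or NHIMG's code; all names constructed."""
from __future__ import annotations

from dataclasses import dataclass, replace
from datetime import date, timedelta


@dataclass(frozen=True)
class OAuthApp:
    """One row of the governed register (field names are this example's own)."""
    app_id: str
    name: str
    owner: str
    approval_source: str          # e.g. a change ticket or vendor-assessment reference
    vendor: str
    approved_scopes: frozenset[str]
    granted_scopes: frozenset[str]
    is_service_account: bool
    purpose: str
    last_validated: date


def review_triggers(before: OAuthApp, after: OAuthApp) -> list[str]:
    """Reasons a review must fire for this change event, in the order the
    guidance lists them: owner change, scope expansion, vendor change,
    service-account repurposing. An empty list means no trigger fired."""
    reasons = []
    if before.owner != after.owner:
        reasons.append("owner_changed")
    if after.granted_scopes - before.granted_scopes:
        reasons.append("scopes_expanded")
    if before.vendor != after.vendor:
        reasons.append("vendor_changed")
    if after.is_service_account and before.purpose != after.purpose:
        reasons.append("service_account_repurposed")
    return reasons


def unapproved_scopes(app: OAuthApp) -> frozenset[str]:
    """Scopes the app holds today that nobody approved: the drift that a
    scheduled review cycle would miss until its next pass."""
    return app.granted_scopes - app.approved_scopes


def stale_apps(register: dict[str, OAuthApp], today: date,
               max_age_days: int = 90) -> list[str]:
    """App ids whose last validation is older than the allowed window
    (90 days is this example's assumption, not a figure from the article)."""
    limit = timedelta(days=max_age_days)
    return sorted(a.app_id for a in register.values()
                  if today - a.last_validated > limit)


def record_change(register: dict[str, OAuthApp], after: OAuthApp) -> list[str]:
    """Apply a change event to the register and return the review reasons it
    raised. Apps not yet in the register are always reviewed as new."""
    before = register.get(after.app_id)
    reasons = ["new_app"] if before is None else review_triggers(before, after)
    register[after.app_id] = after
    return reasons


# Constructed sample register: fictional apps, owners, vendors and tickets.
REGISTER: dict[str, OAuthApp] = {}
BASELINE = [
    OAuthApp("app-001", "Calendar sync", "alice", "CHG-1001", "VendorA",
             frozenset({"calendar.read"}), frozenset({"calendar.read"}),
             False, "calendar integration", date(2024, 3, 1)),
    OAuthApp("app-002", "Legacy test app", "bob", "CHG-0042", "VendorB",
             frozenset({"mail.read"}), frozenset({"mail.read"}),
             True, "test harness", date(2023, 6, 1)),
]
for _app in BASELINE:
    record_change(REGISTER, _app)


def demo() -> dict:
    """Replay one constructed change event: the dormant test service account
    gains mail.send and is pointed at production without a new approval."""
    today = date(2024, 5, 1)
    updated = replace(REGISTER["app-002"],
                      granted_scopes=frozenset({"mail.read", "mail.send"}),
                      purpose="production mail relay")
    reasons = record_change(REGISTER, updated)
    return {
        "reasons": reasons,                                        # what fired the review
        "unapproved": sorted(unapproved_scopes(REGISTER["app-002"])),
        "stale": stale_apps(REGISTER, today),                       # overdue validation
    }


if __name__ == "__main__":
    print(demo())
```

The point of keeping approved and granted scopes as separate columns is that drift becomes a set difference rather than something a reviewer has to remember from the last cycle; the change-event path then catches expansion at the moment it happens, while the staleness sweep catches entries that nobody has touched at all.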



(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 8508
 

Legacy OAuth trust is the central SaaS governance failure mode here. The Microsoft incident shows that an application can remain trusted long after the business context that justified its access has changed. That means access reviews and provider assessments are not enough if they do not capture the living scope of delegated SaaS trust. Practitioners should treat dormant OAuth applications as standing identity risk, not as configuration debris.

A few things that frame the scale:

  • 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, 38% have no or low visibility, and a further 47% have only partial visibility, according to The State of Non-Human Identity Security.
  • Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them, according to the Ultimate Guide to NHIs.

A question worth separating out:

Q: Who should revoke a compromised SaaS integration during an incident?

A: The business owner, identity team, and security operations function should have pre-assigned authority to disable the app, revoke tokens, and remove risky scopes without waiting for a lengthy approval chain. In SaaS incidents, containment depends on fast, role-defined action before the attacker completes further access.

👉 Read our full editorial: SaaS security best practices expose the limits of legacy IAM


