Demo Request
Take a personalized product tour with a member of our team to see how we can help make your existing security teams and tools more effective within minutes.
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
Home
Blog

The Case of SailPoint Built in Admin Accounts: Full Tenant Access Granted

Dvir Sasson
Updated
December 2, 2024
December 3, 2024
4 minutes

What do these three attacks– the Snowflake breach, the Okta breach, and the Microsoft Midnight Blizzard attack–have in common? A threat actor broke in through a SaaS provider environment that wasn't protected with MFA and used that to gain a foothold into other organizations that were using that application. This underscores an important trend: threat actors are shifting their tactics away from direct attacks on businesses and instead targeting third-party vendors as an entry point.

SaaS is the achilles heel of  organizations. With so many apps, app-to-app connections, permissions, and a lack of centralized controls, SaaS ecosystems are almost certainly goldmines for bad guys looking to exploit weaknesses in order to exfiltrate data or encrypt it and hold it for ransom. 

No vendor is safe. While many of these vendors allow their customers to enable controls to prevent unauthorized access, like Microsoft Lockbox, how can you know for sure the vendor is maintaining access to your tenant securely? Who rotates the keys? Who owns them and ensures they’re secured? Hell, does the vendor have an internal “Just In Time Access” process? 

Along with the potentialities of poor security hygiene on the part of your vendors, there are other risks that often come with vendor relationships. One example of this is the existence of backdoor admin accounts into your tenant that are maintained by your vendors. These backdoor accounts are used to provide support to customers, but they introduce risks and, if misused or compromised, can lead to data exposure.

The Case of SailPoint’s Built-In Admin Accounts

SailPoint, a leading identity provider, includes two built-in organizational admin accounts, slpt.services and slpt.support, within its SaaS solution. These accounts are used to provide customer support and ensure smooth operations. While these accounts are designed with good intentions, they introduce potential risks:

  1. Initial Access Without Consent:
    • For the first six months after integration, these accounts can access an organization’s tenant without requiring explicit consent.
    • This unrestricted access aims to facilitate onboarding and troubleshooting, but it also means that administrators might not even be aware of these backdoor entries.
  2. Consent Requirement After Six Months:
    • After the initial period, SailPoint requires explicit consent from the organization before accessing its tenant.
    • While this is a positive step, the accounts still exist, and their presence continues to pose a potential risk if compromised or exploited.

The Risks of Backdoor Admin Accounts

While built-in admin accounts may serve operational purposes, their existence creates vulnerabilities that organizations should not overlook:

  1. Potential for Compromise:
    • If the credentials for these accounts are compromised—whether through phishing, brute force, or other means—an attacker could gain unrestricted access to the tenant.
    • Given the Org–OWNER permissions of these accounts, this could lead to exposure of sensitive data, configuration changes, or worse.
  2. Abuse of Privileged Access:
    • These accounts could be abused by internal or external actors, either intentionally or unintentionally, to access sensitive organizational data.
    • Without adequate monitoring, unauthorized activity might go undetected for extended periods.
  3. Lack of Transparency:
    • Many organizations may be unaware that these accounts exist, leaving them blind to potential risks.
    • Without visibility into how and when these accounts are used, organizations cannot ensure their data is fully protected.

How Reco Can Help

Reco is designed to provide organizations with the visibility and control needed to address potential risks like those posed by backdoor admin accounts. With specific posture checks and alerts, Reco can help safeguard your SaaS environment from unauthorized access or abuse of built-in accounts, such as slpt.services and slpt.support in SailPoint.

1. Proactive Monitoring of Admin Accounts

Reco continuously monitors the activity of built-in admin accounts to detect any unusual behavior. By providing real-time visibility into when and how these accounts are being accessed, Reco ensures organizations can identify potential abuse before it leads to a breach.

  • Alerts are triggered for suspicious activities such as:
    • Access from unusual locations or devices.
    • Login attempts outside business hours.
    • Actions inconsistent with the account's intended purpose.

2. Posture Checks for Built-In Accounts

Reco’s security posture management identifies and assesses risks associated with built-in accounts. This includes ensuring these accounts are configured securely and are not being misused.

  • Key posture checks include:
    • Ensuring multi-factor authentication (MFA) is enforced for these accounts.
    • Identifying unnecessary permissions or overly broad access.
    • Highlighting any changes to account configurations that might indicate tampering.

3. Automated Alerts for Abuse Attempts

When an account such as slpt.services or slpt.support is used in a way that deviates from expected behavior, Reco immediately notifies the appropriate security teams. These alerts enable swift action, whether it’s revoking access, locking the account, or investigating further. (See Figure 1)

The Bottom Line

The presence of backdoor admin accounts in SaaS integrations like SailPoint highlights a broader issue: the trade-off between convenience and security. While these accounts can facilitate smooth operations and speedy customer service, they also create another potential attack vector for your organization.

Organizations must demand transparency from their SaaS providers while implementing robust internal controls and tools, like Reco, to mitigate the risks. 

Get a demo of Reco here.

ABOUT THE AUTHOR

Dvir Sasson

Dvir is the Director of Security Research Director, where he contributes a vast array of cybersecurity expertise gained over a decade in both offensive and defensive capacities. His areas of specialization include red team operations, incident response, security operations, governance, security research, threat intelligence, and safeguarding cloud environments. With certifications in CISSP and OSCP, Dvir is passionate about problem-solving, developing automation scripts in PowerShell and Python, and delving into the mechanics of breaking things.

Technical Review by:
Gal Nakash
Technical Review by:
Dvir Sasson

Dvir is the Director of Security Research Director, where he contributes a vast array of cybersecurity expertise gained over a decade in both offensive and defensive capacities. His areas of specialization include red team operations, incident response, security operations, governance, security research, threat intelligence, and safeguarding cloud environments. With certifications in CISSP and OSCP, Dvir is passionate about problem-solving, developing automation scripts in PowerShell and Python, and delving into the mechanics of breaking things.

Table of Contents
Get the Latest SaaS Security Insights
Subscribe to receive updates on the latest cyber security attacks and trends in SaaS Security.
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.