Salesforce customers: Learn from Code Spaces’ swift demise


A benchmark report by Adallom into the uptake of software as a service (SaaS) applications has found that Salesforce customers have the highest percentage of privileged access users – and warned about the problems that may cause businesses.

On average 7% of users on Salesforce accounts are privileged or have admin access, compared with 4% for Google Apps, 2% for Box and 1% for Office 365, the other three services analysed.

The report gave a grave warning over the prevalence of “super admin” accounts – ones with complete and unrestricted access to the SaaS. “A compromised ‘super admin’ account represents a much greater threat to an organisation because it has access not only to view and edit privileged data, but also to modify access rights of other privileged users,” the report notes.

Regular readers of CloudTech will remember the unfortunate story of Code Spaces, the cloud provider which had to wave the white flag in June this year following a DDoS attack. Although its service ran on Amazon Web Services EC2, the attackers got into the admin control panel, created backup logins, and then deleted data, backups and machine configurations.

“Customers, not vendors, are responsible for risk management,” the report notes. “While most enterprise SaaS providers have built-in support for two-factor authentication and IP restrictions that can be used with user accounts, sophisticated attackers can circumvent those controls through session hijacks and targeted malware.”

One customer in the study found over 100 Salesforce users with admin privileges. But that’s not the biggest problem.

According to the study, 11% of SaaS accounts are ‘zombie’ accounts: accounts which haven’t been touched for three months. There are perfectly good reasons why this could be the case, such as maternity leave. Yet 80% of companies still have at least one account on the system belonging to a suspended or terminated employee.

These dormant accounts are the perfect opening point for hackers, the report argues. “An inactive account does not only represent a security risk, it’s also a financial burden on the company,” it argues. “In many of the organisations we protect, we often see double digit percentages of zombies – these are licenses which the company is paying for even though they aren’t being used.”
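The checks the report describes (what share of accounts are privileged, which accounts have been idle for three months, and which still belong to people HR has terminated) are easy to run against a user export. The following audit script is an added example written for this article; it is not code from Adallom, Salesforce or any vendor, and the user-export layout, the field names and the sample users are all constructed for illustration. The 90-day threshold stands in for the report's “three months”.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

@dataclass
class SaasUser:
    """One row of a hypothetical SaaS user export (constructed layout)."""
    username: str
    is_admin: bool                 # holds an admin / super-admin profile
    last_login: Optional[date]     # None means the account has never logged in
    hr_status: str                 # "active", "leave" or "terminated" (from HR feed)

# Constructed sample export; names, dates and statuses are invented.
SAMPLE_USERS = [
    SaasUser("alice", True,  date(2014, 8, 30), "active"),
    SaasUser("bob",   False, date(2014, 8, 29), "active"),
    SaasUser("carol", True,  date(2014, 5, 1),  "active"),      # idle admin
    SaasUser("dave",  False, date(2014, 4, 15), "leave"),       # idle, but on leave
    SaasUser("erin",  False, date(2014, 2, 1),  "terminated"),  # zombie of a leaver
    SaasUser("frank", False, None,              "active"),      # never logged in
    SaasUser("grace", False, date(2014, 8, 1),  "active"),
    SaasUser("heidi", True,  date(2014, 6, 10), "terminated"),  # recent leaver, still admin
]
AS_OF = date(2014, 9, 1)  # date the export was taken (constructed)

def admin_ratio(users):
    """Fraction of accounts holding admin rights (the report's 7% figure)."""
    if not users:
        return 0.0
    return sum(1 for u in users if u.is_admin) / len(users)

def dormant_accounts(users, as_of, days=90):
    """Accounts idle for at least `days`, or that have never logged in."""
    return [
        u for u in users
        if u.last_login is None or (as_of - u.last_login).days >= days
    ]

def terminated_with_access(users):
    """Accounts still enabled for people HR has marked as terminated.

    These are flagged regardless of recent activity: heidi logged in only
    weeks ago, which is exactly why a leaver's live account matters.
    """
    return [u for u in users if u.hr_status == "terminated"]

def audit(users, as_of, dormant_days=90):
    """Summarise the three findings; 'on leave' dormancy is listed separately
    because, as the report notes, it is often legitimate."""
    dormant = dormant_accounts(users, as_of, dormant_days)
    return {
        "admin_ratio": admin_ratio(users),
        "dormant": sorted(u.username for u in dormant if u.hr_status != "leave"),
        "dormant_on_leave": sorted(u.username for u in dormant if u.hr_status == "leave"),
        "dormant_admins": sorted(u.username for u in dormant if u.is_admin),
        "terminated_with_access": sorted(u.username for u in terminated_with_access(users)),
    }

if __name__ == "__main__":
    for key, value in audit(SAMPLE_USERS, AS_OF).items():
        print(f"{key}: {value}")
```

In a real deployment the export would come from the SaaS admin API or a CSV user report, and the `hr_status` column from a join against the HR system; the idle-admin and terminated-but-active lists are the ones to review first, since those accounts combine the lowest visibility with the highest blast radius.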

Similarly scary is the finding that the average company shares its files with 393 external domains, while on average 29% of employees share 98 corporate files with their personal email accounts. This can happen unintentionally through sync agents, but it still represents a serious security risk.

What’s more, 92% of respondents in a recent Forrester survey indicated their security controls for SaaS applications were effective. “Security professionals with this mindset are rolling the dice with their sensitive data,” said Forrester’s Andras Cser. “Perimeter and endpoint protections provide minimal protection against new, emerging and largely unknown threats.”

Earlier this week a report from Databarracks found that human error was responsible for one in five data loss incidents.