mirror of
https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git
synced 2026-07-13 10:55:17 +03:00
308 lines
11 KiB
Markdown
308 lines
11 KiB
Markdown
---
|
|
name: implementing-zero-trust-for-saas-applications
|
|
description: >
|
|
Implementing zero trust access controls for SaaS applications using CASB, SSPM,
|
|
conditional access policies, OAuth app governance, and session controls to enforce
|
|
identity verification, device compliance, and data protection for cloud-hosted services.
|
|
domain: cybersecurity
|
|
subdomain: zero-trust-architecture
|
|
tags: [zero-trust, saas-security, casb, sspm, conditional-access, oauth-governance, session-controls]
|
|
version: "1.0"
|
|
author: mahipal
|
|
license: Apache-2.0
|
|
---
|
|
|
|
# Implementing Zero Trust for SaaS Applications
|
|
|
|
## When to Use
|
|
|
|
- When securing access to SaaS applications (Microsoft 365, Google Workspace, Salesforce, Slack)
|
|
- When implementing conditional access policies requiring MFA and device compliance for SaaS
|
|
- When deploying CASB for shadow IT discovery and unsanctioned app blocking
|
|
- When enforcing session-level controls (DLP, download restrictions) for sensitive SaaS data
|
|
- When governing OAuth application permissions and detecting excessive consent grants
|
|
|
|
**Do not use** as a replacement for SaaS-native security controls (configure those first), for applications with no SAML/OIDC support, or when SaaS vendor does not support API integration for CASB/SSPM.
|
|
|
|
## Prerequisites
|
|
|
|
- Identity provider with conditional access: Microsoft Entra ID P1/P2, Okta
|
|
- CASB solution: Microsoft Defender for Cloud Apps, Netskope, or Zscaler CASB
|
|
- SaaS applications configured with SSO via SAML 2.0 or OIDC
|
|
- MDM enrollment for device compliance signals (Intune, Jamf)
|
|
- DLP policies defined for sensitive data categories
|
|
|
|
## Workflow
|
|
|
|
### Step 1: Federate SaaS Authentication Through Identity Provider
|
|
|
|
Centralize authentication for all SaaS applications through a single IdP.
|
|
|
|
```powershell
|
|
# Configure SAML SSO for Salesforce via Entra ID
|
|
Connect-MgGraph -Scopes "Application.ReadWrite.All"
|
|
|
|
# Create enterprise application for Salesforce
|
|
$app = New-MgServicePrincipal -AppId "SALESFORCE_APP_ID" -DisplayName "Salesforce"
|
|
|
|
# Configure SAML SSO settings
|
|
$samlSettings = @{
|
|
preferredSingleSignOnMode = "saml"
|
|
samlSingleSignOnSettings = @{
|
|
relayState = ""
|
|
}
|
|
}
|
|
Update-MgServicePrincipal -ServicePrincipalId $app.Id -BodyParameter $samlSettings
|
|
|
|
# Assign user groups to the application
|
|
New-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $app.Id -BodyParameter @{
|
|
principalId = "SALES_GROUP_ID"
|
|
resourceId = $app.Id
|
|
appRoleId = "DEFAULT_ROLE_ID"
|
|
}
|
|
```
|
|
|
|
### Step 2: Create Conditional Access Policies for SaaS Applications
|
|
|
|
Enforce identity and device requirements before granting SaaS access.
|
|
|
|
```powershell
|
|
# Block access from non-compliant devices to sensitive SaaS apps
|
|
$policy = @{
|
|
displayName = "ZT - Require Compliant Device for SaaS"
|
|
state = "enabled"
|
|
conditions = @{
|
|
applications = @{
|
|
includeApplications = @("SALESFORCE_APP_ID", "M365_APP_ID", "SLACK_APP_ID")
|
|
}
|
|
users = @{
|
|
includeUsers = @("All")
|
|
excludeGroups = @("BREAK_GLASS_GROUP")
|
|
}
|
|
clientAppTypes = @("browser", "mobileAppsAndDesktopClients")
|
|
}
|
|
grantControls = @{
|
|
operator = "AND"
|
|
builtInControls = @("mfa", "compliantDevice")
|
|
}
|
|
sessionControls = @{
|
|
cloudAppSecurity = @{
|
|
isEnabled = $true
|
|
cloudAppSecurityType = "mcasConfigured"
|
|
}
|
|
signInFrequency = @{
|
|
value = 8
|
|
type = "hours"
|
|
isEnabled = $true
|
|
}
|
|
}
|
|
}
|
|
New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
|
|
|
|
# Block downloads on unmanaged devices
|
|
$downloadPolicy = @{
|
|
displayName = "ZT - Block Downloads on Unmanaged Devices"
|
|
state = "enabled"
|
|
conditions = @{
|
|
applications = @{ includeApplications = @("SHAREPOINT_APP_ID") }
|
|
users = @{ includeUsers = @("All") }
|
|
devices = @{
|
|
deviceFilter = @{
|
|
mode = "include"
|
|
rule = "device.isCompliant -ne True -or device.trustType -ne 'ServerAD'"
|
|
}
|
|
}
|
|
}
|
|
sessionControls = @{
|
|
cloudAppSecurity = @{
|
|
isEnabled = $true
|
|
cloudAppSecurityType = "mcasConfigured"
|
|
}
|
|
}
|
|
}
|
|
New-MgIdentityConditionalAccessPolicy -BodyParameter $downloadPolicy
|
|
```
|
|
|
|
### Step 3: Deploy CASB for Shadow IT Discovery and App Governance
|
|
|
|
Configure Microsoft Defender for Cloud Apps to discover and control SaaS usage.
|
|
|
|
```bash
|
|
# Query discovered cloud apps via Defender for Cloud Apps API
|
|
curl -X GET "https://api.cloudappsecurity.com/api/v1/discovery/" \
|
|
-H "Authorization: Token ${MDCA_API_TOKEN}" \
|
|
-H "Content-Type: application/json"
|
|
|
|
# Get list of unsanctioned apps
|
|
curl -X GET "https://api.cloudappsecurity.com/api/v1/discovery/discovered_apps/" \
|
|
-H "Authorization: Token ${MDCA_API_TOKEN}" \
|
|
-d '{
|
|
"filters": {
|
|
"appTag": {"eq": "unsanctioned"},
|
|
"traffic": {"gte": 1000}
|
|
},
|
|
"sortField": "traffic",
|
|
"sortDirection": "desc"
|
|
}'
|
|
|
|
# Create session policy for DLP enforcement
|
|
curl -X POST "https://api.cloudappsecurity.com/api/v1/policies/" \
|
|
-H "Authorization: Token ${MDCA_API_TOKEN}" \
|
|
-d '{
|
|
"name": "Block PII Upload to SaaS",
|
|
"policyType": "SESSION",
|
|
"severity": "HIGH",
|
|
"enabled": true,
|
|
"sessionPolicyType": "CONTROL_UPLOAD",
|
|
"filters": {
|
|
"fileType": {"eq": ["DOCUMENT", "SPREADSHEET"]},
|
|
"contentInspection": {
|
|
"dataType": ["CREDIT_CARD", "SSN", "PASSPORT"]
|
|
}
|
|
},
|
|
"actions": {
|
|
"block": true,
|
|
"notify": {
|
|
"emailRecipients": ["security-team@company.com"]
|
|
}
|
|
}
|
|
}'
|
|
```
|
|
|
|
### Step 4: Configure OAuth App Governance
|
|
|
|
Review and restrict OAuth application permissions to prevent excessive consent.
|
|
|
|
```powershell
|
|
# Query OAuth apps with high-privilege permissions
|
|
$oauthApps = Invoke-MgGraphRequest -Method GET `
|
|
"https://graph.microsoft.com/v1.0/servicePrincipals?\$filter=tags/any(t:t eq 'WindowsAzureActiveDirectoryIntegratedApp')&\$select=displayName,appId,oauth2PermissionScopes"
|
|
|
|
# Review consent grants
|
|
$grants = Get-MgOauth2PermissionGrant -All
|
|
$highRisk = $grants | Where-Object {
|
|
$_.Scope -match "Mail.ReadWrite|Files.ReadWrite.All|Directory.ReadWrite.All"
|
|
}
|
|
|
|
Write-Host "High-risk OAuth grants: $($highRisk.Count)"
|
|
$highRisk | ForEach-Object {
|
|
$sp = Get-MgServicePrincipal -ServicePrincipalId $_.ClientId
|
|
Write-Host " App: $($sp.DisplayName) | Scope: $($_.Scope) | Type: $($_.ConsentType)"
|
|
}
|
|
|
|
# Configure app consent policy to require admin approval
|
|
$consentPolicy = @{
|
|
displayName = "Require Admin Approval for High-Risk Permissions"
|
|
conditions = @{
|
|
clientApplications = @{ includeAllClientApplications = $true }
|
|
permissions = @{
|
|
permissionClassification = "high"
|
|
permissions = @(
|
|
@{ permissionValue = "Mail.ReadWrite"; permissionType = "delegated" }
|
|
@{ permissionValue = "Files.ReadWrite.All"; permissionType = "delegated" }
|
|
)
|
|
}
|
|
}
|
|
}
|
|
```
|
|
|
|
### Step 5: Implement SaaS Security Posture Management (SSPM)
|
|
|
|
Audit and remediate SaaS security configuration drift.
|
|
|
|
```bash
|
|
# Query SaaS security posture via CASB API
|
|
curl -X GET "https://api.cloudappsecurity.com/api/v1/security_config/" \
|
|
-H "Authorization: Token ${MDCA_API_TOKEN}" \
|
|
-d '{"app": "Microsoft 365"}'
|
|
|
|
# Common SSPM checks:
|
|
# - MFA enforcement for all admin accounts
|
|
# - External sharing restrictions in SharePoint/OneDrive
|
|
# - Email forwarding rules to external domains blocked
|
|
# - Idle session timeout configured (< 8 hours)
|
|
# - Legacy authentication protocols disabled
|
|
# - Admin consent workflow enabled
|
|
# - Conditional access policies active
|
|
# - Audit logging enabled for all services
|
|
```
|
|
|
|
## Key Concepts
|
|
|
|
| Term | Definition |
|
|
|------|------------|
|
|
| CASB | Cloud Access Security Broker - intermediary enforcing security policies between users and SaaS applications |
|
|
| SSPM | SaaS Security Posture Management - continuous monitoring of SaaS application security configurations |
|
|
| OAuth Governance | Review and control of third-party application permissions granted through OAuth consent flows |
|
|
| Session Controls | Real-time access restrictions (block downloads, DLP inspection, watermarking) applied during active SaaS sessions |
|
|
| Shadow IT | Unauthorized SaaS applications used by employees without IT approval or security review |
|
|
| Conditional Access | Policy engine evaluating identity, device, location, and risk signals before granting SaaS access |
|
|
|
|
## Tools & Systems
|
|
|
|
- **Microsoft Defender for Cloud Apps**: CASB providing shadow IT discovery, session controls, DLP, and SSPM
|
|
- **Microsoft Entra ID Conditional Access**: Policy engine for identity-based access control to SaaS applications
|
|
- **Netskope CASB**: Cloud-native CASB with inline and API-based SaaS security controls
|
|
- **Okta Identity Governance**: OAuth app governance and access certification for SaaS applications
|
|
- **SSPM Tools**: AppOmni, Adaptive Shield, Valence Security for SaaS configuration monitoring
|
|
|
|
## Common Scenarios
|
|
|
|
### Scenario: Securing Microsoft 365 and Salesforce for 1,000-User Organization
|
|
|
|
**Context**: A professional services firm with 1,000 users uses Microsoft 365, Salesforce, Slack, and 20+ other SaaS apps. Several data breaches in the industry drive a zero trust initiative for all SaaS access.
|
|
|
|
**Approach**:
|
|
1. Federate all SaaS authentication through Entra ID with SAML SSO
|
|
2. Create conditional access policies requiring MFA + compliant device for all SaaS apps
|
|
3. Deploy Defender for Cloud Apps for shadow IT discovery (identify 150+ unauthorized apps)
|
|
4. Mark unauthorized apps as unsanctioned and block via SWG/proxy
|
|
5. Configure session controls: block downloads on unmanaged devices, DLP for file uploads
|
|
6. Review OAuth app permissions: revoke 45 high-risk consent grants, enable admin approval workflow
|
|
7. Enable SSPM monitoring for Microsoft 365 and Salesforce configurations
|
|
8. Set up weekly automated posture reports for security leadership
|
|
|
|
**Pitfalls**: Conditional access policies need break-glass exclusions. Some legacy SaaS apps may not support modern authentication. Session controls require proxy-based CASB which can impact performance. OAuth app revocation may break integrations; coordinate with app owners first.
|
|
|
|
## Output Format
|
|
|
|
```
|
|
Zero Trust SaaS Security Report
|
|
==================================================
|
|
Organization: ProServices Corp
|
|
Report Date: 2026-02-23
|
|
|
|
SAAS INVENTORY:
|
|
Sanctioned Apps: 25
|
|
Unsanctioned (blocked): 127
|
|
Shadow IT Users: 342 (discovered in last 30 days)
|
|
|
|
CONDITIONAL ACCESS:
|
|
Policies active: 8
|
|
Sign-ins evaluated: 456,789
|
|
Blocked by policy: 2,345 (0.5%)
|
|
MFA enforced: 100% of sign-ins
|
|
|
|
DEVICE COMPLIANCE:
|
|
Compliant device required: All 25 sanctioned apps
|
|
Sign-ins from compliant: 448,123 (98.1%)
|
|
Sign-ins blocked (non-compliant): 8,666
|
|
|
|
CASB / DLP:
|
|
DLP violations detected: 89
|
|
Files blocked from upload: 34
|
|
Downloads blocked (unmanaged): 1,234
|
|
|
|
OAUTH GOVERNANCE:
|
|
Total OAuth apps: 312
|
|
High-risk permissions: 12 (reviewed)
|
|
Revoked consents: 45
|
|
Pending admin approval: 8
|
|
|
|
SSPM FINDINGS:
|
|
Critical misconfigurations: 3
|
|
High: 7
|
|
Medium: 15
|
|
Remediated this month: 18
|
|
```
|