View Account Risks
Table of Contents
Expand all | Collapse all
-
-
- Allowed List of IP Addresses
-
- Begin Scanning a Bitbucket App
- Begin Scanning a Box App
- Begin Scanning ChatGPT Enterprise App
- Begin Scanning a Cisco Webex Teams App
- Begin Scanning a Confluence App
- Begin Scanning a Confluence Data Center App
- Begin Scanning a Dropbox App
- Begin Scanning a GitHub App
- Begin Scanning a Gmail App
- Begin Scanning a Google Drive App
- Begin Scanning a Jira App
- Begin Scanning a Jira Data Center App
- Begin Scanning a Microsoft Exchange App
- Begin Scanning Office 365 Apps
- Begin Scanning a Microsoft Teams App
- Begin Scanning a Salesforce App
- Begin Scanning a ServiceNow App
- Begin Scanning a ShareFile App
- Begin Scanning a Slack Enterprise App
- Begin Scanning a Slack for Pro and Business App
- Begin Scanning a Workday App (Beta)
- Begin Scanning a Zendesk App
- Begin Scanning a Zoom App
- Reauthenticate to a Cloud App
- Verify Permissions on Cloud Apps
- Start Scanning a Cloud App
- Rescan a Managed Cloud App
- Delete Cloud Apps Managed by Data Security
- API Throttling
- Configure Classification Labels
- Microsoft Labeling for Office 365
- Google Drive Labeling
- Configure Phishing Analysis
- Configure WildFire Analysis
-
-
-
- What is an Incident?
- Assess New Incidents on Data Security
- Filter Incidents
- Configure Slack Notification Alerts on Data Security
- Security Controls Incident Details
- Track Down Threats with WildFire Report
- Customize the Incident Categories
- Close Incidents
- Download Assets for Incidents
- View Asset Snippets for Incidents
- Analyze Inherited Exposure
- Email Asset Owners
- Modify Incident Status
-
-
-
- What’s SaaS Security Inline?
- Navigate To SaaS Security Inline
- SaaS Visibility for NGFW
- SaaS Visibility and Controls for NGFW
- SaaS Visibility for Prisma Access
- SaaS Visibility and Controls for Panorama Managed Prisma Access
- SaaS Visibility and Controls for Cloud Managed Prisma Access
- Activate SaaS Security Inline for NGFW
- Activate SaaS Security Inline for VM-Series Firewalls with Software NGFW Credits
- Activate SaaS Security Inline for Prisma Access
- Connect SaaS Security Inline and Strata Logging Service
- Integrate with Azure Active Directory
-
-
- SaaS Policy Rule Recommendations
- App-ID Cloud Engine
- Guidelines for SaaS Policy Rule Recommendations
- Predefined SaaS Policy Rule Recommendations
- Apply Predefined SaaS Policy Rule Recommendations
- Create SaaS Policy Rule Recommendations
- Delete SaaS Policy Rule Recommendations
- Enable SaaS Policy Rule Recommendations
- Modify Active SaaS Policy Rule Recommendations
- Monitor SaaS Policy Rule Recommendations
-
- Enable Automatic Updates for SaaS Policy Rule Recommendations on Cloud Managed Prisma Access
- Import New SaaS Policy Rule Recommendations on Cloud Managed Prisma Access
- Update Imported SaaS Policy Rule Recommendations on Cloud Managed Prisma Access
- Remove Deleted SaaS Policy Rule Recommendations on Cloud Managed Prisma Access
- Manage Enforcement of Rule Recommendations on NGFW
- Manage Enforcement of Rule Recommendations on Panorama Managed Prisma Access
- Change Risk Score for Discovered SaaS Apps
-
-
-
-
- Onboarding Overview for Supported SaaS Apps
- Onboard an Aha.io App to SSPM
- Onboard an Alteryx Designer Cloud App to SSPM
- Onboard an Aptible App to SSPM
- Onboard an ArcGIS App to SSPM
- Onboard an Articulate Global App to SSPM
- Onboard an Atlassian App to SSPM
- Onboard a BambooHR App to SSPM
- Onboard a Basecamp App to SSPM
- Onboard a Bitbucket App to SSPM
- Onboard a BlueJeans App to SSPM
- Onboard a Box App to SSPM
- Onboard a Bright Security App to SSPM
- Onboard a Celonis App to SSPM
- Onboard a Cisco Meraki App to SSPM
- Onboard a ClickUp App to SSPM
- Onboard a Confluence App to SSPM
- Onboard a Contentful App to SSPM
- Onboard a Convo App to SSPM
- Onboard a Couchbase App to SSPM
- Onboard a Coveo App to SSPM
- Onboard a Crowdin Enterprise App to SSPM
- Onboard a Customer.io App to SSPM
- Onboard a Databricks App to SSPM
- Onboard a Datadog App to SSPM
- Onboard a DocHub App to SSPM
- Onboard a DocuSign App to SSPM
- Onboard an Envoy App to SSPM
- Onboard an Expiration Reminder App to SSPM
- Onboard a Gainsight PX App to SSPM
- Onboard a GitLab App to SSPM
- Onboard a Google Analytics App to SSPM
- Onboard a Google Workspace App to SSPM
- Onboard a GoTo Meeting App to SSPM
- Onboard a Grammarly App to SSPM
- Onboard a Harness App to SSPM
- Onboard a Hellonext App to SSPM
- Onboard an IDrive App to SSPM
- Onboard an Intercom App to SSPM
- Onboard a Jira App to SSPM
- Onboard a Kanbanize App to SSPM
- Onboard a Kanban Tool App to SSPM
- Onboard a Kustomer App to SSPM
- Onboard a Lokalise App to SSPM
- Onboard a Microsoft Azure AD App to SSPM
- Onboard a Microsoft Outlook App to SSPM
- Onboard a Microsoft Power BI App to SSPM
- Onboard a Miro App to SSPM
- Onboard a monday.com App to SSPM
- Onboard a MongoDB Atlas App to SSPM
- Onboard a MuleSoft App to SSPM
- Onboard a Mural App to SSPM
- Onboard an Office 365 App to SSPM
- Onboard an Okta App to SSPM
- Onboard a PagerDuty App to SSPM
- Onboard a RingCentral App to SSPM
- Onboard a Salesforce App to SSPM
- Onboard an SAP Ariba App to SSPM
- Onboard a ServiceNow App to SSPM
- Onboard a Slack Enterprise App to SSPM
- Onboard a Snowflake App to SSPM
- Onboard a SparkPost App to SSPM
- Onboard a Tableau Cloud App to SSPM
- Onboard a Webex App to SSPM
- Onboard a Workday App to SSPM
- Onboard a Wrike App to SSPM
- Onboard a YouTrack App to SSPM
- Onboard a Zendesk App to SSPM
- Onboard a Zoom App to SSPM
- Onboarding an App Using Azure AD Credentials
- Onboarding an App Using Okta Credentials
- Register an Azure AD Client Application
- View the Health Status of Application Scans
- Delete SaaS Apps Managed by SSPM
View Account Risks
The Identity Security component of SSPM uses information from a an application
instance and from your identity provider to give you visibility into human and non-human
account risks.
The Identity Security component of SSPM uses information from a Salesforce or Office
365 instance and, optionally, your identity provider to give you visibility into
account risks. The Identity Security dashboard displays risks for human accounts and
also for non-human accounts. Human accounts are accounts that are associated with an
individual who accesses the application through a web interface with ID and password
credentials. Non-human accounts are typically services that authenticate to the
application's API by using a token or an API key. By connecting to your Salesforce
or Office 365 instance, the Identity Security component helps you identify common
account risks so you can take action.
- To navigate to the Identity Security dashboard, select Posture Security Identity.View the information for Human/Non-Human Accounts.The dashboard displays information about human and non-human accounts for a Salesforce or Office 365 application instance. If no Salesforce or Office 365 instance is connected to SSPM, the dashboard prompts you to onboard one. If more than one Salesforce or Office 365 instance is connected to SSPM, you can select a different instance from the SaaS Accounts list.From the selected application instance, the dashboard displays a summary of account risks for the application. The risk types displayed in the dashboard will vary depending on the application type (Salesforce or Office 365). Risks can include ACCOUNTS DORMANT FOR OVER a specified number of days, CREDENTIALS NOT ROTATED IN a specified number of days, OVER-PRIVILEDGED accounts, and GUEST ACCOUNTS. If at least one instance of the Microsoft Azure or Okta identity provider was onboarded to SSPM, the Identity Security dashboard also displays the ACCOUNTS MISSING IN IDP by comparing account information from the application instance with information from the identity provider. If more than one identity provider instance is connected to SSPM, you can select a different one from the Identity Providers list. You can also Add Provider to onboard a different Microsoft Azure or Okta instance.Inspect the information displayed in the upper section of the dashboard for a high-level summary of the account risks that the Identity Security component detected in your application instance. Depending on the type of application, the top section of the dashboard displays the following information.
Displayed Information Description ACCOUNTS DORMANT FOR OVER a specified number of days.The number of human accounts that have not been accessed for the specified period. These might be accounts that were not deleted after the account owner left the organization, and were forgotten. Or a user might have set up a new account without deleting, or continuing to access, the older one. Dormant accounts represent a signification security risk because bad actors can use them to gain access. Accounts that have remained dormant for a significant period can represent the greatest risk, because they might predate enforced requirements for MFA and for password length and complexity.You can display the number of accounts that have been dormant over 30, 60, or 180 days, and can click the number of dormant accounts to filter the table of Human Accounts in the lower section of the page. The table provides more information about each dormant account. It shows when the account was created, when the account was last accessed, and when the account password was last updated.CREDENTIALS NOT ROTATED IN a specified number of days.The number of non-human accounts that have not had their credentials rotated for the period specified.This summary is the number of accounts with non-rotated credentials for non-human accounts only. However, from the table of Human Accounts, you can view when an account's credentials were last rotated.Non-human account credentials include service account passwords, as well as credentials for accessing APIs, such as API keys and OAuth tokens. Failure to rotate these non-human account credentials can represent a significant risk to your organization.Service account passwords that are not rotated are more vulnerable to brute-force attacks, especially if the password predates enforced requirements for password length, complexity, and reuse.API keys that are not rotated increase the window of opportunity for bad actors to exploit leaked or compromised keys. Similarly, if the client secret of an OAuth application is not rotated, a compromised refresh token will enable to a bad actor to continue to obtain valid access tokens.You can display the number of non-human accounts with credentials that have not been rotated in 30, 60, or 180 days. You can click the number of accounts to filter the table of Non-Human Accounts in the lower section of the page. The table provides more information about each account, such as when the account was created, and when the account credentials were last updated.ACCOUNTS MISSING IN IDPThe number of human accounts that are local accounts, which are accounts that were not created through your identity provider. Local accounts are a security risk because the identity provider is not managing access for them. Because they have bypassed the identity provider, it is difficult to enforce security policies for them.The Identity Security component identifies these risky local accounts by comparing account information from the application instance with account information from the identity provider. For this reason, the dashboard will display the local account information only if the Identity Security component is integrated with an instance of either the Microsoft Azure or the Okta identity provider. If the dashboard is not displaying this information, you can Add Provider and follow the steps to onboard Okta or Microsoft 365.The identity provider that the Identity Security component uses for this comparison is the identity provider that is currently selected in the Identity Providers list. If more than one identity provider instance is connected to SSPM, you can select a different identity provider from the list.When you add a new identity provider or switch to a different identity provider, it can take approximately 15 minutes for the Identity Component to determine the local accounts based on the new identity provider's account information.You can click the number of accounts that are missing in the identity provider to filter the table of Human Accounts in the lower section of the page. From the table you can gain additional insights about the local accounts, such as the email address that is associated with the account.OVER-PRIVILEDGED ACCOUNTS This information applies to Salesforce instances only. The number of human accounts that have excessive permissions, which are probably not required for the user to do their job. Overpriviledged accounts are ordinary user accounts that have administrator permissions. For Salesforce, the overprivileged accounts are accounts that have Modify All Data permissions.You can click the number of overprivileged accounts that are missing in the identity provider to filter the table of Human Accounts in the lower section of the page. From the table, you can gain additional insights about the local accounts, such as the email address that is associated with the account.GUEST ACCOUNTS This information applies to Office 365 instances only. Guest accounts in Office 365 enable you to collaborate with people who are outside of your organization. Although guest accounts are designed to give outside users access to your resources for legitimate purposes, they can represent a risk if their access is not properly restricted. For example, an external collaboration setting in Azure Active Directory might grant guest users the same access as members. Another Azure Active Directory setting might allow anyone in the organization to invite guest users, including guests and non-administrators.Navigate to the Human Accounts tab, which displays details about the human accounts in the application instance.Human accounts are accounts that are associated with an individual who accesses the account through a user interface with ID and password credentials. The displayed information includes the email address of the account owner, when the account was last accessed, and when the account credentials were last rotated. If the Identity Security component is integrated with your identity provider, the table will also show whether the account is a local account that was created through the identity provider. In the table, you can also Add Filter to filter the table by the various account attributes.Navigate to the Non-Human Accounts tab, which displays details about the non-human accounts in your application instance.Non-human accounts are typically services that authenticate to your application instance through an API by using an OAuth token or an API key. The displayed information includes the email address of the human user who created the non-human account, when the account was created, and when the account credentials were last rotated. In the table, you can also Add Filter to filter the table by the various account attributes.When viewing either the Human Accounts or the Non-Human Accounts tab, you can click the download icon to export a CSV file with a list of the non-human or human accounts. The list will contain all users unless you applied a filter to the table.Take action to resolve issues with the non-human or human accounts.If SSPM is linked to an issue tracking system, you can create a ticket to resolve account issues. To do this, select one or more accounts on either the Human Accounts or Non-Human Accounts tab, and File Ticket. To view the tickets that were created, navigate to the table's Tickets tab.