The Changing Perimeter
Once upon a time, the security perimeter was simple: lock down the firewall, set up a VPN, and sleep (somewhat) peacefully. But since SaaS platforms took over the world, that perimeter has dissolved into thin air. The new frontier now includes OAuth permissions, browser logins, and app-to-app trust relationships.
In this reality, users don’t install software, they connect it. And every time someone clicks “Sign in with Google”, to log in somewhere without going through the sign up process, they’re often granting full access to calendars, emails, drives, and sometimes even entire SharePoint libraries.
Let’s take a real-world example:
Your marketing team finds a shiny new AI-powered copywriting tool. It promises better campaign emails with less effort—sounds great! So they sign up, hit “Accept” on the Microsoft integration prompt, and just like that:
- The app gets read/write access to their files
- It could browse your shared corporate drives
- It might even be able to send messages on their behalf
No bad intent, just bad oversight. These decisions, made innocently in seconds, blow massive holes in your SaaS perimeter.
What makes the situation even trickier is that you probably won’t find this app in your asset inventory. No ticket was opened. No DPO or CISO was consulted. It’s what we call ghost software, and it’s thriving in the shadows of your cloud stack.
Protecting your organization means redefining what “perimeter” even means. It’s no longer a question of ports, protocols, and network segmentation. It’s a question of who clicked what, and what they unwittingly gave away in the process.
Should you be scared of ghost software?
Ghost software, or Shadow SaaS, isn’t some malicious cyberweapon. It’s the hundreds of tools your employees connect to your environment without telling anyone. No procurement process. No security review. No logging. Just a quiet “Accept” click, and boom: instant access to your data.
Why is it so dangerous? Because it’s invisible.
Ghost software sneaks in through:
- OAuth logins (think: “Sign in with Google” or “Connect to Microsoft 365”)
- Freemium tools like productivity extensions, AI assistants, or personal cloud storage
- Browser add-ons and integrations that ride on top of trusted platforms
Each one may seem harmless on its own. But when someone connects a design tool to OneDrive, or an automation app to their inbox, it opens a new data exfiltration path. Multiply that by every employee, across every department, and you’ve got a shadow IT nightmare.
Most of these apps:
- Don’t appear in your official SaaS inventory
- Aren’t reviewed by IT or security
- Are granted excessive permissions—like full read/write access to calendars, files, or even chats
Picture this: an employee connects a scheduling tool to their Outlook, and that tool silently indexes every meeting invite, including the ones with sensitive attachments. You’d never know—until it's too late.
Ghost software thrives in environments where speed beats scrutiny. And with remote work, AI productivity tools, and every team “moving fast,” it’s spreading like wildfire.
If you don’t know which apps are connected to your core systems today, you're already exposed. And your real attack surface is likely much larger than you think.
OAuth: The Trojan Horse of SaaS
OAuth was designed to make life easier, and it really does. Users can connect apps in seconds without entering a single password. But as convenient as it is, it has quietly become an abused gateway in modern SaaS security.
Here’s the problem: OAuth, on top of granting access, it grants broad, often unchecked access. When a user clicks "Allow," they might be giving a third-party app permission to:
- Read and write emails
- Access files in their cloud drive
- Send messages on their behalf
- Manage calendars and contacts
The issue is a mix of over-permissioning, combined with the fact that nobody’s watching. These tokens don’t expire like passwords. They can sit there for months, even years, quietly enabling full access to corporate systems, completely bypassing MFA or SSO policies.
Imagine this scenario:
Someone on your team tries out a tool to auto-tag files in SharePoint. They authorize it via OAuth, use it once, and forget about it. But the app still has full file access. And if that app gets compromised? So does your data.
OAuth attacks aren’t hypothetical, they’re happening. From phishing campaigns that trick users into authorizing malicious apps, to benign apps that get acquired and weaponized later, OAuth is a modern attack vector most organizations don’t even monitor.
And you can’t just firewall this away. These connections are established from the inside out, often by well-meaning employees with no idea what they’re exposing.
If you’re not reviewing connected apps and their scopes regularly, you’re trusting every user to make security decisions on behalf of your entire company. And that’s a perimeter no one can afford.
Ghost Logins and Permission Creep
Even when you think your SaaS stack is under control, ghost logins and permission creep are quietly undermining your security posture. These issues don’t make headlines, but they’re exactly what attackers exploit, especially because they live in the blind spots.
A ghost login is an OAuth or SSO-based connection that still works long after it should’ve been revoked. Maybe a user left the company. Maybe an app hasn’t been touched in six months. But the access? Still active. And worse, it often bypasses MFA because the token is already trusted.
Then there’s permission creep:
Over time, users accumulate roles and access rights they no longer need. There’s rarely a formal review process. No one’s going back to check if “temporary” access was ever rolled back. The result? Overprivileged accounts that quietly expand your attack surface.
Why it matters:
- A forgotten app integration could still have edit rights in Teams or SharePoint.
- An unused admin account might still exist, silently ticking like a time bomb.
- Third-party vendors might retain access to sensitive systems well beyond their contract dates.
Attackers love these loose ends. They don’t break in, they can just log in. And with no alerts tied to stale tokens or outdated roles, you may never know until it’s too late.
And you cannot just attribute this phenomena to employee negligence. it’s about systems that weren’t designed for constant flux. Modern SaaS environments shift daily, but most access controls don’t keep up.
Regular audits help, but at scale, you need automation to catch and kill what doesn’t belong. Because in the end, it’s not always the obvious breach that hurts you. It’s the quiet access nobody thought to check.
Fighting Back with SaaS Visibility
You can’t secure what you can’t see—visibility is step one. That’s why ghost software is a compliance risk. Frameworks like ISO 27001 and NIS2 require organizations to maintain an accurate asset inventory, enforce access controls, and manage vulnerabilities. Shadow SaaS directly undermines all three.
Brainframe GRC helps organizations re-establish control over their SaaS environment by embedding SaaS governance into your compliance workflows:
- Access Review Workflows: Trigger periodic reviews of OAuth app permissions, browser plugins, and third-party access to critical platforms like Microsoft 365, Google Workspace, or Slack.
- Approval & Justification Flows: Require a risk-based approval before any new app connects to core systems. You can configure rules like: “If an app requests write access to email, escalate to the CISO for review.”
- Link to Controls: Tie third-party SaaS access to specific ISO 27001 controls (e.g. A.5.9 for inventory, A.5.15 for access control, A.5.19 for third-party security), or to NIS2 obligations on vulnerability management and incident exposure.
Detecting Ghost Software with Brainframe
Beyond governance, Brainframe GRC can help detect ghost software before it becomes a problem.
- 🕵️♂️ Detect OAuth connections not tied to any approved app list
- 📬 Flag unused or over-permissioned tokens across email, calendar, and cloud storage
- 📊 Alert when a new third-party app gains access to sensitive data scopes
- 🔁 Trigger access reviews when employees leave or change roles
These automations give your security and compliance teams early warning, without relying on manual ticketing or guesswork.
How to Regain Control of SaaS
SaaS was supposed to make things easier. But somewhere between “move fast” and “connect everything,” we lost track of who has access to what. But there is a silver lining in all this, which is that you don’t need to shut everything down to regain control, you just need a smart, layered approach.
Here’s how organizations can minimize ghost software related risks:
- 🔍 Visibility First: Start by mapping every app connected via OAuth, SSO, or browser extension. Use logs from your identity provider, SIEM, or simply Brainframe GRC to build a real inventory. No more flying blind.
- 🚫 Kill What Doesn’t Belong: Identify unused, high-risk, or unsanctioned apps, and revoke their access. Set rules like “disconnect if inactive for 30 days” or flag apps with overly broad scopes (like "read all emails").
- ⚙️ Automate Remediation: Manual audits won’t scale. Set up workflows that trigger reviews, notify you on new detections and even block risky activity automatically.
- 🧠 Train Users Without Lecturing Them: Most people don’t realize clicking “Accept” is the digital equivalent of handing over the keys to the building. Quick training videos, context-aware warnings, or Slack nudges go a long way.
- 📜 Govern, Don’t Guess: Build and enforce a list of approved SaaS tools. Require justification or security review before new tools can plug into core systems like Google Drive or Microsoft Teams.
The SaaS ecosystem isn’t slowing down, and that’s fine. But without guardrails, it becomes a playground for shadow apps and unnecessary risk. Rebuilding your perimeter will allow the building of smarter controls around the reality of how people work today.
You won’t stop SaaS sprawl completely. But you can make sure it’s not happening behind your back.
