Trust but Verify: The Critical Need for Continuous Verification in Cybersecurity


The Problem With 'Trust but Verify' Is That We Don't Verify in Cybersecurity

In today's SaaS-dominated business landscape, organizations have widely adopted the "trust but verify" security approach—except most forget the verification part. According to cybersecurity experts, this dangerous oversight has created a growing security gap as credentials and connections receive indefinite trust, creating fertile ground for sophisticated breaches.

Organizations tout Zero Trust principles while practicing a contradictory "trust once, never verify again" approach with their SaaS applications and integrations. This disconnect has led to numerous high-profile breaches in recent years, highlighting the urgent need for continuous verification methods.

The dangerous world of implicit trust

SaaS environments in 2025 operate primarily on implicit trust. Once authentication occurs and access is granted, that trust typically continues indefinitely without further scrutiny. This creates several significant vulnerabilities:

  • OAuth tokens that rarely expire or get revoked
  • Third-party apps receiving excessive permissions
  • Automations running with minimal human oversight
  • Integrations continuing long after their usefulness ends

"Every SaaS integration or API token represents an implicit trust relationship between your organization and some third-party service," notes the report from The Hacker News. Once a user clicks "Allow," that application effectively becomes a trusted extension of the corporate environment.

The problem extends to automation as well. Many businesses rely on automation bots and scripts for critical tasks across cloud applications. These automations use API keys or tokens with significant privileges but typically run with minimal oversight once established.

Organizations implementing a comprehensive cyber security strategy with multiple protective layers still often overlook this fundamental verification gap.

Zero Trust's implementation gap

The irony is striking: while organizations frequently promote Zero Trust security ("never trust, always verify"), their actual SaaS practices amount to "trust once, then never verify again." The verification process typically consists of a single OAuth authorization screen, after which persistent access continues without further checks.

In essence, OAuth and API tokens establish persistent trust between applications with no mechanism for ongoing verification. Even robust Single Sign-On (SSO) and Multi-Factor Authentication (MFA) systems offer no protection here—these tokens effectively bypass those controls completely.

"There's no pop-up to re-authenticate when a connected app uses its token to query data; the app just presents the token, and it's assumed valid," explains the report. This creates a cybersecurity honor system that malicious actors eagerly exploit.

According to a recent study by the Ponemon Institute, 63% of organizations have no visibility into third-party access to critical systems through tokens and API keys. This alarming statistic underscores how widespread this verification gap has become across industries.

How attackers exploit the token blind spot

These unmonitored tokens and over-privileged applications have created a significant blind spot in security programs. While security teams have traditionally focused on monitoring user logins and endpoint activity, SaaS tokens and integrations often evade detection.

Several high-profile breaches demonstrate this vulnerability:

  • In early 2023, Slack revealed that cybercriminals stole employee tokens and used them to access internal code repositories
  • Around the same time, CircleCI suffered an incident where malware on an engineer's laptop captured a session token, allowing intruders to impersonate that engineer
  • The Salesloft/Drift breach saw cybercriminals compromise a SaaS chatbot provider and steal OAuth tokens for its Salesforce integration
  • ShinyHunters group used social engineering to trick employees into authorizing malicious apps, gaining access to major platforms like Google and Workday

In each case, compromised tokens undermined traditional security controls, allowing attackers to move undetected through systems by appearing as legitimate connected applications.

Developing a strong cyber resilience framework that accounts for token-based attacks is increasingly essential as these vectors become more common.

The expanding attack surface

The problem is compounding as organizations continue to add more SaaS applications to their technology stack. With the average enterprise now using over 130 different SaaS applications according to BetterCloud's 2023 State of SaaSOps report, the number of potential token vulnerabilities has increased exponentially. Each integration represents another potential point of compromise that traditional security monitoring often misses.

Moving toward continuous verification

A genuine Zero Trust model requires treating access as a continuous assessment rather than a one-time checkpoint. This approach focuses on the difference between what was initially granted (granted privilege) and how that access is actually used over time (observed privilege).

"By keeping an eye on the behavior, we can spot instances in which a token or application deviates from its intended use or pattern," the report states. Red flags should include:

  • A customer-data API key suddenly exporting an entire database at 2 a.m.
  • A normally quiet integration accessing sensitive finance records it has never touched before
  • Access patterns that deviate from established baselines

This aligns with Gartner's CARTA (Continuous Adaptive Risk and Trust Assessment) model, which emphasizes continuously verifying access in real-time and adapting to observed behaviors. The goal is transitioning from today's static trust model to one where trust must be constantly earned through appropriate behavior.
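The granted-versus-observed comparison and the red flags listed above can be checked mechanically against an integration's audit trail. The following is an added example written for this page, not code from the article, from Reco, or from any vendor. The log format, the app names, the scope names, the baseline numbers and every log line are constructed for illustration; a real deployment would read the provider's own audit export.

```python
"""
Added example (not from the article): compare the scopes an OAuth
integration was granted with the scopes it is observed using, and flag
the behavioural red flags the text names (off-hours bulk export, access to
a resource outside the integration's baseline). Log format, apps, scopes
and baselines below are all constructed for the example.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

# Constructed inventory: scopes each connected app received at the consent screen.
GRANTED_SCOPES = {
    "crm-sync-bot": {"contacts:read", "contacts:write", "reports:read", "finance:read"},
    "slack-notifier": {"contacts:read"},
}

# Constructed baseline: what each app normally touches, when, and how much per call.
BASELINE = {
    "crm-sync-bot": {"resources": {"contacts"}, "active_hours": range(7, 20), "max_rows": 500},
    "slack-notifier": {"resources": {"contacts"}, "active_hours": range(7, 20), "max_rows": 50},
}

# Constructed audit log (assumed format): timestamp app scope resource rows_returned
SAMPLE_LOG = """\
2025-03-04T09:12:05Z crm-sync-bot contacts:read contacts 120
2025-03-04T09:15:41Z crm-sync-bot contacts:write contacts 3
2025-03-04T10:02:11Z slack-notifier contacts:read contacts 5
2025-03-05T02:03:19Z crm-sync-bot contacts:read contacts 250000
2025-03-05T02:07:44Z crm-sync-bot finance:read invoices 9000
"""


@dataclass
class Event:
    ts: datetime
    app: str
    scope: str
    resource: str
    rows: int


def parse_log(text: str) -> list[Event]:
    """Parse the constructed whitespace-separated log into Event records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, app, scope, resource, rows = line.split()
        events.append(Event(datetime.fromisoformat(ts.replace("Z", "+00:00")),
                            app, scope, resource, int(rows)))
    return events


def observed_privilege(events: list[Event]) -> dict[str, set[str]]:
    """Observed privilege: the set of scopes each app has actually exercised."""
    seen: dict[str, set[str]] = defaultdict(set)
    for e in events:
        seen[e.app].add(e.scope)
    return dict(seen)


def unused_scopes(granted: dict[str, set[str]], observed: dict[str, set[str]]) -> dict[str, set[str]]:
    """Granted minus observed: scopes that can be trimmed under least privilege."""
    return {app: scopes - observed.get(app, set()) for app, scopes in granted.items()}


def detect_red_flags(events: list[Event], baseline: dict) -> list[tuple[str, str]]:
    """Flag bulk reads outside active hours and first-seen resources per app."""
    flags = []
    for e in events:
        b = baseline.get(e.app)
        if b is None:
            flags.append((e.app, "no baseline recorded for this integration"))
            continue
        if e.ts.hour not in b["active_hours"] and e.rows > b["max_rows"]:
            flags.append((e.app, f"bulk read of {e.rows} rows outside active hours at {e.ts.isoformat()}"))
        if e.resource not in b["resources"]:
            flags.append((e.app, f"first-seen access to resource '{e.resource}'"))
    return flags


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("unused scopes:", unused_scopes(GRANTED_SCOPES, observed_privilege(evs)))
    for app, reason in detect_red_flags(evs, BASELINE):
        print(f"[{app}] {reason}")
```

On the constructed log the unused-scope check reports that `crm-sync-bot` never exercises `reports:read`, and the red-flag check fires three times, all for the same app: two bulk reads at 02:00 and a first-ever touch of the `invoices` resource. The baseline is deliberately simple (allowed resources, active hours, a per-call row ceiling); a production baseline would be learned from a longer history per integration rather than hand-written.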

Effective technology risk management practices for monitoring access controls can significantly reduce the likelihood of token-based attacks succeeding within your environment.

How to implement effective verification

To close this security gap, organizations must embrace the concept that trust is not a one-time decision. Every access request, whether from humans or machines, should undergo continuous evaluation:

  1. Implement tools that monitor the behavior of authorized integrations
  2. Regularly audit and rotate tokens and API keys
  3. Enforce the principle of least privilege for all integrations
  4. Develop baselines for normal application behavior
  5. Deploy solutions that can identify when behavior deviates from expected patterns

Companies like Reco offer solutions that analyze granted privileges versus observed behavior across SaaS identities, tokens, and third-party apps. These tools can identify overprivileged applications, misused tokens, and integrations operating outside their baseline behavior.

Token lifecycle management

One critical but often overlooked aspect of verification is implementing proper token lifecycle management. Organizations should establish clear policies for:

  • Maximum token lifespans with enforced expiration dates
  • Regular rotation schedules for long-lived tokens
  • Immediate revocation processes when employees change roles or leave
  • Automatic deactivation of tokens that haven't been used within a specific timeframe
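The four lifecycle policies above can be expressed as a single audit over a token inventory. The following is an added example written for this page, not code from the article or from any platform's API. The token records, the user directory, the policy durations and the fixed "now" are all constructed; the field names are assumptions, not a real provider's schema.

```python
"""
Added example (not from the article): evaluate an inventory of API tokens
against the lifecycle policies in the text: maximum lifespan, rotation
interval, revocation when the owner is no longer active, and deactivation
after a period of non-use. All records and policy numbers are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass(frozen=True)
class Token:
    token_id: str
    owner: str
    created: datetime
    last_used: Optional[datetime]   # None: never used since issuance
    expires: Optional[datetime]     # None: issued without an expiry
    last_rotated: datetime


# Constructed policy durations, chosen for illustration only.
POLICY = {
    "max_lifespan": timedelta(days=365),
    "rotation_interval": timedelta(days=90),
    "inactivity_limit": timedelta(days=30),
}

# Constructed directory of active users; anyone absent has left or changed role.
ACTIVE_USERS = {"alice", "bob"}

# Fixed clock so the example is deterministic.
NOW = datetime(2025, 3, 5, tzinfo=timezone.utc)


def _d(days_ago: int) -> datetime:
    """Helper: a timestamp `days_ago` days before NOW (negative = in the future)."""
    return NOW - timedelta(days=days_ago)


# Constructed inventory covering one compliant token and three policy failures.
INVENTORY = [
    Token("tok-ci", "alice", created=_d(30), last_used=_d(1), expires=_d(-60), last_rotated=_d(30)),
    Token("tok-legacy", "bob", created=_d(400), last_used=_d(2), expires=None, last_rotated=_d(400)),
    Token("tok-stale", "alice", created=_d(120), last_used=_d(45), expires=_d(-100), last_rotated=_d(120)),
    Token("tok-orphan", "carol", created=_d(10), last_used=_d(1), expires=_d(-300), last_rotated=_d(10)),
]


def evaluate(token: Token, policy: dict, active_users: set, now: datetime) -> list[str]:
    """Return the policy actions a token needs; an empty list means compliant."""
    actions = []
    if token.owner not in active_users:
        actions.append("revoke: owner no longer active")
    if token.expires is None or token.expires - token.created > policy["max_lifespan"]:
        actions.append("reissue: no expiry or lifespan exceeds policy")
    if now - token.last_rotated > policy["rotation_interval"]:
        actions.append("rotate: rotation interval exceeded")
    last_activity = token.last_used or token.created
    if now - last_activity > policy["inactivity_limit"]:
        actions.append("deactivate: unused beyond inactivity limit")
    return actions


def audit(inventory: list[Token], policy: dict = POLICY,
          active_users: set = ACTIVE_USERS, now: datetime = NOW) -> dict[str, list[str]]:
    """Map each token id to the actions it requires."""
    return {t.token_id: evaluate(t, policy, active_users, now) for t in inventory}


if __name__ == "__main__":
    for token_id, actions in audit(INVENTORY).items():
        print(token_id, "->", actions or ["compliant"])
```

Run against the constructed inventory, `tok-ci` passes every check, `tok-legacy` needs reissuing and rotating (no expiry, last rotated 400 days ago), `tok-stale` needs rotating and deactivating (last used 45 days ago), and `tok-orphan` is revoked because its owner is no longer in the directory. The never-used case is handled by falling back to the creation date, so a token issued and then forgotten is deactivated on the same schedule as one that went quiet.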

According to NIST Special Publication 800-204C, implementing proper token validation and management is essential for maintaining secure application ecosystems.

Practical applications for organizations

The information in this article can help organizations in several ways:

  1. Conduct an immediate audit of all authorized SaaS integrations and OAuth tokens
  2. Implement token rotation and expiration policies
  3. Review permission levels of existing integrations to ensure least privilege
  4. Deploy continuous monitoring solutions focused on application behavior
  5. Develop an incident response plan specifically for token compromise scenarios

As Gal Nakash, CPO and Cofounder at Reco and former Lieutenant Colonel in the Israeli Prime Minister's Office notes, "The problem with 'trust but verify' today is not that the motto is wrong; it's that we haven't been truly following it. We trusted, and then we forgot to verify."

In today's interconnected SaaS landscape, security can't be a set-it-and-forget-it proposition. Organizations must shift from static, one-time verification to continuous assessment—moving from "trust but verify" to "trust, but continuously verify" to protect their most valuable digital assets.

Adopting behavior-based security monitoring

Organizations should complement their existing security controls with behavior-based monitoring specifically designed for API and token usage. This approach focuses not just on authentication but on how authenticated services behave once access is granted. By establishing normal behavioral patterns for each integration and monitoring for deviations, security teams can identify potential compromises before significant damage occurs.
