Plugging a SaaS access hole