The use cases for Software as a Service (SaaS) are undeniably vast and advantageous. However, the nature of subscribing to a cloud service leaves a ton of ambiguity as to who is responsible for its security… The vendor or the customer? This article will present a 10,000-foot view of SaaS and the unintentional risks that surface when organizations bring in cloud services like SaaS.
What is SaaS?
SaaS is the model in which individuals connect to and use cloud-hosted applications over the internet. Consider the phrase, “don’t reinvent the wheel.” SaaS rests on the idea that someone else has probably already perfected a routine task such as e-mail, so rather than hassle with developing your own platform you subscribe to theirs. Most people do not realize they are already using a SaaS app when they open Gmail or Outlook. Gmail is considered SaaS because the end user does not develop or maintain the infrastructure running behind the scenes; the entire Gmail app is hosted by Google. SaaS is particularly beneficial for emerging organizations that lack the talent and capital to build a system for every routine business obligation such as payroll management, video conferencing, or customer relationship management. SaaS also gives organizations access to sophisticated applications that are not typically within a small business's price range.
What makes SaaS "all that"?
Unlike traditional IT solutions, the benefits of a SaaS solution can be observed almost immediately, because you do not need to procure hardware or hire personnel to develop, install and configure the service. All the customer has to do is configure the application through the vendor's online portal, typically in a web browser or through the vendor's API. SaaS also relieves the budget: your organization is no longer responsible for hardware and software maintenance, testing and pushing updates, or software development.
Concerns surrounding SaaS
Improper Configuration of SaaS Applications
Global IT research company Gartner forecasts that by 2025 99% of cloud security incidents will be the subscriber's fault. Identity and access management is one frequent task that the cloud customer is responsible for but might neglect. SaaS subscribers need to keep close tabs on which people and which departments are allowed to access their systems. For instance, Marketing does not need to view the cloud storage locations that HR uses. Off-boarding procedures should also cover cloud access, not just on-premise accounts. Some questions to consider from the customer’s side:
Is a vendor’s access revoked when its contract ends, just as it is for on-premise access? Do departments have more access than they need to complete their duties? How are users authenticated when they sign in to the application? Does the cloud provider have an intrusion detection system?
SaaS Provider becomes a new attack vector and single point of failure
In theory, the compromise of a cloud vendor means a compromise of every customer that vendor serves. Insider threat is another consideration: what happens if a SaaS employee abuses their access to sell confidential information about your organization? Worse still, if the SaaS provider fails or is under a distributed denial of service attack, you may be unable to process transactions or onboard new clients, or you may lose proprietary work. These scenarios are strong candidates for a service-level agreement. An SLA will not prevent the vendor's downtime, but it defines the availability the vendor commits to and the remedies you are owed when it is missed, which is what lets you plan so that their outage does not halt your business operations or income stream.
Security firm AppOmni reports that in at least 55% of the SaaS vulnerability assessments it conducted, the application was found to be leaking data to anonymous users on the internet. Notably, this shortcoming was the result of poor configuration on the customer’s end rather than a flaw in the platform itself. After all, vendors like IBM and Microsoft employ some of the best cybersecurity professionals.
One might wonder how such vulnerabilities exist when it is the customer who configures the cloud. Silent Sector believes this is a result of businesses not understanding the risk that comes with cloud interconnectedness. On premise, organizations routinely provision and de-provision third-party accounts that access their in-house IT systems, regularly review who has access to proprietary information, and revoke access as appropriate; if data is discovered to be lost, playbooks are kicked off and incident response checklists are used to determine the scope of the leak. In the cloud, those habits often lapse: a contract is signed, the vendor is given access to the cloud application, and that access is never cut off after the contract expires.
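The access questions raised earlier (vendor access after contract end, departments with more access than they need) and the de-provisioning gap described here come down to the same periodic job: reconcile the SaaS tenant's user list against the HR roster and the vendor contract list, and act on the differences. The script below is an added example, not code from this article or from any SaaS vendor's tooling. The user export, the HR roster, the contract dates, the "only IT holds the admin role" policy and the 90-day staleness threshold are all constructed for illustration; a real run would pull the user list from the vendor's admin API or CSV export and the roster from the HR system.

```python
"""Periodic SaaS access review: reconcile the tenant's user list against the
HR roster and the vendor contract list, and flag what to revoke or trim.
Added example with constructed data; the SaaS export format, the roster and
the "only IT holds admin" policy are all hypothetical."""
from datetime import date

# Constructed user export from the SaaS tenant (what an admin API or CSV export would return).
SAAS_USERS = [
    {"email": "alice@example.com", "role": "admin", "last_login": "2024-05-02"},
    {"email": "bob@example.com", "role": "member", "last_login": "2024-01-15"},
    {"email": "carol@example.com", "role": "admin", "last_login": "2024-04-30"},
    {"email": "dan@vendor-x.example", "role": "member", "last_login": "2024-05-01"},
    {"email": "eve@vendor-y.example", "role": "admin", "last_login": "2023-11-20"},
]

# Constructed HR roster: who is still employed and in which department.
HR_ROSTER = {
    "alice@example.com": {"active": True, "department": "IT"},
    "bob@example.com": {"active": False, "department": "Marketing"},  # off-boarded
    "carol@example.com": {"active": True, "department": "Marketing"},
}

# Constructed vendor contracts: e-mail domain -> contract end date (ISO 8601).
VENDOR_CONTRACTS = {
    "vendor-x.example": "2025-12-31",
    "vendor-y.example": "2024-03-31",  # expired
}

# Hypothetical policy: only these departments may hold the admin role.
ADMIN_DEPARTMENTS = {"IT"}


def review_access(users, roster, contracts, admin_departments, as_of, stale_days=90):
    """Return (email, finding) pairs for accounts that need action.

    Checks, in order: terminated employees, excess admin rights, expired vendor
    contracts, accounts that belong to nobody we know, and stale logins.
    """
    today = date.fromisoformat(as_of)
    findings = []
    for user in users:
        email = user["email"]
        domain = email.split("@", 1)[1]
        if email in roster:
            person = roster[email]
            if not person["active"]:
                # Off-boarding never reached the SaaS tenant.
                findings.append((email, "terminated employee still has access: revoke"))
                continue
            if user["role"] == "admin" and person["department"] not in admin_departments:
                findings.append((email, "admin role outside approved departments: downgrade"))
        elif domain in contracts:
            end = date.fromisoformat(contracts[domain])
            if end < today:
                findings.append((email, f"vendor contract expired {end}: revoke"))
        else:
            findings.append((email, "account not in HR roster or vendor list: investigate"))
        last_login = date.fromisoformat(user["last_login"])
        if (today - last_login).days > stale_days:
            findings.append((email, f"no login in {stale_days} days: consider disabling"))
    return findings


if __name__ == "__main__":
    for email, finding in review_access(SAAS_USERS, HR_ROSTER, VENDOR_CONTRACTS,
                                        ADMIN_DEPARTMENTS, as_of="2024-05-10"):
        print(f"{email}: {finding}")
```

Run as of 2024-05-10, the constructed data produces four findings: Bob (off-boarded but still present), Carol (an admin in Marketing), and Eve twice (expired vendor contract and no login in over 90 days). The point of keying vendor accounts by e-mail domain and contract end date is that the review then fires automatically when the contract lapses, rather than relying on someone remembering to file a ticket.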
Cloud Security as a Foreign Topic
Unfortunately, cloud apps do not receive as much scrutiny as on-premise applications, for reasons ranging from budget constraints to the effort of forwarding and analyzing their logs. This is compounded by the security industry's shortage of competent cloud engineers, and the few who exist are overwhelmed by an already cumbersome workload. They cannot allocate time to prioritize and respond to alerts, which can lead to data loss or dormant threats lurking in your SaaS app. It is also worth mentioning that the affordability of SaaS services such as network storage means data retention can easily extend beyond what is necessary, leading to a whole host of complications: compliance violations, lawsuits, incomplete data deletion, and so on.
A variety of SaaS cybersecurity options are available. Customers can run third-party tools that check the state of their security configurations; these can be scheduled and set to alert on potentially problematic settings. Some cloud providers, such as Microsoft with its Secure Score, offer a rating with tips on how to improve the tenant's security posture, which can also serve as a key performance indicator. Cloud providers are also encouraged to commission web application penetration testing or SaaS penetration testing, both of which examine SaaS security through the lens of an active attacker. Green flags from a cloud provider include having a Virtual Chief Information Security Officer (vCISO) for the SaaS offering and having met SOC 2 requirements. A vCISO indicates the organization takes cybersecurity seriously enough to appoint an executive to manage its security strategy. Finally, a SOC 2 report means an independent auditor has examined the provider's controls; it is a strong indicator, though not a guarantee, that the provider understands SaaS cybersecurity requirements, and it does not remove the customer's own responsibility for configuring the tenant correctly.
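A scheduled configuration check of the kind described above does not need a product to get started: export the tenant's settings, evaluate them against a baseline, and alert only on findings that are new since the previous run, so that a weekly job reports regressions rather than re-reporting known debt. The script below is an added example and is not code from this article, from Microsoft Secure Score, or from any SaaS security product. The setting names, the exported document, the severities and the 10% admin-ratio threshold are hypothetical; real export formats and key names differ from vendor to vendor, and the constructed export deliberately mirrors the anonymous-sharing misconfiguration discussed earlier.

```python
"""Scheduled SaaS configuration check: evaluate a tenant's exported settings
against a baseline and report only what is new since the previous run.
Added example; the setting names, the export and the thresholds are hypothetical
and will differ from vendor to vendor."""
import json

# Constructed settings export from a SaaS tenant's admin API (hypothetical keys).
TENANT_SETTINGS_JSON = """
{
  "mfa_required": false,
  "sso_enforced": true,
  "anonymous_link_sharing": true,
  "external_sharing_domains": ["*"],
  "session_timeout_minutes": 1440,
  "audit_log_export_enabled": false,
  "admin_count": 7,
  "user_count": 40
}
"""

# Baseline: (setting, predicate that must hold, severity, message when it does not).
CHECKS = [
    ("mfa_required", lambda v: v is True, "high", "MFA is not required for all users"),
    ("sso_enforced", lambda v: v is True, "medium", "SSO is not enforced; local passwords remain usable"),
    ("anonymous_link_sharing", lambda v: v is False, "high", "anonymous (no-login) share links are enabled"),
    ("external_sharing_domains", lambda v: "*" not in v, "high", "external sharing is allowed to any domain"),
    ("session_timeout_minutes", lambda v: v <= 480, "low", "session timeout exceeds 8 hours"),
    ("audit_log_export_enabled", lambda v: v is True, "medium", "audit logs are not exported to the SIEM"),
]
SEVERITY_RANK = {"high": 2, "medium": 1, "low": 0}


def load_settings(text):
    """Parse the exported settings document."""
    return json.loads(text)


def evaluate(settings, checks=CHECKS, max_admin_ratio=0.10):
    """Return (severity, setting, message) for every failed check, highest severity first.

    A setting absent from the export is reported too: a check that silently
    passes because the key is missing is how posture tools go blind.
    """
    failures = []
    for key, holds, severity, message in checks:
        if key not in settings:
            failures.append(("medium", key, "setting absent from export; cannot verify"))
        elif not holds(settings[key]):
            failures.append((severity, key, message))
    # Derived check: too many admins is excess access, whatever each setting says.
    admins, users = settings.get("admin_count", 0), settings.get("user_count", 0)
    if users and admins / users > max_admin_ratio:
        failures.append(("medium", "admin_count",
                         f"{admins} of {users} accounts are admins (over {max_admin_ratio:.0%})"))
    # sorted() is stable, so findings of equal severity keep baseline order.
    return sorted(failures, key=lambda f: SEVERITY_RANK[f[0]], reverse=True)


def new_since(previous, current):
    """Findings present in this run but not the last: what a scheduled job should page on."""
    seen = {(severity, key) for severity, key, _ in previous}
    return [f for f in current if (f[0], f[1]) not in seen]


if __name__ == "__main__":
    settings = load_settings(TENANT_SETTINGS_JSON)
    for severity, key, message in evaluate(settings):
        print(f"[{severity}] {key}: {message}")
```

On the constructed export this reports six failures (three high: MFA, anonymous links, unrestricted external sharing; two medium: no audit log export, 7 of 40 accounts are admins; one low: 24-hour sessions) while SSO passes. Persisting each run's output and feeding it to `new_since` on the next run turns the job into a drift alarm: fixing MFA and anonymous links produces no new alert, but an admin later switching off SSO surfaces as exactly one new finding.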
Image courtesy of Microsoft
We function in an economy where organizations are becoming highly specialized in what they do. This is not inherently harmful, but it poses real risks that should not be dismissed simply in the name of efficiency. Has your cloud provider taken the necessary SaaS cybersecurity precautions to reduce its attack surface? Are there formal certificates or attestations confirming its security? Contact Silent Sector today for expert advice on ensuring your SaaS providers or SaaS clients are appropriately protected.