The current generation of web applications are products collectively referred to as SaaS: software as a service. SaaS products are in a different league from hosted applications often masquerading as “cloud” software. To many, there is little difference because characteristics like multi-tenancy, automated provisioning, scalability and elasticity are not easily conveyed to the end-user. Perhaps the best way to think of it is in terms of design: SaaS applications are typically modular and composed of many small parts that can be changed without affecting the entire application. Traditional software is a large lump of bits and bytes and requires down-time to make a small change, SaaS products do not.
Combined with modern appeals such as increased uptime, advanced security, single-sign on, cross-platform compatibility, accessibility from anywhere, and agility it is easy to forget that SaaS applications require as much cybersecurity discipline as conventional products. The spoils of SaaS products like those from Microsoft Office 365, Google Cloud, DropBox, Netflix and so many others make it easy to forget that there are major risks associated with poor implementation.
THE PROBLEM
SaaS data – like the data that lives on servers or devices – is still subject to human error, insider threats, configuration errors, extorsion, and breaches. In general, user data is not protected by SaaS vendors. As your company adopts software-as-a-service, part of the risk assessment is understanding the concept of shared responsibility for security of data. What’s even more difficult to grasp is that most SaaS providers host their applications on Platform-as-a-Service (PaaS) infrastructure (such as Azure, AWS, or Google Cloud) where they are the customer and they share security responsibility. When applied correctly this model is the most effective way to develop secure applications, but when implemented poorly it is effectively a Ponzi scheme for cybersecurity.
As a software-as-a-service customer the typical responsibilities are not always clearly defined and buried in terms of service. Some companies, like Microsoft (Office365), make things clear: “…recommend that you regularly backup Your Content and Data that you store on the Services or store using Third-Party Apps and Services.” Other companies are typically not that transparent because shared responsibility is difficult to explain, harder to implement, and could easily cost a sale. Those companies sacrifice depth for breadth and typically sell a “secure” solution that in principle is smoke and mirrors. Big or small, clear or not, the typical division of responsibilities for SaaS companies is as follows:
Item | SaaS Responsibility | Your Responsibility |
---|---|---|
Hardware Failure | Total. | None. |
Software Failure | Total. | Some. With a plethora of browser and operating systems, a compatibility issue with endpoint to app connectivity rests on you to manage. |
Natural Disaster | Total. | None. |
Continuity Event | Total. | None. |
Malicious Actors | Shared. Data centers and MSPs are a hot target – one breach means provides major financial incentive. | Shared. Many poorly managed targets are low-hanging fruit for a plethora of hackers and extortionists. |
Viruses & Malware | Shared. Data center and infrastructure. | Shared. Exchanged data (emails, attachments, links) can cripple your on-premise devices. You are responsible for ensuring nothing bad reaches an end-user. |
Malicious Insiders | None. | Total. A disgruntled employee or even one that is poorly trained can cause catastrophic damage do your data. |
Programmatic Errors | None. | Total. Most SaaS products feature an application programming interface (API) that allows other apps to talk to theirs. Those permissions are controlled by you and a common vector for cybersecurity events. |
Human Error | None. Most providers are capable of recover entire tenants in case of a tenant failure, not one person who deletes something critical. | Total. You are entirely responsible for your use of the application. |
Meanwhile cybersecurity threats evolve. Forrester Research Study showed that 24% of companies surveyed experienced a full data disaster. National Small Business Administration cites that 44% of small businesses have been victims of cyber attacks. Garner Group estimates that average mid-size companies have 16-20 hours of application downtime annually. Price Waterhouse Cooper determined that 70% of small businesses that experience a major data loss go out of business within a year.
SaaS disruptions are equally possible and probable as they are for on-premise and conventional systems. The threats are different, but the outcomes are the same: lost revenue, lost productivity, missed deadlines, compromised communication, financial impacts, compliance violations, and customer dissatisfaction.
THE SOLUTION
There are no silver bullets, magic wands or sacred oracles that will do-away with the risks. It’s no surprise that many companies, and often many IT managers, choose to bury their heads in the sand and hope nothing bad happens. There is, however, a mindful approach to understanding and mitigating risks of software-as-a-service that we have developed internally and share with our clients daily. While specifics of this approach will vary between organizations, the general milestones do not. More importantly, this is a living process that changes and adapts to the cyber-threats and should be referenced periodically.
Hire representation.
Do not make choices on your own. A solutions consultant is an ally and one operating under fiduciary responsibility is an asset. Our customers benefit from a two-prong approach to SaaS implementation: vendor security review and client needs discovery. During vendor security review our team looks at the company in question and attempts to paint a concise picture of their practices juxtaposed against industry standards and our own experience. Meanwhile, during discovery we look internally at your organization and determine your needs through a comprehensive but digestible review.
Understand terms of service.
While we all accept our Apple Terms of Service without thinking, same cannot be said for your organization. While we cannot discourage reading each TOS word for word, in the minimum review the warranties and any paragraph that includes “warranty“, “backup“, or “responsible“. Compare it against the gold standards of service agreements such as the Microsoft Services Agreement and draw your own conclusion on what the vendor in question is doing differently.
Secure your email.
E-mail continues to be a critical component of SaaS and a space used to transact daily activities. Trust in e-mail is paramount but most companies have little trust or simply are unaware of the risks and the possible mitigation measures. An intelligent, machine-learning driven anti-phishing/anti-malware/anti-ransomware technology combined with a properly configured DKIM/DMARC/SPF technology and a secured domain are key components of trusting your e-mail.
Secure your access.
Credential hygiene combined with secure authentication systems are a useful way to effectively track logon events throughout all of your SaaS products. Technologies involved here include single-sign-on (SSO), multi-factor (MFA) authentication, application portals, device trust, and adaptive access are means to protect your workforce with simple and powerful access security. While secure authentication is one component, there is more to securing access. Organizations must be able to understand who is accessing what and detect account compromise. This is achieved through a number of technologies and processes and links back to an understanding of your organizational needs and experienced solution consultants to help you implement cost-effective and valuable solutions.
Secure your end-points.
Securing end-points means protecting your end-user devices in context of confidentiality, integrity, and availability. This does not mean loading anti-virus and calling things good. This is about intelligent and mindful implementation of hardware that fits your organization. In most cases there are at least four technologies in play: remote management and monitoring, mobile device management, anti-malware and behavior analytics, and employee monitoring (for insider threat, malicious activities, and data loss protection).
Remote management and monitoring is generally a function of your information technology services provider. The key components are the ability to automate processes, respond to requests, and inventory your assets. Mobile device management, on the other hand, shares some overlap but focuses on compliance and enforcement of policies. Anti-malware also comes in many flavors but the key ingredient – today – are technologies capable of detecting malicious application behavior because threats like ransomware arrive and operate encrypted and often cannot be seen by scanners. Lastly, while employee monitoring can be controversial, it offers a simple way to validate security events that would otherwise take hours or fail detection entirely.
Shadow IT
While majority of the items above ultimately focus on layers protecting people, there is also a need to manage third-party application access, connections via APIs, and connections between systems. One approach is to monitor corporate systems using a technology called cloud application discovery and simultaneously alerting on events that match behavior patters of known threats.
Commit to Oversight.
None of these technologies matter if your organization tries to do it alone. There is a reason we do not perform surgeries on ourselves, litigate our own matters, or build home rockets to launch ourselves into space. Instead, we choose experts to help guide us. To do this effectively, in the cybersecurity world, the effective means of protecting an organization are calibrated to the company’s needs and bespoke. Even when the same tools are used across multiple organizations the implementation of those tools is rarely identical. Priorities differ, engagements differ, needs differ. To manage cybersecurity effectively someone needs to pay attention, and a trusted third-party partner is your best choice.