SaaS security: you're doing it wrong


By Andrew Collins
Tuesday, 06 May, 2014

SaaS security: you're doing it wrong

Your approach to securing software-as-a-service (SaaS) is wrong. But it's not entirely your fault - the hype around cloud computing and lack of useful information on SaaS provider failures takes some of the blame.

At least, that's according to a recent report from analyst firm Gartner, called 'Everything you know about SaaS security is wrong'.

The report's author, Jay Heiser, says that potential buyers of cloud services are worried about the wrong things when it comes to security.

"Evidence suggests that SaaS purchasing decisions overemphasise low-likelihood risks, while paying insufficient attention to SaaS failure modes that are more likely - and more impactful."

According to Heiser, "dozens" of security questionnaires reviewed by the analyst firm suggest that potential cloud service buyers are more concerned about the security posture of cloud service providers than they are about data loss or the providers' administrators.

However, this balance of concerns does not reflect the reality of SaaS risks, Heiser argues.

On the topic of service providers' security posture, he writes: "While it is impossible to prove that unreported incidents have not taken place, SaaS providers have apparently experienced relatively few security failures."

The blame for many SaaS security failures actually lies closer to home, according to the analyst.

"There have been many reports of incidents in which passwords have been compromised and used to gain unauthorised access to individual SaaS accounts. These failures were not due to any vulnerabilities in the service provider's offerings, but were instead the result of unsafe practices on the part of users," Heiser writes.

(That said, Heiser does note that in a small number of cases, SaaS and other cloud service providers have permanently lost customer data via technical failure. "Some cloud services providers have experienced business failures, forcing their customers to seek alternatives with little or no advance warning.")

In order to address their concerns (which, according to the analyst, are misplaced), many potential cloud buyers have undertaken "huge" risk assessment efforts to determine the likelihood that SaaS providers will resist penetration attempts.

But "there is no evidence that detailed questionnaires or visits to providers result in any reduction in SaaS risk".

Course correction

Organisations looking to the cloud should make sure they understand which potential SaaS security failures are most likely to affect their particular usage of cloud services. They must explicitly avoid "becoming trapped in hype, myth and an endless series of improbable hypothetical threats", Heiser writes.

Three actual SaaS security failures, according to Heiser, are:

1. Sensitive data placed in unapproved services. Many employees within the organisation make use of cloud services without the knowledge of the IT department. This can present substantial risk of data leakage or loss, and in some industries can be grounds for pecuniary penalty - even if the data is not accessed by an unauthorised user.

2. Authorised users misusing cloud-based data. According to Heiser, cloud-based apps usually have a less sophisticated approach to access control than internal apps. Even if a cloud-based app does have strong access control options, organisations rarely make use of these, anecdotal evidence from Gartner clients suggests.

A few problems arise as a result, including authorised users accessing data they should not; authorised users that should have been expired; and authorised users leaking data through the cloud, including via automatic syncing of files to home machines.

3. Stolen credentials. Most enterprise SaaS authentication (and "virtually all" consumer SaaS authentication) is in the form of reusable passwords, Heiser says.

"Because people have a natural tendency to use the same password on multiple systems, SaaS-based enterprise data can be at risk to an attacker who has managed to guess someone's Facebook password, or has captured it using password-slurping malware.

"The compromise of individual accounts by stealing the password is the most likely form of SaaS security failure. Every organisation using SaaS that has not taken steps to improve account control or authentication strength is vulnerable," the analyst says.

Pictured: Gartner analyst Jay Heiser.

Related Articles

Secure-by-design software development for digital innovation

The rise of DevSecOps methodologies and developments in AI offers every business the opportunity...

Bolstering AI-powered cybersecurity in the face of increasing threats

The escalation of complex cyber risks is becoming a pressing issue for those in business...

How attackers are weaponising GenAI through data poisoning and manipulation

The possibility for shared large language models to be manipulated through data poisoning...

Content from other channels on our network

6G-REFERENCE project envisions cell-free comms in urban areas

Vertiv boosts colocation data centre capacity for Chorus

'Curving' light beams could enable terahertz comms

Panasonic offers private 5G network testing in Munich

Antenna upgrade enables better sewer management

Robotic lab enhances battery manufacturing

Machine learning used to create fabric-based touch sensor

Hybrid sodium-ion battery can be charged in a few minutes

Researchers develop energy-efficient probabilistic computer

Wearable sensor measures real skin feel

EV future for Monash Uni

Shell Cove battery launched on NSW South Coast

Million-dollar rooftop solar for Kimberley hospital

Protecting wildlife from electrical assets — and vice versa

Immersive VR training for electricians

  • All content Copyright © 2024 Westwick-Farrow Pty Ltd