SaaS security: you're doing it wrong


By Andrew Collins
Tuesday, 06 May, 2014


SaaS security: you're doing it wrong

Your approach to securing software-as-a-service (SaaS) is wrong. But it's not entirely your fault - the hype around cloud computing and lack of useful information on SaaS provider failures takes some of the blame.

At least, that's according to a recent report from analyst firm Gartner, called 'Everything you know about SaaS security is wrong'.

The report's author, Jay Heiser, says that potential buyers of cloud services are worried about the wrong things when it comes to security.

"Evidence suggests that SaaS purchasing decisions overemphasise low-likelihood risks, while paying insufficient attention to SaaS failure modes that are more likely - and more impactful."

According to Heiser, "dozens" of security questionnaires reviewed by the analyst firm suggest that potential cloud service buyers are more concerned about the security posture of cloud service providers than they are about data loss or the providers' administrators.

However, this balance of concerns does not reflect the reality of SaaS risks, Heiser argues.

On the topic of service providers' security posture, he writes: "While it is impossible to prove that unreported incidents have not taken place, SaaS providers have apparently experienced relatively few security failures."

The blame for many SaaS security failures actually lies closer to home, according to the analyst.

"There have been many reports of incidents in which passwords have been compromised and used to gain unauthorised access to individual SaaS accounts. These failures were not due to any vulnerabilities in the service provider's offerings, but were instead the result of unsafe practices on the part of users," Heiser writes.

(That said, Heiser does note that in a small number of cases, SaaS and other cloud service providers have permanently lost customer data via technical failure. "Some cloud services providers have experienced business failures, forcing their customers to seek alternatives with little or no advance warning.")

In order to address their concerns (which, according to the analyst, are misplaced), many potential cloud buyers have undertaken "huge" risk assessment efforts to determine the likelihood that SaaS providers will resist penetration attempts.

But "there is no evidence that detailed questionnaires or visits to providers result in any reduction in SaaS risk".

Course correction

Organisations looking to the cloud should make sure they understand which potential SaaS security failures are most likely to affect their particular usage of cloud services. They must explicitly avoid "becoming trapped in hype, myth and an endless series of improbable hypothetical threats", Heiser writes.

Three actual SaaS security failures, according to Heiser, are:

1. Sensitive data placed in unapproved services. Many employees within the organisation make use of cloud services without the knowledge of the IT department. This can present substantial risk of data leakage or loss, and in some industries can be grounds for pecuniary penalty - even if the data is not accessed by an unauthorised user.

2. Authorised users misusing cloud-based data. According to Heiser, cloud-based apps usually have a less sophisticated approach to access control than internal apps. Even if a cloud-based app does have strong access control options, organisations rarely make use of these, anecdotal evidence from Gartner clients suggests.

A few problems arise as a result, including authorised users accessing data they should not; authorised users that should have been expired; and authorised users leaking data through the cloud, including via automatic syncing of files to home machines.

3. Stolen credentials. Most enterprise SaaS authentication (and "virtually all" consumer SaaS authentication) is in the form of reusable passwords, Heiser says.

"Because people have a natural tendency to use the same password on multiple systems, SaaS-based enterprise data can be at risk to an attacker who has managed to guess someone's Facebook password, or has captured it using password-slurping malware.

"The compromise of individual accounts by stealing the password is the most likely form of SaaS security failure. Every organisation using SaaS that has not taken steps to improve account control or authentication strength is vulnerable," the analyst says.

Pictured: Gartner analyst Jay Heiser.

Related Articles

Strategies for navigating Java vulnerabilities

Java remains a robust and widely adopted platform for enterprise applications, but staying ahead...

Not all cyber risk is created equal

The key to mitigating cyber exposure lies in preventing breaches before they happen.

How AI can help businesses manage their cyber risks

Artificial intelligence can be a powerful ally in the fight against cyberthreats.


  • All content Copyright © 2024 Westwick-Farrow Pty Ltd