We’ve made a point of hardening the security of infrastructure-as-a-service clouds because they’re so complex and have many moving parts. Unfortunately, many of the software-as-a-service systems that have been in use for more than 20 years are no longer on the cloud security priority list.
Organizations make a lot of assumptions about SaaS security. Essentially, SaaS systems are applications that run remotely, with data stored on back-end systems that the SaaS provider encrypts on behalf of the customer. You may not even know which database stores your accounting, CRM, or inventory data, and you’ve been told that you shouldn’t really care. After all, the provider manages the whole system for you, and users and administrators simply operate it through a web browser. In effect, SaaS means you’re much further away from the components than other forms of cloud computing.
SaaS, as stated in most marketing studies, is the biggest part of the cloud computing market. This is not well understood since the focus these days is on IaaS clouds such as AWS, Microsoft, and Google, which have distracted from the largely fragmented world of SaaS clouds, which are primarily business process as a service that you access through a browser. But SaaS now also includes backup and recovery systems and other services that are more like IaaS but are delivered using the SaaS approach to cloud computing. They save you from worrying about all the little details, which the cloud should do.
I suspect SaaS cloud security will become more of a priority once a few well-publicized breaches hit the media. You can bet it does happen, but unless the public is directly affected, violations usually don’t get a press release.
What should we pay attention to when it comes to SaaS security?
Security issues at the heart of SaaS are human error. Configuration errors occur when administrators too frequently grant access rights or permissions to users. People who might not have had rights can end up misconfiguring SaaS interfaces, such as API or UI access. Although it’s not really a problem if the rights are limited, too often people who only need simple access to data from a single data entity (such as inventory) have access to all data. This can be leveraged into devastating data breaches that are highly preventable.
This is normally a data access issue that the SaaS provider provides through user interfaces and API access. However, issues also arise with the data integration layers that SaaS customers install to synchronize data in the SaaS cloud with other cloud-hosted IaaS databases or, more likely, with legacy systems that are still held internally. These layers of data integration are often easily breached for the reason we just mentioned: poor access rights management. The data integration layers themselves, most of which are also provided in SaaS mode, may have vulnerabilities. In any case, your data is always hacked.
Other security issues are easier to understand. An employee decides to eliminate some of the company’s frustrations and copies most of the data hosted in SaaS to a USB stick and deletes it from the building. Much like granting more access privileges than a person needs, this is easily solved with restrictions and more education.
On the SaaS vendor side, issues include a lack of transparency, such as their own employees walking out of the building with customer data, or breaches that go unreported. It’s impossible to know how many of these situations have occurred, but if none have been reported to you, it may indicate that your SaaS provider is withholding information that could be harmful to them.
SaaS security is both an old and new approach and technology stack. It was the first cloud security I worked on, and we’ve come a long way since then. However, SaaS security hasn’t received as much funding, love, or education as other areas of cloud security. We may pay for it at some point unless we fix things now.
Copyright © 2022 IDG Communications, Inc.