SaaS Security Risk and Challenges

Ejona Preçi and Peter H. Gregory
Date Published: 26 July 2022

The hybrid work model imposed by organizations during the height of the COVID-19 pandemic triggered many enterprises to accelerate moves to cloud-based services for better resilience and efficiency. In its ongoing evolution, Software as a Service (SaaS) has empowered organizations with the tools necessary for effective management, communication, and collaboration, regardless of the location of the organization or its employees. Moreover, it does not require customers’ investment in physical infrastructure, platform administration, patching, or monitoring. However, these benefits are associated with notable risk factors and challenges for both SaaS customers and providers.

SaaS Customer Challenges

Cloud computing is no longer considered an emerging and disruptive technology, but rather a mainstream trend that has become more mature over the years. However, new cloud-based services such as SaaS are thriving due to their numerous benefits. SaaS is a software distribution model in which the provider is responsible for hosting applications and providing security, development and maintenance to its customers. The adoption of SaaS has become increasingly critical for enterprise success, though it requires the organization to release some of its control over data, application management and customization. Therefore, hacker focus has shifted from the cloud in general to emerging tools and technologies that reside within the cloud and, more specifically, to SaaS. Consequently, SaaS customers face several notable challenges.

Data Loss
Organizations have less control over and visibility into their data when using SaaS. Therefore, there is a greater risk of accidental data deletion or leakage. If this risk materializes, it can result in permanent loss of sensitive data that often triggers a serious financial, legal and reputational impact. Costs can include compensating affected employees or customers, executing incident response plans, restoring data from backups, investigating the data breach, investing in new security measures, regaining customer trust, and paying legal fees, including fines for noncompliance with the EU General Data Protection Regulation (GDPR). Organizations that violate GDPR can be fined up to 4 percent of their annual global turnover or €20 million, whichever is greater.¹ In all cases, if sensitive data are compromised, whether intentionally or not, affected individuals can seek legal action to claim compensation. In some cases, the fallout from data loss can threaten an organization’s survival. As such, it is essential for SaaS providers to identify relevant threats and reduce their attack surfaces.

Unauthorized Access
When using SaaS, organizations face an increased risk of user account takeover. This risk is partly related to SaaS being exposed to the Internet. Geographic restrictions are not common in SaaS services, enabling brute force and other credential-based attacks to originate from anywhere. There are also opportunities for attackers to access user credentials obtained through the dark web and use those credentials to commit account takeovers. Authentication and authorization are critical aspects of SaaS application security. To improve identity and access management, organizations should evaluate the possibility of integrating SaaS platforms into their enterprise single sign-on (SSO) solutions and enforce multifactor authentication (MFA). SSO is also an efficient method for inventorying SaaS tools and providing detailed insights into their usage.

Insecure Application Programming Interfaces
Some SaaS tools’ application programming interfaces (APIs) may lack proper role-based access control mechanisms and have exploitable vulnerabilities. Insecure or missing access control mechanisms and vulnerabilities in API endpoints result in unauthorized access to sensitive data. To mitigate this risk, organizations must protect their communication endpoints as per best practices, including vulnerability management and limiting API access, based on need-to-know and least privilege principles.

Shadow IT
Shadow IT refers to the systems, devices, applications, and services accessed and used by employees or departments without the knowledge, explicit approval, or oversight of the IT, information security, and legal teams. The consumerization of SaaS services is a main driver of shadow IT. Users with Internet access can easily acquire and use SaaS tools. Organizational departments, including legal, procurement, IT, information security, and privacy teams, often have no opportunity to vet SaaS tools prior to their use. This exposes the organization to tremendous compliance and security risk, including data exposure, malware and productivity loss. Therefore, organizations should adopt effective technical solutions to prevent the installation and usage of unsanctioned SaaS tools and close these compliance and security gaps.

Vulnerability Management
Customer organizations are at the mercy of SaaS providers to perform effective vulnerability management. Even a single vulnerability in SaaS tools provides attackers with an entry point to the organization’s data.

There are several due diligence activities SaaS providers must perform for the sake of proper vulnerability management, including:

  • Implement security training for developers and other IT staff to reduce the number of new security defects
  • Introduce security earlier in the development life cycle to ensure security and privacy by design
  • Develop a comprehensive and continuous vulnerability management program to identify, evaluate, report on and prioritize vulnerabilities
  • Define security metrics to identify and visualize vulnerability trends
  • Address identified vulnerabilities in a timely manner

Third-Party Risk Management
Involving third-party vendors in an organization’s internal operations and processes poses security risk. Hence, organizations must implement a third-party assessment program to evaluate and monitor third-party risk. Third-party security assessment questionnaires are a powerful tool designed to help organizations collect data and other relevant security information about third parties, ideally before entering into a business relationship. However, many SaaS providers are unwilling to answer lengthy questionnaires about their current security postures. Instead, they might share their SOC audit reports and International Organization for Standardization (ISO) certifications, which provide some information about the vendor’s security posture but lack essential details such as the effectiveness of their business continuity or disaster recovery plans, adopted encryption protocols, data backup plans, secure software development life cycle (SDLC) and more. Organizations using SaaS services often must settle for less detailed risk information than what is available for internally managed applications. As a result, SaaS customers cannot gain a thorough understanding of risk in the SaaS environment or across the overall organization.

Risk Mitigation
SaaS providers are unlikely to change their environment and business processes to meet individual customers’ requirements and standards. This approach leaves customers to figure out other ways of managing risk. Risk identified in SaaS providers often must be mitigated via compensating controls in the customer’s organization, such as:

  • Integrating SaaS platforms to the organization’s SSO solution and enforcing MFA for all logins
  • Implementing a role-based access control (RBAC) mechanism (if supported by the platform)
  • Storing data backups outside the SaaS platform
  • Providing periodic security training for employees
  • Restricting access to company APIs used to exchange data with SaaS providers

Event Visibility
SaaS providers are unlikely to send infrastructure- and application-level security event logs to customers’ security information and event management (SIEM) solutions, leaving customers’ security operations teams without important information. This diminishes the ability to identify and manage potential security incidents. For example, it can be difficult to know whether and when a brute-force password replay attack is perpetrated against a SaaS customer user account. Such attacks could lead to undetected data breaches, resulting in the organization being considered liable for the data leak and for not reporting the incident to the appropriate parties (e.g., employees, customers, authorities) in a timely manner.
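Where a SaaS provider does offer an audit-log export, the customer can run the missing detection itself. The following is an added example, not code from the article or any vendor: it parses constructed audit records (the field names ts, user, src_ip and result are assumptions, not a real vendor schema), flags accounts whose failed logins reach a threshold within a time window, and notes when a later success from one of the attacking addresses suggests the account was taken over.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of an exported SaaS audit log, one JSON record per line.
# Field names are assumptions for this example, not any vendor's real schema.
SAMPLE_LOG = """
{"ts": "2022-07-26T09:00:01Z", "user": "alice@example.com", "src_ip": "198.51.100.7", "result": "failure"}
{"ts": "2022-07-26T09:00:04Z", "user": "alice@example.com", "src_ip": "198.51.100.7", "result": "failure"}
{"ts": "2022-07-26T09:00:09Z", "user": "alice@example.com", "src_ip": "203.0.113.9", "result": "failure"}
{"ts": "2022-07-26T09:00:15Z", "user": "alice@example.com", "src_ip": "203.0.113.9", "result": "failure"}
{"ts": "2022-07-26T09:00:21Z", "user": "alice@example.com", "src_ip": "203.0.113.9", "result": "failure"}
{"ts": "2022-07-26T09:00:40Z", "user": "alice@example.com", "src_ip": "203.0.113.9", "result": "success"}
{"ts": "2022-07-26T09:05:00Z", "user": "bob@example.com", "src_ip": "192.0.2.44", "result": "failure"}
{"ts": "2022-07-26T09:30:00Z", "user": "bob@example.com", "src_ip": "192.0.2.44", "result": "success"}
"""

def parse_log(text):
    """Parse one JSON record per line into dicts with a datetime timestamp, oldest first."""
    events = []
    for line in text.strip().splitlines():
        rec = json.loads(line)
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(rec)
    return sorted(events, key=lambda r: r["ts"])

def detect_account_attacks(events, threshold=5, window=timedelta(minutes=10)):
    """Return {user: alert} for each account with `threshold` or more failed logins
    inside `window`; the alert records the source addresses and whether one of
    them later logged in successfully (a possible account takeover)."""
    by_user = defaultdict(list)
    for ev in events:
        by_user[ev["user"]].append(ev)
    alerts = {}
    for user, evs in by_user.items():
        failures = [e for e in evs if e["result"] == "failure"]
        for i, start in enumerate(failures):          # slide the window over each failure
            burst = [f for f in failures[i:] if f["ts"] - start["ts"] <= window]
            if len(burst) >= threshold:
                ips = {f["src_ip"] for f in burst}
                last_failure = burst[-1]["ts"]
                takeover = any(e["result"] == "success" and e["src_ip"] in ips
                               and e["ts"] >= last_failure for e in evs)
                alerts[user] = {"failures": len(burst), "source_ips": sorted(ips),
                                "first": start["ts"], "possible_takeover": takeover}
                break                                  # one alert per account is enough
    return alerts

if __name__ == "__main__":
    for user, alert in detect_account_attacks(parse_log(SAMPLE_LOG)).items():
        print(user, alert)
```

Bob's single failure followed by a success from the same address is ordinary user behaviour and produces no alert; the thresholds are starting points to tune against the tenant's real login volume.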

Risk Culture
It can be challenging for customers to understand the fundamental nature of a SaaS provider’s risk culture. Audits, certifications, questionnaires, and other materials paint a narrow picture of the providers’ security posture. Moreover, SaaS providers are unlikely to share their risk register with customers, as this would reveal excessive details about the SaaS provider’s security posture. Further, SaaS providers are unlikely to undergo detailed customer audits due to limited resources. Despite external audits and completed questionnaires, the risk culture of a SaaS provider often remains a closed book.

Shared Responsibilities
Some SaaS customers lack a fundamental understanding of the shared responsibility model between the customer and provider. Not all SaaS providers publish a shared responsibility matrix, complementary user entity controls (CUEC) or other useful artifacts. While some SaaS providers share CUEC information or shared responsibility information with their customers, many do not, leaving customers to discern on their own where key responsibilities lie. If the responsibility model communicated by the vendor is not clear enough, it is essential for customer organizations to contact the vendor and explicitly agree on this matter before concluding the contract. Lacking CUEC and other information, SaaS customers must undergo a detailed risk analysis to discern and reverse engineer a responsibility matrix.

Fourth-Party Data Access
A common side effect of SaaS solutions is that data are shared with additional external parties. Some fourth-party access can be legitimate and necessary. However, there are many cases where fourth-party access results from misconfigurations or careless or unintended data access, exposing organizations to large-scale data exfiltration. Therefore, organizations must adopt a zero-trust approach and continuously monitor all fourth-party applications integrated into their SaaS environment. As part of their evaluations, organizations should ask vendors to specify what services they outsource and identify the fourth parties involved. SaaS providers are often reluctant to provide information about their third parties, leading to more ambiguity surrounding risk.

Disaster Recovery
The resilience of individual SaaS providers is largely unpredictable. Some SaaS providers may have high-quality, tested business continuity and disaster recovery plans, while others may not. Again, SaaS providers often do not provide these details, leaving customers in the dark regarding the resilience of their critical SaaS providers.

SaaS Provider Challenges

Many SaaS platforms store vast amounts of personal data that can be accessed from almost any device, putting critical data at risk. Therefore, SaaS providers face distinct challenges of their own to meet customers’ expectations and maintain efficiency in delivering products and services.

Attestations
SaaS providers need to balance the value of external attestations against the cost and time required to obtain them. Customers are usually interested in the effectiveness of the provider’s critical information security and privacy controls such as access management, change management, system development, backup management, encryption, physical security, staff qualification and training, and business continuity management/disaster recovery planning. Thorough and efficient SaaS providers identify and commit to the attestations (e.g., SOC 1, SOC 2, ISO certifications) that are the most meaningful to customers.

Disclosure of Security Program Details
SaaS providers are often challenged in finding the right balance between revealing too little and too much information to their customers (i.e., security policies, procedures, standards, business continuity plans, controls, and risks). Sharing too much information could enable attackers to compromise the SaaS environment. On the other hand, sharing too little information may not be enough for customers to assess the security posture of the provider; consequently, they might not want to enter into a business relationship. SaaS providers should perform a risk assessment, a benchmark of customer requests and a cost-benefit analysis to define the right balance for information sharing.

Efficiency and Security
SaaS providers are constantly struggling to achieve the right balance between economically scaling and mitigating the range of risk factors associated with multitenant environments. Multitenancy can be complex and expensive to implement correctly. Senior management in some SaaS organizations may not fully support the implementation of multilayer controls to prevent cross-customer data leakage. To obtain senior management buy-in, SaaS providers need to undergo detailed risk analyses of their environments to quantify the top risk factors. If senior management does not listen, it may be necessary to bring in outside experts to identify and explain top risk factors.

Configurability
SaaS providers must develop a robust platform that provides rich configurability and flexibility for customers, to reduce the need for customization in the future. Customization leads to increased complexity, making it more challenging to ensure that there are no exploitable flaws in the SaaS platform.

Third-Party Risk Management
Organizations that store personal information or personally identifiable information (PII) in SaaS may send questionnaires consisting of hundreds of questions, especially if they use standardized information gathering (SIG) questionnaires. SaaS providers should develop an efficient approach to avoid providing too much information when responding to customer requests via customers’ third-party risk management programs. An efficient approach may consist of demonstrating available security attestations (e.g., ISO 27001 certification, SOC 1 or SOC 2 reports) to the customer and responding to residual requests, or preparing a formal security posture statement and making it available to the customer. This approach significantly reduces the workload of the provider and is less time-consuming for customers because they do not have to wait long to receive the basic security information from the provider.

Shared Responsibilities
Defining the line between customers’ and providers’ responsibilities is imperative to reduce the risk of introducing vulnerabilities into SaaS infrastructure. SaaS providers must define and outline the shared responsibility model and determine which party is responsible for individual security, privacy, and operational activities, to ensure accountability and comprehensive protection of sensitive data.

Conclusion

As the SaaS model continues to expand, organizations must take the necessary security measures by building a sound SaaS strategy, developing and updating their risk appetite statements, establishing incident response plans, and performing thorough due diligence through structured third-party risk management programs to gain visibility into each vendor’s security posture. These activities enable organizations to understand their complete security postures, including what is knowable about the risk associated with doing business with each SaaS provider. On the other hand, SaaS providers must consider standardizing their security processes, defining clear responsibility models, being transparent with customers, and striving for continuous improvement of their security postures. Anything less results in the presence of undiscovered risk.

Endnotes

1 Browne, R.; “Fines for Breaches of EU Privacy Law Spike Sevenfold to $1.2 Billion, as Big Tech Bears the Brunt,” CNBC, 17 January 2022

Ejona Preçi, CISM, CRISC, ITIL v4

Is an information security expert and an advocate for gender equality and diversity in the tech and security industries. She serves as the principal security risk manager for FREE NOW, a Daimler and BMW joint venture.

Peter H. Gregory, CISA, CISM, CRISC, CDPSE, CCSK, CISSP, DRCE

Is a career cybersecurity and privacy leader and the author of numerous books on cybersecurity and privacy. He can be reached at www.peterhgregory.com.