It's time to put SaaS security first
Did we prioritize IaaS security at the expense of SaaS security? Know what to avoid, such as granting users excessive permissions and misconfiguring UIs, APIs, and integrations.
Because infrastructure-as-a-service clouds are so complex and have so many moving parts, we've made it a priority to strengthen their security. Unfortunately, many software-as-a-service systems that have been in use for over 20 years have slipped down the cloud security priority list.
Organizations make numerous assumptions about SaaS security. At their core, SaaS systems are remote-access applications that store data on back-end systems that the SaaS provider encrypts on the customer's behalf. You might not even know what database is storing your accounting, CRM, or inventory data—and you've been told not to worry about it. After all, the provider manages the entire system, and users and administrators simply access it via a web browser. Indeed, SaaS abstracts you much further away from the components than other types of cloud computing.
According to most marketing studies, SaaS accounts for the lion's share of the cloud computing market. This is not well understood because the emphasis these days is on IaaS clouds like AWS, Microsoft, and Google, which has diverted attention away from the largely fragmented world of SaaS clouds, which are mostly as-a-service business processes accessed via a browser. However, SaaS now includes backup and recovery systems as well as other services that are more IaaS-like but are delivered via the SaaS cloud computing model. They free you from dealing with the nitty-gritty details, which is what the cloud should do.
I believe that after a few well-publicized breaches, SaaS cloud security will become a higher priority. You can bet these are happening, but unless the public is directly affected, breaches rarely make it into a press release.
What should we be on the lookout for in terms of SaaS security?
Human error is at the heart of SaaS security issues. When administrators grant user access rights or permissions too freely, misconfigurations occur. People who should not have been granted access to SaaS interfaces, such as API or user interface access, may end up misconfiguring them. Although this is not a big deal if rights are restricted, people who only need simple data access to a single data entity (such as inventory) are frequently given access to all the data. This can lead to devastating data breaches that are entirely avoidable.
This is typically an issue with data access provided by the SaaS vendor via user interfaces and API access. However, issues arise when SaaS customers install data integration layers to sync data in the SaaS cloud with other IaaS cloud-hosted databases or, more likely, back to legacy systems that are still held in-house. This data integration layer is frequently breached due to the previously mentioned reason—mismanagement of access rights. The data integration layers themselves, many of which are also delivered as SaaS, may be vulnerable. In either case, your data has been compromised.
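The over-permissioning described in the two paragraphs above, both for UI users and for integration service accounts, can be audited mechanically by comparing what a principal was granted against what its role needs. The following is an added example, not code from the original article; the tenant, entity names, and principals are constructed and hypothetical.

```python
from dataclasses import dataclass

# Data entities exposed by the (constructed, hypothetical) SaaS tenant.
ALL_ENTITIES = frozenset({"inventory", "accounting", "crm", "hr"})


@dataclass(frozen=True)
class Principal:
    """A SaaS user or integration service account and its entity-level grants."""
    name: str
    kind: str            # "user" (UI access) or "integration" (API/sync layer)
    needed: frozenset    # entities the job actually requires
    granted: frozenset   # entities the SaaS administrator assigned


def excess_grants(p: Principal) -> frozenset:
    """Entities granted beyond what the role needs (empty = least privilege)."""
    return p.granted - p.needed


def audit(principals) -> list:
    """Return (name, severity, excess) findings for over-permissioned principals.

    Integration accounts and full-tenant grants are rated high because a
    compromised sync layer or an all-data user exposes every entity at once.
    """
    findings = []
    for p in principals:
        extra = excess_grants(p)
        if not extra:
            continue
        full_tenant = p.granted >= ALL_ENTITIES
        severity = "high" if p.kind == "integration" or full_tenant else "medium"
        findings.append((p.name, severity, sorted(extra)))
    return findings


def least_privilege(p: Principal) -> Principal:
    """Corrected grant: keep only the entities the role needs."""
    return Principal(p.name, p.kind, p.needed, p.granted & p.needed)


# Constructed sample tenant, not real data.
SAMPLE = [
    Principal("warehouse-clerk", "user", frozenset({"inventory"}), ALL_ENTITIES),
    Principal("erp-sync-connector", "integration",
              frozenset({"inventory"}), frozenset({"inventory", "accounting"})),
    Principal("controller", "user", frozenset({"accounting"}), frozenset({"accounting"})),
]

if __name__ == "__main__":
    for name, severity, extra in audit(SAMPLE):
        print(f"{severity.upper():6} {name}: unneeded access to {', '.join(extra)}")
```

Running the audit again over `least_privilege(p)` for each principal returns no findings, which is the state an administrator should be aiming for before any integration layer is connected.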
Other security issues are simpler to comprehend. An employee decides to vent on the company by copying the majority of the SaaS-hosted data to a USB drive and removing it from the building. This is easy to fix with restrictions and more education, much like the problem of giving someone more access than they need.
SaaS providers themselves pose risks, including a lack of transparency about incidents such as their own employees walking out of the building with customer data, or unreported breaches. It's impossible to know how many of these incidents have occurred, but if none have been reported to you, it could mean that your SaaS provider is withholding information that could be damaging to them.
SaaS security is at once an old and a new approach and technology stack. It was the first cloud security project on which I worked, and we've come a long way since then. However, SaaS security has not received the same level of funding, affection, or education as other aspects of cloud security. We may have to pay for it later if we don't get things fixed right away.