Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Application Security

Debunking Three SaaS Security Myths

IT Security Myths

The SaaS revolution is here.

IT Security Myths

The SaaS revolution is here.

According to Gartner, SaaS and cloud-based business application services revenue will grow from $13.5 billion in 2011 to $32.8 billion in 2016. PwC’s latest Global 100 Software Leaders Report data shows that the top software companies in the industry have continued a consistent and growing shift towards Software-as-a-Service (SaaS), growing their revenues by 60% to US$20 billion.

As SaaS adoption grows, so do the security concerns. But there is so much confusion around SaaS security that many enterprises are focusing on the wrong problems. Here are the three biggest myths when it comes to SaaS security:

Myth #1 – Shadow IT is the biggest SaaS problem.

Much of the concern around SaaS security has been on the proliferation of unsanctioned IT apps, the so-called Shadow IT applications being deployed by rogue users.

If you believe that these rogue departmental users, who have circumvented formal IT provisioning processes and sidestepped IT security controls in the process, are just trying to find more effective ways to do their jobs and gain competitive advantages (another benefit of SaaS), then the goal should be to empower them. IT can either conduct a proper analysis of the shadow IT application to determine if it is appropriate for the organization, or provide an approved alternative. Christopher Mim’s article in the Wall Street Journal “Let Staff Go Rogue on Tech” talks about this:

Once a shadow IT service is sufficiently popular, whoever is in charge usually conducts a formal analysis of the provider’s security measures and compliance with appropriate regulations. As long as everything checks out, what started as an employee end-run around their own IT staff becomes institutionalized.

In other words, shadow IT is manageable and most of your efforts will focus on monitoring your users once a quarter. It is not the doom and gloom SaaS security problem that everyone is pitching it to be. It is an opportunity to learn about IT applications that everyone can benefit from, so don’t fight it.

SaaS security is not about discovering and fighting Shadow IT. It is instead about securing your approved SaaS applications (remember that this list will include Shadow IT applications that have been institutionalized) that contain the bulk of company data that must be protected. It is about ensuring that data and all the variety of functions you can utilize in SaaS is compliant to any standards in your industry, and protected from threats, misuse or abuse.

SaaS RevolutionMyth #2 – Security that works in my enterprise works for SaaS

If you agree on the SaaS security problem, then it’s time to debunk the next myth… that the security solution that you’re using actually addresses your needs.

Organizations want to extend the same security and risk/compliance controls they have in the enterprise to SaaS, but in fact, traditional security solutions are ineffective because of the following reasons:

Lack of visibility – As part of the shared responsibility model, security for the SaaS application is dependent on the cloud provider. The cloud provider is responsible for securing its services, while enterprises are accountable for usage and all activities. Yet, an enterprise, and its existing security solutions may have very little visibility and control of the SaaS application and infrastructure to achieve the latter.

Mobility and BYOD – A key benefit of SaaS, the ability to easily access an application from anywhere anytime and on any device, brings security challenges. Traditional security solutions will fail, unless you adopt an extreme access policy model where you only allow user access to SaaS via VPN, and via managed IT devices, or route it via the enterprise IP address range–which kind of defeats the value of the cloud.

SaaS application diversity – Every SaaS application is created to uniquely solve a customer problem. Therefore, there are various user functions, file sharing and collaboration options that may differ from application to application, but may be subject to risk and compliance mandates. Firewalls and IPS can be extremely ineffective when it comes to understanding all of these unique knobs.

Myth #3 – The Biggest Risks To SaaS Are Stolen Credentials

SaaS services conceivably may be more secure than internally managed enterprise applications (depending on the security focus by the cloud provider), but their adoption introduces new attack vectors. They can range from sensitive corporate data being accessed by cybercriminals, sensitive corporate data being exposed or misused by authorized users, stolen credentials, and external attacks to SaaS applications.

Are these concerns real?

We know attacks are already happening today. We have seen Zeus variants configured to detect and extract data from Salesforce.com sessions (rather than online banking sessions).

Misuse and abuse of SaaS applications are related to the user, which in many cases is the weakest link, a fact that is well documented. Intentionally or maliciously, users are introducing risks to the business that IT is not aware of. When was the last time IT tracked and validated that users had not enabled public access for a financial spreadsheet in a SaaS application? When was the last time you received an alert that a user had authenticated to a SaaS application from multiple locations? Can IT validate that the download of customer information by a sales person meets his or her normal application usage pattern and is not data exfiltration?

Take Control of SaaS

In summary, it’s time to take control of your SaaS applications. Stop fighting shadow IT and stop thinking your existing security solutions work for SaaS. In my next article, I’ll dive deeper into the security requirements for SaaS.

Tweet me @DanelleAu @SecurityWeek on what other SaaS security myths I missed!

Written By

Click to comment

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.

Application Security

A CSRF vulnerability in the source control management (SCM) service Kudu could be exploited to achieve remote code execution in multiple Azure services.

Application Security

PayPal is alerting roughly 35,000 individuals that their accounts have been targeted in a credential stuffing campaign.

Application Security

Many developers and security people admit to having experienced a breach effected through compromised API credentials.

Application Security

A new report finds that barely 1% of all SBOMs being generated today meets the “minimum elements” defined by the U.S. government.

Cloud Security

Orca Security published details on four server-side request forgery (SSRF) vulnerabilities impacting different Azure services.