The US Department of Defense (DoD) has 3 million employees and 4,800 locations in 160 countries. The IT requirements of an organization like the US Department of Defense are, to put it mildly, unique. So, it came as a surprise to many in the space when the DoD announced they would be transferring IT resources to the cloud in April of 2019.
The DoD’s decision underlines just how ubiquitous cloud-based technology has become. It’s no longer “if,” but “when” and “how” to move to the cloud. While there are still a few stragglers in the large enterprise space, SMEs have embraced the cloud, and in particular SaaS applications, wholeheartedly. Just take a look at the percentage of companies that will be running purely on SaaS by 2022.
This adoption of SaaS products makes sense for several reasons. SaaS applications are often the most affordable and attractive option out there for SMBs. They often lead to lower CapEx and operational overhead, while also offering quick deployment compared to on-premise software. It’s a winning combination.
SaaS Security Issues
It’s no surprise then that with near-universal SaaS adoption, SaaS security issues have increased too. As mentioned above, SaaS products are relatively straightforward to deploy, and therefore individual business units within a company can often procure them without oversight from IT or security teams. According to one study conducted by Frost & Sullivan and sponsored by McAfee, more than 80% of respondents use non-approved SaaS applications in their jobs.
As the number of SaaS tools in an organization explodes, so too does the opportunity for inconsistent and problematic security policies. If you have an inkling that this is happening in your organization, it’s not too late to get a handle on it. Here are four SaaS security issues that need to be top-of-mind in 2020.
In 2016, an attack compromised 68 million Dropbox user accounts. The attackers exploited an improperly secured employee password to obtain email addresses and hashed and salted passwords from breached accounts that were created in 2012 and earlier. Dropbox is just one example of the many high-profile breaches that have occurred in the last decade.
The nature of data stored in SaaS applications makes data breaches particularly problematic: This data often includes financial information, customer data, intellectual property, and other sensitive information. In light of this, SaaS suppliers and customers should ensure that they have in place appropriate technical and organizational measures to keep personal data safe and a protocol for responding to breaches if they do occur.
Another SaaS security issue is the loss of data access control: The IT department no longer has complete control over which user has access to what data and the level of access. Employees may accidentally delete data, resulting in data loss, or expose sensitive data to unauthorized users, resulting in data leakage. The darker side of employee risk involves acts with malicious intent. The results are devastating.
In one of the most high-profile intrusions to date, South Koreans learned in January 2014 that data from 100 million credit cards had been stolen over several years. What ensued was chaos. More than 2 million South Koreans subsequently had their credit cards blocked or replaced. What followed for the organization was senior executive resignations, government investigations, and financial loss.
Behind the theft was an employee of the Korea Credit Bureau (KCB), a solvency company. While one would imagine a highly sophisticated operation, he merely copied the data to an external hard drive. He then resold the data to credit traders and telemarketing companies.
Phishing is a hacking method in which the attacker sends a malicious message, usually an email, but sometimes a text message, Skype, or Slack message. Phishing attacks have become the primary hacking method used against organizations. Phishing attacks targeting SaaS applications exploded by 237%.
One of the most well-known examples of phishing occurred during the 2016 US presidential election, when former White House chief of staff and the chairman of Hillary Clinton’s campaign, John Podesta, had his personal Gmail account hacked.
These attacks aim to use the familiarity users have with the SaaS platform to trick them into handing over other credentials, creating an interaction that results in widespread credential theft. Just take a look at the email that tricked Mr. Podesta.
Malware propagation is a significant SaaS security issue and a constant threat to SaaS applications. With SaaS applications acting as storage clouds, they become an effective distribution medium for malware. On average, one in three corporate instances of SaaS apps contained malware, and Microsoft OneDrive had the highest rate of infection at 55%.
Managing the Top SaaS Security Issues
Increased organizational awareness of these SaaS security issues can ensure that they are mitigated and eliminated. Assessing risks and implementing intelligent controls helps to enhance the security of your SaaS applications.
Many companies focus on asking questions about SaaS security during the sales process. Given the evolving threat landscape, it’s crucial to ensure you also assess the threats from emerging technologies and cyber threats.
You don’t have to go it alone: With a SaaS application management platform like Augmentt, you can easily track usage of unauthorized SaaS applications to enforce SaaS security policies.
Want to learn more? Please check out our SaaS Security eBook.