Cloud-based applications pose new risks to company data. Here’s how to protect yourself from SaaS security risks.
ORLANDO, Fla. -- While the cloud has brought speed, agility and reduced capital costs to enterprises, it also exposes companies to new kinds of application security risks.
That’s because a multitenant, dispersed cloud computing architecture has made it much easier for malicious actors to access company data—whether that data consists of employee addresses and salaries or intellectual property and internal strategy documents. Software as a Service (SaaS)-based applications now present a new level of data security risk, said Jonathan Rosenberg, vice president and chief technology officer in Cisco’s collaboration division, at Cisco Live 2018.
SaaS security risks could create a “business-ending breach” for companies that don’t understand their vulnerability in the cloud era, Rosenberg noted. Given that 93% of companies use SaaS-based applications, they need to grasp the risks.
“Every document, every PowerPoint, every business strategy—this data is the lifeblood of your business,” Rosenberg said. “These are devastating problems if this data gets breached.”
In the old days of client/server architecture, Rosenberg explained, companies had certain tried-and-true methods to secure proprietary data: Companies encrypted their data in transit and at rest and then checked off the box for having adequate security measures in place. But they didn’t have to consider the status of off-site servers storing data and running applications—servers that cloud providers manage today.
With SaaS, companies allow their data to be placed on multitenant servers, where it may commingle with others’ data. That, Rosenberg said, creates a “honeypot” problem, in which sensitive information is at greater risk because it is aggregated in one place. He compared this to banks closing their branches and placing all customers’ money, jewelry and other valuables in just one vault.
But SaaS security risks are particularly dangerous because of a second problem, Rosenberg noted. Here, “data flows like water—all over the place,” Rosenberg explained: application data is now far more permeable and diffuse. Companies consume SaaS-based applications. But so do their vendors and partners. “Almost every vendor consumes SaaS services themselves: for analytics, data management, and so forth,” he said.
Moreover, developers can access cloud-based apps through application programming interfaces and drop that software into their own apps. All it takes, Rosenberg said, is one compromised bit of code, copied and embedded in your company’s own app, and malicious actors are off to the races.
“This is hard to contain because it’s become so easy,” Rosenberg said. He explained further that SaaS security risks can spread like wildfire as companies, their vendors and partners now exchange data and applications freely in this architecture.
“This is an exponential process. SaaS services in the cloud involve thousands of microservices changing daily and the data bounces around in many places,” Rosenberg said. “For the bad guy, all he has to do is find the weak link in the chain.”
Rosenberg discussed strategies that SaaS vendors rarely employ but should in order to ensure application security in the cloud. Cisco has worked to build these kinds of security safeguards into Webex Teams, Rosenberg said.
Further, he explained how SaaS vendors need to bring encryption to the content that resides in SaaS applications through what he described as “end-to-end protection.”
1. End-to-end encryption. First, Rosenberg said, consider the encryption of content in the SaaS application itself. With end-to-end encryption, he said, there is a key in the client/server database, and the application receives a key. When content is created by a user—whether that is a PowerPoint slide or a chat message or a Word document—it is then encrypted. That content is not only encrypted in transit and at rest, but at the point of creation.
“It’s a new paradigm, where the content that is created is encrypted between creation and use,” Rosenberg said. He acknowledged that this is more complicated and difficult to manage because of the additional layers of security.
Rosenberg made a few additional recommendations that involve building security into the SaaS application itself:
2. Build security into mobile apps. Companies need to ensure that mobile devices that are lost or stolen can secure the data residing in an app, whether on a personal or business device. Mobile-device management technologies help, but these tools address the security problem “after the fact.” It is preferable to build security into the app in the first place, he advised.
3. Require PIN security. Rosenberg noted that 7% of business users using apps on mobile phones don’t use a security PIN. For an application like Webex, that could open up a company to a data security breach via a user’s personal phone. SaaS vendors should require a PIN code in their mobile app.
4. Secure access without VPN connection. With SaaS-based apps, users may not need to use a VPN to access sensitive company data. “SaaS applications are susceptible to attacks that were prevented by your VPN.” The app should require a specific set of certificates to run, Rosenberg said.
“I am a believer in the cloud,” Rosenberg said. “SaaS allows us to move fast and do more for users, but these security problems need to be addressed. And the silver lining is they can be.”
Lauren Horwitz is the managing editor of Cisco.com, where she covers the IT infrastructure market and develops content strategy. Previously, Horwitz was a senior executive editor in the Business Applications and Architecture group at TechTarget, a senior editor at Cutter Consortium, an IT research firm, and an editor at the American Prospect, a political journal. She has received awards from the American Society of Business Publication Editors (ASBPE), a min Best of the Web award and the Kimmerling Prize for best graduate paper for her editing work on the journal article “The Fluid Jurisprudence of Israel's Emergency Powers.”