We’ve seen rapid, widespread adoption rates for Software as a Service (SaaS) apps over the last 24 months as organizations adapt to post-COVID business operations. And all signs point to continued growth. In fact, Gartner predicts that worldwide spending on cloud services will grow more than 18% in 2021 (and in 2022). This isn’t hard to believe when you consider the fact that an application like Microsoft Teams added 95 million new users in 2020 alone.
Understanding the Risks
SaaS application security risks fall into three primary buckets. The first is a business operational risk that may cause a downtime incident, the second is data loss and data leakage due to human error or cyber threats, and the third is compliance or regulatory issues. Any organization using SaaS apps needs to be aware of these potential risks and understand that even legitimate, reputable applications could cause problems in these areas. So, it’s not just the malicious applications or browser extensions created by cyber criminals you need to be worried about.
And the cost of this risk is real. For example, according to IBM’s 2020 Cost of Data Breach Report, the average data breach cost in 2020 was $3.86 million. Keep in mind, that’s the average. Norsk Hydro claimed its final bill was more than $75 million. If we’re looking at ransomware specifically, the average recovery cost paid in 2020 was a staggering $312,493 (a 171% year-over-year increase). And finally, compliance-related penalties can have a significant impact on the bottom line as well. For example, GDPR violations can eclipse 200 million Euros or 4% of total global turnover (whichever is higher). In short, you simply can’t afford to turn a blind eye to SaaS app risks.
You might be wondering how likely you are to encounter these issues. The answer is more likely than you think! Application security vulnerabilities account for a massive 43% of data breaches, and even world-renowned tools can be vulnerable. Just look at the security issues Zoom experienced over the last 12 months. As for ransomware infections via apps, hackers even disguised a malicious app as a COVID-19 map tracker loaded with AZORult malware. The endless list of real-world issues proves SaaS apps security is a real concern.
It’s vital to understand the dangers third-party SaaS applications can introduce for your company. In an ideal world, your Security Operations team would thoroughly perform a manual risk assessment for each application or extension before use. However, with most employees still working remotely and administrators struggling with limited control over their users’ activity, this may not be a reality today.
In most cases, the threats from these apps come from two different perspectives. First, the app may try to leak your data or damage it. And second, it may be a legitimate app, but the code may be poorly written and includes multiple vulnerabilities. Poorly coded applications can introduce vulnerabilities that lead to supply chain attacks like SolarWinds. Many expect cloud and SaaS providers to take responsibility for security, but this isn’t realistic. In fact, Google takes no responsibility for the safety of the applications on its Marketplace, so any third-party app or extension downloaded by employees becomes the organization’s express responsibility.
Why SaaS Became a Ransomware Target
Ransomware has been around for years. But SaaS platforms and services have become increasingly critical for business success over the past decade. Moreover, as the pandemic has driven massive growth in remote workforces, the cloud has become an even more enticing (and lucrative) target for cybercriminals. As a result, cloud ransomware is on the rise. This new generation of cyber extortion spreads through the cloud and encrypts SaaS data associated with cloud services.
As cloud services accumulate vast numbers of users in a single ecosystem, they become prime targets for attackers. And as cybercriminals release increasingly sophisticated algorithms each year, protecting against ransomware is becoming more challenging. For example, new ransomware attacks block on-premises antiviruses and backup agents, delete backed-up data and download sensitive information. They steal a victim’s saved credentials from web browsers and email clients – and even threaten to upload private data publicly if the victim doesn’t pay the ransom – and more.
Installing a SaaS app means giving it permissions to access your data, including mail, files or profile information. Granting permissions is an expected procedure, like accepting a user agreement. So it’s no wonder why authorizing apps to access cloud data hardly raises suspicion within most organizations.
But there’s a catch. By granting permissions to a seemingly harmless cloud app, an employee may be giving access to a hacker without realizing it. Cybercriminals can embed malicious code into an app to get access to and control data. If an employee installs a malicious app, a cybercriminal could review, edit, delete and encrypt your files. And of course, cybercriminals will try to profit from getting access to your data. They steal business data to sell on the dark web or encrypt the files with ransomware and demand money for decryption.
Improving SaaS App Security
Unfortunately, there’s no silver bullet that can help you to keep your business data 100% secure in the cloud. But the good news is that a combination of best practices and technology can help you significantly reduce the impact of these risks. There are three essential best practices for mitigating SaaS app security risks. First, offer regular security awareness training for your employees. Next, install a risk assessment solution that can monitor and assess multiple risk factors on the fly and report potential security threats. And lastly, use security policies to automate allow-list and block-list management.
On the technology side, consider adding a SaaS application security solution that can automatically scan all third-party apps connected to your cloud environment to get complete visibility of what is going on in your organization. Beyond that, analyzing daily log records can uncover abnormal behaviour patterns among your apps and employees. This can help identify risks and prevent banned app downloads in real-time.
You also need a backup tool for your data. Malicious third-party apps or extensions can infect your data with ransomware or delete it, so a reliable backup solution is an indispensable element of your disaster recovery strategy. Finally, ransomware is growing fast, so you need dedicated ransomware protection capabilities that can prevent attacks from third-party applications.
Just remember that you need a way to immediately flag and stop these attacks in their tracks. In 99% of cases, responsibility for security incidents and data breaches is ultimately yours. Use the above best practices to mitigate SaaS application security risks and avoid becoming just another security statistic.
The original post "Understanding SaaS App Risks and How to Mitigate Them" was written by Dmitry Dontov, CEO and Chief Architect of Spin Technology and posted on MyTechDecisions.com