Software-as-a-service (SaaS) solutions give unprecedented flexibility to any business. You can access them in the cloud whenever you want to and wherever you are. They allow you to minimize your hardware expenses and scale up and down whenever necessary. What’s more, they can be easily integrated into a single workflow. But despite the increasing adoption of cloud-based software products, SaaS security concerns persist. In a study conducted in 2021, as many as 98% of surveyed businesses had experienced at least one security incident in the previous 18 months.
So, does this mean that all those claims about SaaS product security are nothing more than hype? Well, it isn’t that clear-cut. This article will give you a basic understanding of the nature of SaaS security risks and how you can prevent them.
The Main Cloud SaaS Security Challenges
Today’s SaaS environments include, on average, 42 third-party applications. On the one hand, having most data and processes off-premise is extremely liberating for a business. On the other, controlling so many apps is a real challenge. And that’s where two key SaaS data security concerns — the lack of visibility and insufficient access management — stem from.
The Lack of Visibility
According to one survey, six out of ten business owners view the lack of visibility into their SaaS environments as one of their major cybersecurity challenges. And it’s not only because of the number of apps they need to keep a close eye on. Each of these applications comes with an individual set of security characteristics, access settings, and privacy policies, which are constantly changing as providers upgrade their products. To top it all off, let’s not forget about the variety of devices each SaaS app can be accessed from. As a result, security teams have little knowledge of the real risks to the company data.
Insufficient Access Management
With businesses overwhelmed by the number of third-party apps in their cloud environments, only 12% of those with 50-99 apps in their SaaS stack actually conduct weekly misconfiguration checks. Add to this the pervasive reliance on SaaS app providers for security, and it becomes clear why the majority of businesses consider inadequate access management another major security threat: many security teams don’t have a full picture of who accesses the company’s data, in what manner, or what kind of data is being accessed.
Together, these two control issues have the potential to cause massive data leaks, making your systems more vulnerable to a variety of cyber threats, such as account hijacking, ransomware attacks, phishing campaigns, and insider threats. Now, let’s take a look at some cases and the lessons that can be learned from them.
SaaS Security Incidents and What They Can Bring About
Let’s face it: to many of us, all those statistical findings are just numbers, and the warnings of cybersecurity experts can feel unconnected to our own situation. Still, like it or not, data leakages and cyberattacks are real. Below we’ve highlighted three cybersecurity incidents that center around (or at least involve) SaaS apps you know and may use.
Jira’s Global Data Leak
In August 2019, one security researcher discovered that thousands of companies, including NASA, unwittingly leaked some of their data online due to a single misconfiguration in Jira.
It turned out that when you create dashboards and filters in Jira, the platform lets you choose between a few permission settings for who can view them. And that’s where the problems begin. Some admins assume that “all users” or “everyone” means “open to anyone in the company”; however, these settings actually make the items publicly viewable and indexed by search engines. Worse still, these options are the defaults.
Threat researchers from Varonis revealed that as many as 3,774 dashboards, 244 projects, and 75,629 issues were publicly accessible, with the majority of these assets having made their way onto the open web accidentally. Project names, avatars, owners, statuses, and user emails are the most common data assets that have leaked this way. Using this information, attackers can craft phishing campaigns, launch password spraying or credential stuffing attacks, or target even more sensitive systems.
SolarWinds Supply Chain Attack
In late 2020, security vendor FireEye reported a massive cyberattack against SolarWinds — a prominent American IT infrastructure management software provider. According to its CEO, Sudhakar Ramakrishna, the bad actors broke into the company’s Office 365 account, gained access to SolarWinds’ personnel accounts, and used them to inject malicious code into the vendor’s Orion software update, which was then pushed to about 18,000 customers. Interestingly, neither investigators from SolarWinds nor Microsoft detected any vulnerabilities in the Office 365 code that could be exploited by the hackers. Both point to the theft of credentials, rather than a vulnerability.
The incident took place in 2019 and, according to threat researchers, has affected over 100 U.S. private corporations and the networks of nine federal agencies. These included Microsoft, Cisco, and Deloitte, as well as the Pentagon, the Department of Homeland Security, and beyond. Based on a 2021 IronNet report, the affected companies lost, on average, 11% of their annual revenue.
Thousands of Zoom Meeting Recordings Available Online
When the pandemic hit, Zoom saw an unprecedented surge in popularity, from 90 million daily users in December 2019 to 200 million in March 2020. Apart from the increase in the company’s stock price, this has sparked a wave of data privacy concerns.
For example, in April 2020, researchers discovered thousands of private Zoom meeting recordings on the open web, where anyone could watch and even download them. Was that the result of a massive data breach? Not at all. The catch is that Zoom allows users to save their recorded meetings in their preferred location without a password. This is further exacerbated by the fact that you can save the recording with its default title, which is the same as the topic of the e-meeting. As a result, if you save your video in, say, an Amazon Web Services (AWS) S3 bucket, anyone can find it via a simple cloud storage search.
SaaS Security Best Practices
Based on the 2021 SaaS Security Survey Report, 89% of surveyed companies reported SaaS misconfigurations as one of three major cybersecurity threats. Researchers found this to be the main source of cybersecurity issues presented in the report.
In other words, it’s not that the SaaS apps have inherent security flaws, but the way we use these apps is the key cause of software-as-a-service security mishaps. An article on cloud security states that by 2025 as many as 99% of cybersecurity incidents will simply be the customer’s fault. So, how can you ensure the security of your SaaS applications? Here’s what we recommend.
Evaluate All Your Risks
In cloud-first settings, most (if not all) applications are integrated into a single ecosystem. Given that, you should regularly audit each app in terms of compliance, available access restrictions, the level of protection against hacking attempts, and so on. This will allow you to define and assess the risks each app poses to your cloud environment.
Automate as Much as You Can
There’s no denying that continuously monitoring a whole lot of third-party apps is a daunting task — that’s one reason many organizations fail to keep tabs on all their apps and detect issues in time. To ensure that nothing slips through the cracks, we strongly recommend you take a closer look at automation tools, such as SaaS Security Posture Management (SSPM) solutions. They can do the job for you.
Many researchers agree that misconfigurations — and poor access management in particular, the most common kind of misconfiguration — pose a serious SaaS cybersecurity risk. To mitigate this, make sure you get the maximum out of each app’s security settings. Is there multi-factor authentication? Switch it on. Does your app allow for various levels of user access permissions? Analyze who will be using the tool and set up permissions accordingly.
Embrace the Least-Privilege Access Policy
Minimize the number of users who can access your corporate data as much as you can. Follow the rule of thumb: if a given user access restriction doesn’t negatively affect your workflow, go with it. This will help avoid incidents similar to the one Jira users faced.
People tend to be careless with corporate data. DoControl found 20% of all corporate SaaS assets are being shared internally with a link and 18% externally, exposing data to non-authorized users. Developing app usage standards to guide your staff will help minimize data leaks like these.
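As an added illustration of the weekly misconfiguration check recommended above, of the Jira “everyone” and Zoom/S3 exposures described earlier, and of the link-sharing statistics in the last paragraph, here is a small Python audit. It is not part of this article and is not Help Desk Migration’s own tooling. It assumes a hypothetical cross-app inventory in which each asset carries the sharing label its app shows plus the e-mail domains of its collaborators; real SSPM products obtain this from each vendor’s API. The company domain, asset names, and share labels are constructed sample values.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Share-scope labels that, as in the Jira case above, actually mean "anyone on the internet".
# Constructed list; extend it with each app's own wording for public sharing.
PUBLIC_SCOPES = {"everyone", "all users", "anyone", "public", "anyone with the link"}


@dataclass
class Asset:
    """One item from a hypothetical cross-app SaaS inventory (constructed, not a real API)."""
    app: str                      # owning SaaS app, e.g. "jira", "zoom", "drive"
    kind: str                     # dashboard, filter, recording, document, ...
    name: str
    share_scope: str              # the app's own label for who may view the item
    external_domains: List[str] = field(default_factory=list)  # collaborator e-mail domains
    storage_public: bool = False  # e.g. a recording stored in a world-readable bucket/object


Finding = Tuple[Asset, str, str]  # (asset, severity, explanation)


def audit(assets: List[Asset], company_domain: str) -> List[Finding]:
    """Flag assets that are publicly readable or shared outside the company.

    PUBLIC   - the share scope is a label that means "internet-wide", or the
               underlying storage itself is public (the Zoom/S3 case).
    EXTERNAL - visibility is restricted, but at least one collaborator belongs
               to a domain other than the company's.
    Everything else is treated as meeting a least-privilege baseline.
    """
    findings: List[Finding] = []
    company = company_domain.lower()
    for a in assets:
        scope = a.share_scope.strip().lower()
        if scope in PUBLIC_SCOPES or a.storage_public:
            findings.append((a, "PUBLIC",
                             "readable by anyone on the internet; restrict to named users or groups"))
            continue  # public already dominates; no need to also report external sharing
        outsiders = sorted({d.lower() for d in a.external_domains} - {company})
        if outsiders:
            findings.append((a, "EXTERNAL",
                             f"shared outside {company}: {', '.join(outsiders)}"))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per severity so a weekly check can be tracked as a trend."""
    counts = {"PUBLIC": 0, "EXTERNAL": 0}
    for _, severity, _ in findings:
        counts[severity] += 1
    return counts


# Constructed sample inventory for the hypothetical company "acme.example".
SAMPLE_INVENTORY = [
    Asset("jira", "dashboard", "Q3 roadmap", "Everyone"),            # Jira's public default
    Asset("jira", "filter", "Open bugs - payments", "Project members"),
    Asset("zoom", "recording", "Board meeting 2020-04", "Owner only", storage_public=True),
    Asset("drive", "document", "Customer contact list", "Anyone with the link"),
    Asset("drive", "document", "Vendor contract", "Specific people",
          external_domains=["partner.example", "acme.example"]),
    Asset("drive", "document", "Team notes", "Specific people",
          external_domains=["acme.example"]),
]


def run_sample() -> Dict[str, int]:
    """Audit the constructed inventory, print each finding, and return the severity counts."""
    findings = audit(SAMPLE_INVENTORY, "acme.example")
    for asset, severity, why in findings:
        print(f"[{severity}] {asset.app}/{asset.kind} '{asset.name}': {why}")
    return summarize(findings)


if __name__ == "__main__":
    print(run_sample())  # {'PUBLIC': 3, 'EXTERNAL': 1} for the sample inventory
```

The check deliberately treats a public storage location as PUBLIC regardless of the app’s own share label, because the Zoom recordings above were exposed by where they were stored, not by a Zoom setting. In practice the inventory would be rebuilt from each app’s API on a schedule and the severity counts compared week over week.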
Educate Your Staff
The lax attitude toward corporate assets might also stem from the fact that some employees are not trained in how to manage data responsibly, or are unaware of the need to do so. A formal security awareness program with regular training sessions will address this. It’ll also reduce the risk of attacks that rely on social engineering techniques.
Modern SaaS environments are “overpopulated”. Research demonstrates that over half of applications within an average SaaS stack haven’t been used in over six months. Having so many apps that might contain sensitive data is an unreasonable risk. So, get rid of excess apps whenever they are detected.
Carefully Scan Each App Before Onboarding Any to Your Stack
The more apps you have, the more serious the cybersecurity risks you expose your data to. Given that, be particular about each and every app you’re planning to use for your business. The following questions will help you filter out unreliable vendors:
- Does the design of the access control system allow for the prevention of network security issues?
- Do the access settings contain various levels of user access restrictions?
- Do you need to comply with regulations like GDPR or HIPAA (or any other regulation relevant to your case)?
- Are you ready to undertake external cybersecurity checks?
- Do you hold any cybersecurity certifications, such as ISO?
- Can your customers control where their data is stored?
- Where do you store the app data? Is it with a prominent cloud provider, like AWS, or a private data center?
- Do you encrypt data in transit and at rest?
- How long do you retain data in your app before deleting it?
- How do you prevent the user data from being lost in a natural disaster?
This is the basic SaaS security checklist, and other considerations might be necessary for your particular business. But here comes the next challenge. For example, you’ve realized that your current customer support platform happens to have numerous security vulnerabilities and you want to switch to a more secure option. So, the question is, is there a secure way to migrate your data easily from one platform to the other? Find the answer below.
How Help Desk Migration Stays Clear of Cybersecurity Risks
If you’re looking to migrate your help desk data securely, there’s no need to scour the internet for a trusted data migration vendor. Just let our data migration automated solution — Help Desk Migration — do the job for you safely. Here are some of the SaaS security standards we follow to safeguard your data.
At Help Desk Migration, we strongly believe that an app’s security in terms of its design is purely the vendor’s responsibility. Migrating help desk data with our service is safe due to the following measures:
- Employee access protection. All devices our employees use to access our service are encrypted (so no onlooker is able to read their contents), and none of them can sign into our web apps without two-factor authentication. Besides, the Help Desk Migration Platform administrators, as well as remote employees, use a VPN. Additionally, only authorized tech engineers can access the source code, implement Custom Migration, and resolve technical issues upon the support team’s request.
- Data retention policy. We remove all the migration data ten days after the Demo Migration and five days after the Full Migration (we can shorten or prolong the retention period upon your request). And we don’t store client passwords.
- Production environment protection. We go above and beyond to ensure that our development team can work on our service in a protected environment. This includes a slew of measures, including public/private key exchange instead of passwords to access servers, two-factor authentication for the admin panel, strict firewall configuration, and so on.
- Infrastructure. Our entire infrastructure is located in Germany and hosted by AWS. We install and manage all data silos within this infrastructure, except for the backup copies stored in AWS S3. Besides, we’re very particular about the physical security of our servers and services.
- Protection of data in transit and at rest. Our private network is heavily secured with firewalls and anti-DDoS safeguards, not to mention regular network posture assessments. SSL encryption protects the data that flows over the internet. We also use disk encryption to safeguard static data, so only authorized users can read it.
Although our service is secure by design, we take a variety of organizational measures to eliminate even the slightest chance of leakage. These include:
- Confidentiality. Before onboarding, all our employees sign a special clause in the employment contract, which obligates them not to disclose any confidential information associated with the Help Desk Migration service.
- Business continuity. We pledge to provide our services for at least six months.
- Security audits. We regularly scan our systems for vulnerabilities and make upgrades where necessary.
- Disaster recovery. We take all the necessary measures to make sure that your data remains intact after a natural disaster.
- Segregation of duties (SoD). To minimize risks, we adhere to SoD policies. This means that instead of giving a single employee full control of a certain process, we disperse this function among multiple team members.
And of course, no reliable SaaS solution is complete without a variety of security settings, allowing users to benefit from complete protection. When it comes to Help Desk Migration, these include:
- Two-factor authentication. Our sign-in procedure isn’t limited to the traditional combo of a password and email. We recommend turning on two-factor authentication for increased security.
- Access monitoring. In Migration Wizard — our tool that allows you to customize your data structure — all user activity is stored. You can view the IP address, device data, and the time of the login.
We also recommend that our users change their passwords and revoke the access permissions granted to us to move their data five days after migration. If you think you’ve spotted a vulnerability, we are always happy to discuss it.
We take pride in our large portfolio of compliances, which we keep updated and often add to. For the time being, we adhere to HIPAA, EU GDPR, ISO/IEC 27001:2013, and PCI DSS.
This is a brief overview of how we ensure safe data migration. If you are willing to learn more about what measures we take to protect your data, you can take a look at our Security Policy page, familiarize yourself with our Service Level Agreement, or ask us to fill out a security questionnaire.