Unboxing SaaS to reveal out of the box pain points

I’m thankful that we have finally gotten past much of the fear, uncertainty, and doubt associated with the cloud.  This has given rise to wholesale adoption by many companies to such a point that the long and laborious system installation and configurations of the past are mostly forgotten.  Unfortunately, the ease and speed of cloud adoption have also led to some complacency.  It is far too common for companies to purchase and use a SaaS solution with the assumption that it is ready to use “out of the box.”  While these services may be fully functional, they are far from secure.

Your first thought might be to accuse cloud service providers of offering a substandard product, but this is not the case.  It all comes down to expectations.  Cloud ease of use has many thinking of it just like any other product.  We buy a car and expect it to have passed safety tests, so a new car should be safe to drive.  However, it is easy to forget that most accidents occur not from faulty manufacturing but faulty use.  Similarly, SaaS solutions need a bit of configuration before they can meet your security needs.  Let’s explore some of the most common gaps.

Insufficient logging

Logs provide a record of what has occurred on a computing system—for example, logging into your email to retrieve new messages, downloading a file, or updating a document.  These events, as well as system actions, can all be tracked in log files.  SaaS solutions often have many options for what is logged and how long such data is retained.  This may seem unimportant until a system is compromised and log files are needed to identify the scope of impact, root cause, and remediation steps.  The default settings on many services do not capture enough information for a thorough investigation.  This can put your company in an uncomfortable position where you cannot determine if data was exposed, how much data was exposed, and how the system was compromised.

Standard Authentication Mechanisms

The usernames and passwords that have served us for decades are insufficient for today’s threat environment.  Multifactor authentication (MFA) is now the standard for protecting account access, and it must be enabled on cloud services before it can be used.  Many cloud services support various MFA options so that a company can choose one that works best for them, such as one they have already adopted elsewhere.

Decentralized Identity Management

The average employee is using dozens of cloud applications.  This can be a nightmare for organizations to manage and difficult to secure when employees change positions or leave the company if each system has its own account.  Instead of managing access independently per application, many cloud services support integration with the company’s existing enterprise identity management system.  Once the service is connected, accounts across many platforms can be managed and associated with a single identity.

Improper Privilege Assignment

Those who purchase cloud services do not always fully understand the rights and privileges employees need to perform their jobs.  It may seem easy to give employees heightened privileges to do whatever might come up in the course of their job, but this leaves many employees with a host of privileges and access to data that they do not need.  This access can be abused, either by employees or by a malicious outside if an account is compromised.  Employees with elevated privileges might also accidentally perform wide-ranging actions with serious repercussions.

Cloud services offer many options to configure which parts of the service can be accessed and what functions can be performed.  It is critical for companies to establish roles that match job duties and then assign permissions that provide only the access and functions necessary to perform those duties.  When done correctly, new accounts can be provisioned by assigning the correct role to the individual, and they will then receive all the permissions associated with that role.  This process requires an understanding of how the application will be used and the different types of roles involved.  It is best to design access at the beginning to avoid unnecessary changes and security risks associated with improper privilege assignment.

Lack of Compliance

Cloud services make it easy for companies large and small to do business in a wide range of countries and regions where regulations may specify differing requirements for handling data.  Some of the most well-known requirements are GDPR and CCPA, privacy regulations from the EU and California that specify how consumer data must be handled, when it must be deleted, and how much information companies must supply to consumers regarding the information they collect, and how it is used.  Additionally, regulations may specify where data can be stored.

SaaS solutions often support these requirements, but they must be configured to capture and supply the data to the right people.  For example, you may need to specify which regions the cloud service will store your data.  This also includes the locations where data may be housed when primary servers are unavailable or where backups are stored.   Some solutions have compliance portals where information can be easily searched, protected, migrated, or purged.  Make sure you familiarized yourself with the options available to ensure they meet your compliance needs

Wrap Up

Now that we have unboxed the gaps, what should you do to ensure that the package meets your needs?  Firstly, consider conducting a configuration audit of the SaaS systems you are currently using to identify additional items that should be configured.  Secondly, assign responsibility to someone in the organization to track changes to SaaS solutions and determine how that impacts your security risk profile.  Lastly, ensure due diligence in SaaS selection by conducting an assessment of the features available and your business and compliance requirements.  Reevaluate providers annually to ensure that they are still meeting your needs as the security threat environment changes.

About the author

Eric Vanderburg is the Vice President of Cybersecurity at TCDI and a well-known author, blogger, and a thought leader.  He is also affiliate faculty at Cleveland Marshall College of Law and serves on several boards.  Vanderburg is best known for his insight on cybersecurity, privacy, data protection, and storage and has published books on storage networking and cloud computing. He is passionate about sharing cybersecurity and technology news, insights and best practices. He regularly presents on security topics and publishes insightful articles. You can find him throughout the day posting valuable and informative content on his social media channels.


Hot Topics

Related Articles