What’s influencing the current state of SaaS security compliance?
SaaS products host data ranging from low-sensitivity corporate information to highly critical IP and employee records, which makes them a pivotal entry point for several of the top concerns driving the security compliance imperative, especially as the use of AI in SaaS grows. Let us take a closer look.
Democratizing SaaS
SaaS applications may have revolutionized how organizations procure and deploy software, but each app employs its own settings and terminology to describe its security features. Consequently, no single guidance document can cover every scenario when configuring these settings, and product owners must navigate disparate security configurations, each requiring a tailored approach to compliance. This absence of standardized guidelines inevitably leads to inconsistencies in security posture across applications and exposes sensitive data. For example, according to a recent report, roughly 10% of all breaches involving leaky Salesforce Community sites were caused by ‘configuration confusion.’
Identity as a Safety Net
Threat actors continually focus on compromising authorized user accounts within SaaS applications. Once they gain access, these adversaries typically employ current Tactics, Techniques, and Procedures (TTPs) to move through the system and locate valuable data, and a traditional network perimeter offers no protection against activity carried out with legitimate credentials. The attack on Microsoft using malicious OAuth apps to breach accounts is a fitting example: the threat actors used password spray tactics against accounts without MFA, focusing on targeted user identities. Identity, specifically the management and security of user identities and access rights, has therefore emerged as the new frontline defense, the de facto perimeter for SaaS applications.
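The spray pattern described above is detectable from a SaaS tenant's sign-in log, which is the monitoring side of treating identity as the perimeter. The following is an added example, not code from the article or from any vendor: it runs over a constructed set of sign-in events (the field names `ts`, `user`, `src`, `ok`, `mfa` are assumptions), flags a source that fails against many distinct accounts in a short window, and reports which of the targeted accounts lack MFA or were actually signed into.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in events (not real telemetry). "ok" is whether the
# attempt succeeded; "mfa" is whether the targeted account has MFA enrolled.
SIGNIN_EVENTS = [
    {"ts": "2024-05-01T09:00:00", "user": "alice@corp.example", "src": "203.0.113.7", "ok": False, "mfa": True},
    {"ts": "2024-05-01T09:00:04", "user": "bob@corp.example", "src": "203.0.113.7", "ok": False, "mfa": False},
    {"ts": "2024-05-01T09:00:09", "user": "carol@corp.example", "src": "203.0.113.7", "ok": False, "mfa": True},
    {"ts": "2024-05-01T09:00:13", "user": "dave@corp.example", "src": "203.0.113.7", "ok": False, "mfa": False},
    {"ts": "2024-05-01T09:00:18", "user": "erin@corp.example", "src": "203.0.113.7", "ok": False, "mfa": True},
    {"ts": "2024-05-01T09:00:22", "user": "frank@corp.example", "src": "203.0.113.7", "ok": True, "mfa": False},
    # One user mistyping a password a few times is noisy but not a spray.
    {"ts": "2024-05-01T09:05:00", "user": "grace@corp.example", "src": "198.51.100.9", "ok": False, "mfa": True},
    {"ts": "2024-05-01T09:05:10", "user": "grace@corp.example", "src": "198.51.100.9", "ok": False, "mfa": True},
    {"ts": "2024-05-01T09:05:20", "user": "grace@corp.example", "src": "198.51.100.9", "ok": True, "mfa": True},
]

def detect_password_spray(events, window=timedelta(minutes=10), min_users=5):
    """Flag sources whose failed sign-ins hit >= min_users distinct accounts
    inside one sliding window (one guess per account across many accounts is
    the spray signature). Returns {src: sorted accounts it failed against}."""
    failures = defaultdict(list)
    for e in events:
        if not e["ok"]:
            failures[e["src"]].append((datetime.fromisoformat(e["ts"]), e["user"]))
    flagged = {}
    for src, attempts in failures.items():
        attempts.sort()
        start = 0
        for i, (t, _) in enumerate(attempts):
            while t - attempts[start][0] > window:  # slide the window forward
                start += 1
            if len({u for _, u in attempts[start:i + 1]}) >= min_users:
                flagged[src] = sorted({u for _, u in attempts})
                break
    return flagged

def accounts_at_risk(events, flagged):
    """For each flagged source: targeted accounts without MFA (the weak spot a
    spray relies on) and accounts the source actually signed into."""
    report = {}
    for src in flagged:
        hits = [e for e in events if e["src"] == src]
        report[src] = {
            "no_mfa": sorted({e["user"] for e in hits if not e["mfa"]}),
            "signed_in": sorted({e["user"] for e in hits if e["ok"]}),
        }
    return report
```

In the constructed data the successful sign-in to an account without MFA from the flagged source is the event an incident responder would act on first.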
Cross-border compliance & geo-specific tenants
To keep data segmented and comply with different local regulations, the coming years will see a significant rise in geo-specific tenants and in the effort required to secure them. Each geo-specific tenant needs its own setup and management tailored to the rules of its region, including security measures and data encryption that meet local standards such as GDPR in Europe or other regional privacy laws. Managing multiple tenants across regions only adds to the complexity of keeping security practices consistent. The AWS SuperGlue vulnerability, which crossed tenant boundaries with a failure of data isolation among its causes, is a case in point: the security of one instance of a SaaS-based application does not guarantee the security of all tenants.
Misconfigurations or insecure APIs
Default misconfigurations account for almost 63% of enterprise security incidents; a misconfigured ‘Access Control List’ in a SaaS-based application, for instance, can let unauthorized users pull data from company records, and depending on the nature of the data leaked, a misconfiguration can turn into an onerous fine. Further, because APIs are the vital components underpinning the functionality and connectivity of SaaS and cloud platforms, any vulnerability in them leads to immediate exposure of sensitive data to unauthorized users, much like the HubSpot data breach, in which the application’s insecure API keys exposed the sensitive data of over 1.6 million users.
Is it safe to say offensive security drives defensive security in the SaaS compliance landscape? Maybe. In Cisco’s platform breach, nation-state-backed hackers exploited two zero-day vulnerabilities in its firewalls for as long as five months, the latest network compromise being against its Adaptive Security Appliance (ASA) firewalls. Another example is the Snowflake breach, which exposed the confidential data of as many as 165 customers, reportedly because threat actors bypassed authentication mechanisms.
Security by design, not as an afterthought
By embedding security best practices at every phase of product development, be it architecture, design, or coding, businesses can proactively mitigate risks and ensure robust protection for their SaaS offerings.
Take CrowdStrike, for example: its root-cause analysis of the global outage that affected 8.5 million Windows systems revealed that testing during development and release of the Falcon EDR sensor did not uncover a latent out-of-bounds read, which resulted in a system crash.
Given the nature and longevity of such incidents, the crucial need for integrating security into the product engineering lifecycle cannot be overstated. Here’s a bird’s-eye view of a few best practices.
- Early Threat Modeling: Identify potential security threats and vulnerabilities during the design phase to proactively implement countermeasures.
- Secure Coding Practices: Adhere to secure coding guidelines and best practices such as data encryption, input validation, and authentication and authorization to minimize coding vulnerabilities.
- Continuous Testing and Validation: Conduct security testing regularly, such as penetration testing and code reviews, to identify and address security weaknesses before an attacker finds them.
- Secure Deployment and Configuration: Use configuration management tools to maintain consistent and secure deployment environments, minimizing configuration drift or potential misconfigurations.
- Monitoring and Incident Response: Establish real-time monitoring mechanisms to detect anomalous activities and promptly respond to security incidents, minimizing potential impacts.
- User Education and Awareness: Educate users about security best practices and ensure they understand their role in maintaining the security of their data and interactions with the SaaS product.
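The ‘Access Control List’ misconfiguration, the per-region rules of geo-specific tenants, and the configuration drift that the Secure Deployment and Configuration practice targets can all be caught by auditing each tenant against a declared baseline, which is what SSPM tooling automates. The block below is an added example, not code from the article or from any SSPM product; the setting names, the baseline values, and the two tenant records are constructed for illustration and do not follow any vendor's real schema.

```python
# Constructed baseline and tenant settings; the keys are illustrative, not any
# vendor's real configuration schema. A tuple rule is (operator, limit).
BASELINE = {
    "mfa_required": True,
    "public_sharing": False,
    "guest_access": False,
    "records_public_read": False,      # the ACL misconfiguration case
    "session_timeout_minutes": ("<=", 60),
    "api_key_max_age_days": ("<=", 90),
}
# Extra rules layered on the baseline according to a tenant's region.
REGIONAL_OVERRIDES = {
    "eu": {"data_residency": "eu", "retention_days": ("<=", 30)},
}
TENANTS = {
    "us-prod": {"region": "us", "mfa_required": True, "public_sharing": False,
                "guest_access": True, "records_public_read": False,
                "session_timeout_minutes": 30, "api_key_max_age_days": 365},
    "eu-prod": {"region": "eu", "mfa_required": False, "public_sharing": False,
                "guest_access": False, "records_public_read": True,
                "session_timeout_minutes": 60, "api_key_max_age_days": 90,
                "data_residency": "us", "retention_days": 30},
}

def check_tenant(settings, policy):
    """Compare one tenant's settings against a policy; return a list of
    (key, expected, actual) findings. A setting that was never configured
    (absent, so the vendor default applies) is reported as a finding too."""
    findings = []
    for key, rule in policy.items():
        actual = settings.get(key)
        if isinstance(rule, tuple):
            op, limit = rule
            ok = actual is not None and (actual <= limit if op == "<=" else actual >= limit)
        else:
            ok = actual == rule
        if not ok:
            findings.append((key, rule, actual))
    return findings

def audit_tenants(tenants, baseline=BASELINE, overrides=REGIONAL_OVERRIDES):
    """Apply the baseline plus the tenant's regional rules to every tenant."""
    report = {}
    for name, settings in tenants.items():
        policy = dict(baseline)
        policy.update(overrides.get(settings.get("region"), {}))
        report[name] = check_tenant(settings, policy)
    return report
```

Running the audit on a schedule and diffing successive reports turns a one-off review into the drift detection the practice list calls for.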
Notably, with the current advancements in AI, including SaaS Security Posture Management (SSPM) tools, many of these best practices can now leverage the power of AI, especially in monitoring and automating compliance.
Product engineering with a security-first mindset not only strengthens the overall cybersecurity posture of SaaS offerings but also makes security a shared responsibility across all teams, from the design stage through deployment to support. Partnering with SaaS providers who have this mindset makes for compliant products that not only mitigate legal and regulatory risks but also build customer trust, which is critical to the end outcome.