By now, we’ve all heard the prediction by Gartner: Through 2025, 99 percent of all cloud security failures will be the customer’s fault. Common “customer’s fault” scenarios include over-privileged users, lax enforcement of security controls, and failure to monitor for and detect configuration drift.
While emphasizing the greater responsibility by cloud service customers, this prediction also illustrates the increasing maturity and security features of cloud services. Although I agree with this prediction, you should not accept it lying down. This isn’t a nut that’s impossible to crack. In fact, the Infrastructure-as-a-Service (IaaS) market has a history of using Cloud Security Posture Management (CSPM) solutions to monitor and detect configuration deviations. It is now time, however, to evolve this approach to the Software-as-a-Service (SaaS) market.
Even in the best of times, according to one security-focused publication, misconfigurations represent the greatest risk to security, compliance, and system uptime. IBM reported a stunning 424 percent year-over-year increase in data breaches due to cloud misconfigurations caused by human error in 2018. This year, with COVID-19, IT teams are struggling to keep up with massive changes to day-to-day operations and the accelerated rate of cloud adoption associated with a remote and virtual workforce. It is a perfect recipe for error.
Take the case of Avon, the cosmetics brand. The company, which was alleged to have suffered a ransomware attack in June of this year, found itself at the center of a significant new security incident after inadvertently leaving a Microsoft Azure server exposed to the public internet without password protection or encryption. Discovered by a security tool comparison service, the vulnerability meant that anybody who possessed the server’s IP address could have accessed an open database of information.
As organizations attempt to tackle the security of SaaS applications, they will face a challenge right off the bat, beyond the ones they may have experienced with IaaS security. Each SaaS application is unique. Salesforce, Office 365, and Workday are all considered business-critical SaaS applications, yet each is designed to address a specific set of business needs. Security controls for a CRM service cannot be applied as-is to an office productivity suite or an HR application. This is a far cry from the relative standardization organizations see among IaaS providers (i.e., AWS, GCP or Azure).
You’ll soon realize that you cannot realistically tackle this challenge manually. It is not practical to staff up enough resources to have in-house experts across all critical SaaS applications. For example, just to keep up with Salesforce’s latest software updates, you would need to read through hundreds of pages of release notes. Unfortunately, correctly configuring the new features covered in those hundreds of pages could be the difference between a smoothly operating SaaS application and one with significant data exposure.
This is where we can learn from the proven solutions available today and focus on evolving to meet today's SaaS needs. The role of current-generation CSPMs is to continuously monitor enterprise cloud environments and identify gaps between their stated security policies and the system’s actual security posture. At their core is the detection of vulnerabilities resulting from misconfigurations, as well as the option to assure compliance by remediating any violations.
Examples of violations could include lack of encryption on databases or application traffic, overly liberal account permissions, or the absence of multi-factor authentication. Identifying misconfigured network connections, as well as data storage directly exposed to the internet, would be other examples of CSPM uses.
Imagine taking this proven technology and combining it with in-depth knowledge of business-critical SaaS applications. Add to that the flexibility of managing and monitoring individual applications or the entire SaaS environment coupled with compliance and regulatory policies. That is what the new SaaS Security Posture Management (SSPM) market is poised to deliver.
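The core loop described above (compare a tenant’s actual configuration against a stated policy, report the gaps, and flag drift between snapshots) can be shown in a few dozen lines. The following is an added illustration, not code from the article or from AppOmni; the tenant snapshot, the policy keys and the check identifiers are all constructed for the example and do not correspond to any real SaaS vendor’s export format.

```python
"""Minimal SaaS posture checks: policy vs. actual configuration, plus drift between snapshots."""
import copy
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    check_id: str   # stable identifier so findings can be compared across snapshots
    severity: str
    detail: str


# Constructed sample snapshot of a hypothetical SaaS tenant (not a real export format).
SAMPLE_TENANT = {
    "auth": {"mfa_required": False},
    "sharing": {"public_links_allowed": True},
    "storage": {"encryption_at_rest": True},
    "users": [
        {"name": "alice", "roles": ["admin"], "last_login_days_ago": 2},
        {"name": "svc-report", "roles": ["admin", "export"], "last_login_days_ago": 120},
        {"name": "bob", "roles": ["viewer"], "last_login_days_ago": 1},
    ],
}

# The organization's stated policy the snapshot is measured against (also constructed).
POLICY = {
    "mfa_required": True,
    "public_links_allowed": False,
    "encryption_at_rest": True,
    "max_admins": 1,
    "dormant_admin_days": 90,
}


def check_mfa(tenant, policy):
    if policy["mfa_required"] and not tenant["auth"]["mfa_required"]:
        return [Finding("MFA-001", "high", "MFA is not enforced for all users")]
    return []


def check_public_sharing(tenant, policy):
    if tenant["sharing"]["public_links_allowed"] and not policy["public_links_allowed"]:
        return [Finding("SHARE-001", "high", "Anonymous public links are enabled")]
    return []


def check_encryption(tenant, policy):
    if policy["encryption_at_rest"] and not tenant["storage"]["encryption_at_rest"]:
        return [Finding("ENC-001", "high", "Encryption at rest is disabled")]
    return []


def check_admins(tenant, policy):
    """Over-privileged accounts: too many admins, and admins nobody has used recently."""
    findings = []
    admins = [u for u in tenant["users"] if "admin" in u["roles"]]
    if len(admins) > policy["max_admins"]:
        findings.append(Finding("PRIV-001", "medium",
                                f"{len(admins)} admin accounts exceed limit of {policy['max_admins']}"))
    for user in admins:
        if user["last_login_days_ago"] > policy["dormant_admin_days"]:
            findings.append(Finding("PRIV-002", "medium", f"Dormant admin account: {user['name']}"))
    return findings


CHECKS = [check_mfa, check_public_sharing, check_encryption, check_admins]


def evaluate(tenant, policy):
    """Run every check; the result is the tenant's posture relative to the policy."""
    findings = []
    for check in CHECKS:
        findings.extend(check(tenant, policy))
    return findings


def drift(baseline, current):
    """Findings present now but not at baseline: misconfigurations introduced since the last run."""
    return [f for f in current if f not in baseline]


def example_drift():
    """Simulate a later snapshot in which someone disabled encryption at rest."""
    baseline = evaluate(SAMPLE_TENANT, POLICY)
    later = copy.deepcopy(SAMPLE_TENANT)
    later["storage"]["encryption_at_rest"] = False   # constructed change
    return drift(baseline, evaluate(later, POLICY))


if __name__ == "__main__":
    for f in evaluate(SAMPLE_TENANT, POLICY):
        print(f"[{f.severity}] {f.check_id}: {f.detail}")
    print("new since baseline:", [f.check_id for f in example_drift()])
```

Each check answers one policy question, and findings carry a stable identifier so a scheduled run can diff its results against the previous run; the new-findings list from `drift` is what an operator would actually want paged on, while the full list from `evaluate` is the compliance report.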
The sooner we move as an industry to adopt this new category of security solutions for SaaS, the better positioned we’ll be to prevent data exposures, regulatory violations, and other security issues. While the overall percentage of security failures attributed to cloud customers may be accurate, we can lower the overall number of failures with the right tools in place.
Brendan O’Connor is CEO at AppOmni.