6 Security Risks to factor in while Adopting SaaS Applications

Infrastructure? Who needs it. Today, organizations are moving away from traditional on-premises software and related infrastructure and embracing cloud-based offerings (SaaS). As a result, SaaS services provide attractive, often necessary options to reduce capital expenditure, operational overhead, and deployment time, which contribute to increased business agility.

The increased agility is not without risks, however. Often, internal business units will seek new SaaS applications without consulting or obtaining approval from appropriate IT or security departments in an effort to keep projects moving. The risks associated with SaaS are increased further by organizations that use multiple SaaS services, managing, protecting, and reporting on each of them separately.

SaaS application deployments have increased dramatically over the past few years, which means you need to keep an eye out for these six primary SaaS security risks.

1. Phishing remains a threat

With over 90% of successful cyberattacks beginning with phishing emails, email remains the most common threat vector. Phishing emails are used by cybercriminals to trick victims into delivering payloads with malicious attachments or URLs, to gather credentials through fake login pages, or to commit fraud through identity theft. Phishing attacks are also becoming more sophisticated, as well as often targeting specific individuals.

The use of SaaS email (e.g., Office 365 or G Suite) and other productivity apps hasn't helped address phishing. Instead, cloud-based attacks have continued to crop up as enterprises continue to increase their adoption of SaaS email and productivity apps. Since cloud-based applications require authentication from users to access their accounts, and those authentication processes are controlled by industry-standard protocols, including OAuth, cloud phishing is set to be the next frontier.

As an example, cybercriminals used highly sophisticated phishing attacks to bypass Microsoft security controls against O365, such as baseStriker, ZeroFont, and PhishPoint. The majority of secure email gateways, such as Mimecast, could not prevent phishing emails.

Another phishing attack targeted Google's Gmail in 2017 with a believable-looking email asking for permission to access users' email accounts and documents. Google's OAuth protocol was exploited in this attack.

2. Account takeovers open the door

Threat actors use account takeover attacks (ATOs) to compromise employees' credentials by either launching credential phishing campaigns against an organization or by buying credentials on the Dark Web if third-party data leaks have compromised employee credentials. Once the credentials are stolen, threat actors can now access additional information or elevate their privileges. There is a possibility that a compromised account will remain undetected for a long period of time, or even fall into the wrong hands altogether.

3. Data theft still profitable no matter where it’s stored

When organizations migrate to the cloud, they are concerned about the risk of data breach. It is deemed acceptable to move and store corporate data outside the corporate data center, where the corporate IT department has no control or visibility, but is accountable for data security.

SaaS applications can store data such as customer information, financial information, personally identifiable information (PII) and intellectual property (IP). A cybercriminal will generally target a specific application or exploit a security weakness to exfiltrate data.

4. Loss of control may result in unauthorized access

Cloud computing also poses the risk that the IT department no longer has complete control over which users have access to what data and how much access they have. Accidental deletions of data are possible. Employees can also leak confidential information to unauthorized users.

5. Viruses with zero-day vulnerabilities are unknown

Software-as-a-service applications, such as file storage and file sharing services (e.g., Dropbox, Box, OneDrive, etc.) are becoming a strategic threat vector for the spread of ransomware and zero-day malware.

Bitglass reported that 44% of cloud applications scanned showed some form of malware. Attacks conducted within SaaS environments are difficult to detect and stop, since users may not be aware that they are being attacked.

Files and data are automatically synced between devices when using SaaS applications. Malware can also propagate through this channel. Malicious PDF files or Office files would need to be uploaded to cloud storage or file sharing apps. The storage or sharing SaaS apps would handle syncing.

6. Compliance and audit

The GDPR, and several laws that govern industries such as healthcare (HIPAA), retail (PCI DSS), and finance (SOX) require auditing and reporting tools to demonstrate cloud compliance. All sanctioned applications must be capable of logging user activity, ensuring sensitive data is secure, and enabling audit trails.