Obsidian Security Alerts on Increasing SaaS Risks to Corporations


Enterprise cyber security for Australian and APAC organizations is facing a growing concern with SaaS environments emerging as an “unattended weak point,” stated SaaS security management company Obsidian Security. One of the contributing factors to this problem is the misconception surrounding the shared responsibility structure in SaaS agreements.

Obsidian Security, which is broadening its services in Australia and APAC, predicted a rise in local organizations re-examining their SaaS security tactics after completing ongoing evaluations of cloud security.

According to Andrew Latham, who recently joined Obsidian from Crowdstrike as senior sales engineer for Asia-Pacific and Japan, local organizations need to move past mere document checklists when evaluating the security of SaaS vendors. He also highlighted the prevalent misunderstanding among customers regarding the SaaS shared responsibility model.

SaaS software estates turning into the ‘frontline for cyber threats’

Obsidian highlighted the escalating frequency of SaaS attacks and the growing severity of their consequences. For instance, a breach at Ticketek, an Australian event ticketing firm, this year exposed data belonging to 17 million individuals after a threat actor obtained access to a third-party provider.

“Many organizations implicitly trust SaaS providers to configure applications on their behalf, unwittingly exposing sensitive data,” Chisholm mentioned. “Lack of awareness about the shared responsibility model can leave SaaS applications vulnerable, posing significant risks to both business and individual data.”


Latham remarked that SaaS vendor risk in the Australia and APAC region is akin to that in other global markets.

“SaaS platforms are omnipresent, accessible easily from any connected entity or user,” he elaborated. “Globally, we are observing a transition from complex attacks, targeting endpoints for data access and exfiltration, to simpler attacks designed for account takeover and data stored in SaaS systems.”

Obsidian observed a migration of more critical business information to SaaS platforms. Although the number of SaaS applications in use varies significantly, Productiv research suggested that companies with fewer than 500 employees leverage an average of 253 apps, with this figure rising to 473 apps for companies with over 10,000 employees.

In-depth Evaluation Lacking for SaaS Shared Responsibility Model

Organizations often misconstrue their responsibilities within the shared responsibility model for security with SaaS vendors.

Usually, SaaS vendors and customers collaborate to ensure robust data security. For instance, vendors could be tasked with securing the foundational infrastructure like data centers while customers oversee aspects such as user access management or application setup.

“Most organizations are actively securing their Infrastructure-as-a-Service landscape as they migrate more workloads to the cloud,” Latham noted. “What many fail to realize is that there exists a Shared Security Model adopted by all cloud providers, including SaaS.”

He added, “With IaaS, implementing your controls is feasible. However, with SaaS, this liberty is absent. There’s a broad presumption that the SaaS provider is safeguarding customer data security, but this is often not the case.”

Traditional questionnaires inadequate for assessing SaaS vendor risks

During procurement, paper-based questionnaires are frequently utilized to verify whether SaaS vendors meet security standards. Latham argued that these questionnaires may not delve deep enough into the security practices of a SaaS provider and their ability to mitigate data-related risks like account takeovers.


“The crucial point is recognizing that relying solely on paper-based questionnaires for assessing a new SaaS provider is insufficient,” stated Latham. “Several recent high-profile breaches have been initiated via account takeovers. In the realms of the Shared Responsibility Matrix, such incidents fall under the responsibility of the SaaS vendor.”

Complex third- and fourth-party software supply chain risks are prevalent in the SaaS sector.

Although organizations assess primary SaaS providers, these vendors frequently integrate with multiple other SaaS vendors in a convoluted SaaS network, making it challenging to gauge real data risks.

“It’s analogous to the hidden side of the moon,” Latham remarked. “There is almost ten times as much data exchange happening between third- and fourth-party SaaS systems as what’s visible at the ‘front entrance’.”

“While the supply chain may indicate a SaaS provider as a recognized service provider essential for business support, it’s the unsanctioned integrations that pose a problem,” he further explained.

These integrations may seem harmless initially, but if exploited, they could allow malicious actors to access SaaS data without the tenant’s knowledge.

“There are various instances where trusted collaborations with third- and fourth-party SaaS vendors are exploited, resulting in data exposure to unauthorized entities,” Latham pointed out.

Anticipating Emphasis on SaaS Post Cloud Focus

Australian firms can be grateful as the market has largely remained free from SIM Swap attacks, unlike some other regions worldwide. SIM Swap attacks occur when cybercriminals deceive telecommunication companies into switching a victim’s mobile service to a SIM card under their control.

“ACMA’s requirements regarding identity verifications for telecom providers have nearly eradicated SIM swapping incidents, which are still prevalent in some regions,” observed Latham.

Nonetheless, the issue of SaaS security persists, with Obsidian foreseeing a forthcoming shift in focus towards it.

“In general, many Australian organizations have ongoing IaaS workload projects. Upon completion, their attention will shift towards SaaS. In contrast, other markets like the US are roughly 18 months ahead, having completed initial IaaS security projects and commenced SaaS security endeavors,” Latham stated.
