Here’s a gentle introduction to off-prem security for SMBs
Backgrounder Without in-house staffing to set up or manage their IT estates, many small-to-medium businesses (SMBs) have migrated to cloud-based business applications, email, messaging, file sharing, and file-storage services.
But don’t think, just because you’ve handed the keys of your IT estate to somebody else, your days spent having to think about the security of your software, applications, and data are gone. They aren’t. SMBs are very much still in the cross hairs of hackers, from phishing, social engineering, and advanced malware to attacks via product vulnerabilities. And running your tech in the cloud doesn’t necessarily mean you’re immune to all that now.
And don’t forget there are steep costs in cleaning up an intrusion: Europe’s General Data Protection Regulation (GDPR) that activated in May 2018 can put any “data steward” on the hook for up to €20m or four percent of turnover – whichever is the greater – in the event of lost or stolen data. Either figure is enough to put a dent, or worse, into a typical SMB.
It therefore pays to remain vigilant, and know where the vulnerabilities in cloud-based software-as-a-service (SaaS) exist – and what you can do.
Welcome to the front door
The Cloud Security Alliance (CSA), a non-profit organisation that promotes best practice and security assurance within cloud services, has identified the primary security risks associated with hosting infrastructures. A top one is account login credentials used to access SaaS and that are susceptible to hackers who employ methods such as phishing to obtain credentials. In its 2019 Data Breach Investigations Report, Verizon noted a shift in focus among criminals adapting their tactics to hack cloud-based email services using stolen credentials.
Once in, an intruder is free to co-op the account and steal, edit, or delete account data at will (including such vital statistics as billing information). However, there is a secondary risk: once inside, an intruder can gain increasing levels of access to more critical systems – both cloud-hosted and on-premises. A compromised SaaS account can be hijacked to host malicious software that disguises itself to launch cyber-attacks on other systems. This type of “cloudjacking” has claimed some major victims in the last couple of years, including car maker Tesla. Elon Musk’s company was hit by hackers using a Kubernetes administrative console for cloud application management. They obtained AWS login details and established a cryptojacking operation based on the Stratum bitcoin mining protocol.
Additional weak points, according to the CSA, are external user interfaces and APIs, such as RESTful APIs deliberately exposed by the service provider for the benefit of developers and third parties and that should be protected but sometimes aren’t. Salesforce in 2018 revealed the existence of a vulnerability affecting customers using its Market Cloud Email Studio and Predictive Intelligence services had been caused by an API error.
One of the mantras coming from the cloud community is security – that they are the experts in data centres and service provisioning, who can secure their systems better than mere mortals. But events have proved they are as human as the rest of us. Malware has historically targeted servers, but recent years have seen attackers target system-level components, with variants like Meltdown, Spectre, and Foreshadow exploiting vulnerabilities in the same server CPUs and virtual machines (VMs) used by cloud providers as everybody else.
Analyst Canalys noted in 2018 how cloud-service providers were quick to reassure customers over the reliably of their services in the wake of Meltdown, but were also likely to try to reduce their reliance on Intel’s Xeon processors that were susceptible to attack so as to avoid becoming exposed in the future. Containers are also proving a risk. A vulnerability discovered in the runC runtime that’s the basis of Docker and other container engines lets hackers’ code break out of the container’s sandbox and gain root access to the host server.
When did you last check your AWS S3 security? Here’s four scary words: 17k Magecart infections
Human error is another problem, and it manifests itself in various ways. For instance, in the failure to patch known software and system vulnerabilities. A Ponemon Institute study [PDF] of 3,000 IT pros on behalf of ServiceNow found half of organisations were hit by one or more data breaches in the last two years. The rub is that 34 per cent say they knew their systems were vulnerable prior to attack, and 57 per cent were breached using a known but unpatched vulnerability.
We know data centres are complex environments and vulnerabilities caused by human error are common, but SaaS doesn’t eliminate the risk – it just puts it on a different level. According to Symantec’s latest Internet Threat Security Report, misconfigured servers and cloud infrastructure are a big target for hackers, with 70 million records stolen or lost from poorly configured Amazon Web Services (AWS) S3 buckets in 2018 alone. That’s a problem when you consider that some smaller SaaS providers have chosen to build their services on top of the AWS plumbing, and may therefore have configured things incorrectly.
Practical SaaS security protection
These architectural and plumbing problems can be damaging, though the task of getting around them is not insurmountable. SaaS providers do not go out into the world naked, but come, instead, wrapped in layers of control and defense. Having recognized that their basic security protection is not enough for some, service providers have begun to integrate third-party security tools into their cloud services and certify them for download, giving SMBs a wide range of protections to choose from.
Basic infrastructure-level protection is also common. This includes single sign-on (SSO) for user authentication that in the context of SaaS lets you access different on- and off-premises systems from the same device. Secure socket layer (SSL) certificates, encryption keys, Kerberos or security assertion mark-up language (SAML) protocols and two factor (2FA) or multi factor authentication (MFA) together provide much tighter protection against account takeovers and user credential compromises.
Cloud access security brokers (CASB) are now becoming more widespread and more effective, giving SMBs a defined tool that can automatically identify and control the SaaS applications being accessed by your employees. CASB can monitor and sanction transfer of data between on- and off-premises locations, with the ability to set permissions that govern what data is uploaded and with whom it’s shared.
Virtual firewalls can be deployed directly on SaaS infrastructure to protect data, using software-based micro-segmentation to monitor the workload and application traffic that passes between VMs in the data centre. This can help to prevent the lateral movement of malware across the virtual environment and stop it taking over virtual systems. Such firewalls also help in compliance and security governance, as you can set security policies and establish defined reporting processes. Cloud-based analytics engines can be used to monitor network traffic and content in real time for signs of unusual activity that could indicate a cyberattack is imminent or underway.
Hey China, while you’re in all our servers, can you fix these support tickets? IBM, HPE, Tata CS, Fujitsu, NTT and their customers pwned
If you are running a hybrid cloud – a combination of some service provider and your own, on-prem-based software or data – you have additional options. These include physical firewalls that protect data traffic transmitted between your offices and the SaaS provider, with direct-access virtual private network tunnels, and end-to-end encryption providing additional protection for any device accessing a hosted application.
This, however, does put more responsibility back on you. That could be a problem if you are short of the kinds of IT staff and resources common among most SMBs – and that may have been a factor in your decision to implement SaaS in the first place. Almost half (47 percent) of those surveyed by Ponemon said they had no understanding of how to protect their companies against cyberattacks.
Love it or hate it, SaaS is a force in IT. Want the power of the big dogs minus the hassle or cost of owning the software? SaaS it. Just don’t be lulled into thinking because you’ve outsourced the software all those years spent worrying about keeping applications, systems, data and users safe are also gone. Quite the contrary. Beneath the covers, SaaS is a security spaghetti: a meal of problems from the old world with a fresh selection of new worries running on a bigger scale. There are measures you can take to secure your SaaS – it’s just a matter of knowing what to look for.
Supported by SonicWall.