
Turbo-charge Your SaaS Evaluation Capability, Now!


The year 2020 saw over 27 billion records exposed in the first half alone, and 2019 saw about 14 billion records exposed. The driving force behind these incidents has been exposed databases and cloud service misconfiguration. Now, while enterprises may be deliberate and cautious about adopting cloud themselves, the SaaS providers behind the solutions they adopt in ever-increasing numbers have been pioneers at adopting public cloud services. This necessitates a solid SaaS evaluation capability. Taking the industry-standard checklist approach can help with basic hygiene. However, this approach has proven to be hardly adequate to build a comprehensive risk profile and help deter breaches, especially for mission-critical journeys. Here are four steps that can turbo-charge your organization’s SaaS evaluation capability:

By Ravi Ivaturi, Sr. Vice President – Digital Security Architecture at Citi

1. Understand the Product Architecture

Let loose your security architects on the SaaS product. A clear and comprehensive understanding of the product’s intended use and its implementation architecture is critical. Several facets of the architecture – logical, data flow, control flow, deployment architecture, and existing controls architecture – need to be explored and understood. Any shortcomings in building this degree of detail will potentially leave attack surfaces inadequately protected. Any assessment or checklist evaluation will be incomplete, and even inaccurate, without a deep understanding of the product’s architecture. Essentially, you need to get not just under the hood, but deep into the engine block.

2. Benchmark Against Known-good

Once the product architecture is well understood, the next step is to determine what is acceptable and what is not. A time-tested and proven approach is to benchmark against good design patterns. Let me elaborate with an example: public cloud platforms provide multiple ways to encrypt data stored in a file repository (e.g. AWS S3). A clear standard and design pattern stating which option is acceptable, and for which scenarios, must be established internally. Any SaaS product leveraging S3 for storage can then be evaluated against these patterns to determine the risks owing to deviation. Now, obviously, this approach will require a good-sized library of design patterns with relevant controls. The good news is that a small set of services is used extensively. This makes it feasible to build an effective pattern library in a short period of time. A threat-based approach could also be adopted: given that most data exposures happen due to misconfigured datastores, start with developing acceptable patterns for datastores. This will equip your SaaS security evaluation program to protect against the threats that resulted in half of the data exposures in the past two years!

3. The Misconfiguration Problem

Most SaaS vendors choose one of the top three public cloud platforms. The single biggest security challenge faced by cloud deployments is misconfiguration. We are all aware that Gartner predicts that, “Through 2025, 99% of cloud security failures will be due to a customer’s fault.” Sounds incredible? Well, consider the Twilio S3 security incident from July 2020: Twilio distributes a JavaScript SDK that allows its clients to easily interact with its product. This SDK is hosted on an AWS S3 bucket for clients to download. Attackers were able to modify Twilio’s SDK and inject it with malicious code. The root cause was an S3 bucket misconfiguration that allowed anyone on the Internet to write to the bucket. While little has been disclosed on how the company was alerted to the breach, the bucket had been misconfigured since 2015. A security solution that actively looks for misconfiguration would have detected this issue within minutes. Twilio is not alone – you’ll be surprised to learn how few vendors have implemented this control, let alone in an effective way. So, absolutely insist that the SaaS provider implements a solution for actively detecting and alerting on misconfiguration.
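To make steps 2 and 3 concrete, here is an added example (not code from the article or from any vendor) of what a pattern-based bucket check looks like: it evaluates one S3 bucket's ACL, bucket policy, default-encryption setting and public-access-block flags against an assumed internal design pattern (SSE-KMS required, no public write, all four block settings on), returning the deviations. The inputs are constructed to mirror the world-writable-bucket class described above and have the shape boto3 returns, so the same functions could be run by a scheduled scanner over live responses.

```python
from fnmatch import fnmatch

# Assumed pattern (not the article's): SSE-KMS default encryption, no public write, PAB fully on.
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
PUBLIC_GROUPS = {ALL_USERS, "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"}
WRITE_ACTIONS = ("s3:PutObject", "s3:PutObjectAcl", "s3:DeleteObject")
ACCEPTED_SSE = {"aws:kms"}
PAB_KEYS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")

def _anyone(principal):  # Principal "*" or {"AWS": "*"} (alone or in a list) means everyone
    aws = principal.get("AWS", []) if isinstance(principal, dict) else principal
    return "*" in ([aws] if isinstance(aws, str) else aws or [])

def acl_allows_public_write(acl):  # WRITE/FULL_CONTROL granted to AllUsers/AuthenticatedUsers
    return any(g["Grantee"].get("Type") == "Group" and g["Grantee"].get("URI") in PUBLIC_GROUPS
               and g["Permission"] in ("WRITE", "FULL_CONTROL") for g in acl.get("Grants", []))

def policy_allows_public_write(policy):
    # Allow statement granting a write action (wildcards too) to everyone; Conditions are ignored
    # on purpose, so a conditioned statement is still flagged for human review.
    for st in policy.get("Statement", []):
        actions = st.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if st.get("Effect") == "Allow" and _anyone(st.get("Principal", {})) and any(
                fnmatch(w, pat) for w in WRITE_ACTIONS for pat in actions):
            return True
    return False

def evaluate_bucket(acl, policy, encryption, public_access_block):
    """Return deviations from the pattern (empty list = compliant). Inputs have the shape of
    get_bucket_acl, json.loads(get_bucket_policy()["Policy"]), get_bucket_encryption, get_public_access_block."""
    findings = []
    if acl_allows_public_write(acl):
        findings.append("ACL grants public write")
    if policy_allows_public_write(policy):
        findings.append("bucket policy grants public write")
    rules = encryption.get("ServerSideEncryptionConfiguration", {}).get("Rules", [])
    algos = {r.get("ApplyServerSideEncryptionByDefault", {}).get("SSEAlgorithm") for r in rules}
    if not algos or not algos <= ACCEPTED_SSE:
        findings.append("default encryption is not SSE-KMS")
    pab = public_access_block.get("PublicAccessBlockConfiguration", {})
    if not all(pab.get(k) for k in PAB_KEYS):
        findings.append("public access block is not fully enabled")
    return findings

# Constructed sample bucket (no AWS call): world-writable ACL, SSE-S3 only, block switched off.
SAMPLE_ACL = {"Grants": [{"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "WRITE"}]}
SAMPLE_POLICY = {"Statement": [{"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject"}]}
SAMPLE_ENC = {"ServerSideEncryptionConfiguration": {"Rules": [
    {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]}}
SAMPLE_PAB = {"PublicAccessBlockConfiguration": dict.fromkeys(PAB_KEYS, False)}
```

Running `evaluate_bucket(SAMPLE_ACL, SAMPLE_POLICY, SAMPLE_ENC, SAMPLE_PAB)` yields three findings; the public-read policy is not flagged because the pattern only forbids writes.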

4. Risk Visibility

As cloud adoption continues to explode, more and more organizations will end up with data islands on public cloud platforms. Despite all the best efforts, there is going to be a varying degree of control implementation and operational effectiveness. The risks are further augmented by lift-and-shift strategies that don’t account for the inherently different architectures of public cloud platforms. It is therefore imperative to ensure that senior leadership has a clear line of sight into SaaS product adoption, control state, and inherent risks. Any SaaS evaluation program will fall short, despite its best efforts, without the leadership being provided clear and explicit visibility into this aspect.

It would be remiss not to touch upon the people aspect. To implement the above four steps effectively, teams with appropriate skills and specialization are a must. Unless an enterprise already has a proven team of security architects, operationalizing these four steps will require an infusion of external resources and upskilling of the existing teams.


With ever-growing data breaches driven by misconfigured cloud services, it is imperative that enterprises enhance their SaaS evaluation capabilities. This can be achieved by ensuring that the evaluation process includes steps to gain a deep understanding of the SaaS product architecture, benchmark against known-good patterns, and provide a direct line of sight to leadership teams.




About the Author

Ravi is a cybersecurity leader with deep expertise in building cybersecurity programs for emerging technologies. He enjoys authoring technology articles, engaging with cybersecurity startups, and above all, solving problems. In his current role, Ravi heads the Cloud Security Architecture function for Citi’s Consumer division, providing security leadership for financial products used by millions of individuals across 19 countries. He also serves on Citi’s apex Security Architecture Council, providing oversight to enterprise-wide security architecture. With over 15 years of cybersecurity experience in the financial sector, Ravi brings together well-rounded experience and thought leadership in emerging-technology risks, security assessments, compliance, and technology risk management. Ravi holds a master’s degree in Computer Science from New York University.


Views expressed in this article are personal. The facts, opinions, and language in the article do not reflect the views of CISO MAG and CISO MAG does not assume any responsibility or liability for the same.