SaaS environments are emerging as an "unaddressed blind spot" in enterprise cyber security for Australian and APAC organisations, according to SaaS security management firm Obsidian Security. The firm partly attributes the problem to confusion about the shared responsibility model in SaaS contracts.
Obsidian Security, which in September announced that it is expanding operations across Australia and APAC, said it expects a surge in local organisations re-evaluating their SaaS security strategies once they complete their ongoing cloud security reviews.
Andrew Latham, who has joined Obsidian from Crowdstrike as senior sales engineer for Asia-Pacific and Japan, told TechRepublic that local organisations should move beyond paper checklists when assessing SaaS vendor security. He also noted many customers still misunderstand the SaaS shared responsibility model.
SaaS software estates becoming "frontline for cyber threats"
SaaS attacks are rising in frequency, Obsidian noted, and the consequences are growing more severe. This year's breach at Ticketek, an Australian event ticketing company, saw the data of 17 million people become exposed after a threat actor gained access to a third-party provider.
"The implicit trust many organisations have in SaaS providers to configure applications for them often leaves sensitive data unknowingly exposed," Chisholm said. "Unawareness of the shared responsibility model can leave SaaS applications unsecured, posing a huge risk to businesses' and individuals' data."
Latham said SaaS vendor risk in Australia and APAC is comparable to other global markets.
"SaaS platforms are ubiquitous, with easy access from anyone or anything connected to the Internet," he explained. "What we're seeing globally is a shift away from complex attacks where endpoints are targeted to access and exfiltrate data, towards simpler attacks aimed at account takeover and data stored in SaaS systems."
Obsidian found that more business-critical information is migrating to SaaS. While the number of SaaS applications in use varies widely, Productiv research estimated that companies with fewer than 500 employees use an average of 253 apps, rising to 473 apps for companies with over 10,000 employees.
SaaS shared responsibility model not being assessed in-depth
Organisations often misunderstand their role in the SaaS vendor shared responsibility model for security.
Typically, SaaS vendors and customers collaborate to ensure robust data security. For example, vendors may be responsible for underlying infrastructure security, such as data centers, while customers may primarily manage aspects like user access management or application configuration.
"Most organisations are in the process of securing their Infrastructure-as-a-Service real estate as they move more workloads to the cloud," Latham said. "What most don't realise is that there is a Shared Security Model that all cloud providers, including SaaS, implement."
He added: "With IaaS, you can implement your own controls. However, with SaaS you cannot. There is a broad assumption the SaaS provider is taking care of the security of the customer data, but they often aren't."
Paper-based questionnaires not enough to assess SaaS vendor risk
Paper-based questionnaires are often used during procurement to verify SaaS vendors meet security requirements. Latham said these questionnaires may not provide deep enough insight into how a SaaS provider manages security and protects against risks to data, such as account takeovers.
"The biggest issue would be to understand that a paper-based questionnaire is not enough when assessing a new SaaS provider," Latham said. "Many recent high-profile breaches have been account takeovers. These kinds of attacks, in relation to the Shared Responsibility Matrix, are above the line where the SaaS vendor takes responsibility."
SaaS supply chain risk like "dark side of the moon"
Extended third- and fourth-party software supply chain risk is common in the SaaS market.
Though organisations assess primary SaaS providers, these vendors often integrate with multiple SaaS vendors themselves in a complicated SaaS mesh, making it difficult to assess real risks to data.
"It's analogous to the dark side of the moon," Latham said. "There is up to 10 times as much data transfer happening between third- and fourth-party SaaS systems than there is visible at the 'front door.'
"While the supply chain might suggest a SaaS provider is a known supplier of services required to support the business, it's all the unsanctioned integrations that are an issue," he added.
These integrations can appear "innocent on the surface," but when exploited can allow adversaries to exfiltrate SaaS data unbeknownst to the SaaS tenant.
"There are many examples where trusted integrations with third- and fourth-party SaaS vendors are abused, exposing data to unauthorised users," Latham explained.
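The check a tenant can actually run against the "unsanctioned integration" problem described above is an inventory of the third-party app grants that already exist in the tenant. The following is an added example, not code from Obsidian Security or from the article: it takes a constructed list of OAuth-style grant records (in practice these come from the SaaS platform's admin API or token report), compares them against a procurement allowlist, and flags apps that hold data-access scopes without being sanctioned, hold data scopes they have not used in 90 days, or come from an unverified publisher. The scope names, app names and the allowlist are all hypothetical.

```python
"""Audit third-party integration grants in a SaaS tenant.

Added example, not code from Obsidian Security or TechRepublic. All grant
records, scope names and the sanctioned-app list below are constructed.
"""
from dataclasses import dataclass
from datetime import date

# Assumed scope names that give an integration read or write access to tenant data.
DATA_SCOPES = frozenset({
    "mail.read", "mail.readwrite", "files.read", "files.readwrite",
    "directory.read", "calendars.read",
})
# Assumed allowlist of integrations approved through procurement.
SANCTIONED = frozenset({"Payroll Connector", "Ticketing Sync"})
STALE_DAYS = 90
# Fixed "today" so the sample audit is reproducible.
AUDIT_DATE = date(2024, 9, 15)


@dataclass(frozen=True)
class Grant:
    app: str
    publisher_verified: bool
    scopes: frozenset
    granted_by: str      # user or admin who consented to the grant
    last_used: date      # last time a token issued under this grant was used


def classify(grant, today, sanctioned=SANCTIONED):
    """Return a list of findings for one grant; an empty list means no finding."""
    findings = []
    data_scopes = grant.scopes & DATA_SCOPES
    idle_days = (today - grant.last_used).days
    # An app nobody approved that can read or write tenant data is the core risk.
    if data_scopes and grant.app not in sanctioned:
        findings.append(f"unsanctioned app holds data scopes {sorted(data_scopes)}")
    # Data scopes that are not exercised are standing access for nothing.
    if data_scopes and idle_days > STALE_DAYS:
        findings.append(f"data scopes unused for {idle_days} days")
    # Unverified publishers are the usual cover for a malicious consent-phishing app.
    if not grant.publisher_verified:
        findings.append("publisher not verified")
    return findings


def audit(grants, today, sanctioned=SANCTIONED):
    """Map app name -> findings for every grant that produced at least one finding."""
    report = {}
    for grant in grants:
        findings = classify(grant, today, sanctioned)
        if findings:
            report[grant.app] = findings
    return report


# Constructed sample grants; a real tenant exports these from its admin API.
SAMPLE_GRANTS = [
    Grant("Payroll Connector", True, frozenset({"directory.read"}),
          "admin@example.com", date(2024, 9, 1)),
    Grant("Ticketing Sync", True, frozenset({"mail.read", "files.read"}),
          "admin@example.com", date(2024, 1, 3)),
    Grant("Slide Beautifier", False, frozenset({"files.readwrite", "mail.read"}),
          "jdoe@example.com", date(2024, 9, 10)),
    Grant("Meeting Notes AI", True, frozenset({"calendars.read", "mail.read"}),
          "asmith@example.com", date(2024, 8, 30)),
    Grant("Emoji Pack", True, frozenset({"profile.read"}),
          "jdoe@example.com", date(2024, 2, 1)),
]


def run_sample_audit():
    """Run the audit over the constructed grants with the fixed audit date."""
    return audit(SAMPLE_GRANTS, AUDIT_DATE)


if __name__ == "__main__":
    for app, findings in run_sample_audit().items():
        print(app)
        for finding in findings:
            print("  -", finding)
```

The point of the exercise is that every grant in this list was consented to by a legitimate user, so nothing in the sign-in logs looks like an attack; only the inventory of granted scopes shows that two user-installed apps can read mail and files, and that a sanctioned app has held mail and file scopes it has not used since January. Run against a real export, the allowlist and scope names must be replaced with the tenant's own.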
Obsidian Security expects focus on SaaS after cloud
Australian companies can be thankful that, unlike in some other parts of the world, the market has been largely free of SIM swap attacks. These attacks occur when cyber criminals trick telecommunications companies into porting a victim's mobile service to a SIM card that they control.
"ACMA's [the Australian Communications and Media Authority's] requirements for identity checks for telecommunications providers have all but eradicated SIM swapping attacks, which are still prevalent in other regions," said Latham.
However, the problem of SaaS security remains, though Obsidian believes it will soon become a focus.
"In general, we see many Australian organisations have in-flight projects for IaaS workloads. Once completed, they'll then look at SaaS. Other markets, like the US, are probably 18 months ahead, having finished their initial IaaS security projects and kicked off SaaS security projects," Latham said.