SaaS companies access scads of customer data. If you fail with SaaS security, it will have a direct and lasting impact on your user experience.
SaaS (or Software as a service) applications generate large amounts of unstructured data that is difficult to manage. Data is said to be the oil of the digital age, driving business growth. But just like oil, the dissemination of data entails a number of problems.
According to the British Assessment Bureau, more than 60,000 hacking attempts are made every day just in the UK – and the number is only increasing as telecommuting has weakened the traditional office security perimeter, opening up many access points for hackers.
But there’s another question that worries IT security teams: How much SaaS data in the cloud is at risk? The concern arises because the use of SaaS applications such as Facebook, Zoom, or Dropbox is out of control as employees work from home, away from the eyes of IT.
According to Rewind, on average, enterprises use 3-4 times more SaaS applications than their IT department knows, and BetterCloud predicts that in 2022, 90% of enterprises will rely on them to complete their business tasks.
This lack of visibility, combined with the lack of information about which employees have access to applications and their sensitive data, points to gaping holes in companies’ security systems.
The problem of unstructured data
While SaaS applications store large amounts of structured and unstructured data, it is the latter, such as selfies, video and audio files, and even email files, that poses the greatest challenges for companies.
The lack of a proper identity policy that could govern employee access to these SaaS applications and their data is one of the top cybersecurity risks for organizations, with unstructured data being a major factor in the growth of security compromises.
To better understand the risk companies are exposed to in relation to SaaS applications and data, as well as the state of unstructured data and related security practices, SailPoint recently conducted a study with Dimensional Research that demonstrated how complex the task of data security and control is.
We see that 92% of companies are moving their unstructured data to the cloud. However, 76% of companies faced security issues, including unauthorized access, data loss, regulatory fines, and more.
More than 40% of respondents admitted they don’t know where their unstructured data is. Nearly all of the companies surveyed described managing access to unstructured data as difficult, citing multiple challenges: the volume of data is too large, there is no single solution for accessing multiple storage systems, and there is no access visibility showing where the data is and who owns it.
No wonder companies are spending record amounts on cybersecurity to protect their digital transformation gains. According to the Canalys report, investing in new technologies is the top priority for security prevention spending for 50% of European companies.
However, despite their best efforts and intent, the number of successful attacks continues to rise like never before, with Canalys reporting that “more accounts have been compromised in just 12 months than in the previous 15 years combined.”
SaaS Protection Solutions
In the SaaS / FaaS scheme, the protection of the service infrastructure is entrusted to the provider. If you use a service from a major provider, then it is guaranteed to have the basic mechanisms of protection, monitoring and response, fault tolerance, backup, and system recovery.
For example, you can read about the information security architecture of Google cloud services at the link. But protecting the content of the service remains the prerogative of the user, whether it be mail correspondence, files on a file resource, or application source code.
Many SaaS and FaaS providers offer built-in protection mechanisms – for example, Advanced Threat Protection in Microsoft Office 365. They implement the minimum required set of protection features, but, as a rule, are shallow and not customizable enough. Another example is Google App Engine, which offers built-in firewalls (including a DDoS filter) and Google Cloud Security Scanner, an application scanner.
It is also possible to redirect traffic through your own filtering node: for mail, by protecting the mail flow through an additional filtering hop; for web applications, by using a WAF solution as a reverse proxy. You can then apply any filtering policies you need on your own site, as with traditional methods. But this option is difficult to organize in terms of routing, and the content gateway can become a bottleneck.
The following products on the market help secure customer data when using SaaS/FaaS/PaaS/CaaS cloud services:
- In the case of SaaS, this is Cloud Access Security Broker (CASB).
- The fPaaS or CaaS option can be secured using the Cloud Workload Protection Platform (CWPP) solution.
- In the case of serverless applications or FaaS, the user can use static code analysis and API Gateway.
In the case of CASB, integration with cloud products is done through Representational State Transfer (REST) APIs and does not require redirecting e-mail traffic or using a web proxy. Alternatively, a node is added and integrated as a forward or reverse proxy. The best option is to use a hybrid installation. CASB allows you to scan incoming and outgoing mail for malware and apply security policies. The solution performs the following main functions:
- Monitoring and audit. Shadow IT tracking – use of third-party services. Shadow IT refers to IT devices, software, and services that are present in an organization but are not maintained by the IT department. They are not on the balance sheet of the IT department, and their status and work are not controlled; moreover, the IT department may not know anything about them at all. These include Amazon AWS, GCP, amoCRM, and more.
- Protection against phishing attacks and phishing URLs. Sometimes this includes additional analysis and detection of Business Email Compromise (BEC) attacks using artificial intelligence (AI) and machine learning.
- Finding and blocking known malware, including hidden exploits. Sometimes this includes searching for unknown malware with machine learning mechanisms, sandbox file analysis, and internal obfuscation detection techniques.
- Implementation of Data Loss Prevention (DLP) functions, including file-sharing resources.
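The shadow IT tracking function listed above can be illustrated with a small log-based discovery pass. This is an added example, not code from any CASB product: the log format, the sanctioned list, the domain catalogue and all sample records are constructed assumptions.

```python
import csv
import io
from collections import defaultdict

# Constructed inventory of SaaS domains approved by IT (assumption).
SANCTIONED = {"office365.com"}
# Constructed catalogue mapping known SaaS domains to app names (assumption).
SAAS_CATALOGUE = {
    "office365.com": "Microsoft Office 365",
    "dropbox.com": "Dropbox",
    "zoom.us": "Zoom",
    "amocrm.com": "amoCRM",
}
# Constructed egress proxy log: timestamp,user,host,bytes_out
SAMPLE_LOG = """\
2022-03-01T09:00:01Z,alice,outlook.office365.com,5120
2022-03-01T09:02:10Z,bob,www.dropbox.com,1048576
2022-03-01T09:05:44Z,carol,us02web.zoom.us,2048
2022-03-01T09:07:30Z,alice,content.dropbox.com,524288
2022-03-01T09:09:12Z,dave,dropbox.com.example.net,4096
2022-03-01T09:11:00Z,bob,acme.amocrm.com,10240
"""

def catalogue_domain(host):
    """Return the catalogue domain that host equals or is a subdomain of."""
    host = host.lower().rstrip(".")
    for domain in SAAS_CATALOGUE:
        # Match on a label boundary so look-alike hosts are not counted.
        if host == domain or host.endswith("." + domain):
            return domain
    return None

def find_shadow_it(log_text):
    """Aggregate users and upload volume per unsanctioned SaaS app."""
    usage = defaultdict(lambda: {"users": set(), "bytes_out": 0})
    for _ts, user, host, bytes_out in csv.reader(io.StringIO(log_text)):
        domain = catalogue_domain(host)
        if domain is None or domain in SANCTIONED:
            continue
        entry = usage[SAAS_CATALOGUE[domain]]
        entry["users"].add(user)
        entry["bytes_out"] += int(bytes_out)
    # Largest upload volume first: these apps hold the most company data.
    rows = [(app, sorted(e["users"]), e["bytes_out"]) for app, e in usage.items()]
    return sorted(rows, key=lambda row: row[2], reverse=True)

if __name__ == "__main__":
    for app, users, sent in find_shadow_it(SAMPLE_LOG):
        print(f"{app}: users={users} bytes_out={sent}")
```

The per-app user list answers the access-visibility question raised earlier: which employees are using an application the IT department does not manage, and how much data has left through it.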
Each of the considered models of cloud services has its own technological and investment advantages and occupies its own niche in the market. However, regardless of the model chosen by the customer, the service provider must keep in mind the need to supplement the service with information security threat protection functions.
From this point of view, an effective strategy for providing services that minimizes the risks of downtime, reputational costs, and negative impact on customers' business consists of designing protection systems, developing plans for responding to information security incidents, and involving professional teams to implement them.