Many companies use cloud apps like Microsoft 365, Google G Suite, and Salesforce without adequately protecting the data within those apps. Learn why this is problematic and how businesses can remedy the situation.
When cloud computing was first introduced, most businesses were reluctant to try the apps being offered by public cloud service providers. Companies were mainly concerned about whether their data and other IT assets would be secure.
Nowadays, that’s no longer the case. The apps offered by public cloud service providers — collectively known as Software as a Service (SaaS) apps — are popular among businesses. Companies use an average of 110 SaaS apps, according to one study. However, more than half of them admit to not investing enough resources to protect the data within the apps. This is problematic because SaaS apps are also popular among cybercriminals.
For example, cybercriminals targeted companies using Microsoft 365 in January 2022. The attackers wanted to access employees’ Outlook apps so that they could read and send emails, change inbox rules, view employees’ contacts, examine calendars, and more, according to Microsoft. The cybercriminals did not access Outlook by stealing, guessing, or tricking employees into revealing their passwords. Instead, they used a consent phishing campaign.
In consent phishing attacks, cybercriminals try to dupe SaaS users into giving a malicious app the permissions it needs to access data or other resources. In the January 2022 attack, the cybercriminals tricked Outlook users into granting permissions to a malicious app named Upgrade.
The malicious apps used in consent phishing campaigns abuse OAuth request links. These links allow users to share information about their accounts with a third-party app or website, without having to give the app or site their passwords.
Consent phishing attacks are not limited to Microsoft’s cloud apps. Any SaaS app that uses OAuth 2.0 authorization is vulnerable. For instance, cybercriminals have used this type of attack to access users’ data in Google Gmail.
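A defender reviewing a consent phishing report usually starts with the OAuth request link itself: which app (client_id) is asking, which permission scopes it wants, and where the authorization code would be sent. The following Python script, an added example rather than code from the original post, parses an OAuth 2.0 authorization URL and flags the combination described above: an app the tenant has never reviewed asking for mailbox-wide permissions. The approved client ID and redirect host are constructed placeholders, the two sample URLs are constructed, and the choice of Microsoft Graph scope names treated as "high impact" (mail, mailbox settings, contacts, calendars, offline_access) is this example's assumption; adapt the sets to whichever SaaS platform you audit.

```python
from urllib.parse import urlparse, parse_qs

# Delegated permission scopes that, once consented, give a third-party app the
# kind of mailbox reach the January 2022 campaign was after: read and send mail,
# change inbox rules (MailboxSettings), read contacts and calendars. These are
# Microsoft Graph permission names; treating them as "high impact" is this
# example's assumption, and the set should be adapted to the platform audited.
HIGH_IMPACT_SCOPES = {
    "Mail.Read",
    "Mail.ReadWrite",
    "Mail.Send",
    "MailboxSettings.ReadWrite",
    "Contacts.Read",
    "Calendars.Read",
    "offline_access",  # refresh token: access outlives the browser session
}

# Client IDs of apps the tenant has already reviewed. Constructed placeholder
# value for the example, not a real application ID.
APPROVED_CLIENT_IDS = {"00000000-0000-0000-0000-00000000aaaa"}

# Hosts a reviewed app is allowed to receive the authorization code on (assumption).
APPROVED_REDIRECT_HOSTS = {"app.example.com"}

# Constructed sample links for the example. The authority/path is the Microsoft
# identity platform authorize endpoint; the client IDs and redirect URIs are made up.
SUSPICIOUS_URL = (
    "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
    "?client_id=11111111-2222-3333-4444-555555555555&response_type=code"
    "&redirect_uri=https%3A%2F%2Fexample.invalid%2Fcallback"
    "&scope=Mail.ReadWrite+Mail.Send+MailboxSettings.ReadWrite+Contacts.Read+offline_access"
    "&prompt=consent"
)
BENIGN_URL = (
    "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
    "?client_id=00000000-0000-0000-0000-00000000aaaa&response_type=code"
    "&redirect_uri=https%3A%2F%2Fapp.example.com%2Fcallback&scope=User.Read+openid"
)


def parse_authorization_request(url: str) -> dict:
    """Split an OAuth 2.0 authorization request URL into the fields a reviewer needs."""
    parsed = urlparse(url)
    query = parse_qs(parsed.query)

    def first(key: str) -> str:
        return query.get(key, [""])[0]

    scopes = set()
    for value in query.get("scope", []):
        scopes.update(value.split())  # scope is space-delimited (RFC 6749 section 3.3)
    return {
        "authority": parsed.netloc,
        "client_id": first("client_id"),
        "redirect_uri": first("redirect_uri"),
        "response_type": first("response_type"),
        "prompt": first("prompt"),
        "scopes": scopes,
    }


def assess_consent_request(url: str) -> dict:
    """Rate one authorization URL: which permissions it asks for and whether the app is known."""
    req = parse_authorization_request(url)
    findings = []
    unapproved_app = req["client_id"] not in APPROVED_CLIENT_IDS
    if unapproved_app:
        findings.append(f"client_id {req['client_id']} is not an approved app")
    high_impact = sorted(req["scopes"] & HIGH_IMPACT_SCOPES)
    if high_impact:
        findings.append("requests high-impact scopes: " + ", ".join(high_impact))
    redirect_host = urlparse(req["redirect_uri"]).hostname or ""
    if redirect_host not in APPROVED_REDIRECT_HOSTS:
        findings.append(f"redirect_uri host {redirect_host!r} is not approved")
    if req["prompt"] == "consent":
        findings.append("forces the consent screen (prompt=consent)")
    # An unknown app combined with mailbox-wide scopes is the consent-phishing pattern.
    if unapproved_app and high_impact:
        risk = "high"
    elif unapproved_app or high_impact:
        risk = "medium"
    else:
        risk = "low"
    return {
        "client_id": req["client_id"],
        "high_impact_scopes": high_impact,
        "findings": findings,
        "risk": risk,
    }


if __name__ == "__main__":
    for label, link in (("suspicious", SUSPICIOUS_URL), ("benign", BENIGN_URL)):
        result = assess_consent_request(link)
        print(f"{label}: risk={result['risk']}")
        for finding in result["findings"]:
            print("  -", finding)
```

The same check maps onto prevention as well as triage: the scopes a tenant admin should be most reluctant to let end users self-approve are exactly the entries in HIGH_IMPACT_SCOPES, and restricting user consent for those to an admin-review workflow removes the path the Upgrade app relied on.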
Consent phishing campaigns are on the rise, according to Microsoft, Proofpoint, and other threat analysts. So, too, are other types of cyberattacks that target SaaS apps. Defending against these attacks requires action from both SaaS providers and the businesses using their apps.
Businesses’ Security Responsibilities
One of the main advantages of using SaaS apps is that companies do not need to maintain or secure the apps or the infrastructure on which they run. SaaS providers are responsible for those tasks. However, companies have a few responsibilities.
For starters, businesses are responsible for controlling and securing employees’ access to the SaaS apps. Failing to control and protect the account credentials that employees and groups use to access SaaS apps can result in cybercriminals compromising those credentials and using them to access app data.
Companies also are responsible for properly configuring certain SaaS app settings. SaaS providers let companies configure some app settings (e.g., file-sharing options) so that the apps are customized for their environment. However, misconfigurations can open the door to cyberattacks.
“One slight misconfiguration or unsafeguarded user permission presents a possible attack vector,” according to SaaS security experts. “The thing is that most organizations now have hundreds of SaaS apps. This amounts to hundreds of global settings as well as thousands to tens of thousands of user roles and permissions to configure, monitor, and consistently update. It’s no wonder there are so many exploitable misconfigurations with the sheer volume of settings and configurations.”
Finally, businesses are responsible for backing up their app data to protect against data loss. Although SaaS providers assume responsibility and take measures to protect against data loss due to operational failures (e.g., infrastructural breakdowns, natural disasters), the vast majority of them explicitly state in their terms and conditions that it is the company’s responsibility to protect against data loss due to accidental deletions and security attacks, according to a Forrester report.
Security Measures That Businesses Can Take
To secure employees’ access to SaaS apps, prevent setting misconfigurations, and protect against data loss, companies might consider taking the following security measures:
These security measures provide a good starting point for protecting your company’s SaaS app data. We can help you determine additional measures your business can take based on the SaaS apps being used and your IT environment.
Cloud Computing – Abstract 2 flickr photo by perspec_photo88 shared under a Creative Commons (BY-SA) license