The SaaS Trap: IT Think They’re Doing a Better Job Than They Are
Cloud computing continues to revolutionize how businesses transform.
The sheer potential for rapid-scaling, uber-flexible tech stacks has led companies to jump aboard the cloud revolution with incredible haste. However, a key component that remains all too often overlooked is the fact that any new instance of public cloud is placed upon a teetering pile of loosely-connected apps. Top-heavy tech stacks present major issues for application security: here’s how to jump-start your DevSecOps and keep security at pace with rapid transformation.
The Importance of Cloud Security
Companies continue to incorrectly assume that cloud systems are packaged with inherent security. Though data stored on the cloud, and processes that utilize cloud computing, are safer from physical damage or loss, the reality is that the cloud is just as vulnerable to the vulnerabilities and misconfigurations that plague traditional software. The default settings provided by a new cloud instance are highly unlikely to satisfy even the most basic of corporate security requirements; this leads to a shocking number of avoidable cybersecurity incidents driven by cloud complacency.
Cloud data storage was revolutionary. Providing access regardless of geographical location, while keeping data safe from physical loss or theft, seemed like a dream come true for responsible data management. Amazon Web Services (AWS) is a major corporate provider of cloud storage; its multi-tenant infrastructure provides space for customer data through S3 buckets. The mismanagement of these S3 buckets is responsible for 16% of all cloud security breaches, with 1 out of 6 buckets – out of the 12,328 buckets identified – remaining openly accessible and completely free from access controls. These open buckets are regularly sniffed out via automated scripts – showing that attackers are already keenly aware of this stubborn blind spot.
Edutech giant Chegg recently received FTC action against them thanks to the gross mishandling of their cloud databases. For instance, Chegg used a single AWS access key for all employees and external contractors; this one key provided full admin privileges to every user. Chegg also routinely failed to rotate access keys – and even stored all highly sensitive data on its students in plain text.
These severe mishandlings resulted in no less than 4 separate data breaches occurring since 2017. Though Chegg has represented an astonishing new low for complacency, their plight shows the hidden dangers of cloud app security. With the rapid acceleration in apps that now drive crucial business functions, it is becoming increasingly difficult to oversee the unique security challenges of each component.
The Shadow Trap
A recent report by Torii shed some stark data on the true visibility that even IT professionals hold over their tech stacks. 60% of IT teams are in the dark when it comes to understanding their cloud spread. One of the greatest challenges to the ongoing defenses of vulnerable applications is their sheer volume. A key weapon in this fight against blind spots is communication: the acquisition and active management of cloud apps involve everyone from IT and procurement, to finance and security.
While the Torii report found that collaboration does occasionally occur between IT, finance, security, procurement, and HR – it’s a far cry from where it should be. 90% of IT leaders surveyed praised their collaboration with other teams. The reality, however, is far more isolated: only 20% of IT teams communicate with any sort of regularity, and a mere 5% collaborate on most of an organization’s business-critical tasks.
While IT attempts to bear the burden of security, less than a fifth of all respondents felt confident in aiding in the discovery and remediation of vulnerabilities. The highly-isolated layout of today’s app management is not working, as higher rates of data breaches and skyrocketing breach costs are laid solely on the shoulders of overloaded security teams. A complete view of the entire SaaS stack is now a necessity for businesses to secure sensitive data, ensure authorized access, and meet compliance requirements.
How to Secure The Full Stack
App security is a requirement from development to deployment. Developers are responsible for building the building blocks of application code; this alone must be subject to security considerations. Shifting left plays a more vital role in cloud-native environments, thanks to the fact that almost every component is formed at this critical development stage. Visibility may be one of today’s leading challenges, but automation has already proven itself in the realm of discovery.
A shift-left approach can be supported via the automated scanning of all artifacts, at all stages of the development lifecycle. Key to the full visibility process, organizations must scan container images at all stages of the development process. This artifact scanning must be prioritized depending on the context of each application: its business use, sensitivity, and impact are three key pillars of priority. Public-facing systems should be dealt with sooner than internal pieces, thanks to the greater attack surface that public apps represent.
Once a full inventory of software artifacts has been defined, your security foundation is granted the strength for the next stage of its security lifespan. Continuous security testing is a vital component of cloud-native security. It’s here you can choose whether to take the authenticated testing route or the non-authenticated one. The first describes a black box approach, where applications are tested from an outsider’s position. Though this may seem like an obvious choice, there is a lot to be said for authenticated testing. This can help patch severe security issues that would otherwise have been completely glossed over. Ultimately, both are required for lock-tight security.
The tools in question should, on an application level, identify vulnerabilities within the source code. The pen-testing tools should also actively test apps during runtime, while network vulnerability scanners identify any exposed weak points. Finally, this testing process should regularly occur during off-peak periods; though outages aren’t guaranteed, it’s still best to safeguard against widespread user disruption.