SaaS: Cyber Security vs. Detection
Many firms decide to use clouds for convenience. Some even use them for security, but they might be making a bad mistake.
I use clouds and SaaS cloud offerings for convenience and cost reasons. By design, I do not host my most sensitive data in the cloud. However, many enterprises are making a fatal mistake in cyber security protection versus cyber security detection.
When it comes to which is more secure, you may or may not be better off using SaaS versus in-house. However, when it comes to detecting a targeted attack, unless you take special precautions you may be slightly worse off or FAR worse off in detecting security problems.
Let's compare SaaS for business applications (e.g. SalesForce) versus file sharing (e.g. Dropbox). These are vastly different from an IT security perspective.
For the record, applications like SalesForce and Dropbox appear to offer very good enterprise grade security and CAN even offer detection capabilities when augmented by OTHER solutions we sell that add visibility and control into the data access logs of certain SaaS applications by making use of API calls into audit trails where available.
In the case of business applications like SalesForce, some administrator defines data access rights and privileges to the data. Great, that makes sense.
However, when it comes to many file sharing applications, and certainly personal versus enterprise solutions, the end user decides the access rights! Let me say that again: the end user, and not some administrator, decides the access rights to files they use OR have copied!!! For instance, an end user can temporarily (we know how long that is…) or mistakenly grant public access rights to a file, a folder or even an entire share, and you have NO clue when it's in the cloud. I've even seen some embarrassing examples of internal or channel training programs. Countless examples of internal price lists from either the manufacturer or partner. YouTube, file sharing, the list goes on…
Now add in concerns of data exfiltration and it gets even more concerning. Can you tell on your SaaS offering what records someone accessed before they resigned or were terminated? Wouldn't that be valuable if the hosted data is your crown jewels?
Another thought: if you're doing backups in the cloud or through a SaaS, are you encrypting them? How good is your access detection for backup data?
In terms of password breaches and lack of access detection, let's imagine a scenario… You have a user that used the same password for a personal account completely unrelated to your business that had its password breached (e.g. Ashley Madison). Can you detect if someone else is using that user's credentials for your SaaS or cloud? Why not…? Wouldn't that be an obvious choice for a targeted breach?
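To make the detection questions above concrete, here is an added example (not from the original post and not any vendor's product) that scans a SaaS audit trail for end-user public shares and for logins that suggest someone else is using a user's credentials. The event field names, the sample events and the 4-hour travel window are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit events; the schema is hypothetical, not a real SaaS API.
EVENTS = [
    {"ts": "2024-01-08T08:02:00", "user": "alice", "action": "login", "country": "US"},
    {"ts": "2024-01-08T08:10:00", "user": "alice", "action": "record_read", "country": "US"},
    {"ts": "2024-01-08T09:30:00", "user": "bob", "action": "login", "country": "US"},
    {"ts": "2024-01-08T09:41:00", "user": "bob", "action": "share_public", "country": "US"},
    {"ts": "2024-01-08T10:15:00", "user": "alice", "action": "login", "country": "RO"},
    {"ts": "2024-01-09T08:05:00", "user": "alice", "action": "login", "country": "US"},
]

def detect(events, travel_window=timedelta(hours=4)):
    """Return (rule, user, timestamp) alerts from an audit trail."""
    alerts = []
    seen_countries = defaultdict(set)  # per-user baseline of login locations
    last_login = {}                    # user -> (time, country) of previous login
    for ev in sorted(events, key=lambda e: e["ts"]):  # ISO timestamps sort as text
        ts, user = datetime.fromisoformat(ev["ts"]), ev["user"]
        if ev["action"] == "share_public":
            # The end user, not an administrator, opened data to the public.
            alerts.append(("public_share", user, ev["ts"]))
        elif ev["action"] == "login":
            country = ev["country"]
            # Login from a location this user has never used before.
            if seen_countries[user] and country not in seen_countries[user]:
                alerts.append(("new_login_country", user, ev["ts"]))
            # Two countries within the window: likely two people, one password.
            prev = last_login.get(user)
            if prev and prev[1] != country and ts - prev[0] <= travel_window:
                alerts.append(("impossible_travel", user, ev["ts"]))
            seen_countries[user].add(country)
            last_login[user] = (ts, country)
    return alerts

if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```

A first login has no baseline to compare against, so it never raises `new_login_country`; seed the baseline from historical logs before relying on that rule.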
Well over 90% of the clients we see haven't implemented or even thought of security detection concerns.