Obsidian Security Warns of Rising SaaS Threats to Enterprises

SaaS environments are emerging as an “unaddressed blind spot” in enterprise cyber security for Australian and APAC organisations, according to SaaS security management firm Obsidian Security. This issue is partially attributed to confusion around the shared responsibility model in SaaS contracts.

In September, Obsidian Security, which announced that it is expanding operations across Australia and APAC, said it expects a surge in local organisations re-evaluating their SaaS security strategies once they complete ongoing cloud security reviews.

Andrew Latham, who has joined Obsidian from Crowdstrike as senior sales engineer for Asia-Pacific and Japan, told TechRepublic that local organisations should move beyond paper checklists when assessing SaaS vendor security. He also noted many customers still misunderstand the SaaS shared responsibility model.

SaaS software estates becoming ‘frontline for cyber threats’

SaaS attacks are rising in frequency, Obsidian noted, and the consequences are growing more severe. This year’s breach at Ticketek, an Australian event ticketing company, saw the data of 17 million people become exposed after a threat actor gained access to a third-party provider.

“The implicit trust many organisations have in SaaS providers to configure applications for them often leaves sensitive data unknowingly exposed,” Chisholm said. “Unawareness of the shared responsibility model can leave SaaS applications unsecured, posing a huge risk to businesses’ and individuals’ data.”

SEE: More than 3 in 4 tech leaders worry about SaaS security threats

Latham said SaaS vendor risk in Australia and APAC is comparable to other global markets.

“SaaS platforms are ubiquitous, with easy access from anyone or anything connected to the Internet,” he explained. “What we’re seeing globally is a shift away from complex attacks where endpoints are targeted to access and exfiltrate data, towards simpler attacks aimed at account takeover and data stored in SaaS Systems.”

Obsidian found that more business-critical information is migrating to SaaS. While the number of SaaS applications in use varies widely, Productiv research estimated that companies with fewer than 500 employees use an average of 253 apps — rising to 473 apps for companies with over 10,000 employees.

SaaS shared responsibility model not being assessed in-depth

Organisations often misunderstand their role in the SaaS vendor shared responsibility model for security.

Typically, SaaS vendors and customers collaborate to ensure robust data security. For example, vendors may be responsible for underlying infrastructure security, such as data centers, while customers may primarily manage aspects like user access management or application configuration.

“Most organisations are in the process of securing their Infrastructure-as-a-Service real-estate as they move more workloads to the cloud,” Latham said. “What most don’t realise is that there is a Shared Security Model that all cloud providers, including SaaS, implement.”

He added: “With IaaS, you can implement your own controls. However, with SaaS you cannot. There is a broad assumption the SaaS provider is taking care of the security of the customer data, but they often aren’t.”

Paper-based questionnaires not enough to assess SaaS vendor risk

Paper-based questionnaires are often used during procurement to verify SaaS vendors meet security requirements. Latham said these questionnaires may not provide deep enough insight into how a SaaS provider manages security and protects against risks to data, such as account takeovers.

SEE: Nearly a third of companies suffered a SaaS security breach last year

“The biggest issue would be to understand that a paper-based questionnaire is not enough when assessing a new SaaS provider,” Latham said. “Many recent high-profile breaches have been account takeovers. These kinds of attacks, in relation to the Shared Responsibility Matrix, are above the line where the SaaS vendor takes responsibility.”

SaaS supply chain risk like ‘dark side of the moon’

Extended third- and fourth-party software supply chain risk is common in the SaaS market.

Though organisations assess primary SaaS providers, these vendors often integrate with multiple SaaS vendors themselves in a complicated SaaS mesh, making it difficult to assess real risks to data.

“It’s analogous to the dark side of the moon,” Latham said. “There is up to 10 times as much data transfer happening between third- and fourth-party SaaS systems than there is visible at the ‘front door.’

“While the supply chain might suggest a SaaS provider is a known supplier of services required to support the business, it’s all the unsanctioned integrations that are an issue,” he added.

These integrations can appear “innocent on the surface,” but when exploited can allow adversaries to exfiltrate SaaS data unbeknownst to the SaaS tenant.

“There are many examples where trusted integrations with third- and fourth-party SaaS vendors are abused, exposing data to unauthorised users,” Latham explained.

Obsidian Security expects focus on SaaS after cloud

Australian companies can be thankful that, unlike in some other parts of the world, the market has been largely free of SIM Swap attacks. These attacks occur when cyber criminals trick telecommunications companies into changing a victim’s mobile service to a SIM card that they control.

“ACMA’s [The Australian Communications and Media Authority] requirements for identity checks for telecommunications providers has all but eradicated SIM swapping attacks, which are still prevalent in other regions,” said Latham.

However, the problem of SaaS security remains, though Obsidian believes it will soon become a focus.

“In general, we see many Australian organisations have in-flight projects for IaaS workloads. Once completed, they’ll then look at SaaS. Other markets, like the US, are probably 18 months ahead, having finished their initial IaaS security projects and kicked off SaaS security projects,” Latham said.