Cloud security isn’t a one-way game. Both businesses and providers are responsible. Ensure you fulfill your part of the shared responsibility in SaaS.
In light of the rising popularity of cloud services, security has become one of the top priorities among cloud service providers. Preventing cloud incidents is critical for your reputation, revenues, and compliance. But don’t think your cloud provider is almighty. Your share of the responsibility is no less.
The shared responsibility model is the commonly used approach to cloud security. It outlines the provider’s responsibility for maintaining a secure and continuously available service and the organization’s duty to ensure the secure use of that service. Service providers such as Microsoft Azure, Google Cloud, and IBM Cloud use the shared responsibility model.
At the same time, the split of responsibility shifts depending on the cloud deployment model: Platform-as-a-Service (PaaS), Infrastructure-as-a-Service (IaaS), or Software-as-a-Service (SaaS). In short, IaaS leaves businesses with the largest share of responsibility, including the host infrastructure and network security. The SaaS model, on the other hand, typically requires companies to take responsibility for access control and other application-level security configurations. Read more in our blog post about the shared responsibility model in cloud security.
So, let’s start with SaaS and figure out the bare minimum you should consider to ensure your share of the responsibility is properly addressed.
Cloud technologies offer unprecedented flexibility in how data and systems are stored, accessed, and managed. Cloud computing allows businesses to store, process, and transmit enormous amounts of data. It also simplifies data access and management, thereby extending business opportunities. Furthermore, cloud technologies enable a more flexible remote working model. Thus, the benefits of cloud computing cannot be overestimated.
But there’s another side to the coin. As you migrate your assets to the cloud, the attack surface available to hackers grows significantly. Criminals can’t help but use this opportunity to access sensitive data and steal it for financial gain. Unlike a traditional attack, where attackers target a particular set of IP addresses or a specific localized data center, attacks on cloud services exploit any weakness found in code, configurations, and deployments. Considering that a SaaS platform usually holds data from many customers across the globe, the consequences of every cloud attack may be catastrophic.
Security vulnerabilities in the cloud environment oblige companies to protect sensitive data while demonstrating their responsibility and compliance.
Customers’ data and other sensitive information are your most important assets. The worst mistake is to assume that data privacy and security are the cloud provider’s responsibility. A SaaS provider does secure the physical facilities, host infrastructure, network, and application-level controls of the solution. However, the responsibility for access controls and other security configurations, such as back-ups, often lies with the customer.
We are not questioning the reliability of the SaaS providers. However, even though SaaS companies do their best to ensure their part of cloud security, they can’t guarantee security when it comes to user-driven controls. They are also powerless when customer data leaves the cloud to interact with other systems or when the user’s cloud credentials get compromised.
So, consider the primary actions YOU can take to ensure your part of shared responsibility in the SaaS cloud.
Your business’s cloud-based assets are only as secure as your employees’ credentials. Stolen credentials are one of the most common ways hackers access cloud-hosted data. With stolen or guessed user credentials, hackers can log into the applications and services your business uses.
First, protect all your cloud-based accounts with multi-factor authentication (MFA), which is typically not enabled by default. With MFA, you ensure that only authorized personnel can access sensitive data. It is one of the cheapest security controls: it requires users to provide at least two verification factors to access a resource, drawn from knowledge (password or PIN), possession (e.g., hardware MFA tokens, smartphones), and inherence (fingerprints or voice recognition).
The most frequently used factor is a one-time passcode of 4 to 8 digits, generated at every authentication request and received via email, SMS, or a mobile app.
Want to learn more about exactly what MFA is? Take a look at our blog post, Reinforcing the Weakest Security Link With Access Controls, to get all the details.
Are you sure your employees need access to those specific applications or data? Providing excessive access to an account puts more at stake if that account is compromised.
Managing access is challenging, especially in a large organization. Granting and maintaining proper data access can be messy with many existing accounts and a constant stream of new hires, promotions, relocations, etc.
However, we are not here to look for excuses; we are here to get results. Despite the complexity of the task, employees’ roles should be defined based on their job needs. The best way to do it is to think of roles as labels attached to an identifiable access pattern.
Setting proper authorization levels is your business’s part of the responsibility. It ensures that your employees can only access the data necessary to do their job. Assigning access control shrinks the opportunities for hackers. Furthermore, many regulations and standards, such as HIPAA, PCI-DSS, ISO 27001, etc., require strong access controls to be implemented.
Do your former employees still have accounts on SaaS applications used by the business? Stop it immediately. According to one survey, at least one in four ex-employees is left with access to critical data, and 20% of organizations say they have undergone data breaches from their former employees.
Workforce members typically have access to several applications and systems. Businesses must ensure that all accounts for departing employees are revoked as soon as possible. Also, conduct periodic access reviews to identify what information users can access so any excessive access can be adjusted when necessary.
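The two controls above (roles as labels on an access pattern, and a periodic review that catches departed users and excessive permissions) fit naturally into one script. The following is an added example of our own, not code from any SaaS product: the role definitions, HR roster and account export are constructed sample data, and the permission strings such as `crm:write` are hypothetical.

```python
from dataclasses import dataclass

# Roles as labels attached to an access pattern (constructed example).
ROLE_PERMISSIONS = {
    "sales":   {"crm:read", "crm:write"},
    "finance": {"crm:read", "billing:read", "billing:write"},
    "support": {"crm:read", "tickets:write"},
}

# HR roster: the authoritative source of who works here and in what role (constructed).
HR_ROSTER = {
    "alice": {"role": "sales", "status": "active"},
    "bob":   {"role": "finance", "status": "terminated"},
    "carol": {"role": "support", "status": "active"},
}

# Account export from a SaaS application's admin console (constructed):
# alice has picked up a billing permission, bob has left, dave is unknown to HR.
SAAS_ACCOUNTS = {
    "alice": {"crm:read", "crm:write", "billing:write"},
    "bob":   {"crm:read", "billing:read", "billing:write"},
    "carol": {"crm:read", "tickets:write"},
    "dave":  {"crm:read"},
}


@dataclass(frozen=True)
class Finding:
    kind: str    # "revoke" (user has left), "orphan" (no HR record), "excess" (beyond role)
    user: str
    detail: str


def review_access(roster, accounts, role_permissions):
    """Compare a SaaS account export against HR data and role definitions.

    Returns one Finding per account that needs an administrator's attention;
    accounts whose permissions match their role exactly produce nothing.
    """
    findings = []
    for user, perms in sorted(accounts.items()):
        record = roster.get(user)
        if record is None:
            findings.append(Finding("orphan", user, "no HR record; identify the owner or disable"))
            continue
        if record["status"] != "active":
            findings.append(Finding("revoke", user, f"HR status is '{record['status']}'"))
            continue
        allowed = role_permissions.get(record["role"], set())
        excess = perms - allowed
        if excess:
            findings.append(Finding(
                "excess", user,
                f"beyond role '{record['role']}': {', '.join(sorted(excess))}"))
    return findings


if __name__ == "__main__":
    for f in review_access(HR_ROSTER, SAAS_ACCOUNTS, ROLE_PERMISSIONS):
        print(f"{f.kind:6} {f.user:6} {f.detail}")
```

Run against the sample data, the review flags alice's extra `billing:write`, bob's account that should have been revoked on departure, and dave's orphan account; carol, whose permissions equal her role, is not listed. In practice the roster comes from the HR system and the account list from each application's export or API, but the comparison logic is the same.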
As we mentioned, hackers often gain access to secured information by stealing users’ login credentials, and social engineering techniques such as phishing, spoofing, and piggybacking come in handy for that. Even if you maintain your part of the responsibility for cloud security, the human factor remains one of your most significant weaknesses. To understand the actual scale of the situation, consider that 85% of all data breaches involved human errors, as the Verizon DBIR 2021 report concludes.
Cybersecurity awareness training plays a critical role in reducing cybersecurity threats, including phishing and social engineering. Key training topics typically include password management, privacy, email security, Internet security, and physical and office security. Read more about security awareness training in our post, Security Awareness Training: Important Things to Know.
Imagine a situation where a hacker obtains the account password of one of your employees and corrupts data in the cloud. Or a case where an employee clears out their inbox and folders. Losing data availability is a serious oversight that negatively impacts an organization’s reputation and compliance.
Most cloud service providers give you the possibility to store data. However, no one can guarantee indefinite storage. You are responsible for checking the conditions and timeframes of data back-ups with your cloud provider, so make sure to discuss back-ups with your SaaS providers.
Review cloud application audit logs for suspicious activities. SaaS solutions should write logs that record administrative activities and access to your cloud resources. In short, the logs help you answer “who did what, where, and when?” within your system.
In general, they should provide the following audit logs:
Reviewing the cloud application audit logs for suspicious activities helps you monitor your cloud-based data and systems for possible suspicious behaviors such as data misuse, password guessing attacks, and other threats.
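Two of the behaviors named above, password guessing and data misuse, can be spotted with simple threshold rules over the audit log. The following is an added example of our own, not code from any SaaS vendor: the log format (`timestamp key=value ...`), the field names, the thresholds and the sample events are all constructed for illustration, so adapt the parser to whatever export format your application actually produces.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed audit-log export, one event per line: six failed logins for one account
# from one address within a minute, then a success, then a user pulling 25 documents
# in under half a minute.
SAMPLE_LOG = (
    [f"2024-05-01T08:00:{s:02d}Z user=bob action=login result=failure src=203.0.113.5"
     for s in range(0, 60, 10)]
    + ["2024-05-01T08:01:05Z user=bob action=login result=success src=203.0.113.5",
       "2024-05-01T08:30:00Z user=alice action=login result=success src=198.51.100.7"]
    + [f"2024-05-01T08:31:{s:02d}Z user=alice action=file.download object=report{s:02d}.pdf src=198.51.100.7"
       for s in range(25)]
)


def parse_log(lines):
    """Turn the export into dicts sorted by time; malformed lines are skipped, not guessed at."""
    events = []
    for line in lines:
        parts = line.split()
        if not parts or "=" in parts[0]:
            continue
        try:
            ev = dict(kv.split("=", 1) for kv in parts[1:])
            ev["ts"] = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
        except ValueError:
            continue
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def windowed_threshold(events, predicate, key, threshold, window):
    """Alert when `threshold` matching events share a key inside a sliding time window."""
    recent = defaultdict(deque)
    alerts = []
    for ev in events:
        if not predicate(ev):
            continue
        k = key(ev)
        q = recent[k]
        q.append(ev["ts"])
        while ev["ts"] - q[0] > window:
            q.popleft()
        if len(q) == threshold:  # fires on the event that crosses the line, not on every later one
            alerts.append({"key": k, "count": threshold, "at": ev["ts"]})
    return alerts


def detect_password_guessing(events, threshold=5, window=timedelta(minutes=5)):
    """Repeated failed logins from one source address."""
    return windowed_threshold(
        events,
        predicate=lambda e: e.get("action") == "login" and e.get("result") == "failure",
        key=lambda e: e.get("src", "?"),
        threshold=threshold, window=window)


def detect_bulk_download(events, threshold=20, window=timedelta(minutes=10)):
    """One user downloading an unusual number of objects in a short time."""
    return windowed_threshold(
        events,
        predicate=lambda e: e.get("action") == "file.download",
        key=lambda e: e.get("user", "?"),
        threshold=threshold, window=window)


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for a in detect_password_guessing(evs):
        print(f"{a['at']:%H:%M:%S} password guessing: {a['count']} failures from {a['key']}")
    for a in detect_bulk_download(evs):
        print(f"{a['at']:%H:%M:%S} bulk download: {a['count']} objects by {a['key']}")
```

Both rules share one sliding-window counter, so adding a third (for example, repeated failed MFA challenges or a burst of permission changes by one administrator) is a matter of writing a new predicate and key. The thresholds here are deliberately low to make the sample fire; tune them against a baseline of your own users' normal activity before relying on them.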
There is always much to be done to make your cloud-based assets more secure. Many businesses can’t manage this internally for different reasons, such as a lack of resources, time, or skills.
The Planet 9 team can take on your part of the shared responsibility. Our cloud security experts will assess your cloud infrastructure and provide recommendations for addressing identified security and compliance gaps. Depending on the client’s internal resources, expertise, and availability, Planet 9 can perform all the remediation work, position the client to execute remediation on their own, or supplement the client’s team.
Here we have described what your share of responsibility looks like in SaaS. Continue reading our blog to learn about shared responsibility in other cloud computing services, such as IaaS and PaaS.
If some questions regarding data security in the cloud remain unanswered, please contact our Planet 9 team, and we’ll be happy to assist!