Trespassers will be prosecuted. Trespassers will be shot. Trespassers will be… you don’t want to know.
No one likes trespassers on their property, whether that property is a home, a barn, a field, an office building… or a database.
What is a data breach?
A data breach is a digital trespassing incident. Someone unwanted and unwelcome has entered the place where your data resides. They may have just looked around and left; they may have vandalized your property; they may have walked away with your valuables.
Preventing digital trespassers gets harder when it comes to SaaS data that lives in the cloud, where boundaries are fuzzy and edges are blurred. Door locks, alarm systems and security guards just aren’t helpful here.
Trespassers will be prosecuted - but that won’t necessarily erase the damage they’ve done. Much better to keep them out in the first place. How do you do that - and why is this becoming an increasingly important issue?
SaaS: The Up-and-Coming Data Breach Target
In a 2023 survey of over 3000 IT professionals on cloud security, SaaS applications were voted the top target for attackers. Why does SaaS present an ever more tempting cyber target?
Part of SaaS’ appeal for cyber attackers is the amount of data available within SaaS systems. In a 2023 study we conducted, medium-sized companies had nearly 1.5 million assets on average stored in SaaS applications, whereas large companies had roughly 5.5 million assets. Since SaaS is only getting more prominent as enterprise technology, with the average organization using about 130 different SaaS apps and adding 20-30 additional apps per year, the amount of data stored in SaaS will continue to increase.
Additionally, SaaS applications are attractive to would-be attackers because breaching one system can potentially give an attacker access to a vast amount of information and data from multiple tenants. This promise of an “attack one, get lots free” deal increases the motivation of bad actors to target SaaS systems.
Is SaaS More Vulnerable to Data Breaches?
Many of SaaS’ strengths that contribute to its popularity among enterprises are simultaneously weaknesses when it comes to security.
Empowered end users
SaaS applications provide employees with enhanced control over data, allowing them to easily access, manage, analyze and share information in real-time. Information can also be easily shared with and accessed by parties outside the company, such as vendors or contractors. This decentralized control enables higher levels of efficiency and productivity, which is one of the reasons for SaaS’ growth in popularity.
The tradeoff of decentralized data control is that there are now more links - and consequently more weak links - in the data security chain. Insider threats, whether intentional or accidental, are a primary risk when it comes to SaaS data breaches.
API ecosystem
API-based integrations are an integral part of most SaaS applications. Need more functionality? Just connect another application! SaaS integrations allow seamless connectivity with other tools and systems, enriching the application’s functionality and streamlining business processes.
The downside of seamless connectivity? When we’re all connected, it’s much easier to jump from one of us to the other. In 2022, a malicious actor used stolen OAuth tokens from Heroku, a Salesforce subsidiary that integrated with GitHub, to connect to GitHub’s systems as Heroku. The attacker was then able to access the data of any GitHub user who had integrated Heroku.
SaaS Data Breach Costs are Heavy
Unfortunately, when it comes to a data security breach, you pay for it even if you’re the victim. Data breach costs are both financial and reputational.
A notable example is the 2019 Capital One data breach, where a hacker exploited a configuration vulnerability in Capital One's infrastructure on AWS, gaining unauthorized access to the personal information of over 100 million customers in the United States and approximately 6 million in Canada.
Capital One had to pay an $80 million fine imposed by the U.S. Office of the Comptroller of the Currency (OCC) for failing to establish effective risk assessment processes before migrating its IT operations to a public cloud environment, as well as a $190 million settlement with customers affected by the breach. This data breach also had a notable impact on Capital One's reputation.
A SaaS data security breach is an incident you want to avoid at all costs. But even “TrespaSaaSers Will Be Prosecuted” signs won’t keep motivated bad actors off your data estate. So what will?
The Keys to SaaS Data Breach Prevention
In a nutshell, the following are breach prevention best practices when it comes to SaaS:
- Ensure complete system and event visibility
- Regularly review permissions, access and exposure
- Prioritize anomaly- and context-based alerts
- Educate the end user
Let’s take them one by one.
Ensure complete system and event visibility
If you can’t see it, you can’t protect it. In order to protect your SaaS systems against infiltration and manipulation, you need to be aware of everything that’s going on within them. What is ‘everything’?
‘Everything’ begins with the entities interacting with your data. That includes:
- all users - both employees and parties external to your organization - and the different levels of data access that each has
- all the third-party applications with permission to access your SaaS systems and data
Now that you’ve established which entities are active within your data ecosystem, you need clarity as to all the data assets present there. That means all Google Drive files, Dropbox folders, GitHub repositories, Slack channels… and the list goes on.
The need for visibility is relevant to the interactions between entities and assets, which includes every single time a data asset is:
- Created
- Modified
- Moved
- Shared
- Deleted
This incredibly detailed, comprehensive mapping of your SaaS data ecosystem and traffic is not simple to create, and it certainly can’t be done manually. But it is the requisite foundation of any serious effort to protect your organization against data breaches.
Regularly review permissions, access and exposure
Not only do you need to have a map of your SaaS data ecosystem, you need to refresh it regularly. A senior executive left the company for a competitor. So why does he still have access to over 10,000 SaaS assets? (Yes, we actually found that in a client audit.) That is a security problem waiting to happen, and only with regular review can the problem be spotted and remedied.
This piece of the puzzle also requires automation to be effectively performed at the scale of the typical SaaS ecosystem.
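As an added example (not code from the original post or any vendor), here is the shape of an automated review that joins a permission snapshot against an HR roster and an asset inventory to surface the two findings described above: departed users who still hold access, and external parties with edit rights on sensitive assets. All records, field names and asset identifiers are constructed sample data.

```python
from collections import defaultdict

# Constructed HR roster: who still works here. (Assumed field names.)
ROSTER = {
    "exec.smith":    {"status": "departed"},
    "ann.accounts":  {"status": "active"},
    "bob.marketing": {"status": "active"},
}

# Constructed asset inventory spanning several SaaS apps.
ASSETS = {
    "gdrive:q4-forecast.xlsx": {"sensitive": True},
    "github:billing-service":  {"sensitive": True},
    "slack:#random":           {"sensitive": False},
}

# Constructed permission snapshot: (principal, asset, access level).
# Principals absent from ROSTER are treated as external parties.
GRANTS = [
    ("exec.smith",              "gdrive:q4-forecast.xlsx", "edit"),
    ("exec.smith",              "github:billing-service",  "read"),
    ("exec.smith",              "slack:#random",           "read"),
    ("ann.accounts",            "gdrive:q4-forecast.xlsx", "edit"),
    ("auditor@ext.example",     "gdrive:q4-forecast.xlsx", "read"),
    ("contractor@ext.example",  "github:billing-service",  "edit"),
    ("bob.marketing",           "slack:#random",           "read"),
]

def review_access(grants, roster, assets):
    """Return two finding sets keyed by principal, each listing the assets
    involved so a reviewer can revoke them in one pass."""
    stale = defaultdict(list)     # departed users who still hold grants
    external = defaultdict(list)  # externals with edit on sensitive assets
    for who, asset, level in grants:
        person = roster.get(who)
        if person is None:
            if assets[asset]["sensitive"] and level == "edit":
                external[who].append(asset)
        elif person["status"] == "departed":
            stale[who].append(asset)
    return {"stale": dict(stale), "external_edit_sensitive": dict(external)}

if __name__ == "__main__":
    findings = review_access(GRANTS, ROSTER, ASSETS)
    for kind, hits in findings.items():
        for who, items in hits.items():
            print(f"{kind}: {who} still reaches {len(items)} asset(s): {', '.join(items)}")
```

Run on a real snapshot, the same join would have flagged the departed executive's 10,000-asset footprint in one pass; the external-read grant on the forecast file is deliberately left out of the findings to show how a reviewer narrows the exposure rule.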
Prioritize anomaly- and context-based alerts
One of the most underestimated obstacles to your data breach prevention efforts is ‘the boy who cried breach’:
Many SaaS data security policies that are set to trigger alerts, even if they technically make sense, end up being too broad. Take a policy like “alert anytime someone shares a file with sensitive data with a party outside the organization”. In many organizations, the legal or accounting team may routinely share files containing PII with external contractors. If your information security team gets too many false positives like that, their sensitivity becomes dulled, which increases the likelihood that they will miss a true problem.
On the other hand, if you make the security policy more specific, so that the chances of false positives decrease, you may end up excluding problematic cases that should be caught and reviewed by your security team.
An anomaly-based alert system (whether in conjunction with or independent of policy-based alerts) is critical for successful alert triage. AI and machine learning technology is often a core component of anomaly identification. Many CASBs (Cloud Access Security Brokers) combine awareness of user authorizations and identity with log analysis and behavior analytics to identify anomalous user activity.
So you can still have your “alert anytime someone shares a file with sensitive data with a party outside the organization” policy. But when the accounting team shares a file containing sensitive data with a bank or a pension fund, while it may trigger a policy alert, it won’t trigger an anomaly-based alert - because that is normal behavior within your organization. If someone from the marketing team shares a file containing sensitive data, however, that will trigger an anomaly-based alert.
Ideally, anomaly-based alerts should be complemented by context-based alerts. Even if sharing sensitive files with external financial organizations is usually normal for accounting, if an accountant who is about to leave your company for a competitor shares sensitive files with an external organization, it would be prudent to investigate. An alert system that takes HR and other contexts into account will raise red flags in the appropriate places.
When your information security team is able to focus on and prioritize addressing anomalies and contextually incongruous behavior, it reduces alert fatigue and increases your chances of catching and stopping truly problematic activity.
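As an added example (not code from the original post or any vendor), the following shows the three alert layers described above working together on external-share events: a broad policy rule, an anomaly check against a per-team baseline of which external domains each team normally shares with, and an HR context flag for users who are leaving. The HR data, share history, domains and event schema are all constructed sample data.

```python
from collections import Counter

# Constructed HR context: team membership and whether offboarding has begun.
HR = {
    "ann.accounts":  {"team": "accounting", "leaving": False},
    "carl.accounts": {"team": "accounting", "leaving": True},
    "bob.marketing": {"team": "marketing",  "leaving": False},
}

# Constructed share history used as the baseline: (user, external domain).
# Accounting routinely shares with the bank and the pension fund.
HISTORY = ([("ann.accounts", "bank.example")] * 30
           + [("carl.accounts", "pension.example")] * 12)

def team_baseline(history, hr):
    """Count, per (team, external domain), how often shares have occurred."""
    counts = Counter()
    for user, domain in history:
        counts[(hr[user]["team"], domain)] += 1
    return counts

def triage(event, baseline, hr, min_seen=5):
    """Return the alert kinds an external-share event trips, in order:
    'policy' (broad rule), 'anomaly' (unusual for the team), 'context' (HR)."""
    user, domain = event["user"], event["domain"]
    hits = []
    if event["sensitive"]:
        hits.append("policy")      # sensitive data left the organization
        if baseline[(hr[user]["team"], domain)] < min_seen:
            hits.append("anomaly") # this team rarely shares with this domain
    if hr[user]["leaving"]:
        hits.append("context")     # HR says the user is on the way out
    return hits

# Constructed new events to triage.
EVENTS = [
    {"user": "ann.accounts",  "domain": "bank.example",    "sensitive": True},
    {"user": "bob.marketing", "domain": "bank.example",    "sensitive": True},
    {"user": "carl.accounts", "domain": "pension.example", "sensitive": True},
]

if __name__ == "__main__":
    base = team_baseline(HISTORY, HR)
    for ev in EVENTS:
        print(ev["user"], "->", ev["domain"], ":", ", ".join(triage(ev, base, HR)) or "none")
```

All three events trip the broad policy rule, but only the marketing share is an anomaly and only the departing accountant's share carries HR context, which is what lets a triage queue rank them instead of treating them alike.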
Educate the end user
Cybersecurity education is always important, but nowhere more so than in SaaS, where the end user has such power over data exposure. While many organizations have standalone cybersecurity education programs, much more effective is educating the user in context: when they have actually initiated problematic activity.
Some CASB solutions provide not only awareness and alerts for security teams, but also immediate implementation of remediation processes. If an employee shares a file containing sensitive data, for example, an automated workflow can block the share and inform the employee why, or trigger a warning asking the employee if they are sure it is safe to share. In this way, not only is the problematic activity remediated, but the end user learns more secure practices for the future.
Data trespassers will be stopped
Data breaches have tremendous costs, both financial and reputational, so it pays to take precautions. By getting a full, every-last-detail view of your SaaS data ecosystem and the activity within it, using automation to review regularly, implementing anomaly-based alerts so your security team can focus on what is truly important, and educating the end user so that overall security improves naturally over time, you’ll be doing what it takes to stop digital trespassers at the door.