The Office of Inspector General (OIG) for the Department of Veterans Affairs last week issued a report that claimed that a division in the VA’s Office of Information Technology (OIT) used SaaS applications and application programming interfaces (APIs) that did not meet federal security requirements.
Federal agencies running cloud apps must abide by the guidelines specified by the government’s Federal Risk and Authorization Management Program, known as FedRAMP.
The OIG report found that the VA’s Project Special Forces (PSF) put the data of VA employees and veterans at risk by advocating the use of the following nine unauthorized apps: DropBox, Google Drive, iCloud, GitLab, SlideShare, Evernote, Basecamp, Datadog, and PagerDuty. The OIG also said PSF did not meet VA security requirements when developing application programming interfaces (APIs) and in two instances used APIs other than the ones that were required.
OIG issued the report in response to allegations made in April 2019 about PSF’s security practices. VA’s OIT concurred with the findings and said they would review all the SaaS apps in question and make sure appropriate controls are put in place. They will also fix the APIs and create alerts for any API abuses to better manage the situation.
Having a robust SaaS security management process in place is critical both for government organizations and in the private sector, said Tim Bach, vice president of engineering at AppOmni. Unfortunately, Bach said SaaS security often gets overlooked, a situation that often stems from organizations not realizing that SaaS has evolved and grown to become part of the critical infrastructure stack.
“SaaS applications are increasingly complex and today store data and business processes that are just as critical and sensitive to the organization as what has traditionally been considered critical infrastructure,” Bach said. “SaaS applications aren’t inherently insecure. In many ways, they are more secure than legacy on-prem systems. But SaaS applications are dynamic by nature. There are a growing number of connected third-party applications that are typically part of SaaS ecosystems, the constant onboarding and offboarding of users, and regular vendor updates. To prevent configuration drift, government and corporate SaaS environments need to be continuously monitored to ensure that permissions and configurations reflect the organization’s intent and that sensitive data is secure.”
Ray Kelly, a fellow at NTT Application Security, said public-facing websites are often a front door to private information when not secured properly. In one instance, the OIG report details how the VA’s web application provided an API that did not pass security requirements, a cause for concern given the type of PII the VA collects, because improperly secured APIs can easily lead to excessive data exposure.
“The good news is that it appears the checks and balances between government offices are working,” Kelly said. “The OIG report provides specific information regarding the policies breached and specific web applications that need to be brought up to standards.”
Jason Kent, hacker in residence at Cequence Security, added that, as at most organizations that have implemented systems with APIs, the security implications are often misunderstood. Kent said simple concepts like authentication and authorization are often overlooked and result in unauthorized access.
“In this case it seems to have been caught,” Kent said. “As suggested in the report, analysis of all traffic on APIs is important to understanding that the system is not only responding correctly, but actually gets used in the intended manner. Often when organizations begin performing this analysis, several other issues come to light.”