Think your SaaS provider has your information security completely covered? Think again

As the first decade of cloud computing draws to a close, confidence in the way SaaS and cloud service providers manage data protection and security is very high. Occasionally surveys will highlight concerns, but these are significantly diminished compared to past years.

Most SaaS providers' security standards are much stronger than the typical SaaS user's – a factor driving the widespread adoption of more SaaS-based apps, for more mission-critical functions. This perception is accurate – to a point. True, many SaaS providers are on the cutting edge when it comes to fortifying their defenses, and handle much of the day-to-day work involved in keeping users' data and apps secure, including installations, maintenance, upgrades and patches.

But did you ever stop to consider all the threats that lie on the user's own side – over which no SaaS provider, no matter how reputable or secure, has even the slightest bit of control or jurisdiction? These threats include:

Ransomware - Cloud file solutions (Google Drive, for example) create a second copy of local data which is stored in the cloud. This means that if your data is synced to the cloud, it is protected and secured from ransomware attacks, right? Wrong. If you're infected with ransomware, the files on the local hard drive will be held for ransom (by encryption), and the copies in a cloud file solution will be overwritten with the encrypted versions the next time the computer syncs. This means the "backup" data is now essentially also being held for ransom, and the provider (like the SaaS user) is completely hamstrung. A sync service mirrors whatever is on the endpoint, good or bad; it is not a backup.
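The following simulation, added here and not part of the original article, shows the difference described above: a one-way mirror sync faithfully pushes the damaged files to the cloud, while a cloud-to-cloud backup that keeps each run in its own version folder still holds the clean copies. All folder names, file names and the "infection" (files replaced by random bytes and renamed, no real cipher) are constructed for the example.

```python
import secrets
import tempfile
from pathlib import Path

# Constructed scenario (hypothetical): local sync folder -> mirrored cloud folder,
# plus a versioned cloud-to-cloud backup of the cloud folder.

def seed_local(local: Path) -> dict:
    """Create a few constructed work files; return {name: original bytes}."""
    originals = {}
    for name in ("budget.xlsx", "plan.docx", "notes.txt"):
        data = f"original contents of {name}".encode()
        (local / name).write_bytes(data)
        originals[name] = data
    return originals

def simulate_damage(local: Path) -> None:
    """Stand-in for an infection on the endpoint: each file is replaced by
    random bytes under a new name. Models the loss only; no cipher is used."""
    for f in list(local.iterdir()):
        (local / (f.name + ".locked")).write_bytes(secrets.token_bytes(64))
        f.unlink()

def one_way_sync(local: Path, cloud: Path) -> None:
    """Mirror sync like a cloud file solution: cloud ends up identical to local,
    so renames, overwrites and deletions propagate too."""
    for f in cloud.iterdir():
        f.unlink()
    for f in local.iterdir():
        (cloud / f.name).write_bytes(f.read_bytes())

def versioned_backup(cloud: Path, backup: Path, version: int) -> None:
    """Cloud-to-cloud backup: every run lands in its own version folder,
    and earlier versions are never rewritten."""
    dst = backup / f"v{version}"
    dst.mkdir(parents=True)
    for f in cloud.iterdir():
        (dst / f.name).write_bytes(f.read_bytes())

def run_scenario() -> dict:
    root = Path(tempfile.mkdtemp())
    local, cloud, backup = root / "local", root / "cloud", root / "backup"
    for d in (local, cloud, backup):
        d.mkdir()
    originals = seed_local(local)
    one_way_sync(local, cloud)          # day 1: clean files reach the cloud
    versioned_backup(cloud, backup, 1)  # day 1: backup snapshot v1
    simulate_damage(local)              # day 2: endpoint is hit
    one_way_sync(local, cloud)          # day 2: sync overwrites the cloud copies
    versioned_backup(cloud, backup, 2)  # day 2: v2 is damaged, v1 is untouched
    cloud_names = {p.name for p in cloud.iterdir()}
    v1 = {p.name: p.read_bytes() for p in (backup / "v1").iterdir()}
    return {"cloud_has_originals": all(n in cloud_names for n in originals),
            "v1_matches_originals": v1 == originals}
```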

Insider threats - The term “insider threat” tends to evoke images of malicious employees lurking in the shadows, attempting to steal critical information. The reality is that this type of evil insider is infrequent at most companies, and the real threat is way more likely to be innocent employees who are blissfully unaware they're actually engaging in risky activities.

Consider, for example, an employee who innocently sends data from a SaaS-based email service to their personal email address in order to circumvent a file-size limit prescribed for work email. Or an employee who saves data to a personal USB thumb drive, smartphone or tablet in order to work on it at home. The motivations behind these behaviors are good, even commendable – employees trying to maximize their productivity and get more work done.

But behaviors like this can create significant security hazards - potentially exposing sensitive corporate data if devices are lost, stolen or fall into the wrong hands, or if the employee simply leaves their job for a competitor. There have even been instances of employees creating industry collaboration groups that include employees of competitors. Everyone may be acting in good faith up front, but this creates openings and exposures beyond the view of corporate IT.

Suspicious Third-Party Apps

Industry research shows the use of third-party apps within enterprises has increased 30 times over the past two years. This is largely driven by the “shadow IT” trend, where employees deploy software modules on their own, without express IT authorization. Many of these apps connect with SaaS-based applications – which is where the security concerns arise.

Third-party applications can enhance the SaaS experience by offering features and tools that aren't natively available. Employees can sign up for free or low-cost services that can be expensed without major scrutiny. Examples may include new types of messaging, calendar or accounting software. Once again, employees' goals and intentions may be in the right place – increasing their productivity. But if any one of these apps is backed by a malicious actor, that actor all of a sudden has a free access pass to the organization's critical data and apps, because the permissions the employee granted during sign-up are what the app operator can use.

Protect Yourself – And Your People

SaaS users must never forget the importance of protecting themselves, particularly regarding the growing ransomware threat. Proper backup is the only true protection for SaaS users – and all organizations, for that matter – against ransomware attacks. Cloud-to-cloud backup, which automates data backups from one provider to another, can help avoid the dangerous practice of putting all of one's eggs in one basket.

Regarding insider threats and third-party apps, SaaS users must focus on protecting their people. Organizations should instill a culture of security and implement training on how employees can avoid certain practices that inadvertently create risk – including clicking on unfamiliar links in emails, sending data to personal devices and email accounts, and adopting third-party services.

Given the speed at which most workers are moving today, it can be helpful to supplement this training with automated protections and supports – for example, automated solutions that identify and remove risky data sharing; alert IT to risky or unusual user behaviors; and audit and blacklist suspicious third-party apps. Companies must make clear the reasons for certain restrictions, as well as the fact that surveillance is not a dirty word. Rather, it can provide an added layer of protection to innocent and well-intentioned employees as they themselves try to navigate a growing range of threats.
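As an added example (not from the article or any particular product), here is the kind of automated check the paragraph above describes, run over a constructed SaaS audit log: it flags external file shares and personal-address forwarding rules (the insider behaviors discussed earlier) and third-party app authorizations that are not on an IT allowlist yet request broad data scopes. The log format, field names, domains and app names are all hypothetical.

```python
import json

# Constructed JSON-lines audit log (hypothetical schema, not a real provider's).
SAMPLE_LOG = """
{"ts":"2019-05-02T09:14:00Z","user":"alice@example.com","event":"file_shared","target":"bob@example.com","scope":"edit"}
{"ts":"2019-05-02T09:20:13Z","user":"alice@example.com","event":"file_shared","target":"alice.home@gmail.example","scope":"edit"}
{"ts":"2019-05-02T10:02:41Z","user":"carol@example.com","event":"forward_rule_created","target":"carol.personal@mail.example"}
{"ts":"2019-05-02T11:30:05Z","user":"dave@example.com","event":"oauth_app_authorized","app":"Calendar Sync","scopes":["calendar.read"]}
{"ts":"2019-05-02T11:31:55Z","user":"dave@example.com","event":"oauth_app_authorized","app":"FreeInvoicer","scopes":["mail.read","drive.read","contacts.read"]}
"""

CORP_DOMAIN = "example.com"
APPROVED_APPS = {"Calendar Sync"}                               # assumed IT-vetted allowlist
SENSITIVE_SCOPES = {"mail.read", "drive.read", "contacts.read"}  # broad access to company data

def is_external(address: str) -> bool:
    """True when the address is outside the corporate domain."""
    return address.split("@")[-1].lower() != CORP_DOMAIN

def review_event(ev: dict):
    """Return (severity, reason) if the event matches a risky pattern, else None."""
    kind = ev.get("event")
    if kind == "file_shared" and is_external(ev["target"]):
        return ("medium", f"{ev['user']} shared a file with external account {ev['target']}")
    if kind == "forward_rule_created" and is_external(ev["target"]):
        return ("high", f"{ev['user']} auto-forwards mail to {ev['target']}")
    if kind == "oauth_app_authorized":
        broad = SENSITIVE_SCOPES.intersection(ev.get("scopes", []))
        if ev["app"] not in APPROVED_APPS and broad:
            return ("high", f"{ev['user']} granted unvetted app {ev['app']} scopes {sorted(broad)}")
    return None

def scan_log(text: str) -> list:
    """Parse the JSON lines and return findings as (ts, severity, reason) tuples,
    in log order, for IT to review."""
    findings = []
    for line in text.strip().splitlines():
        ev = json.loads(line)
        hit = review_event(ev)
        if hit:
            findings.append((ev["ts"], hit[0], hit[1]))
    return findings

if __name__ == "__main__":
    for ts, sev, reason in scan_log(SAMPLE_LOG):
        print(ts, sev.upper(), reason)
```

Internal sharing and the allowlisted app produce no finding, so the output is limited to the three events worth a human look.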

In summary, enlisting a SaaS-based provider does not absolve users of the ultimate responsibility for securing and safeguarding their SaaS-based data and applications. New threats are constantly evolving alongside the cloud, necessitating a shared endeavor in which SaaS providers and users reinforce each other, and the user addresses the critical client-side blind spots that no provider can see.