Recently, I talked about an unexplored but potentially devastating issue in InfoSecurity magazine: default Software-as-a-Service (SaaS) configurations. Sure, they're convenient. Technically, they are the settings the SaaS provider recommends. But you must remember that enterprise SaaS providers do not prioritize security; they are interested in user experience and usability.
Along those lines, this article explores how the small inconvenience of monitoring and tweaking SaaS configurations pays dividends.
The Insider Threat Isn't What You Think
In security parlance, an “insider threat” usually refers to a disgruntled employee seeking revenge on their company. However, another security threat looms from well-meaning insiders just trying to do their jobs.
Widely used cloud platforms, such as Office 365 from Microsoft or G Suite from Google, are often administered by IT professionals tasked with all aspects of configuration. Security is not their primary focus. As with most SaaS, the default settings are tuned to empower end-users with full control over collaboration and data access. The default settings often weigh easy access and usability over better security.
At the same time, these desirable capabilities provide ample cause for end-user mistakes that lead to data and security breaches. Revisiting those defaults can go a long way to limit vulnerabilities.
With that in mind, it’s no surprise that Gartner predicts that “through 2023, at least 99% of cloud security failures will be the customer’s fault.” (Gartner clients can read the full document here.) As Gartner emphasizes in the report, organizations often lack the knowledge, budget, or sense of urgency to optimize their cloud environment. Hackers know that cloud assets are more uniformly configured and share the same default settings, making each vulnerability relevant to huge numbers of end-users across numerous organizations.
Some Breaches Start With Misconfigurations
Some large-scale data breaches have been due to public file shares, unencrypted data, compromised accounts, and weak password settings.
In many of these cases, the default settings — for example the unlimited ability to share data outside the organization — are partly to blame for the breach. While security-conscious firms may have opted for multi-factor authentication (MFA) enforcement on logins and password strength requirements, these are not among the “out of the box” settings.
On top of this, SaaS providers continuously (and sometimes drastically) update their environments with new features. Such updates naturally focus on backward compatibility and smooth upgrades for end-users, but may also introduce new security exposure. Since SaaS upgrades are pushed, few admins have visibility into when they arrive, and almost no time to fully master all the related security configurations before they go live.
For example, in an effort to provide better security manageability in Office 365, Microsoft has changed the way admins manage threats by moving most configurations to the Security & Compliance Center. That said, the evolution of the administrator experience, coupled with potentially unclear and inaccessible documentation, still presents ongoing challenges to staying on top of cyber threats.
Account Takeover: The Common Hack in the Age of SaaS
Many organizations see a constant flow of credential harvesting phishing attacks. Those using Office 365 in particular have reported an uptick in compromised accounts.
This has significantly increased the need for enabling MFA, which is not part of the default settings. Although MFA creates friction for end-users, it is a must-have.
For example, setting up MFA in Office 365 is not straightforward. Microsoft offers two separate solutions — Active Directory Federation Services (ADFS) and Azure AD; then there are third-party solutions such as Okta. On top of this, there are several non-default yet highly important configurations, such as disabling legacy authentication, which an admin needs to be aware of to properly deploy MFA.
Other, more advanced technologies that govern whether a user is granted access — such as conditional access, which evaluates signals like geography, sign-in risk, and more — can be implemented, but they require additional configuration and are therefore generally only present in the most security-savvy organizations. At the very least, an automated mechanism to monitor logins should be a core requirement for any environment.
Keeping an eye on the permissions of highly empowered accounts (including admins) who are not part of the security team is also important. Security features that may limit usability but tighten controls should be acceptable here.
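The "automated mechanism to monitor logins" called for above, together with the point that legacy authentication protocols let a password-only sign-in bypass MFA, can be illustrated with a small offline analyzer. The following is an added example, not code from the article or from any vendor: it runs over a few constructed sign-in records in a simplified, assumed layout (`time`, `user`, `ip`, `client_app`, `mfa`, `result`), which is not any provider's real export schema, and flags three things worth an admin's attention: successful sign-ins through legacy protocols, interactive sign-ins that completed without MFA, and bursts of failures from one IP across many accounts (the shape of a credential-harvesting or password-spray attempt).

```python
"""Flag risky sign-ins in an exported sign-in log (added example).

The record layout and the protocol names below are assumptions for
illustration, not a vendor's actual log schema.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Protocols that cannot complete an MFA challenge: a sign-in through
# them succeeds on the password alone, which is why legacy
# authentication should be disabled before MFA is considered effective.
LEGACY_CLIENT_APPS = {"IMAP4", "POP3", "SMTP AUTH", "Exchange ActiveSync", "Other clients"}

FAILURE_THRESHOLD = 5                    # failed sign-ins from one IP ...
FAILURE_WINDOW = timedelta(minutes=10)   # ... within this sliding window

# Constructed sample records (not real log data).
SAMPLE_LOG = [
    {"time": "2020-03-02T08:00:00", "user": "alice@example.com", "ip": "203.0.113.10",
     "client_app": "Browser", "mfa": True, "result": "success"},
    {"time": "2020-03-02T08:05:00", "user": "bob@example.com", "ip": "203.0.113.11",
     "client_app": "IMAP4", "mfa": False, "result": "success"},
    {"time": "2020-03-02T08:06:00", "user": "carol@example.com", "ip": "203.0.113.12",
     "client_app": "Browser", "mfa": False, "result": "success"},
] + [
    # six failures in six minutes, six different accounts, one source IP
    {"time": f"2020-03-02T09:0{i}:00", "user": f"user{i}@example.com", "ip": "198.51.100.7",
     "client_app": "Browser", "mfa": False, "result": "failure"}
    for i in range(6)
]


def parse_time(stamp: str) -> datetime:
    return datetime.fromisoformat(stamp)


def find_legacy_auth(log):
    """Successful sign-ins through a protocol that bypasses MFA."""
    return [r for r in log
            if r["result"] == "success" and r["client_app"] in LEGACY_CLIENT_APPS]


def find_mfa_gaps(log):
    """Successful interactive sign-ins that completed without MFA."""
    return [r for r in log
            if r["result"] == "success"
            and r["client_app"] not in LEGACY_CLIENT_APPS
            and not r["mfa"]]


def find_failure_bursts(log, threshold=FAILURE_THRESHOLD, window=FAILURE_WINDOW):
    """Map IP -> largest number of failed sign-ins seen inside one window.

    Only IPs reaching the threshold are returned.
    """
    by_ip = defaultdict(list)
    for r in log:
        if r["result"] == "failure":
            by_ip[r["ip"]].append(parse_time(r["time"]))
    bursts = {}
    for ip, times in by_ip.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            # shrink the window from the left until it spans <= `window`
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                bursts[ip] = max(bursts.get(ip, 0), count)
    return bursts


def summarize(log):
    """Compact report an admin could review daily or feed into alerting."""
    return {
        "legacy_auth_users": sorted({r["user"] for r in find_legacy_auth(log)}),
        "no_mfa_users": sorted({r["user"] for r in find_mfa_gaps(log)}),
        "failure_bursts": find_failure_bursts(log),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

On the constructed sample this reports one legacy-protocol user (bob), one interactive sign-in without MFA (carol), and a six-failure burst from 198.51.100.7. The legacy-protocol list is the more important of the two MFA findings: an account appearing there has a working sign-in path that MFA enforcement never touches, so the remediation is the configuration change the article names (disable legacy authentication), not a user-facing MFA prompt.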
Employees Don’t Need to be Hacked to Expose Your Data
The human element is the weakest link in every security strategy. Beyond compromised accounts, admins must also adjust permissions so that authentic users don’t accidentally leak confidential data.
This exposure can come in the form of mistakenly emailing confidential or personal data, sharing files publicly instead of restricting their use, or leaving the door open for hard-to-find email routing rules: an attacker who has taken over an account, and therefore appears in every way to be a real, authenticated user, can create inbox rules that hide sent and received messages from the account's owner.
Common SaaS platforms often provide configuration options to mitigate that risk, for example, preventing shares outside the organization, not allowing inbox rules to send email to an external address, and more. After you learn these capabilities and assess your organization’s needs, make sure to configure them securely.
Never select a configuration just because it is the default.
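The inbox-rule risk described above is easy to audit once rules are exported, and the audit is a useful complement to the tenant-level setting the article recommends (not allowing rules to send mail to external addresses). The following is an added example, not code from the article or from any vendor: it runs over constructed rule records in a simplified, assumed layout (`mailbox`, `name`, `forward_to`, `redirect_to`, `delete`, `move_to`, `subject_contains`), which is not any provider's real export format, and flags the patterns that hide or exfiltrate mail: forwarding or redirection to an address outside the organization's domains, deleting matching messages, moving them into folders users rarely open, keyword conditions on sensitive subjects combined with any of those actions, and near-empty rule names.

```python
"""Audit exported mailbox inbox rules for hiding/exfiltration patterns
(added example; the rule layout below is an assumed simplification)."""

# Domains that count as "inside the organization" (assumed for the example).
INTERNAL_DOMAINS = {"example.com"}

# Folders that are convenient hiding places because users seldom look there.
OBSCURE_FOLDERS = {"RSS Feeds", "RSS Subscriptions", "Conversation History",
                   "Junk Email", "Archive"}

# Subject keywords whose suppression is a red flag when paired with a hiding action.
SENSITIVE_KEYWORDS = {"password", "invoice", "wire", "payment", "security alert"}

# Constructed sample rules (not real mailbox data).
SAMPLE_RULES = [
    {"mailbox": "alice@example.com", "name": "Newsletters",
     "forward_to": [], "redirect_to": [], "delete": False,
     "move_to": "Newsletters", "subject_contains": ["newsletter"]},
    {"mailbox": "bob@example.com", "name": ".",
     "forward_to": ["drop@external.invalid"], "redirect_to": [], "delete": True,
     "move_to": None, "subject_contains": []},
    {"mailbox": "carol@example.com", "name": "cleanup",
     "forward_to": [], "redirect_to": [], "delete": False,
     "move_to": "RSS Feeds", "subject_contains": ["invoice", "payment"]},
]


def is_external(address: str) -> bool:
    """True when the address's domain is not one of ours."""
    domain = address.rsplit("@", 1)[-1].lower()
    return domain not in INTERNAL_DOMAINS


def audit_rule(rule: dict) -> list:
    """Return human-readable findings for one rule (empty list = nothing notable)."""
    findings = []
    external = [a for a in rule["forward_to"] + rule["redirect_to"] if is_external(a)]
    hides = rule["delete"] or rule["move_to"] in OBSCURE_FOLDERS

    if external:
        findings.append("forwards/redirects to external address(es): " + ", ".join(external))
    if rule["delete"]:
        findings.append("deletes matching messages")
    if rule["move_to"] in OBSCURE_FOLDERS:
        findings.append(f"moves messages to rarely viewed folder '{rule['move_to']}'")

    keywords = [k for k in rule["subject_contains"] if k.lower() in SENSITIVE_KEYWORDS]
    if keywords and (hides or external):
        findings.append("hides messages matching sensitive keywords: " + ", ".join(keywords))

    # Names like "." or "" keep the rule from standing out in the rule list.
    if len(rule["name"].strip(" .")) <= 1:
        findings.append("near-empty rule name")
    return findings


def audit(rules: list) -> dict:
    """Map (mailbox, rule name) -> findings, only for rules with at least one."""
    report = {}
    for rule in rules:
        findings = audit_rule(rule)
        if findings:
            report[(rule["mailbox"], rule["name"])] = findings
    return report


if __name__ == "__main__":
    for (mailbox, name), findings in audit(SAMPLE_RULES).items():
        print(f"{mailbox} / rule '{name}':")
        for finding in findings:
            print(f"  - {finding}")
```

On the constructed sample, Alice's rule is benign and produces no findings, Bob's rule is flagged for external forwarding, deletion, and a near-empty name, and Carol's rule is flagged for diverting invoice and payment mail into the RSS Feeds folder. Running this kind of check periodically over every mailbox is the detection side; the prevention side is the platform setting that blocks external forwarding in the first place.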
Staying Ahead of Cloud Hackers
There are many additional configurations that help reduce the attack surface. Some areas of interest are mail flow rules, spam rules, and threat protection policies. At the same time, attack vectors constantly change and SaaS providers constantly add security features. But those are often not activated by default, and IT managers must continually train themselves and explore new features and configurations as those platforms continue to evolve.
By educating themselves on configurations across platforms, admins can better understand the impact of tuning on threat management. This knowledge can often be gained by carefully checking release notes (sign up for automated alerts) and habitually visiting the SaaS vendors’ security center (at least monthly), for example.
When it comes to securing cloud-based collaboration environments, revisiting defaults, periodic review, and thoughtful monitoring of configurations are the first steps towards securing your SaaS. Good configuration is good security!