Imagine you’re one of Mr. Cooper’s customers, and you have to make a payment to the major mortgage lending company as soon as possible. So, you open its website to do the deed – and come to a stop. A bright red banner glares at you from the top of the screen, announcing a system/technical outage. Mr. Cooper’s systems are down – and nobody knows why, how, or when they’ll be back up.
In October 2023, Mr. Cooper announced that it had been attacked by an unauthorized third party. The target was an unsecured Google Cloud storage bucket, and the result was Mr. Cooper’s IT systems shutting down and over 2 million customers being unable to make payments through the online payment portal, a major blow for the mortgage loan servicer.
As the number of third-party SaaS applications that businesses rely on for day-to-day operations increases, so does the risk they are exposed to. SaaS applications are built on shared infrastructure, so when a security loophole is discovered in a SaaS application, the vendor is not the only party at risk. The data of every company using that application is potentially exposed, and any insufficiently protected company faces a potentially major breach.
SaaS Strategies Have A Real Cost – For Security And For Growth
SaaS application breaches are almost inevitable. Many companies have hundreds of applications in their SaaS infrastructure, and the chances of security lapses and misses just increase as this number goes up. In 2023 alone, 200 million people, consumer accounts, and profiles were impacted by over 30 major breaches.
If you’re a technology leader, then SaaS breaches aren’t just about data loss or system failure. They’re also about disrupted technology growth and business.
SaaS security is the weakest link in any company’s business strategy, and for technology leaders, this detail should warrant deep concern. After all, a company’s SaaS infrastructure is driven by its technology strategy. It is also the tech leader’s responsibility to ensure the technology stack is supporting the business and not disrupting it. And when it comes to SaaS applications, if appropriate security measures are not taken, then your own tech strategy and SaaS infrastructure can put your company at risk.
SaaS-dependent tech strategies support critical business functions such as sales, HR, finance, etc.
Avoiding using SaaS applications is not practical, so it is critical for technology leaders to acknowledge their over-reliance on SaaS applications and proactively safeguard company data and customer trust.
What Technology Leaders Need To Understand About SaaS Security
SaaS is often marketed with security assurances, and as a result SaaS security is deeply misunderstood by technology leaders. Leaving these misconceptions uncorrected is a risky game. To protect both their tech stack and tech-fueled company growth, technology leaders need to understand how SaaS security actually works. Some basic facts about SaaS security are:
- Not all SaaS application vulnerabilities are managed by the vendor: SaaS vendors do have measures in place to report known vulnerabilities to users, but the responsibility to address these vulnerabilities still lies with the customer.
- Third-party integrations and APIs in your SaaS infrastructure are not secure by default: Without proper monitoring on the customer’s (i.e., the company’s) end, downstream integrations, API calls on SaaS applications, and other exposures such as guest user access can easily result in data loss.
- SaaS use is not necessarily compliant with major regulations: A SaaS vendor’s compliance does not extend to customer data, identities, or applications that customers build on top of the vendor’s application. Common misconfigurations and a lack of access monitoring in SaaS applications can put companies at risk of legal and regulatory non-compliance.
- SaaS customers are contractually responsible for securing client data and its access: SaaS vendors are only responsible for protecting their own backend infrastructure. They do provide capabilities and controls that enable companies to protect their data better, but the companies using their services are the ones responsible for protecting themselves by using these capabilities or add-on third-party tools.
All of these misconceptions can be undone by understanding one fundamental point: securing SaaS applications is a shared responsibility, and both the vendor and the company using the application are accountable for maintaining security. For technology leaders, this becomes a partnership effort with their CISOs and application teams.
Technology Leaders and CISO Collaboration Is Crucial To Implement A Secure SaaS Strategy
While security leaders will undertake a comprehensive SaaS security program, there are certain steps that technology leaders should take to ensure that their company is well-protected, such as:
- In organizations with an expansive SaaS infrastructure, technology leaders need to prioritize securing SaaS applications that pose the highest risk to the business to ensure critical processes are protected. Attempting to tackle all applications in your SaaS infrastructure at once can easily result in things slipping through the cracks, potentially leaving critical vulnerabilities unaddressed.
- Technology leaders need to establish a governance framework that works with the security team to periodically evaluate new technologies being onboarded by their company, rather than treating security as an afterthought for SaaS applications. A structured SaaS sanctioning and SaaS risk assessment process will also help the company replace outdated or vulnerable systems and, thus, phase out less secure applications and processes as needed.
- Technology leaders should carefully design downstream integrations in SaaS environments and, where possible, sign support contracts with SaaS vendors for maintaining security and safeguarding the company against fourth-party risks.
Measures like these are a starting point for minimizing the risk your company is exposed to, no matter what SaaS applications it might be using. When high-value assets like customer data, transactions, IT systems, and so on are insufficiently protected, a very tangible business risk emerges.
The Move Forward for Technology Leaders
As is clear by now, technology leaders need to ensure that their companies are carefully monitoring how SaaS applications are configured and used. Incorporating security in your company’s SaaS expansion strategy ensures that SaaS applications effectively perform the functions they’re required for, and also that your infrastructure isn’t unnecessarily exposing your company to external risks.
However, getting the configurations right on all the applications that are part of your SaaS infrastructure is an uphill battle. This is where BluOcean comes in. Our experts know exactly how to configure different SaaS applications to help technology leaders secure their company against any threats stemming from their tech strategy – so let us help you figure out how safe your SaaS security infrastructure truly is and ensure it is as secure as it needs to be.
Written by: Himanshi Mehra