Rise of SaaS increases vulnerability to insider threats

A new study finds that file sharing applications are a particular problem in SaaS security, with accidental exposure of information being the biggest source of internal threats.

A new study finds that the complexity and security issues of SaaS applications are a key problem for organizations of all types. The biggest risks come from popular file storage and content sharing apps, and from user error rather than malicious insiders or compromised sources. The data comes from SaaS operations management vendor BetterCloud’s first insider threats report, the “State of Insider Threats in the Digital Workplace 2019.”

The data comes from two sources: a survey that captures perceptions, and BetterCloud’s own customer data.

“We did a survey with customers and prospects and asked them some very pointed questions on what they felt about insider threats,” said Shreyas Sadalgi, BetterCloud’s Chief Business Strategy Officer. “We had been seeing a trend over the last 18 months around insider threats. So we also went back into our own product data and analyzed it and anonymized it to protect privacy. That was the second part of the study, and the conclusions reflect facts from both aspects.”

The survey sample included 491 executives, ranging from C-level executives to IT admins to security engineers, at organizations ranging from SMBs to large enterprises across many industries. The second part is based on data from over 2,000 BetterCloud customers.

The report defined an insider threat as a current or former employee, contractor, or business partner who has access to an organization’s network, systems, or data and falls into one of three groups:

  • Compromised (exploited by outsiders through compromised credentials)
  • Malicious (intentionally causes harm, either for personal or financial gain), or
  • Negligent (well-meaning, but accidentally exposes sensitive information)

Based on the data, the report concluded that insider threats are being fundamentally transformed, and made more dangerous, by the rise of SaaS applications. These apps contain new attack vectors and data leakage points, which is leading to a new type of insider threat. With the rise of SaaS apps, data now lives in these apps, not in endpoints. In 2017, companies used 16 SaaS apps on average, up a third from 2016. 73 per cent of organizations said over 80 per cent of their apps will be SaaS by 2020. This explosion of SaaS apps has, in turn, given end users more freedom when using them, and given IT less control.

“These SaaS platforms have been democratized to the end user, but with that, much responsibility for the care of assets is moved to the end user,” Sadalgi indicated. “As a result, if the end user implements the wrong setting, the file gets shared publicly. Box had an issue with negligent configurations which exposed several companies’ data.”

This changed environment is a key reason why 62 per cent of respondents believe the biggest security threat comes from that category of well-meaning but negligent end users. Only 21 per cent thought malicious actors were the biggest threat, with only 17 per cent thinking compromised users were the main insider danger.

“Many insider threats are simply the result of wrong settings and configurations in SaaS applications,” Sadalgi emphasized.

Another issue is that the quick rise of SaaS has created dangerous blind spots precisely because it is new, and many security professionals are still learning it. Best practices are rudimentary, and 78 per cent of those surveyed said they were just getting started managing SaaS apps or teaching themselves.

“Like any kind of problem, awareness is the first step to prevention,” Sadalgi said. “Things are happening because security isn’t familiar with the problems. We have gone into a customer environment and found people who were no longer with the company had left file sharing links turned on. The company found this out two years later. So in the meantime, you had confidential data flowing out because a pipe was left open. Security doesn’t know they exist. C level won’t know about it at all. It only comes up to that level once a breach happens.”

Security also has not been top of mind in most SaaS applications, Sadalgi said.

“It is something they tend to overlook,” he said. “SaaS vendors build for productivity, which includes exposing connectivity to APIs. Security is an afterthought.”

A third major issue is that file sharing permissions and configurations are complex, making misconfigurations easy. 75 per cent of the survey respondents believe that the biggest insider risks come from cloud storage/file sharing and email. 41 per cent believe that cloud storage/file sharing is the biggest danger, which BetterCloud says makes sense because that’s where their valuable data tends to be stored.

“We see the content sharing apps – Google Drive, Dropbox, Box, Slack, OneDrive – as the biggest threat,” Sadalgi said.

“The vulnerabilities in SaaS won’t lessen demand for SaaS, any more than when we discovered computer viruses, we didn’t stop using computers,” Sadalgi indicated. “Adoption of SaaS will increase regardless. There are solutions to mitigate that risk. We specifically built out our application from an inside-out approach, unlike a CASB, whose users feel vulnerable because it sits in the middle of traffic and looks into the app from the outside. We also co-operate closely with each SaaS vendor, understanding their APIs.”

The report also found that almost all those surveyed, 91 per cent, said they feel vulnerable to insider threats. Yet at the same time, only 26 per cent of C-level execs say they have invested enough to mitigate the risk of insider threats, while 44 per cent of IT managers said this.

“The report by itself should be an eye opener to C-level execs to do something about this,” Sadalgi stated.