SaaS Security Risks: It's the Users, Stupid
Black Hat workshop to discuss security concerns of software-as-a-service applications. Not surprisingly, uninformed users pose some of the biggest risks.
Software-as-a-service (SaaS) applications offer organizations convenience and constant feature refreshes without the need to install and deploy software on-premises. But SaaS also brings a host of security concerns that could open an enterprise's data to attack.
At the Black Hat USA conference in Las Vegas this week, security researchers from Adallom will present a workshop outlining some potential risks of SaaS applications that enterprises might not have considered.
Tal Klein, VP of Strategy at Adallom, explained to eSecurityPlanet that an often-cited challenge of SaaS is the risk of shadow IT, services and content being run outside of the domain and knowledge of an enterprise's IT department. Klein asserted that many IT users believethat simply encrypting their data protects them from cloud and SaaS risks. However, he noted, encryption typically only protects users if the SaaS provider itself gets compromised.
It is more common for attackers to go after individual users or corporate accounts with phishing campaigns and other attack techniques in order to steal user access credentials. "In that case it doesn't matter if the data is encrypted or not, because the attacker will still get access to the data," he said.
SaaS Users at Risk
With SaaS, the attack surface shifts from the traditional application deployment landscape. Instead of infrastructure itself being the primary target, attacks are moving toward users who hold access rights to data. Individual users of SaaS apps also typically do not have appropriate security controls in place to fully minimize risk.
One advanced technique that Adallom will walk through with Black Hat attendees is an attack that could potentially steal a user's Google login credentials. Using a malicious page sitting on Google Sites, the attack tricks users with a phishing email. Since the user is already logged into Google, the attacker can then pivot and gain access to the user's other Google Apps.
"If I were to share a Google Doc with a user, Google asks the user to authenticate to Google Apps anyway," Klein said. "So you can design an attack that looks like a legitimate document and have a real document at the end of the attack chain, but the login sequence is faked."
Users are not necessarily aware of the attack, because at the end of the click they get the document, Klein noted.
Adallom will also discuss social masquerading, attacks in which fake social media profiles that are trusted by the victims are created. For example, attackers could create a fake LinkedIn profile for the CEO of a company and then send requests to employees of that company. The requests could require users to already be logged into the social media site, which allows the attacker to potentially steal the user's access.
Session highjacking, which doesn't always need to be linked to phishing exploits, is another route to SaaS exploitation. "When a user hands over their login token, it provides more powerful access than simply handing over a username and password," Klein said.
Two-factor authentication is often recommended to prevent the risk of phishing attacks that go after user's login information. With two-factor authentication, a second password (or factor) is required to gain access to a site or service.
"With a token session highjacking, the attacker is tricking the user into authenticating into service they want access to and then forking the session and taking it over," Klein said. "Once the attacker has the token, the attacker is acting as the user inside the session."
One of Adallom's key messages is that a SaaS attack requires only the break-in stage. Once attackers have access, they have the data too.
While some may believe that SaaS providers have the responsibility to provide all user security, Klein argued that it's a shared responsibility model. While SaaS vendors should take steps to secure users, they cannot be accountable for human error, he said.
"SaaS attacks are often invisible, and they are fairly easy to execute," Klein said
To help prevent SaaS-related attacks, Klein recommends educating users about the risks. 'We also encourage organizations to get procurement teams involved in understanding the shared responsibility model," he said.
In addition, Adallom and competitors such as Netskope and Skyhigh Networks provide what is known as cloud access security brokers, which Gartner describes as "on-premises, or cloud-based security policy enforcement points, placed between cloud service consumers and cloud service providers to combine and interject enterprise security policies as the cloud-based resources are accessed."
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.