Don’t Leave Your Cloud App Data Vulnerable

When cloud computing was first introduced, most businesses were reluctant to try the apps being offered by public cloud service providers. Companies were mainly concerned about whether their data and other IT assets would be secure. 

Nowadays, that’s no longer the case. The apps offered by public cloud service providers — collectively known as Software as a Service (SaaS) apps — are popular among businesses. Companies use an average of 110 SaaS apps, according to one study. However, more than half of them admit to not investing enough resources to protect the data within the apps. This is problematic because SaaS apps are also popular among cybercriminals. 

For example, cybercriminals targeted companies using Microsoft 365 in January 2022. The attackers wanted to access employees’ Outlook apps so that they could read and send emails, change inbox rules, view employees’ contacts, examine calendars, and more, according to Microsoft. The cybercriminals did not access Outlook by stealing, guessing, or tricking employees into revealing their passwords. Instead, they used a consent phishing campaign. 

In consent phishing attacks, cybercriminals try to dupe SaaS users into giving a malicious app the permissions it needs to access data or other resources. In the January 2022 attack, the cybercriminals tricked Outlook users into granting permissions to a malicious app named Upgrade. 

The malicious apps used in consent phishing campaigns abuse OAuth request links. These links allow users to share information about their accounts with a third-party app or website, without having to give the app or site their passwords. 

Consent phishing attacks are not limited to Microsoft’s cloud apps. Any SaaS app that uses OAuth 2.0 authorization is vulnerable. For instance, cybercriminals have used this type of attack to access users’ data in Google Gmail.
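As an added illustration of the OAuth request links described above (this is example code written for this page, not material from the original post or from Microsoft), the function below parses an OAuth 2.0 authorization link and reports the signals a defender would review: which Microsoft Graph permissions it requests, whether it asks for offline access, and where it redirects. The permission names are real Graph delegated scopes; the risk tiers, the trusted redirect host and the sample link are this example's own constructed assumptions.

```python
from urllib.parse import urlparse, parse_qs

# Real Microsoft Graph delegated permission names. The tiering below is this
# example's own assumption about what a mailbox-reading app would ask for.
HIGH_RISK_SCOPES = {"Mail.ReadWrite", "Mail.Send", "MailboxSettings.ReadWrite",
                    "Contacts.ReadWrite", "Calendars.ReadWrite"}
MEDIUM_RISK_SCOPES = {"Mail.Read", "Contacts.Read", "Calendars.Read",
                      "MailboxSettings.Read", "offline_access"}


def assess_consent_link(url, trusted_redirect_hosts):
    """Parse an OAuth 2.0 authorization request link and report risk signals.

    trusted_redirect_hosts: hosts the organisation knows its own integrations
    redirect back to; any other redirect target is flagged for review.
    """
    parsed = urlparse(url)
    params = parse_qs(parsed.query)

    def first(key):
        return params.get(key, [""])[0]

    # 'scope' is a single space-separated parameter (RFC 6749); parse_qs has
    # already decoded %20 and '+'. Graph scopes may carry a URL prefix, so
    # only the last path segment is compared against the tiers above.
    scopes = {s.rsplit("/", 1)[-1] for s in first("scope").split()}
    redirect_host = urlparse(first("redirect_uri")).hostname or ""
    high = sorted(scopes & HIGH_RISK_SCOPES)
    medium = sorted(scopes & MEDIUM_RISK_SCOPES)
    untrusted_redirect = bool(redirect_host) and redirect_host not in trusted_redirect_hosts

    findings = []
    if high:
        findings.append("requests write/send access: " + ", ".join(high))
    if "offline_access" in scopes:
        findings.append("requests offline_access: refresh token outlives a password change")
    if untrusted_redirect:
        findings.append("redirects to unrecognised host " + redirect_host)
    if first("prompt") == "consent":
        findings.append("forces the consent screen even for previously approved apps")
    verdict = "high" if (high or untrusted_redirect) else ("medium" if medium else "low")
    # Note: parsed.hostname is usually the genuine identity provider in a consent
    # phishing link; a legitimate login host is therefore not evidence of safety.
    return {"client_id": first("client_id"), "authorize_host": parsed.hostname,
            "high_scopes": high, "medium_scopes": medium,
            "redirect_host": redirect_host, "findings": findings, "verdict": verdict}


# Constructed sample showing the shape of such a link; the client_id is a placeholder.
SAMPLE_LINK = ("https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
               "?client_id=00000000-0000-0000-0000-000000000000&response_type=code"
               "&redirect_uri=https%3A%2F%2Fmailbox-tool.example.test%2Fcallback"
               "&scope=openid+offline_access+Mail.ReadWrite+Mail.Send+Contacts.Read"
               "&prompt=consent")
```

Running `assess_consent_link(SAMPLE_LINK, {"intranet.example.test"})` returns a "high" verdict with four findings; the same check on a link that asks only for `openid User.Read` and redirects to the trusted host returns "low" with none.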

Consent phishing campaigns are on the rise, according to Microsoft, Proofpoint, and other threat analysts. So, too, are other types of cyberattacks that target SaaS apps. Defending against these attacks requires action from both SaaS providers and the businesses using their apps. 

Businesses’ Security Responsibilities 

One of the main advantages of using SaaS apps is that companies do not need to maintain or secure the apps or the infrastructure on which they run. SaaS providers are responsible for those tasks. However, companies have a few responsibilities. 

For starters, businesses are responsible for controlling and securing employees’ access to the SaaS apps. Failing to control and protect the account credentials that employees and groups use to access SaaS apps can result in cybercriminals compromising those credentials and using them to access app data. 

Companies also are responsible for properly configuring certain SaaS app settings. SaaS providers let companies configure some app settings (e.g., file-sharing options) so that the apps are customized for their environment. However, misconfigurations can open the door to cyberattacks. 

Finally, businesses are responsible for backing up their app data to protect against data loss. Although SaaS providers assume responsibility and take measures to protect against data loss due to operational failures (e.g., infrastructure breakdowns, natural disasters), the vast majority of them explicitly state in their terms and conditions that it is the company’s responsibility to protect against data loss due to accidental deletions and security attacks, according to a Forrester report.

Security Measures That Businesses Can Take 

To secure employees’ access to SaaS apps, prevent setting misconfigurations, and protect against data loss, companies might consider taking the following security measures: 

  • Apply the principle of least privilege. Companies should limit employees’ access to (and permissions in) SaaS apps to the minimal level that will allow them to perform their job duties. In addition, the access should be in effect for the shortest time necessary. 
  • Use multi-factor authentication. Many SaaS apps offer multi-factor authentication (aka two-step verification). When multi-factor authentication is enabled, app users must provide two credentials when logging in, such as a password and a one-time security code. This extra layer of security helps prevent unauthorized access to the app and its data. 
  • Stop malicious emails from reaching employees. Since consent phishing attacks are carried out through email, businesses should try to stop as many malicious emails as possible from reaching employees’ inboxes. Ways to do this include taking advantage of email servers’ security features (e.g., phishing and spam blockers), disabling automatic forwarding to external email accounts, and creating mail flow rules to block risky file attachments. Companies might also consider using an advanced email security solution, such as a secure email gateway. 
  • Double-check SaaS app settings. Although it takes time to double-check app settings, it is time well spent. Improperly configured settings can give cybercriminals what they need to attack a company. 
  • Educate employees. It is important to educate employees about cybersecurity in general as well as specific cyberthreats associated with the SaaS apps they are using. For instance, employees should learn about consent phishing emails and how to spot them. 
  • Back up SaaS app data. Since most SaaS providers explicitly state in their terms and conditions that it is the customer’s responsibility to protect against data loss due to cyberattacks and accidental deletions, it is important to regularly back up SaaS app data. This can be accomplished several ways, including using a cloud-to-cloud backup service or an on-premises backup solution. 

These security measures provide a good starting point for protecting your company’s SaaS app data. MicroAge can help you determine additional measures your business can take based on the SaaS apps being used and your IT environment. Contact us today. 
