When cloud computing was first introduced, most businesses were reluctant to try the apps being offered by public cloud service providers. Companies were mainly concerned about whether their data and other IT assets would be secure.
Nowadays, that’s no longer the case. The apps offered by public cloud service providers — collectively known as Software as a Service (SaaS) apps — are popular among businesses. Companies use an average of 110 SaaS apps, according to one study. However, more than half of them admit to not investing enough resources to protect the data within the apps. This is problematic because SaaS apps are also popular among cybercriminals.
For example, cybercriminals targeted companies using Microsoft 365 in January 2022. The attackers wanted to access employees’ Outlook apps so that they could read and send emails, change inbox rules, view employees’ contacts, examine calendars, and more, according to Microsoft. The cybercriminals did not access Outlook by stealing, guessing, or tricking employees into revealing their passwords. Instead, they used a consent phishing campaign.
In consent phishing attacks, cybercriminals try to dupe SaaS users into giving a malicious app the permissions it needs to access data or other resources. In the January 2022 attack, the cybercriminals tricked Outlook users into granting permissions to a malicious app named Upgrade.
The malicious apps used in consent phishing campaigns abuse OAuth request links. These links allow users to share information about their accounts with a third-party app or website, without having to give the app or site their passwords.
Consent phishing attacks are not limited to Microsoft’s cloud apps. Any SaaS app that uses OAuth 2.0 authorization is vulnerable. For instance, cybercriminals have used this type of attack to access users’ data in Google Gmail.
Consent phishing campaigns are on the rise, according to Microsoft, Proofpoint, and other threat analysts. So, too, are other types of cyberattacks that target SaaS apps. Defending against these attacks requires action from both SaaS providers and the businesses using their apps.
Businesses’ Security Responsibilities
One of the main advantages of using SaaS apps is that companies do not need to maintain or secure the apps or the infrastructure on which they run. SaaS providers are responsible for those tasks. However, companies have a few responsibilities.
For starters, businesses are responsible for controlling and securing employees’ access to the SaaS apps. Failing to control and protect the account credentials that employees and groups use to access SaaS apps can result in cybercriminals compromising those credentials and using them to access app data.
Companies also are responsible for properly configuring certain SaaS app settings. SaaS providers let companies configure some app settings (e.g., file-sharing options) so that the apps are customized for their environment. However, misconfigurations can open the door to cyberattacks.
Finally, businesses are responsible for backing up their app data to protect against data loss. Although SaaS providers assume responsibility and take measures to protect against data loss due to operational failures (e.g., infrastructural breakdowns, natural disasters), the vast majority of them explicitly state in their terms and conditions that it is the company’s responsibility to protect against data loss due to accidental deletions and security attacks, according to a Forrester report.
Security Measures That Businesses Can Take
To secure employees’ access to SaaS apps, prevent setting misconfigurations, and protect against data loss, companies might consider taking the following security measures:
- Apply the principle of least privilege. Companies should limit employees’ access to (and permissions in) SaaS apps to the minimal level that will allow them to perform their job duties. In addition, the access should be in effect for the shortest time necessary.
- Use multi-factor authentication. Many SaaS apps offer multi-factor authentication (aka two-step verification). When multi-factor authentication is enabled, app users must provide two credentials when logging in, such as a password and one-time security code. This extra layer of security helps prevent unauthorized access to the app and its data.
- Stop malicious emails from reaching employees. Since consent phishing attacks are carried out through email, businesses should try to stop as many malicious emails as possible from reaching employees’ inboxes. Ways to do this include taking advantage of email servers’ security features (e.g., phishing and spam blockers), disabling automatic forwarding to external email accounts, and creating mail flow rules to block risky file attachments. Companies might also consider using an advanced email security solution, such as a secure email gateway.
- Double-check SaaS app settings. Although it takes time to double-check app settings, it is time well spent. Improperly configured settings can give cybercriminals what they need to attack a company.
- Educate employees. It is important to educate employees about cybersecurity in general as well as specific cyberthreats associated with the SaaS apps they are using. For instance, employees should learn about consent phishing emails and how to spot them.
- Back up SaaS app data. Since most SaaS providers explicitly state in their terms and conditions that it is the customer’s responsibility to protect against data loss due to cyberattacks and accidental deletions, it is important to regularly back up SaaS app data. This can be accomplished several ways, including using a cloud-to-cloud backup service or an on-premises backup solution.
These security measures provide a good starting point for protecting your company’s SaaS app data. MicroAge can help you determine additional measures your business can take based on the SaaS apps being used and your IT environment. Contact us today.