Cloud App Data

Don’t Leave Your Cloud App Data Vulnerable

When cloud computing was first introduced, most businesses were reluctant to try the apps being offered by public cloud service providers. Companies were mainly concerned about whether their data and other IT assets would be secure. 

Nowadays, that’s no longer the case. The apps offered by public cloud service providers — collectively known as Software as a Service (SaaS) apps — are popular among businesses. Companies use an average of 110 SaaS apps, according to one study. However, more than half of them admit to not investing enough resources to protect the data within the apps. This is problematic because SaaS apps are also popular among cybercriminals. 

For example, cybercriminals targeted companies using Microsoft 365 in January 2022. The attackers wanted to access employees’ Outlook apps so that they could read and send emails, change inbox rules, view employees’ contacts, examine calendars, and more, according to Microsoft. The cybercriminals did not access Outlook by stealing, guessing, or tricking employees into revealing their passwords. Instead, they used a consent phishing campaign. 

In consent phishing attacks, cybercriminals try to dupe SaaS users into giving a malicious app the permissions it needs to access data or other resources. In the January 2022 attack, the cybercriminals tricked Outlook users into granting permissions to a malicious app named Upgrade. 

The malicious apps used in consent phishing campaigns abuse OAuth request links. These links allow users to share information about their accounts with a third-party app or website, without having to give the app or site their passwords. 

Consent phishing attacks are not limited to Microsoft’s cloud apps. Any SaaS app that uses OAuth 2.0 authorization is vulnerable. For instance, cybercriminals have used this type of attack to access users’ data in Google Gmail

Consent phishing campaigns are on the rise, according to Microsoft, Proofpoint, and other threat analysts. So, too, are other types of cyberattacks that target SaaS apps. Defending against these attacks requires action from both SaaS providers and the businesses using their apps. 

Businesses’ Security Responsibilities 

One of the main advantages of using SaaS apps is that companies do not need to maintain or secure the apps or the infrastructure on which they run. SaaS providers are responsible for those tasks. However, companies have a few responsibilities. 

For starters, businesses are responsible for controlling and securing employees’ access to the SaaS apps. Failing to control and protect the account credentials that employees and groups use to access SaaS apps can result in cybercriminals compromising those credentials and using them to access app data. 

Companies also are responsible for properly configuring certain SaaS app settings. SaaS providers let companies configure some app settings (e.g., file-sharing options) so that the apps are customized for their environment. However, misconfigurations can open the door to cyberattacks. 

Finally, businesses are responsible for backing up their app data to protect against data loss. Although SaaS providers assume responsibility and take measures to protect against data loss due to operational failures (e.g., infrastructural breakdowns, natural disasters), the vast majority of them explicitly state in their terms and conditions that it is the company’s responsibility to protect against data loss due to accidental deletions and security attacks, according to a Forrester report

Security Measures That Businesses Can Take 

To secure employees’ access to SaaS apps, prevent setting misconfigurations, and protect against data loss, companies might consider taking the following security measures: 

  • Apply the principle of least privilege. Companies should limit employees’ access to (and permissions in) SaaS apps to the minimal level that will allow them to perform their job duties. In addition, the access should be in effect for the shortest time necessary. 
  • Use multi-factor authentication. Many SaaS apps offer multi-factor authentication (aka two-step verification). When multi-factor authentication is enabled, app users must provide two credentials when logging in, such as a password and one-time security code. This extra layer of security helps prevent unauthorized access to the app and its data. 
  • Stop malicious emails from reaching employees. Since consent phishing attacks are carried out through email, businesses should try to stop as many malicious emails as possible from reaching employees’ inboxes. Ways to do this include taking advantage of email servers’ security features (e.g., phishing and spam blockers), disabling automatic forwarding to external email accounts, and creating mail flow rules to block risky file attachments. Companies might also consider using an advanced email security solution, such as a secure email gateway. 
  • Double-check SaaS app settings. Although it takes time to double-check app settings, it is time well spent. Improperly configured settings can give cybercriminals what they need to attack a company. 
  • Educate employees. It is important to educate employees about cybersecurity in general as well as specific cyberthreats associated with the SaaS apps they are using. For instance, employees should learn about consent phishing emails and how to spot them. 
  • Back up SaaS app data. Since most SaaS providers explicitly state in their terms and conditions that it is the customer’s responsibility to protect against data loss due to cyberattacks and accidental deletions, it is important to regularly back up SaaS app data. This can be accomplished several ways, including using a cloud-to-cloud backup service or an on-premises backup solution. 

These security measures provide a good starting point for protecting your company’s SaaS app data. MicroAge can help you determine additional measures your business can take based on the SaaS apps being used and your IT environment. Contact us today. 

Get the most from your IT

As service providers to more than 300 companies, the dedicated professionals at MicroAge are second to none when it comes to managed services. By improving efficiency, cutting costs and reducing downtime, we can help you achieve your business goals!

Most commented posts

Cybersecurity strategies banner, stratégie cybersécurité

Top 5 Cybersecurity Strategies for Your Business

Whether it’s our personal identity, our banking, or possessions in our home, security is a topic we all think about every day. But are you…

Read More
Managed Services Gérés

How Managed Services Can Help Your Business During COVID-19

Businesses across the globe are heavily reliant on technology to maximize their efficiency. This has become more evident during this COVID-19 pandemic. The dependence on…

Read More
cyber incident response plan

What Should Be Included In A Cyber Incident Response Plan

Protecting your business against cyberattacks involves ensuring that you have in place the different security layers including protecting the network, patching applications, protecting the endpoints,…

Read More
electronic signature

The Benefits of Electronic Signatures for SMBs

An electronic signature is a process of attaching an encoded signature to an electronic document. Electronic signatures are legally binding based on federal and provincial…

Read More

Cyber Resilience: How To Protect Your Business In A Connected World?

It’s hardly new, nowadays digital technology pervades practically every aspect of our lives. In many contexts, this ever-so-useful practical and accommodating reality also involves a…

Read More