One of the frequently touted advantages of using software-as-a-service (SaaS) solutions is their maintenance-free and supposedly inherently secure nature. These services are maintained by their providers and users do not have to worry about configuring, troubleshooting, and updating them. Things are not as simple as that, though.
SaaS solutions are far from invulnerable and they can become serious cybersecurity problems. While it can be said that securing them is mostly not the responsibility of users, it is important to emphasize that they are still predisposed to various forms of cyberattacks. One report says that 40 percent of SaaS assets are at risk of data leaks because they are poorly managed or not managed at all.
Organizations need to employ prudent security measures to avoid creating opportunities for bad actors to introduce malicious software or find vulnerabilities they can exploit in the SaaS solutions they are using.
Office 365: A gateway to devastating SaaS cyber attacks
Office 365 is one of the most popular SaaS solutions for business productivity right now with millions of users worldwide. It is naturally targeted by cyber attacks. Unfortunately, Office 365 security is a concern not many take seriously. Organizations are not paying that much attention to the risks, and this has led to serious consequences.
A number of documented cyber attacks have taken advantage of Office 365’s weaknesses. The most notable is arguably the infamous supply chain attack on the SolarWinds Orion software, which was accomplished through the so-called Golden SAML technique. SAML is an acronym for Security Assertion Markup Language, an open standard for exchanging authentication and authorization data between parties.
SolarWinds CEO Sudhakar Ramakrishna confirmed that an Office 365 email compromise played a role in the massive attack. Reportedly, a company email account was hacked and used to gain access to the accounts of staff at SolarWinds. “We’ve confirmed that a SolarWinds email account was compromised and used to programmatically access accounts of targeted SolarWinds personnel in business and technical roles,” Ramakrishna wrote in a blog post.
There have been no studies that specifically estimate the cost of SaaS attacks. However, the SolarWinds incident can serve as a good indicator of how costly these attacks can get. One study found that the affected companies lost on average 11 percent of their annual revenue because of the SolarWinds problem.
Organizations need thoughtfully implemented defensive measures to secure Office 365 against various threats including business email compromise, data breaches, and phishing. It is advisable to provide employee awareness programs, ML-based phishing prevention, malware defenses, and comprehensive attack vector coverage. It also greatly helps to employ a multi-layered security solution that addresses issues at the virtualization, network, application, and physical levels (more on this in the discussion on attack methods below).
“Microsoft 365 is a gold mine,” says response manager Doug Bienstock, who points out that “the vast majority of data is probably going to be in Microsoft 365, whether it’s in the contents of individual emails, or files shared on SharePoint or OneDrive, or even Teams messages.”
A variety of attack methods to watch out for
A study published in the journal Transactions on Machine Learning and Artificial Intelligence lists several cyber attacks that can be used on SaaS services. These are grouped into four categories according to the type of security issue involved: virtualization level, application level, network level, and physical level.
Virtualization level attacks result in software interruption and modification, including deletion. Attackers may use social engineering, storage, and data center vulnerabilities, as well as virtual machine weaknesses. Examples of these attacks are DoS and DDoS, hypervisor rootkits, and virtual machine escape.
In application-level attacks, the goal is often the modification of data at rest and in transit. These attacks entail the hijacking of sessions and the dismantling of confidentiality and privacy policies. Examples are SQL injection, cross-site scripting (XSS), and other app-based attacks aimed at exploiting session management, authentication, and configuration vulnerabilities.
Meanwhile, network-level attacks generally focus on firewall misconfiguration and the analysis of network traffic and potential threat exposures that have been ignored or gone undetected by organizations. Examples of these are DNS attacks, sniffers, and IP address reuse exploitation.
Lastly, as the phrase suggests, physical level attacks involve bold attempts to compromise the physical hardware used by organizations. Cybercriminals may steal the hardware to extract data, introduce modifications, or inject malware. Phishing attacks may also be used to gain access to the physical equipment of the organization operating a SaaS service.
These attacks are not that different from the usual attacks other organizations face, including those that use on-prem solutions. It would be imprudent to fall for SaaS providers’ exaggerated claims of superior security. There are some advantages in using SaaS, but these should not make users let up on their security posture.
SaaS provides convenience to users as well as to attackers
One of the remarkable benefits of using SaaS solutions is the synchronization of data and services across devices. Users do not need to redo configurations and customizations and create new copies of their files whenever they do something using new devices. This convenience is not only advantageous to users; it also benefits bad actors.
The report on cybercriminals targeting the cloud-based digital distribution platform Discord is an example of how SaaS can become a tool for attackers. There is a tendency for security problems to worsen as organizations use multi-cloud systems and build hybrid enterprise IT infrastructure. One security firm released a report in February this year, revealing that 91 percent of companies experienced API security problems while over 80 percent were uncertain if their APIs were compromised.
Some organizations may over-rely on security tests
The security testing market is expected to hit $15.74 billion in 2026 with a CAGR of 20.74 percent for the 2021-2026 forecast period. There is a growing demand for security validation products and services as organizations acknowledge the importance of ascertaining the efficacy of existing security controls.
The reliance on security testing can be a risk for organizations, though. Penetration tests and other security validation strategies are indeed useful, but they may create a false sense of security especially in view of the SaaS environment dynamics.
The findings generated by a pentest or security validation routine, especially if it is not continuous, become invalid the moment a privileged user accesses the SaaS environment through an endpoint that has not been covered by the tests. Additionally, a third-party application may not be updated or a misconfiguration may arise and result in a security weakness, which is not reflected in the security validation outcomes.
SaaS solutions provide numerous advantages. The claims of better security compared to on-prem solutions also hold water to some extent because users are not left to deal with security on their own. SaaS providers usually go the extra mile to make sure that their systems are easy to use and highly secure at the same time.
However, the security benefits and conveniences are not guaranteed. It is still important to pay close attention to cloud security, especially in complex cloud environments involving numerous users and applications. It can be difficult to detect attacks and institute the necessary mitigation and remediation measures with so much going on in a system or network.