SaaS Application Risk Assessment
As businesses today migrate critical workloads, data, and services to cloud environments, security must be a top priority. When performing security risk assessments of cloud SaaS environments, an essential consideration is cloud SaaS applications. How do applications introduce risk in cloud SaaS? What are the attack vectors against which organizations must protect? Let’s look at SaaS application risk assessment and tackle the subject of application risk in the cloud.
2021 – More security risks than ever before
There is no question that business-critical data has never been at greater risk than it is right now. Business-critical data is under attack by cybercriminals, and they are using very clever and effective ways to get their hands on your data. One of those highly effective threats to your data is ransomware. With ransomware, the end goal is to make your data inaccessible by encrypting it and demanding a ransom payment to restore access. Attackers also commonly threaten to release your data on the Internet if the ransom is not paid.
This year has already been littered with high-profile news reports of large-scale ransomware attacks on critical service industries. These include ransomware attacks on Colonial Pipeline, a major fuel supplier to the Eastern U.S., and JBS, the world’s largest meat supplier. These attacks led to millions of dollars in ransom payments and widespread fallout for the general population due to suspended operations at both companies.
Note the following statistics to put the risks in perspective:
- Cybercrime is up 600% as a result of the COVID-19 pandemic
- 45% say their processes are ineffective at mitigating attacks
- 66% have experienced a cyber attack in the past 12 months
- Businesses are expected to be attacked by ransomware every 11 seconds in 2021
To combat the cyberattacks epidemic, companies must carefully analyze the risks to business-critical data, processes, services, IT infrastructure, and cloud SaaS applications through a risk assessment.
What is a risk assessment?
First of all, what is a risk assessment, and why is it important? Performing a proper risk assessment is a crucial part of your organization’s overall cybersecurity plan as it helps identify and uncover risks to your business from a cybersecurity standpoint. In addition, the risk assessment helps shed light on possible attack vectors for business-critical data, crucial business systems, cloud SaaS applications, and other infrastructure that may be critical to your business.
A risk assessment helps your business identify the specific risks that are most likely to threaten your organization and prioritize these accordingly. You don’t want to spend vast amounts of time and resources protecting against threats that, in reality, won’t affect your business and then underestimate or overlook dangers that could potentially cause significant damage.
It helps to see an overall “picture” of the infrastructure landscape. Therefore, a cybersecurity risk assessment in 2021 should include many pieces of information, including, but not limited to:
- Network topologies and layouts
- Current known vulnerabilities
- Processes and procedures
- Data locations and threats
- Cloud assets, data, and applications
Only after identifying assets that need to be protected and may be at risk can a company put a risk management system in place. The NIST Risk Management Framework helps manage this lifecycle.
NIST Risk Management Framework
The National Institute of Standards and Technology (NIST) has developed a Risk Management Framework (RMF) that provides a process that integrates security, privacy, and cyber risk management activities into a security system life cycle. Note the steps involved in the NIST RMF:
- Prepare – Includes all cybersecurity and other activities to prepare the organization to manage security and privacy risks
- Categorize – The step to categorize the information processed, stored, and transmitted. It is based on the impact analysis
- Select – The NIST SP 800-53 controls to protect the system are selected based on risk assessments
- Implement – Implement controls
- Assess – Assess the controls put in place to note if these are effective and producing the desired results
- Authorize – Business leaders and stakeholders make a risk-based decision to authorize the system
- Monitor – Monitor risks to business-critical systems and any controls implemented
Taking this systematic approach to managing the tremendous threat landscape helps ensure cybersecurity risks are addressed continually and dynamically. Let’s now focus on cloud SaaS applications and see why it is vital to perform a SaaS application risk assessment.
Security risks with cloud SaaS applications?
Businesses are using the cloud and migrating their data and services to cloud environments in unprecedented numbers. The COVID-19 pandemic has accelerated the move to the cloud as companies continue to support the distributed workforce. Cloud Software-as-a-Service platforms such as Google Workspace and Microsoft 365 have seen massive growth from 2020 onward, and the trend looks set to continue.
Cloud SaaS environments such as Google Workspace and Microsoft 365 allow businesses to move rapidly without the need to worry about the physical infrastructure and all the other complexities involved with running an on-premises data center. Cloud environments function “as-a-Service,” making cloud storage, services, and applications just a few clicks away.
Cloud SaaS environments, including Google Workspace and Microsoft 365, include access to thousands of cloud SaaS applications that can extend the native functionality of the cloud SaaS environment. It is highly appealing to businesses that need additional capabilities for the remote and on-premises workforce for collaboration and communication.
However, despite the tremendous capabilities that cloud SaaS applications or other software such as browser plugins offer to organizations migrating business-critical resources to the cloud, they can be riddled with cybersecurity threats to your business. How so?
Cybercriminals know the tremendous appeal of cloud SaaS applications and the willingness of end-users to trust “application permission prompts” when installing applications that integrate with cloud SaaS environments. End-users are conditioned to simply click “next” through an application’s permission requests, because that is how most people install applications on smartphones. Most do not scrutinize requests from applications asking for permissions to cloud storage or cloud user identities.
It is a dangerous behavior that cybercriminals capitalize on with cloud SaaS applications. Malicious cloud SaaS applications or browser plugins masquerade as legitimate or even sanctioned cloud applications to coax users into granting permissions to the application. After the end-user grants permissions to the malicious application, it can perform malicious actions on behalf of the user. This is possible because of what’s known as OAuth permissions delegation.
When a user grants an application “permissions” requested, the cloud SaaS environment grants an OAuth token to the application. The OAuth token allows the application to act on the user’s behalf without having the user’s password. For legitimate applications, this is a good thing. However, granting an OAuth token to a malicious application that houses ransomware can be disastrous. OAuth tokens can provide very high-level access to an application. These tokens also bypass two-factor authentication and can only be revoked with manual intervention from the user. Below, a cloud SaaS application is requesting very high-level access to a Microsoft Office 365 environment. Note the permissions:
- Have full control of all site collections
- Maintain access to data you have given it access to
- Read and write calendars in all mailboxes
- Read and write all chat messages
- Read and write contacts in all mailboxes
- Read and write files in all site collections
- Read and write mail in all mailboxes
While the example below is from a legitimate application, a malicious application granted these types of permissions would be disastrous!
OAuth permissions request in Microsoft Office 365
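As an added example that is not part of the original article or the SpinAudit product, the Python routine below triages a consent prompt from the permission display strings a user sees, such as the list above. The keyword weights, verdict thresholds and sample prompts are this example's own assumptions.

```python
import re
from typing import Dict, List

# Heuristics keyed on the wording of the consent prompt (assumed, not Microsoft's classification).
SENSITIVE = re.compile(r"mail|files|chat|site|calendar|contact", re.IGNORECASE)
WRITE = re.compile(r"\b(write|full control)\b", re.IGNORECASE)
TENANT_WIDE = re.compile(r"\ball\b", re.IGNORECASE)       # "all mailboxes", "all site collections"
PERSISTENT = re.compile(r"maintain access", re.IGNORECASE)  # access survives the user's session

# Constructed sample: the permission list quoted in the article above.
PAGE_PROMPT = [
    "Have full control of all site collections",
    "Maintain access to data you have given it access to",
    "Read and write calendars in all mailboxes",
    "Read and write all chat messages",
    "Read and write contacts in all mailboxes",
    "Read and write files in all site collections",
    "Read and write mail in all mailboxes",
]


def score_permission(text: str) -> int:
    """Return a 0-5 risk score for a single permission line."""
    score = 0
    if SENSITIVE.search(text):
        score += 1  # touches mail, files, chat, sites, calendars or contacts
    if WRITE.search(text):
        score += 1  # can modify or delete, not just read
    if TENANT_WIDE.search(text):
        score += 2  # reaches beyond the consenting user's own data
    if PERSISTENT.search(text):
        score += 1  # keeps working until the grant is explicitly revoked
    return score


def assess_consent_request(permissions: List[str]) -> Dict[str, object]:
    """Aggregate per-permission scores into a verdict for the whole prompt."""
    scores = {p: score_permission(p) for p in permissions}
    tenant_wide = [p for p in permissions if TENANT_WIDE.search(p)]
    persistent = any(PERSISTENT.search(p) for p in permissions)
    total = sum(scores.values())
    if any(WRITE.search(p) for p in tenant_wide):
        verdict = "block-pending-admin-review"  # tenant-wide write access
    elif total >= 4 or persistent:
        verdict = "review"
    else:
        verdict = "allow"
    return {"total": total, "tenant_wide": tenant_wide, "persistent": persistent,
            "verdict": verdict, "scores": scores}


if __name__ == "__main__":
    print(assess_consent_request(PAGE_PROMPT)["verdict"])
```

Run against the article's prompt, every line except "Maintain access" is tenant-wide and all of those are writable, so the routine flags the request for admin review rather than letting a user self-consent.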
With the thousands of cloud SaaS applications and browser plugins available to end-users in cloud SaaS environments, businesses must include SaaS applications in their proactive risk assessments. Due to the tremendous risk these can present to business-critical data, companies must perform a proactive risk analysis of applications, application behavior, the data they have access to, and other critical security metrics.
How can your organization follow the best practice risk analysis outlined in cybersecurity frameworks such as the NIST Risk Management Framework mentioned earlier to continually scrutinize cloud SaaS applications?
SpinAudit SaaS application automated risk assessment
Organizations moving to the cloud can be overwhelmed by security implications and concerns with cloud data and third-party applications. Performing a risk assessment of all cloud applications and browser plugins using manual efforts would be impossible. SpinAudit provides an automated way to assess third-party applications’ business, security, and compliance risks. Consider how SpinAudit helps to automate the risk assessment lifecycle of SaaS applications. It provides the following risk assessment automation:
- Continuous risk level analysis of applications – SpinAudit detects when new apps are installed or uninstalled. It automatically reviews the application and identifies apps that have been blocked. Once SpinAudit has blocked an app, its access is revoked any time a user attempts to install it in the cloud SaaS environment.
- User behavior analysis – Determine important cybersecurity information about user behavior, including when users are accessing the environment, what applications they are using, which IP address they are connecting from, and their geolocation.
- Understand how cloud data is accessed and shared – See which files are accessed and shared with whom. Easily see if the information is shared publicly. Capture events in historical dashboards. Identify sensitive information such as Credit Card Numbers (CCNs).
- Implement security policies – Use granular policies to customize app audits, data audits, and domain-audit-related policies. It allows for specific rule scopes, exceptions, and notification settings on a per-rule basis.
- Prepare – SpinAudit helps prepare your organization continually for new risks and threats in SaaS applications, abnormal user behavior, and other threats.
- Categorize – Using SpinAudit, businesses can continually categorize and gain visibility to data shared in the cloud, helping to categorize business-critical data in the cloud.
- Select – SpinAudit helps to align to NIST SP 800-53 controls to protect the system based on risk assessments
- Implement – SpinAudit helps to implement the controls needed to protect your data from new and emerging threats
- Assess – The continuous assessment of the environment using SpinAudit helps to determine if data is accessed in unauthorized ways or if rogue applications have access. It also helps to spot anomalous user behaviors and gauge the effectiveness of controls in place.
- Authorize – Using the blacklist/whitelist functionality of SpinAudit, CISOs, SecOps, and other decision-makers can approve or disapprove cloud SaaS applications in the environment.
- Monitor – SpinAudit continually monitors the cloud SaaS environment. Even if an application was once deemed safe, SpinAudit recategorizes it if the automated risk assessment of the application changes due to its behavior.
Imagine having a fully automated risk assessment and risk analysis platform with actionable intelligence. SpinAudit delivers these capabilities and many others in conjunction with the SpinOne platform. It helps to tip the balance for organizations in the cybersecurity war.
Learn more about the SpinAudit automated risk assessment functionality and the SpinOne suite of cybersecurity solutions here.