All posts by bradthies

How cloud service providers can halt hackers – with smart security protocols and reporting

When you call yourself "the global leader in secure content collaboration," you can't afford security gaffes.

Huddle, a SaaS tool used throughout the U.K. government, learned that the hard way when a BBC journalist logged into its system and was redirected to the wrong account. Imagine his shock when he realized he had access to confidential KPMG financial data. 

Luckily for Huddle, the journalist left the sensitive information untouched, but he wasn't about to leave the story untold. The world soon knew of Huddle's head-scratching glitch: When two users signed on during a 20-millisecond period, they received identical authentication codes. The first to gain entry could be directed to either user’s account.

Of course, Huddle acted quickly to fix the flaw. But the security mistake left its mark on Huddle's reputation, especially, no doubt, among flagship clients like KPMG.
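The glitch described above is a textbook case of a login code derived from the clock rather than from a secure random source. The Python sketch below is an added illustration, not Huddle's code: it constructs two logins 10 ms apart and shows how a time-bucket code routes the second user into the first user's account, how a CSPRNG-derived code does not, and how a server-side uniqueness check at issuance fails closed instead of misrouting even when the generator is flawed. The user names, timestamps, store and the 20 ms bucket width are all constructed for the example.

```python
import secrets

# Added illustration of the Huddle-style flaw, not Huddle's own code.
# Timestamps, user names and the session store are constructed for the example.

WINDOW_MS = 20  # collision window described in the article


def weak_auth_code(now_ms: int) -> str:
    """Code derived only from the 20 ms time bucket of the login.
    Every login that lands in the same bucket receives the same code."""
    return format(now_ms // WINDOW_MS, "x")


def strong_auth_code(_now_ms: int) -> str:
    """256 bits from the OS CSPRNG; independent of the clock, so concurrent
    logins cannot collide in practice."""
    return secrets.token_urlsafe(32)


class SessionStore:
    """Maps issued codes to the account that owns them.

    As in the flawed system, the first login to claim a code owns it, and a
    later login presenting the same code is routed to that account. With
    fail_closed=True the store refuses to issue a code that already belongs
    to someone else, so a broken generator is detected (and the login fails)
    rather than silently misrouting a user."""

    def __init__(self, mint, fail_closed: bool = False):
        self.mint = mint
        self.fail_closed = fail_closed
        self.owner: dict[str, str] = {}

    def login(self, user: str, now_ms: int) -> str:
        code = self.mint(now_ms)
        if code in self.owner and self.owner[code] != user:
            if self.fail_closed:
                raise RuntimeError(f"auth code collision for {user}: refusing to issue")
            return code  # flawed behaviour: code already maps to another account
        self.owner[code] = user
        return code

    def resolve(self, code: str) -> str:
        return self.owner[code]


def simulate(mint, logins, fail_closed: bool = False):
    """logins: [(user, login_time_ms), ...].
    Returns [(user, account the user is actually routed to), ...]."""
    store = SessionStore(mint, fail_closed)
    issued = [(user, store.login(user, t)) for user, t in logins]
    return [(user, store.resolve(code)) for user, code in issued]


# Constructed timeline: alice and bob sign in 10 ms apart (same 20 ms bucket),
# carol 27 ms later (next bucket).
LOGINS = [("alice", 1_000), ("bob", 1_010), ("carol", 1_037)]


def misrouted(mint, logins=LOGINS):
    """Users who end up in someone else's account under the given generator."""
    return [user for user, landed in simulate(mint, logins) if user != landed]


if __name__ == "__main__":
    print("time-bucket codes, misrouted:", misrouted(weak_auth_code))   # ['bob']
    print("CSPRNG codes, misrouted:    ", misrouted(strong_auth_code))  # []
```

The two fixes are independent and both belong in a hardened system: generate session codes from `secrets` (or the platform's CSPRNG) so collisions are not a practical concern, and still check uniqueness at issuance so that any future regression in the generator surfaces as a failed login and a log entry rather than as one customer reading another's data.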

Security protocols to implement pronto

Although it's easy to point fingers at Huddle, other cloud service providers (CSPs) should take the chance to review their own security operations. Without the following four security processes, they're but one opportunistic hack away from a storm of upset clients, lawsuits, and unflattering media attention:

Multifactor authentication: Password-gated portals are the norm among cloud-based services, but passwords are far too easy to crack or steal, so CSPs should require a secondary, and perhaps even tertiary, form of authentication. Whether it is a phone-based approach or a token device, a multifactor login system is part and parcel of the security responsibilities that infrastructure-as-a-service, platform-as-a-service, and software-as-a-service providers share with their clients.

Patch management: There's a reason your Windows or Mac computer constantly wants to install security updates. Software providers issue patches to plug security holes that hackers have found or created, before those holes are exploited to infect other systems. Without a patch management process in place, CSPs are at risk of malware and, more commonly today, ransomware. The bigger the CSP, the more likely it is to become a hacking target, making timely patching all the more important.

Credential management: Companies often share login information internally, but that leaves the keys to their kingdom in many hands, and eventually those credentials could end up in the wrong person’s pocket. Ensuring each user has his or her own credentials lets CSPs hold users accountable for their actions. It also prevents incidents like the leaks from misconfigured Amazon Web Services S3 buckets. Because IaaS companies manage servers and hardware for downstream PaaS and SaaS providers, they have a particular responsibility to manage credentials carefully.

Key management: Picture a cul-de-sac where every resident knows where the master key that can unlock any house on the street is stored. What happens when one person moves away but the locks aren’t changed? A master key used to decrypt data is no different: once it has been shared, practically anyone who once held it could use it to break in later. This is often how CSPs unknowingly manage their encryption keys. Key management systems are critical and can save an organization in the event of a breach of third-party cloud systems that the organization may not control.

Communicating your security steps

Just as IKEA provides detailed setup and use instructions for its customers, CSPs must share security best practices associated with their systems. This includes explaining their own security protocols to clients and prospects. Not only is transparently communicating security features the ethical thing to do, but it can also boost sales through greater client trust.

To get the word out about your cloud service's security, start with these three strategies:

Draft a public-facing communications strategy: You already have a website, so use it to educate people on your security measures. You don’t have to give away the recipe to your secret sauce, but do pull together a whitepaper outlining your services and tying them to security best practices. Your sales, marketing, and technology teams may want to create a security toolbox of whitepapers to reflect different industries' and environments' security needs.

Arm your sales force with detailed protocol content: Every salesperson for your company should be able to prove to prospects that your security protocols meet their compliance challenges. Again, consider creating a series of whitepapers that map out your processes for technical personnel, auditors, vendor risk managers, and C-suite parties. Technical jargon won't help most businesspeople, and most technical roles will expect more than surface-level explanations.

Develop third-party audit reports: The best assurance of your company's security comes from a third-party audit. Be sure that your report not only provides external validation of your protocols, but also explains how they apply in the real world. For example, the SOC 2+ report offers enhanced reporting that can address multiple compliance and assurance needs. If your CSP provides financial services in the state of New York, such a report should show how you meet its financial cybersecurity standards through features like multifactor authentication. Or if your company deals in medical data, the report should prove that your protocols align with HIPAA standards. 

CSPs operate in a world where trust is golden. But like real gold, that trust can be easily contorted or broken by breaches or other security flaws. Maintaining or mending trust takes a twofold approach: proper protocols to deter cybercrime and smart reporting to ensure clients know they're protected.

What security roles should SaaS providers have on their teams?

For those at software-as-a-service companies, it’s easy to forget that cloud services still aren’t standard at most companies.

According to a BetterCloud report, just 43 percent of organisations today operate primarily on cloud services. By 2020, however, BetterCloud expects that figure to hit 73 percent, and by 2022, it predicts that 86 percent of firms will default to cloud services.

Increased cloud usage obviously benefits cloud service providers. But as SaaS services increase in popularity, so do opportunities for hackers to compromise them. Data breaches in the U.S. cost companies about $225 per compromised record, with healthcare data breaches costing a whopping $380 per record. 

Hackers know that crime pays when it comes to cloud data breaches. Unfortunately, they also know that plenty of SaaS providers and their clients are wholly unprepared to prevent attacks.

SaaS firms’ security obligations

Because they offer a software service, SaaS companies own more security responsibilities than traditional software businesses or even their platform-as-a-service and infrastructure-as-a-service peers.

Unlike PaaS or IaaS providers, SaaS companies must manage access to all levels of their applications. When SaaS providers fail to meet that responsibility, client data can be compromised. 

The worst part of such breaches is that they’re typically preventable. A simple configuration error, for example, led to an Amazon Web Services breach this past June. The data of nearly 200 million U.S. voters was exposed, including names, birth dates, home addresses, phone numbers, and voter registration details. 

Data breaches do not happen in a vacuum. Each brings greater distrust to an industry in which trust is already hard to come by. Today, just 13 percent of IT decision makers say they trust public cloud services. 

For SaaS providers, keeping customers’ data secure isn’t just smart business; it’s key to the entire industry’s success. To prevent breaches and earn customers’ trust, SaaS providers need a crack data security team.

Hiring for SaaS security

Every SaaS provider, from Microsoft to niche app shops, must build a security team that either reports to the chief information security officer or emulates that structure by disseminating responsibilities.

Regardless, the following four roles are absolutely necessary for SaaS companies to come alongside customers in managing security:

SecDevOps professional

At companies using traditional on-site infrastructures, applications are protected by “moats,” including the network layer and various security applications. In the past, this was enough. But in today’s multitenant SaaS world, crowds of hackers and bots prod for weaknesses in SaaS providers’ — and, by extension, their customers’ — castle walls.

To stay a step ahead, SaaS companies typically turn to a DevOps approach, with developers writing code and reviewing and integrating it into the code base. But these teams are typically missing a critical member: a DevOps hire focused on security.

SecDevOps professionals go by many titles, perhaps most commonly information security engineer. In a nutshell, this person’s role is to root out insecure, lazy development habits.

Just like a quality assurance tester for a new product feature, SecDevOps personnel evaluate coding practices to recognise and shore up vulnerabilities. Their tools include risk modeling, threat assessments, and penetration testing throughout the development and deployment process.

To find the right fit, give candidates a take-home test that includes identifying and explaining insecure code. Developing this test takes time, but having candidates solve an actual code challenge drawn from the company's own work can pay that time back. To quickly spot talent, look for individuals who are familiar with Microsoft’s Security Development Lifecycle methodology or the Open Web Application Security Project (OWASP) Top 10 list of application security vulnerabilities.

Identity manager

SaaS organisations need stronger security than organisations offering on-premise or non-SaaS deployment models. To that end, they must hawkishly manage how, when, and by whom their applications are accessed.

Don’t assume that an application is secure simply because it’s hosted by AWS. A Corvette might park in a garage full of expensive tools, but without a trained mechanic maintaining it, the car won’t last long in any environment. 

In the SaaS world, that mechanic is an identity manager, and his or her job is to manage access credentials and architect a role-based security program. It’s easy to hand permissions to any team member who asks for them, but without an identity management expert’s oversight, those permissions can quickly become security liabilities. And the longer an organisation goes without proper role management, the more difficult implementing those rules becomes.

Governance and risk manager

The job of this role is twofold: to establish a process for communicating the company’s security requirements to relevant parties, including clients, employees, and regulators, and to enforce and evolve those mechanisms, revising them as business or regulatory needs change. 

Without a documented governance process in place, SaaS companies are slow to respond to new threats and ineffective at enforcing existing policies. Conversely, a cumbersome, outdated governance policy may cut into business productivity or lead employees to ignore important security steps. 

The governance and risk manager, then, works to achieve the right balance of security and agility. By understanding the risk exposure of the company’s stakeholders and the types of data in need of protection, he can prioritise security programs without slowing the business down. 

There’s no single background that makes a great governance and risk manager. Start searching for experienced individuals on industry forums such as ISACA, ISC2, and other governance, risk, and compliance communities.

Security operations manager

Like SecDevOps hires, security operations personnel can go by many titles. Regardless, their role is to detect and prevent threats and, if a breach does occur, manage the response. 

In practice, that requires the security operations team to develop a five-part plan to identify, protect, detect, respond to, and recover from cybersecurity threats. A SaaS provider without any of those capabilities exposes not only its business, but also the businesses of its customers to costly breaches. 

Information security professionals of all stripes, including security operations personnel, are in short supply. When choosing between candidates, look for Certified Information Systems Security Professionals (CISSP), but don’t discount others with experience in the trenches and the hunger to learn.

As SaaS becomes the standard operating model for companies large and small, data threats will only deepen. Don’t wait for a breach to start searching for talent; invest in a security team now, and strengthen your SaaS operation for years to come.