May 18, 2022

SaaS Breaches: How to Think about Security in Cloud Apps and Services

By

The increasing sophistication of attack groups

The Okta breach is yet another indication of what we have been seeing for the past few years in the cybersecurity industry, particularly in the incident response practice, demonstrating the increased sophistication and capabilities of various attack groups. This is due to a combination of several trends we are seeing:

  • Increased potential financial gain for attackers justifies a larger investment in attacks, allowing criminal threat actors to build campaigns with substantial resources. Resources that were formerly only available to state level actors.
  • There’s continuous leakage of cyber capabilities from state-level actors to the private market, including a wealth of knowledge and skill formerly unavailable to criminal groups.
  • The line between state-level attacks and criminal threat actors is disappearing. Certain nation states encourage (or willingly ignore) criminal cyber activities as part of the new age of the Cyber Cold War, making it easier for criminal threat actors to build up a substantial force.

The state of security in cloud applications and services

Naturally, the increased sophistication of adversaries creates a huge issue as organizations increasingly use software as a service (SaaS), platform as a service (Paas), and infrastructure as a service (IaaS) to deliver applications and services. While these cloud services reduce the need for complex software and hardware management, the mesh of applications and services creates new complexities for security teams. In this asymmetrical space, where attackers need only one success and defenders need to succeed at preventing intrusions and attacks 100% of the time, it is almost impossible to prevent breaches by threat actors that have (nearly) the same resources and skills as a nation state.

The potential implications of critical identity provider SaaS breaches

Breaches to SaaS providers can have significant implications, particularly when it comes to identity providers (such as Okta and Azure Active Directory). As organizations have increased cloud adoption, the world has transitioned from the classic perimeter (that is, the physical network in the office, protected by a firewall) into an era of the identity-driven perimeter. As some often say, “identity is the new perimeter,” meaning that the main gateway to the organization is through your identity providers.

Today, most large organizations rely on Single-Sign-On (SSO) as their main security gateway, allowing users to identify themselves through a single, secure identity provider, and propagating this identity through the entire organization. This aligns with the zero-trust model, where all users are authenticated, authorized, and validated before gaining access to applications and data — and users only have access to the resources they need to perform their jobs. Zero trust depends heavily on identity and creates controlled environments in which identity truly is the new perimeter for organizations. While combining zero-trust with identity provider solutions alleviates risks associated with separate identities per resource, it creates a new risk when the single, main identity provider is breached, as we recently saw in the Okta breach.

While in this specific case the breach scope was limited, a substantial compromise of any identity provider could enable an attacker to impersonate any user in any organization using that identity provider, allowing them to gain access to almost every resource in the organization. In many cases, this would also allow attackers to impersonate administrator users, gaining full control of every customer.

It is important to note that while these identify providers provide various controls to reduce potential attacks (such as Multi Factor Authentication and IP Risk Profiling, for example) – once the vendor itself is compromised, these controls may all potentially be circumvented.

How to protect or prepare your organization for SaaS, PaaS, and IaaS breaches

In a complex environment of software, platforms, and applications offered as services, global organizations and startups alike continuously update and change their applications and services. This brings new capabilities and innovations to market quickly — but also makes it challenging for security teams to stay on top of changes or know where to focus their attention. And although each provider does their best to release secure solutions, we cannot rely on the providers themselves to ensure security across the complex ecosystem existing in most organizations.

Complex incidents like the LAPSUS$ breaches (whose targets included Microsoft,  Samsung, Nvidia, Ubisoft, Globant, and, of course, Okta) demonstrate two important things. The first one, which has been part of every good security posture for years (yet many organizations fail to sufficiently implement it) is that security requires multiple layers. Only through that approach can organizations guarantee that the breach of a single provider will not allow for full compromise of the organization.

The second important approach, which is becoming more and more apparent in the last few years, is that at the end of the day, while we strive to minimize our exposure to breaches, the complexity of today’s computing and cloud systems makes it almost impossible to avoid. Therefore, most organizations are likely to suffer breaches. It is imperative for organizations to build their cyber resilience and increase their ability to respond quickly and efficiently to breaches, so that they can bounce back with minimal impact to normal operations.

Learn the 9 fundamental ways cloud incident response is different

Don't miss these stories:

March 23, 2023
How Okta Passwords Can Be Compromised: Uncovering a Risk to User Data

Mitiga's research team uncovered a data risk to Okta users due to passwords that can be present in logs. This article outlines the risk and attack method.

March 14, 2023
Samsung Next Invests In Mitiga, Brings Total Funding to $45M

Mitiga, the cloud and SaaS incident response leader, today announced the completion of a Series A Round bringing total funding to $45 million led by ClearSky Security, with participation from Samsung Next and existing investors Blackstone, Atlantic Bridge and DNX.

March 1, 2023
Google Cloud Platform Exfiltration: A Threat Hunting Guide

If you’re wondering if the cloud era is here, you need only look at the latest stats. 67% of enterprise infrastructure is now cloud-based and 94% of enterprises use cloud services.1 It’s no wonder that public clouds like Google Cloud Platform (GCP) have become a new playground for threat actors. There is a lot to exploit.

Want to see the future of IR for cloud and SaaS? Request a demo of IR2
SOLUTIONSBLOGABOUTCAREERSCONTACT
Copyright ©️ Mitiga Security Inc. All rights reserved | Terms of Use | Privacy Policy