Home
»
Blog Main

SaaS Breaches: How to Think about Security in Cloud Apps and Services

By

The increasing sophistication of attack groups

The Okta breach is yet another indication of what we have been seeing for the past few years in the cybersecurity industry, particularly in the incident response practice, demonstrating the increased sophistication and capabilities of various attack groups. This is due to a combination of several trends we are seeing:

  • Increased potential financial gain for attackers justifies a larger investment in attacks, allowing criminal threat actors to build campaigns with substantial resources. Resources that were formerly only available to state level actors.
  • There’s continuous leakage of cyber capabilities from state-level actors to the private market, including a wealth of knowledge and skill formerly unavailable to criminal groups.
  • The line between state-level attacks and criminal threat actors is disappearing. Certain nation states encourage (or willingly ignore) criminal cyber activities as part of the new age of the Cyber Cold War, making it easier for criminal threat actors to build up a substantial force.

The state of security in cloud applications and services

Naturally, the increased sophistication of adversaries creates a huge issue as organizations increasingly use software as a service (SaaS), platform as a service (Paas), and infrastructure as a service (IaaS) to deliver applications and services. While these cloud services reduce the need for complex software and hardware management, the mesh of applications and services creates new complexities for security teams. In this asymmetrical space, where attackers need only one success and defenders need to succeed at preventing intrusions and attacks 100% of the time, it is almost impossible to prevent breaches by threat actors that have (nearly) the same resources and skills as a nation state.

The potential implications of critical identity provider SaaS breaches

Breaches to SaaS providers can have significant implications, particularly when it comes to identity providers (such as Okta and Azure Active Directory). As organizations have increased cloud adoption, the world has transitioned from the classic perimeter (that is, the physical network in the office, protected by a firewall) into an era of the identity-driven perimeter. As some often say, “identity is the new perimeter,” meaning that the main gateway to the organization is through your identity providers.

Today, most large organizations rely on Single-Sign-On (SSO) as their main security gateway, allowing users to identify themselves through a single, secure identity provider, and propagating this identity through the entire organization. This aligns with the zero-trust model, where all users are authenticated, authorized, and validated before gaining access to applications and data — and users only have access to the resources they need to perform their jobs. Zero trust depends heavily on identity and creates controlled environments in which identity truly is the new perimeter for organizations. While combining zero-trust with identity provider solutions alleviates risks associated with separate identities per resource, it creates a new risk when the single, main identity provider is breached, as we recently saw in the Okta breach.

While in this specific case the breach scope was limited, a substantial compromise of any identity provider could enable an attacker to impersonate any user in any organization using that identity provider, allowing them to gain access to almost every resource in the organization. In many cases, this would also allow attackers to impersonate administrator users, gaining full control of every customer.

It is important to note that while these identify providers provide various controls to reduce potential attacks (such as Multi Factor Authentication and IP Risk Profiling, for example) – once the vendor itself is compromised, these controls may all potentially be circumvented.

How to protect or prepare your organization for SaaS, PaaS, and IaaS breaches

In a complex environment of software, platforms, and applications offered as services, global organizations and startups alike continuously update and change their applications and services. This brings new capabilities and innovations to market quickly — but also makes it challenging for security teams to stay on top of changes or know where to focus their attention. And although each provider does their best to release secure solutions, we cannot rely on the providers themselves to ensure security across the complex ecosystem existing in most organizations.

Complex incidents like the LAPSUS$ breaches (whose targets included Microsoft,  Samsung, Nvidia, Ubisoft, Globant, and, of course, Okta) demonstrate two important things. The first one, which has been part of every good security posture for years (yet many organizations fail to sufficiently implement it) is that security requires multiple layers. Only through that approach can organizations guarantee that the breach of a single provider will not allow for full compromise of the organization.

The second important approach, which is becoming more and more apparent in the last few years, is that at the end of the day, while we strive to minimize our exposure to breaches, the complexity of today’s computing and cloud systems makes it almost impossible to avoid. Therefore, most organizations are likely to suffer breaches. It is imperative for organizations to build their cyber resilience and increase their ability to respond quickly and efficiently to breaches, so that they can bounce back with minimal impact to normal operations.

Learn the 9 fundamental ways cloud incident response is different
Last updated:
May 18, 2022

Don't miss these stories:

Ransomware Strikes Azure Storage: Are You Ready?

There’s been a recent surge in cloud ransomware attacks. Examples of such attacks were observed by Sophos X-Ops, which detected the ransomware group BlackCat/ALPHV using a new Sphinx encryptor variant to encrypt Azure storage accounts by employing stolen Azure Storage account keys. The BlackCat/ALPHV ransomware group is the same entity that claimed responsibility for infiltrating MGM’s infrastructure and encrypting more than 100 ESXi hypervisors.

Deciphering Shadows: Insights and Observations from the MGM Breach

On September 12, 2023, the world woke up to the news of another significant cyber-attack, this time on MGM Resorts International, a renowned name in the hotel and casino industry. The incident affected their operations across various locations, including iconic Las Vegas.

Think You Have All the Cloud Forensics Data You Need? You Probably Don't

Logs are everywhere—the digital records of events and actions that have taken place in every hardware system, application and network. All of yourdigital environments generate a log of some form.

Want to see the future of IR for cloud and SaaS? Request a demo of IR2
SOLUTIONSBLOGABOUTworking at mitigaCONTACT
Copyright ©️ Mitiga Security Inc. All rights reserved | Terms of Use | Privacy Policy