SaaS Breaches: How to Think about Security in Cloud Apps and Services

By

The increasing sophistication of attack groups

The Okta breach is yet another indication of what we have been seeing for the past few years in the cybersecurity industry, particularly in the incident response practice, demonstrating the increased sophistication and capabilities of various attack groups. This is due to a combination of several trends we are seeing:

  • Increased potential financial gain for attackers justifies a larger investment in attacks, allowing criminal threat actors to build campaigns with substantial resources. Resources that were formerly only available to state level actors.
  • There’s continuous leakage of cyber capabilities from state-level actors to the private market, including a wealth of knowledge and skill formerly unavailable to criminal groups.
  • The line between state-level attacks and criminal threat actors is disappearing. Certain nation states encourage (or willingly ignore) criminal cyber activities as part of the new age of the Cyber Cold War, making it easier for criminal threat actors to build up a substantial force.

The state of security in cloud applications and services

Naturally, the increased sophistication of adversaries creates a huge issue as organizations increasingly use software as a service (SaaS), platform as a service (Paas), and infrastructure as a service (IaaS) to deliver applications and services. While these cloud services reduce the need for complex software and hardware management, the mesh of applications and services creates new complexities for security teams. In this asymmetrical space, where attackers need only one success and defenders need to succeed at preventing intrusions and attacks 100% of the time, it is almost impossible to prevent breaches by threat actors that have (nearly) the same resources and skills as a nation state.

The potential implications of critical identity provider SaaS breaches

Breaches to SaaS providers can have significant implications, particularly when it comes to identity providers (such as Okta and Azure Active Directory). As organizations have increased cloud adoption, the world has transitioned from the classic perimeter (that is, the physical network in the office, protected by a firewall) into an era of the identity-driven perimeter. As some often say, “identity is the new perimeter,” meaning that the main gateway to the organization is through your identity providers.

Today, most large organizations rely on Single-Sign-On (SSO) as their main security gateway, allowing users to identify themselves through a single, secure identity provider, and propagating this identity through the entire organization. This aligns with the zero-trust model, where all users are authenticated, authorized, and validated before gaining access to applications and data — and users only have access to the resources they need to perform their jobs. Zero trust depends heavily on identity and creates controlled environments in which identity truly is the new perimeter for organizations. While combining zero-trust with identity provider solutions alleviates risks associated with separate identities per resource, it creates a new risk when the single, main identity provider is breached, as we recently saw in the Okta breach.

While in this specific case the breach scope was limited, a substantial compromise of any identity provider could enable an attacker to impersonate any user in any organization using that identity provider, allowing them to gain access to almost every resource in the organization. In many cases, this would also allow attackers to impersonate administrator users, gaining full control of every customer.

It is important to note that while these identify providers provide various controls to reduce potential attacks (such as Multi Factor Authentication and IP Risk Profiling, for example) – once the vendor itself is compromised, these controls may all potentially be circumvented.

How to protect or prepare your organization for SaaS, PaaS, and IaaS breaches

In a complex environment of software, platforms, and applications offered as services, global organizations and startups alike continuously update and change their applications and services. This brings new capabilities and innovations to market quickly — but also makes it challenging for security teams to stay on top of changes or know where to focus their attention. And although each provider does their best to release secure solutions, we cannot rely on the providers themselves to ensure security across the complex ecosystem existing in most organizations.

Complex incidents like the LAPSUS$ breaches (whose targets included Microsoft,  Samsung, Nvidia, Ubisoft, Globant, and, of course, Okta) demonstrate two important things. The first one, which has been part of every good security posture for years (yet many organizations fail to sufficiently implement it) is that security requires multiple layers. Only through that approach can organizations guarantee that the breach of a single provider will not allow for full compromise of the organization.

The second important approach, which is becoming more and more apparent in the last few years, is that at the end of the day, while we strive to minimize our exposure to breaches, the complexity of today’s computing and cloud systems makes it almost impossible to avoid. Therefore, most organizations are likely to suffer breaches. It is imperative for organizations to build their cyber resilience and increase their ability to respond quickly and efficiently to breaches, so that they can bounce back with minimal impact to normal operations.

Learn the 9 fundamental ways cloud incident response is different

Don't miss these stories:

Want to stay up to date on the latest Mitiga news and research? Subscribe to our blog!