The widely accepted software-as-a-service (SaaS) delivery model contains significant flaws and is “quietly enabling cyber attackers”, introducing widespread vulnerabilities that could undermine the global economic system, according to a leading financial services chief information security officer (CISO).
In an open letter to third-party suppliers, JPMorgan Chase CISO Patrick Opet this week criticised software companies for making SaaS the default, and often the only, format in which software can now be delivered, trapping customers into relying on service providers and concentrating risk into these organisations.
He said that while this model can be efficient and innovative, it is now clear that it “magnifies the impact of any weakness … creating single points of failure with potentially catastrophic system-wide consequences”.
“At JPMorganChase, we’ve seen the warning signs first-hand. Over the past three years, our third-party providers experienced a number of incidents within their environments. These incidents across our supply chain required us to act swiftly and decisively, including isolating certain compromised providers and dedicating substantial resources to threat mitigation,” wrote Opet.
Although he did not point the finger at the suppliers involved in any of the many widespread supply chain incidents that have occurred in the past few years, Opet lamented that the problem seemed to be getting worse rather than better, with software suppliers failing on multiple other issues “intrinsic” to SaaS, such as not securing vulnerable authentication tokens, giving themselves privileged access to customer systems without appropriate consent or transparency, and inviting downstream fourth-party suppliers into their systems.
Automation and artificial intelligence (AI) are further compounding these problems, he added, and all of these weaknesses are well-known to adversaries, borne out by changes in tactics among Chinese threat actors, who increasingly favour targeting organisations with deep access into their customer bases.
Three-step plan
In his missive, Opet set out three core steps SaaS providers should be taking to address these issues before they become insurmountable.
He called on the industry to prioritise cyber during the design phase, building in or enabling security features by default; modernise security architectures to optimise SaaS integration in such a way that mitigates risk; and collaborate better to halt threat actor abuse of connected systems.
Mark Townsend, co-founder and chief technology officer at AcceleTrex, a startup specialising in tech marketing and referrals, said Opet’s letter spoke to wider frustrations among customers that IT suppliers are not doing enough to ensure the security of their products and services.
“The rush to stay ahead of the competition has led to several issues over the years. A balance needs to be made and demonstrated to the market,” said Townsend.
“When buying SaaS, you’re buying a system deployed by a vendor that you are trusting your data to. Many will provide an annual pen test report and demonstrate alignment with SOC2 and other standards, but as the author points out, a lot happens within these apps, and the infrastructure that enables them, over the course of a year.
“The security of these systems is fairly opaque and requires a bit more transparency between the vendor and the consumer as to how the data is secured.”
Townsend added: “You can’t be too prescriptive without giving the vendors an easy out. It inspires constructive conversations that I think are necessary and important to have.”
Reversec’s Donato Capitella and Nick Jones, principal consultant and head of research respectively, said Opet rightly highlighted critical challenges faced by the industry in regard to the adoption of SaaS, notably the concentration of risk in a few big providers and reduced visibility making proactive incident detection and response much harder for customers.
“At a practical level, there are two very common areas where SaaS applications fail to provide adequate security. The first is gating single sign-on functionality behind additional cost or the “enterprise” price plans, forcing users to make a trade-off between adequate identity security and cost,” they told Computer Weekly in emailed comments.
“The second is comprehensive, high-fidelity audit logging, which is often also gated behind expensive plans or add-ons, if available at all. These limitations hinder an organisation’s ability to prevent, detect and respond to attacks against their SaaS estate.”
Capitella and Jones added: “We hope that SaaS vendors see this open letter as a call to arms and work towards providing a hardened, secure-by-default experience to their consumers.”
