Most Attractive Targets SaaS
"SaaS" stands for "Software as a Service", which is the new hot topic on the market. It is so hot, it radiates light. Of course all vendors are jumping on the SaaS bandwagon, and for a reason. The usual benefits/reasons that are given to new clients are:
01 There is no upfront cost involved.
02 There is no admin and setup overhead.
03 In the long term it costs less.
04 It scales quite well (patching, bug fixes and machine power are instant).
So at CONFidence, I wanted to attend a talk which looked quite interesting. However, it turned out to be the most brutal commercial I have ever seen. I left after the first 15 minutes, but I learned something interesting. I learned who their clients are and how their SaaS works.
In summary, company X was bragging about their awesome SaaS product which will put an end to all your problems. Local agents, which reside within your network, monitor various kinds of activities and back up critical data with constant pushes to the SaaS. That data is analyzed with some overestimated forensics engine which in turn tells you whether your security perimeter has been breached. And if NASA and NATO are using it, why shouldn't we? Why? That's the question.
"Why?" Well, it makes the SaaS a more attractive target. It makes total sense for attackers to crack into some 3rd-party organization which provides access to a couple of hundred client networks rather than hacking into each client network individually. Do you agree? Anyone who has been long enough in this field knows that there isn't an impenetrable target, so don't start with the usual "yes, but if the SaaS network is secure...". Such a thing does not exist. Some targets take longer to break into, but in the end all that is needed is some good mental health, optimism and persistence in order to be successful.
Recently, I saw another presentation related to email security. Again, the vendor was showing off their SaaS. Again, the SaaS will put an end to all your email problems. It will eliminate all your SPAM but leave your important business communications untouched. All you have to do is use their mail servers, which are located in some scalable data warehouse. If your infrastructure fails, you can still access your emails through their Web console.
It makes total sense, but what they don't mention is what will happen if they get hacked, which they probably will if they continue showing off a client base which consists of several well-recognized law firms, hundreds of government agencies, a couple of well-recognized enterprises and so on. If they get hacked, the attackers will have so much data on their hands that they can easily play it all out on the stock market and make a couple of gazillions, for example. Or maybe even sell it to the mob or some other organization that might be very interested in buying.
In conclusion, I need to say that SaaS is not necessarily a bad thing. It makes total sense sometimes. But you have to be conscious of the risk. Just because you've outsourced all your email to some organization doesn't mean that you can stop worrying about your email security. In fact, if you really do save money, this is a perfect opportunity to spend it all on security professionals who know what they are talking about. At the end of the day, money is energy, and energy becomes useless if it doesn't transform from one form into another.
The security model is often shared. The security of the server depends on the security of the individual clients, while the security of the individual clients depends on the security of the server they are interacting with. In a similar way, the SaaS security model is shared between the SaaS itself and its clients. And we all know what too much sharing leads to.