SaaS risks come into focus

Sometimes, security risks are hiding in plain sight

My company is pretty much all in with software as a service (SaaS). At this point, in fact, only three major applications live on our corporate network: our source code repository, bug tracking system and departmental fileshares. And most of our users don’t need those applications to get their jobs done, instead relying on another 90 or so applications, all of which live on the internet and thus are available from anywhere in the world. (There are a few exceptions, for applications that are configured to restrict access by IP address.)

We won’t be backing off from SaaS, of course. Employees love the convenience that SaaS provides, and IT has seen SaaS migration reduce operational overhead, speed up deployments, streamline integration and minimize single points of failure. Nonetheless, there are drawbacks, especially from my security point of view.

The crux of the problem is that many of our employees work remotely and do not come into any of our offices, and with SaaS applications at their disposal, they don’t need to establish a VPN connection to our network in order to do their jobs. They only need an internet connection. Left untethered to the network for long stretches of time, their PCs aren’t backed up. That’s an invitation to trouble.

This came home to me last week when I was, in fact, at home, working remotely for a couple of days to prepare a presentation for top executives on threats to the business. I included some slides about ransomware, and specifically CryptoLocker, which is currently the most widely disseminated variant. CryptoLocker encrypts files on a victim’s hard drive and demands a ransom in exchange for the decryption key. There are many countermeasures to prevent falling victim to ransomware, such as effective patch management, robust endpoint protection (antivirus) and user awareness training. But one of the most effective controls is doing regular backups of PCs.

When you have a complete backup for a PC that gets hit by CryptoLocker, you can simply re-baseline the PC and restore files from the backup. With that thought in mind as I sat in my home office (a.k.a. the kitchen table), I decided to open my Symantec Backup Exec agent to check the status of my local files. What I found was that my files were in a “pending network” status — not being backed up. The reason was simple: I hadn’t been in the office, using the corporate network, and I hadn’t connected via VPN. That’s unusual for me, but not at all for a big chunk of our workforce.

I’m not claiming that this was a particularly insightful revelation. Sometimes, though, things that should be obvious only reveal themselves when we are able to focus on a topic that normally gets brushed aside in the course of day-to-day crisis management. But having finally seen this truth, I couldn’t ignore it. I had arrived at my revelation by thinking about ransomware, but that’s not the only reason a lack of backups could mean trouble. A lost or stolen laptop or a crashed hard drive are among the other potential threats. (We use Google Docs for file collaboration, but that’s not a substitute for backups.)

And PCs that don’t talk to the network on a regular basis have other problems besides a lack of backups. New domain policies don’t get pushed to those PCs, and we rely on group policy to enforce configuration policies and on Microsoft’s System Center Configuration Manager (SCCM) to manage patching of the operating system and some third-party applications. If a PC never connects to the network, SCCM can’t properly inventory the system or report compliance metrics for it. And you just can’t rely on end users to patch applications such as Java, Flash and Adobe’s other risky products themselves. They forget, are lazy or don’t see such patching as a high priority.

What’s more, we can’t conduct periodic security scans of PCs that don’t connect to the network. I have a weekly Tenable Nessus job configured to scan the DHCP address range of PCs assigned to our corporate network. If a PC is not on the network, I have no visibility. Worse, PCs that don’t get scanned for long periods of time and become infected or compromised are a major threat when they finally connect to the network. That’s a good way to propagate malware on the network or give a bad actor access to the corporate network or even a conduit to our production network, where our intellectual property resides.
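The gap described in the last two paragraphs is that every network-dependent control (backup agent, SCCM inventory, the weekly scan) silently goes stale for a PC that stays off the network. The following check, an added example and not the column’s own tooling, reconciles per-PC “last seen” dates from those controls against assumed maximum ages and lists which controls are overdue for which host; the inventory records, field names and thresholds are constructed.

```python
"""Flag PCs whose network-dependent controls have gone stale.

Added example with constructed data: the record layout, the control
names and the day thresholds are assumptions, not a real product's API.
"""
from datetime import datetime, timedelta

# Constructed inventory: one record per PC with the last date each control
# reported on it.  None means the control has never reported on the host.
INVENTORY = [
    {"host": "PC-0101", "last_network": "2015-05-18",
     "last_backup": "2015-05-18", "last_scan": "2015-05-17"},
    {"host": "PC-0212", "last_network": "2015-04-02",
     "last_backup": "2015-03-30", "last_scan": "2015-03-29"},
    {"host": "PC-0333", "last_network": "2015-05-15",
     "last_backup": None, "last_scan": "2015-05-10"},
]

# Maximum tolerated age per control, in days (assumed policy values:
# a PC off the network two weeks is the trigger for an escalation).
MAX_AGE = {"last_network": 14, "last_backup": 7, "last_scan": 14}


def parse_day(value):
    """Turn an ISO date string into a datetime; None stays None."""
    return datetime.strptime(value, "%Y-%m-%d") if value else None


def stale_controls(record, as_of):
    """Return the controls that are overdue for one PC.

    A control is stale when it has never reported on the host or when its
    last report is older than MAX_AGE days relative to as_of.
    """
    stale = []
    for field, limit in MAX_AGE.items():
        seen = parse_day(record.get(field))
        if seen is None or as_of - seen > timedelta(days=limit):
            stale.append(field)
    return stale


def report(inventory, as_of):
    """Map each host with at least one stale control to its stale controls."""
    findings = {}
    for rec in inventory:
        stale = stale_controls(rec, as_of)
        if stale:
            findings[rec["host"]] = stale
    return findings


if __name__ == "__main__":
    for host, controls in sorted(report(INVENTORY, parse_day("2015-05-20")).items()):
        print(f"{host}: overdue for {', '.join(controls)}")
```

A host that appears with `last_network` overdue is exactly the case in the column: it has not touched the corporate network, so backups, policy pushes and scans have all lapsed together.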

I was back in the office the next day, and my PC was backed up and scanned soon enough. But I know that many remote workers will have no need to do the same anytime soon. I talked to the head of IT, who fully agrees with my concerns. We plan to deploy a robust endpoint-protection solution that doesn’t rely on being connected to the corporate network. We’re also looking at either re-architecting our current environment or choosing a cloud-based solution so that we can manage PCs and security policies regardless of where a PC is located. And we will evaluate what it would take to remove administrative privileges while still letting users work wherever they happen to be.

This week's journal is written by a real security manager, "Mathias Thurman," whose name and employer have been disguised for obvious reasons. Contact him at
