In December, Nick Woodcraft from GDS asked the NCSC to join the Technology Leaders Network meeting on Software as a Service (SaaS) to discuss cloud security myths. Other speakers included Tom Read (Chief Digital and Information Officer at Ministry of Justice UK) explaining how there are now credible SaaS options for almost all enterprise applications, and Andy Beale (Chief Technology Officer HMG) on why the Internet is OK.
From our discussions with users, we know that there are a wide range of opinions about cloud security - and SaaS in particular - ranging from the unrealistically positive to the extremely negative. The goal of this meeting was to try to address a few of the myths that have grown up around SaaS, hopefully without saying 'it depends'. Here's a (slightly edited) version of what I said there.
"Moving from on-prem to SaaS can - and should - raise a number of cyber security questions for your organisations. Even without moving your current in-house services to the cloud, there are many SaaS offerings which you and your teams may be already using or considering, which should raise similar questions.
The first thing to say is that there’s often a lot of fear, uncertainty and doubt, around cloud and cyber security. On the one hand, there are those that say it’s too risky, and simply shouldn’t be done under any circumstance. On the other, there are those who say there are zero risks, and even having the conversation about it is delaying our collective move to the cloud.
At the NCSC we try to cut through the myths and get to the facts. We think the answer is somewhere between the two positions. Yes, cyber security things change when you start to use SaaS. Some will get more challenging, others will get better. It's not all doom and gloom, but neither is it a silver bullet that means cyber security risks disappear. On balance we think well-engineered SaaS is better for security than the alternatives - I'll explain why in a moment.
Let’s start with the big challenges that are brought up around the security of SaaS offerings. The big ones are:
My services are going to be exposed to more attackers once they’re outside of my organisation’s control. Yes, this can certainly be true. For example, if you’ve got an internal instant messaging application which runs on servers that don’t connect to the Internet, then using something like Slack changes this equation. Information you care about is now on services that are inherently more connected than they previously were.
Lots of services - by definition - need to interact with the Internet and other services and users beyond your organisational boundary, so this point is often a bit misleading. For example, think about email as a service. Attack vectors here are likely to be via the main access protocols with the Internet (SMTP, IMAP, TLS etc.) which you have, regardless of where servers are physically located. In a world of massive connectivity, it is increasingly unlikely that your services will be internal only. So the mitigation of having zero connectivity with the wider world isn't going to be feasible in the future - if it even is today.
I will be sharing my platform with lots of other people, some of whom may wish to cause me harm. Yes, absolutely. This is pretty much inevitable when it comes to using cloud services. There are lots of other tenants and users, and you can't know the intentions of them all. The vast majority will be legitimate users of the platform and service, and security issues are not going to be the result of malfeasance on their part (although they could potentially come from their inaction or inattention to securing their use of the service). However, we see attackers trying to compromise commonly-used services and platforms on a regular basis. Most of this is unrelated to your specific use of the service, but some could of course be targeted.
The challenge is exacerbated when you think about how many higher level services are built. The 'supply chain' for SaaS can get impressively complicated without the provider even realising this is the case. It is common for providers to make use of a range of third party services to build their own service, which will inevitably be cloud services themselves. There are turtles all the way down. The service you are using may have been built with cyber security in mind, and may be operated by a strong cyber security team. However, the dependencies they've taken on third parties can render these protections nugatory.
For example, picture a collaboration platform which is used by lots of companies for internal information sharing within their enterprises. The collaboration platform itself could be attacked; access controls between different user groups may not be sufficiently robust, and lead to unauthorised information disclosure. Alternatively, the underlying infrastructure - maybe Platform or Infrastructure as a Service - could be attacked. Maybe not to directly compromise this collaboration tool or your use of it, but the upshot is the same; your information is compromised, without your ability to observe or influence events.
It's not all bad news though. By using SaaS (and indeed, PaaS and IaaS), my services are generally going to benefit from a well-resourced and focused security engineering team. Not an absolute given, but regularly the case. Consider whether your IT security engineering team is going to be better or worse at security management for a major commodity product, offered - as a service - by the major vendor who developed it. Who is going to be able to roll out patches and hotfixes for security problems faster, and be more able to monitor for problems as a result? Even if your team is really good at this (well done!) is this always going to be true? Are you reliant on one or two key individuals?
You get the benefit of security at scale. If the SaaS offering is well run, then the provider should be looking across all of their customers and connections to observe security patterns, to do transactional monitoring, and to learn what unusual activity on their platform looks like, meaning you should be protected before the problems reach yours. We often speak about the benefits of sharing threat information to protect each other. In a well-run SaaS provider with many customers, this should essentially be happening for you, behind the scenes.
One of the concerns I've heard is a fear that when you start using SaaS, you lose control of your information, and your users will 'do bad things' with it as a result. Maybe this is true, but it's also a fear that is indicative of a broader problem. Our research suggests most users are motivated primarily by trying to do their job, and will use the tools and techniques put in front of them to their best ability. SaaS offerings may feel at times like an uncontrolled and uncontrollable space where your staff will share private data in an unconstrained fashion. Our experience is that this can be true, but that it’s better to provide them with easy to understand guidance on which tools are appropriate to use, and where to seek help, rather than to ban them altogether. This latter approach often results in people using services anyway, without any organisational visibility or understanding of the risks.
There’s a point about best use of our scarce security resources. I assert it is better to spend our local security effort on problems unique to our organisations, rather than worrying about patching, maintaining, and monitoring services that others can do better than us. If we think about email again, there are some tasks I think it's better for a local security analyst to spend their time on. For example, they're probably well-placed to look for misconfigured mailbox rules and unexpected accesses - such as if an executive has accidentally granted the entire organisation full read access to their mailbox, rather than just to their PA. Better they do this than worry about patch Tuesday and whether they can come in out of hours to apply a hotfix.
Finally, using SaaS opens up some interesting cyber security opportunities. As you use an increasing number of third party services, some useful centralisation points emerge, such as around identity and monitoring. Using federated identity solutions means an easy 'movers and leavers' process, ensuring the right accesses for the right individuals. Coupled with appropriate investment in logging and review, this data source can help to enrich access decisions, and tailor your organisation's use of SaaS to the data, the users, the devices, etc. that make sense.
This is of course a very quick review of some of the major considerations about SaaS - there are lots of other points which I'd encourage you to think about, which are captured in the NCSC's 14 cloud security principles. As always, I'd encourage you to use these as a guide when considering the use of a particular service in a particular circumstance - not every principle is always relevant, and some situations will naturally require extra thought and care. Services differ in the protection they offer.
In summary, I would like to leave you with the message that whilst SaaS is not a silver bullet for cyber security, in many situations the security benefits outweigh the risks. I'd encourage you to look beyond the hype and fear, and work out what really matters to you when protecting your data, whether it is on-prem or in the cloud."
Jon L (speaking at the Technology Leaders Network)
Tech Director for Assurance
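The talk's example of what a local analyst is well placed to do (spotting an executive who has granted the whole organisation access to their mailbox, or a mailbox rule that quietly forwards or hides mail) can be turned into a routine check. The script below is an added illustration, not NCSC code and not tied to any particular mail product. It assumes the service's admin tooling can export permission grants and inbox rules as simple records; the record shapes, the trustee and folder names, the organisation domain and the sample data are all constructed assumptions.

```python
"""Spot over-broad mailbox grants and suspicious inbox rules.

Added example, not NCSC's or any vendor's code. It assumes the mail
service's admin API can export permission grants and inbox rules as
simple records; record shapes and sample data below are constructed.
"""
from dataclasses import dataclass

ORG_DOMAIN = "example.gov.uk"  # assumed organisation domain

# Trustee names that mean "everyone" on common mail platforms (assumption).
BROAD_TRUSTEES = {"default", "everyone", "anonymous", "authenticated users", "all staff"}
# Rights that expose message contents rather than just free/busy time.
SENSITIVE_RIGHTS = {"fullaccess", "readitems", "reviewer", "editor", "owner"}
# Folders attackers move mail to so the victim does not notice it.
HIDING_FOLDERS = {"deleted items", "rss feeds", "junk email", "archive"}
# Subject words that typically mark payment-fraud or account-takeover rules.
FRAUD_WORDS = {"invoice", "payment", "bank", "password", "security alert"}


@dataclass(frozen=True)
class Finding:
    mailbox: str
    kind: str     # "broad_grant" or "suspicious_rule"
    detail: str


def check_grants(grants):
    """grants: dicts of {mailbox, trustee, rights}; returns a list of Findings."""
    findings = []
    for g in grants:
        exposed = {r.lower() for r in g["rights"]} & SENSITIVE_RIGHTS
        # The talk's scenario: a broad trustee holding content-level rights.
        if g["trustee"].strip().lower() in BROAD_TRUSTEES and exposed:
            findings.append(Finding(g["mailbox"], "broad_grant",
                f"'{g['trustee']}' holds {', '.join(sorted(exposed))}"))
    return findings


def _is_external(address):
    """True unless the address is in the organisation domain or a subdomain of it."""
    domain = address.rsplit("@", 1)[-1].lower()
    return domain != ORG_DOMAIN and not domain.endswith("." + ORG_DOMAIN)


def check_inbox_rules(rules):
    """rules: dicts of {mailbox, name, forward_to, move_to, delete, subject_words}."""
    findings = []
    for r in rules:
        reasons = []
        external = [a for a in r.get("forward_to", []) if _is_external(a)]
        if external:
            reasons.append("forwards to external " + ", ".join(external))
        hides = bool(r.get("delete")) or (r.get("move_to") or "").lower() in HIDING_FOLDERS
        targeted = {w.lower() for w in r.get("subject_words", [])} & FRAUD_WORDS
        # Hiding mail is only flagged alongside forwarding or fraud-related filters,
        # so ordinary "file the newsletters" rules stay quiet.
        if hides and (external or targeted):
            reasons.append("hides matching mail")
        if reasons:
            findings.append(Finding(r["mailbox"], "suspicious_rule",
                f"rule '{r['name']}': " + "; ".join(reasons)))
    return findings


# Constructed sample export: one bad grant, one legitimate PA grant, one
# free/busy-only grant, one attacker-style rule and one benign rule.
SAMPLE_GRANTS = [
    {"mailbox": "director@example.gov.uk", "trustee": "Default", "rights": ["FullAccess"]},
    {"mailbox": "director@example.gov.uk", "trustee": "pa@example.gov.uk", "rights": ["FullAccess"]},
    {"mailbox": "room-bookings@example.gov.uk", "trustee": "Default", "rights": ["AvailabilityOnly"]},
]
SAMPLE_RULES = [
    {"mailbox": "finance@example.gov.uk", "name": "sync", "forward_to": ["fin.backup@mail.example.com"],
     "delete": True, "subject_words": ["invoice"]},
    {"mailbox": "analyst@example.gov.uk", "name": "newsletters", "move_to": "Reading",
     "subject_words": ["digest"]},
]


def run(grants=SAMPLE_GRANTS, rules=SAMPLE_RULES):
    """Run both checks over an export and return all findings."""
    return check_grants(grants) + check_inbox_rules(rules)


if __name__ == "__main__":
    for f in run():
        print(f"{f.kind:16} {f.mailbox:30} {f.detail}")
```

Run against a real export, the two things worth tuning are the trustee and folder name sets, which differ between platforms, and the fraud word list, which should reflect what your own finance and HR traffic looks like. The point of the example is the division of labour from the talk: the provider patches the mail servers; the local analyst reviews what your users have configured.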