Keeping Your SaaS Data Secure
As the software industry continues to move away from purchased client/server applications and toward cloud-based SaaS (software as a service) solutions, LMS administrators must rethink the means that they employ to keep their system free from attack, and most importantly, keep their data secure. Historically, client/server software was usually accessible only from devices on the local network, but cloud-based SaaS hosting exposes it to anyone in the world with an internet connection, so different strategies and disciplines must be employed to protect assets and maintain business continuity.
Personal Identifiable Information (PII)
The greatest exposure from SaaS application data breaches is loss of Personally Identifiable Information (PII)— any information that can be used to identify, contact, locate, or learn about a specific individual. A few examples of PII are:
- Name
- Date of Birth
- Social Security number
- Phone Number
- Email Address
- Employer
- Professional License Number
Occasionally some fields are removed from a shared dataset or report in a misguided attempt to prevent the information from being used to identify specific persons. This doesn’t always work. For instance, removing last names might not be enough— first names used in conjunction with department names can still allow someone to deduce the identities behind some of the records. Further, sometimes data from two different sources can be combined to drill down to discern with whom each record is associated.
There have been many high-profile data breaches over the last five years. Home Depot and the State of California each had over 50 million records stolen. J.P. Morgan Chase had 76 million records involved in a breach, and Yahoo had over a billion. These kinds of PII losses are expensive due to damaged reputations with customers, but can also saddle companies with legal woes, both civil and criminal. Sony had just 3,000 records stolen which may seem comparatively negligible, but they were human resource records—the individuals whose data was personally identifiable were highly placed executives and the stars of Sony Pictures’ films. Just this week (November 2017), Uber revealed that the names, email addresses, and phone numbers of 50 million customers were stolen. Breaches keep happening, and the stakes are high.
Attack Vectors
Criminals use a variety of techniques to break into SaaS applications and steal data. Sometimes they are targeting a specific organization, other times they are taking advantage of a specific system vulnerability, but often they simply cast a wide net to see what they can attack. These are most prevalent techniques.
Viruses
Viruses are malicious software programs that find their way onto a computer. They might attack a server, your PC, or even your phone. They exploit vulnerabilities that have not been identified and fixed by operating system vendors, and attack computers through a variety of paths, including USB flash drives, websites, and even over networks. They can sneak onto a computer without a user’s inadvertently triggering it.
Trojans
Trojans are named after the Trojan Horse that was used by Greek soldiers to sneak behind Troy’s walls. Similarly, a Trojan attack tricks a user into running a software application that ostensibly does one thing, but also installs malevolent software on the victim’s computer. Trojans arrive under a variety of subterfuges—email attachments and file downloads are most common. Sometimes an email will arrive from a known person with an attachment that contains a trojan because the sender’s email has been hacked, not because the sender is trying to do harm.
Phishing
Phishing attacks in the form of an email are intended to deceive the recipient as to the true origin of the email. For example, an email may appear to come from a bank, asking the recipient to log in to their account for some seemingly good reason. However, the link provided directs them to a faux site, and the username and password the victim uses is then used by the attacker to log in to the real site for purposes of theft or harm. Sometimes, these attacks are widespread—a recipient may get an email from a certain bank that they don’t have an account with—but the attacker sends out tens of thousands of emails, knowing that at least some of the recipients will have an account at the target bank. Other times, the attack is tailored to a specific user, which is called Spear Phishing, or even to a specific executive, which is called Whale Phishing.
Social Engineering
Perhaps the most effective, insidious method of compromising a system’s security is when an attacker calls (or emails) the victim and proports to be an official demanding action on the part of the user that opens access to the system. Techniques that might be attempted include the pretense that it is the police conducting an investigation, the support group from a vendor, or most commonly a member of the victim’s own IT department. Attackers are practiced at sounding convincing and can persuade a victim to convey critical information like passwords.
Defenses
In some cases, keeping a SaaS application safe requires dependence on others. For instance, SaaS vendors must be relied upon to keep their server infrastructure up-to-date and free of vulnerabilities that would leave data open to direct theft. Web Courseworks, like most SaaS vendors, has processes in place to ensure that our customers’ servers and applications remain secure through updates, security scans, and other best practices. You also may need to rely on your organization’s IT department to keep your PC updated and to install and maintain a good anti-virus product to defend against viruses.
So what can you do to protect your data? Quite a few things:
Don’t open unexpected attachments, and treat links on emails with skepticism
A common vector for malware, spyware (which can steal your passwords) and ransomware are emails that have falsely attributed origins. Be skeptical when clicking on links or attachments in emails, even if it appears to be from someone you know or work with.
Don’t respond to requests from unknown parties who call or send emails
If a badly intentioned person wanted to steal data from your organization’s SaaS application, they can easily find the names of employees on professional networking sites like LinkedIn and then contact them directly. Don’t fall prey to someone pretending to be in an official capacity demanding that you act in a way that leaves your site vulnerable to them.
Don’t allow generic accounts on your SaaS system
It is bad practice to create an account that is intended to be shared between authorized individuals. For instance, it is a poor idea to have a user account called “admin” that is shared between several administrators of an AMS, LMS, or ecommerce system. There is no way to trace an action back to a particular individual, and without traceability there can be no accountability. Furthermore, it is difficult to institute and enforce a good password-changing policy when multiple people are sharing an account. Instead, it is a much better idea for each administrator to have their own account with appropriate permissions applied.
Never share your password
Sharing a password is a poor practice for a several reasons. Often, the reason is to temporarily grant that person additional permissions on the system—best practices dictate that if they need elevated permissions then they should be granted on that person’s own account. Further, once you’ve lent your password, having them locked out of the system if they happen to leave the organization might be overlooked. Keep your passwords for use only by the creator.
Summary
SaaS applications are inherently safe—they are supported by staffs of professionals that are dedicated to keeping systems secure and data safe. But LMS administrators must show discipline in their IT practices to prevent a system intrusion by someone with bad intentions. These suggestions are a good reminder for maintaining security.
