Slashing your Attack Surface by Reining in Your SaaS Data Sprawl

Grant Miller
Feb 24, 2018

If you’re like most people, you probably didn’t hear about this recent breach experienced by Reddit. The attack was small in terms of sheer scale, but is notable nonetheless: It highlights some of the vulnerabilities of the SaaS model, where companies are encouraged to trust sensitive customer data with third parties that bear no real responsibility to those customers.

The attack was carried out by a hacker who compromised the credentials for a single employee at Reddit’s transactional email vendor, Mailgun. The criminal was then able to target a handful of Reddit users who had Bitcoin Cash associated with their accounts (via Reddit’s tipping systems), reset their passwords and steal their cryptocurrency. Two things stand out here:

  • The small, non-Reddit-controlled attack surface.
  • That the breach was announced publicly within less than a week of its execution.

However, the main reason that the attack was immediately discovered and verified is because the Reddit users lost the Bitcoin Cash that had been associated with their accounts. Because a digitally scarce asset was stolen, Reddit was immediately held responsible by its users, who could instantly verify that their funds were stolen.

Apart from planting an interesting (I think) idea in my brain about how cryptocurrency might be used as a real-time alert system for breaches, the Reddit-Mailgun attack also reiterated just how far and wide important data can travel in the age of SaaS—and how long it usually takes for breaches to be discovered. I believe most companies (and individuals) grossly underestimate these concerns.

What’s your visibility into your vendors’ practices?

The rate and state of massive data breaches has made many of us numb to the fact that our personal information and business secrets are spread out across myriad companies and their vendors. Consider for a minute that the average enterprise has more than 1,000 different SaaS vendors. Conservatively, those vendors average 250 employees apiece. Hence, the surface area of attack for each enterprise is increased by about 250,000 people. To err is human, as we all know too well, and we should expect a human error rate higher than 0.0004 percent (or 1 in 250,000).

And although the Reddit-Mailgun breach was discovered quickly, most are not. Compare that incident to last year’s Equifax breach, where it took months for anyone to even find out that Equifax had spewed the Social Security number (and then some) of nearly every American adult into the internet’s underbelly. To add insult to injury, most people did not even realize that Equifax was storing so much personal information about them.

Another example is the recent disclosure of a password-leaking bug in the Mixpanel web-analytics service, which resulted in Mixpanel’s servers accidentally harvesting user passwords on customers’ websites. The bug took 9 months to discover, and it took Mixpanel nearly another month after that to notify customers of the problem. For nearly a year, user login information was sitting unprotected on somebody else’s servers, and Mixpanel’s customers were clueless. That’s a financially risky situation for everyone involved.

Modernizing on-prem software for the cloud era

Helping mitigate these issues is one of the driving factors behind Replicated and our concept of modern on-prem software. Essentially, our platform lets SaaS companies deliver their applications as installed software, running and storing data behind customers’ firewalls. We’ve seen from our customers’ customers —a group that includes more than one-third of the Fortune 100 and some of today’s fastest-growing companies—that on-premises software is here to stay.

On-prem might mean something different today than it did a decade ago (it can, for example, run on IaaS resources and be continuously updated), but the rationale remains the same. Companies continue to manage their own infrastructure and applications in some capacity because there’s too much risk involved with outsourcing too much of it (and sometimes they’re required to).

I know for a fact that many SaaS providers are full of very smart people who take security very seriously, but real trust goes further than that. An enterprise running hundreds or thousands of third-party applications not only needs to trust all that code is secure, but also needs to trust security protocols and individual employees at all those vendors and, really, at those vendors’ vendors, as well. Many CIOs and CISOs would love to live in a world where they don’t have to choose between using popular cloud services and ceding all control, or not using those services at all.

It’s time to start reining in some of this data sprawl in a way that benefits enterprise buyers, SaaS vendors that want to sell to them, and everyone whose information is being stored. If you’re interested in learning more about how we make this possible, please give Replicated a test run or get in touch.

Photo by Thomas Kvistholt on Unsplash.