Ben Johnson, formerly of the NSA and now Chief Technology Officer (CTO) of the SaaS application security firm Obsidian, has found that businesses around the world are adopting Software as a Service (SaaS) apps in droves for collaboration, ease of access to data and business continuity. With this increased adoption comes the inevitable trend of state-sponsored actors simply logging in to steal data rather than having to break in. Here, Johnson talks to Security magazine about the security issues associated with SaaS applications.


Security: What is your name and background?

Johnson: I am the CTO and co-founder of Obsidian Security. Previously, I was CTO and co-founder of Carbon Black and previously worked for the NSA and intelligence community.


Security: Why is no one talking about security issues associated with SaaS apps?

Johnson: Organizations, security leaders, and executives are talking about the security and safe use of SaaS applications in their environments. Some teams are quite mature in their approach, while sadly most teams are trying to catch up to the business side of the house that went ahead and deployed these without a whole lot of security consideration. Now these security teams are trying to strategize on the best approach to bringing enterprise-grade security monitoring and capabilities to these applications that do not live within their infrastructure.


Security: What are some of the blatant security issues across these SaaS apps in major global brands?

Johnson: We've seen that SaaS apps are disparate and challenging to monitor for hygiene problems and suspicious activity. Typically we see an overabundance of privileged accounts, like global administrators, well above what should be required to properly function. Secondly, we often see a lot of behavior where users are logging in via VPNs and using unexpected devices (even Amazon Alexa) to access their accounts. Thirdly, we often see stale and lingering accounts, such as those no longer needed or those belonging to employees or contractors who no longer work with the organization. Several times we have seen these lingering accounts compromised because no one is really keeping an eye on them, and then those accounts are able to access corporate documents, send spam, or worse.

Related to the recent SUNBURST/SolarWinds compromises, we have seen a large number of 3rd-party applications integrated into these various SaaS applications where the organization was unaware of how much bloat had accumulated. Does your Canon printer need to be able to read all your email and send emails as you? Does that test script by the consultant need full access to every employee's email? We see those sorts of occurrences in virtually every environment.
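The three hygiene problems Johnson lists (too many global administrators, stale or orphaned accounts, and third-party integrations granted far more access than they need) are all things a security team can check from a tenant's account and app-grant inventory. The script below is an added example, not code from Obsidian or from Security magazine; it runs the three checks over a constructed inventory. The scope names, the admin limit of 3 and the 90-day staleness window are assumptions chosen for illustration, and a real audit would map the provider's own permission names onto the high-risk category.

```python
"""Audit a SaaS tenant inventory for the hygiene problems discussed above:
excess global admins, stale or orphaned accounts, and over-scoped
third-party app grants. All records below are constructed sample data."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Set, Tuple

# Permissions treated as high risk (assumed names; a real provider's scope
# names such as "read all mail" / "send mail as user" would map onto these).
HIGH_RISK_SCOPES = {"mail.read.all", "mail.send.as_user", "files.read.all"}
MAX_GLOBAL_ADMINS = 3      # policy threshold (assumption)
STALE_AFTER_DAYS = 90      # no sign-in for this long counts as stale (assumption)


@dataclass
class Account:
    user: str
    roles: Set[str]
    last_login: Optional[datetime]   # None means the account never signed in
    active_employee: bool            # False once HR records the person as gone


@dataclass
class ThirdPartyApp:
    name: str
    granted_by: str                  # which user consented to the integration
    scopes: Set[str]


def find_excess_global_admins(accounts: List[Account], limit: int = MAX_GLOBAL_ADMINS) -> List[str]:
    """Return every global admin if their count exceeds the policy limit, else []."""
    admins = sorted(a.user for a in accounts if "global_admin" in a.roles)
    return admins if len(admins) > limit else []


def find_stale_accounts(accounts: List[Account], now: datetime,
                        stale_days: int = STALE_AFTER_DAYS) -> List[Tuple[str, str]]:
    """Flag accounts whose owner has left, or that have not signed in recently."""
    cutoff = now - timedelta(days=stale_days)
    findings = []
    for a in accounts:
        if not a.active_employee:
            findings.append((a.user, "owner no longer with organization"))
        elif a.last_login is None or a.last_login < cutoff:
            findings.append((a.user, f"no sign-in in {stale_days} days"))
    return findings


def find_overscoped_apps(apps: List[ThirdPartyApp],
                         risky: Set[str] = HIGH_RISK_SCOPES) -> List[Tuple[str, str, List[str]]]:
    """Report each integration holding any high-risk scope, with who granted it."""
    return [(app.name, app.granted_by, sorted(app.scopes & risky))
            for app in apps if app.scopes & risky]


def audit(accounts: List[Account], apps: List[ThirdPartyApp], now: datetime) -> dict:
    return {
        "excess_global_admins": find_excess_global_admins(accounts),
        "stale_accounts": find_stale_accounts(accounts, now),
        "overscoped_apps": find_overscoped_apps(apps),
    }


# Constructed sample inventory: four global admins, one departed contractor,
# one user idle for 120 days, one user who never signed in, and a printer
# integration that can read and send mail as the admin who approved it.
NOW = datetime(2021, 3, 1, tzinfo=timezone.utc)
SAMPLE_ACCOUNTS = [
    Account("alice", {"global_admin"}, NOW - timedelta(days=1), True),
    Account("bob", {"global_admin"}, NOW - timedelta(days=2), True),
    Account("carol", {"global_admin"}, NOW - timedelta(days=5), True),
    Account("dave", {"global_admin"}, NOW - timedelta(days=3), True),
    Account("erin", {"user"}, NOW - timedelta(days=120), True),
    Account("contractor1", {"user"}, NOW - timedelta(days=10), False),
    Account("frank", {"user"}, None, True),
]
SAMPLE_APPS = [
    ThirdPartyApp("printer-scan-to-mail", "alice", {"mail.read.all", "mail.send.as_user"}),
    ThirdPartyApp("consultant-test-script", "bob", {"mail.read.all"}),
    ThirdPartyApp("calendar-widget", "erin", {"calendar.read"}),
]

if __name__ == "__main__":
    for check, findings in audit(SAMPLE_ACCOUNTS, SAMPLE_APPS, NOW).items():
        print(f"{check}: {findings}")
```

Each finding carries the context a reviewer needs to act on it: the stale-account check distinguishes a departed owner (disable now) from an idle account (confirm with the owner first), and the app check names the user who consented so the grant can be traced back to its "teachable moment".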


Security: How can CISOs manage this influx of new adoption and cloud migration as the pandemic continues and adversaries increase efforts?

Johnson: CISOs need to get a handle on what exists, implement policies and processes to have enough of a pause to consider what risk will be added by adopting new applications, and then make sure their teams have enough visibility and access to be able to keep track of signs of maliciousness and to find those teachable moments where an employee had good intentions but accidentally shared a file publicly or installed a 3rd-party application they weren't supposed to. From here the security team can work on a more data-driven approach in building a security culture so that every use of these applications can both be more productive and introduce less risk into the organization.