SaaS risks come into focus

My company is pretty much all in with software as a service (SaaS). At this point, in fact, only three major applications live on our corporate network: our source code repository, bug tracking system and departmental fileshares. And most of our users don’t need those applications to get their jobs done, instead relying on another 90 or so applications, all of which live on the internet and thus are available from anywhere in the world. (There are a few exceptions, for applications that are configured to restrict access by IP address.)

We won’t be backing off from SaaS, of course. Employees love the convenience that SaaS provides, and IT has seen SaaS migration reduce operational overhead, speed up deployments, streamline integration and minimize single points of failure. Nonetheless, there are drawbacks, especially from my security point of view.

The crux of the problem is that many of our employees work remotely and do not come into any of our offices, and with SaaS applications at their disposal, they don’t need to establish a VPN connection to our network in order to do their jobs. They only need an internet connection. Left untethered to the network for long stretches of time, their PCs aren’t backed up. That’s an invitation to trouble.

This came home to me last week when I was, in fact, at home, working remotely for a couple of days to prepare a presentation for top executives on threats to the business. I included some slides about ransomware, and specifically CryptoLocker, which is currently the most widely disseminated variant. CryptoLocker encrypts files on a victim’s hard drive and demands a ransom in exchange for the decryption key. There are many countermeasures to prevent falling victim to ransomware, such as effective patch management, robust endpoint protection (antivirus) and user awareness training. But one of the most effective controls is doing regular backups of PCs.

When you have a complete backup for a PC that gets hit by CryptoLocker, you can simply re-baseline the PC and restore files from the backup. With that thought in mind as I sat in my home office (a.k.a. the kitchen table), I decided to open my Symantec Backup Exec agent to check the status of my local files. What I found was that my files were in a “pending network” status — not being backed up. The reason was simple: I hadn’t been in the office, using the corporate network, and I hadn’t connected via VPN. That’s unusual for me, but not at all for a big chunk of our workforce.

I’m not claiming that this was a particularly insightful revelation. Sometimes, though, things that should be obvious only reveal themselves to us when we’re able to focus on a particular topic that normally gets brushed aside from our thoughts in the course of day-to-day crisis management. But having finally seen this truth, I couldn’t ignore it. I had arrived at my revelation by thinking about ransomware, but it’s not the only reason that a lack of backups could mean trouble. A lost or stolen laptop or a crashed hard drive are among the other potential threats. (We use Google Docs for file collaboration, but that’s not a substitute for backups.)

And PCs that don’t talk to the network on a regular basis have other problems besides a lack of backups. New domain policies don’t get pushed to those PCs, and we use group policy to enforce configuration policies, as well as Microsoft’s System Center Configuration Management (SCCM) to manage operating system and some third-party application patching. If the PC never connects to the network, SCCM is unable to properly inventory the system or provide metrics regarding compliance. And you just can’t rely on end users to properly patch applications such as Java, Flash and other risky Adobe applications. They forget, are lazy or don’t see such patching as a high priority.

What’s more, we can’t conduct periodic security scans of PCs that don’t connect to the network. I have a weekly Tenable Nessus job configured to scan the DHCP address range of PCs assigned to our corporate network. If a PC is not on the network, I have no visibility. Worse, PCs that don’t get scanned for long periods of time and become infected or compromised are a major threat when they finally connect to the network. That’s a good way to propagate malware on the network or give a bad actor access to the corporate network or even a conduit to our production network, where our intellectual property resides.

I was back in the office the next day, and my PC was backed up and scanned soon enough. But I know that many remote workers have no need to do the same anytime soon. I talked to the head of IT, who fully agrees with my concerns. We plan to deploy a robust endpoint-protection solution that doesn’t rely on being connected to the corporate network. We’re also looking at either architecting our current environment or choosing a cloud-based solution to manage PCs and security policies regardless of where the PC is located and will evaluate what it will take to remove administrative privileges while still affording users the ability to work wherever they happen to be.

This week's journal is written by a real security manager, "Mathias Thurman," whose name and employer have been disguised for obvious reasons. Contact him at mathias_thurman@yahoo.com.

Click here for more security articles.