Episode Transcript
Available transcripts are automatically generated. Complete accuracy is not guaranteed.
(00:00):
Music.
(00:07):
Hey there, leader. Today on Security on Tap, we're going to be talking
about SaaS, what it is, why you should be scared, and what you can do about it.
So, Randy, as we do, we'll frame it up here.
I read an article the other day, and it was talking about the proliferation
of software as a service.
(00:27):
You used the word proliferation, so clearly you read that somewhere.
A plethora. For those of you with Three Amigos?
A plethora. I do not think you know what that's worth.
A plethora of SaaS, but something in 2015, 2016 timeframe, the article said
that the average company had 15 SaaS services running in their bank or in their enterprise.
(00:50):
And now that number has exploded to 150 to 200.
Yeah. It's because everybody's one now.
Right. And what we're seeing is that organizations where we used to have a process
internal or we develop it internal or we've run it off software on a server
or something like that, contained it,
that has long since gone because most of our non-core business processes are
(01:12):
now housed outside of the core business in a SaaS provider.
Well, and thus where the old network boundary, there was one, now there isn't one.
It's just all one big pool. Cool. So for my mom who listens to this,
software as a service is what SaaS stands for, S-A-A-S.
(01:32):
And that's essentially when somebody runs, it's like going to a website and
you just do the business process or whatever you do out there through them.
Now I'm making it, breaking it down a little bit. Doesn't necessarily have to
be a website. It can be an API. It could be something like that.
But essentially it's software that's being run on your behalf.
And it could be a large co-tenant sort of environment, right?
(01:55):
Like a workday or something like that, or it could be something that's dedicated on my deal.
Well, and you've got, you named off a big one, right? From HR,
Workday's one. Salesforce, obviously. Oh yeah. O365.
Yeah. Biggest software as a service. Now you're looking at a guy who was an
MCSE back in the dark ages and I had my Exchange certification, right?
(02:16):
And I remember when they said they were going to take that sucker online,
I was like, well, good thing I got on an email.
Yeah. But you know, that still requires a lot of care and feeding.
It requires more care and feeding. You know, they think they're simplifying by going to the cloud.
The problem is you're losing control. I mean, you're giving up a lot of your ability to
control where your data is and where it's going. In AWS and Azure and other data
services, you know, IaaS and stuff, yeah, they tell you, you know, that you can
secure that, put it in your own private cloud, et cetera,
but you still are losing proper control of that information.
As we all like to say, somebody else's computer.
(02:59):
Right. And, and a SaaS takes that to the, I'll call it the nth degree because
it's just a service that you accessed.
It's like dropping your clothes off at the dry cleaner.
You have no idea what happens to your clothes or, I mean, you hear the stories
about the, you know, the small dry cleaner shop and then you look and you see
the owner driving around wearing your clothes and you're like,
(03:19):
I thought we looked about the same size. That's totally uncool, dude.
But there have been some, and we say as our number two, why should we be scared of it?
There have been some pretty serious SaaS issues that have happened in the past.
Actually, just recently, or at the end of last year, Microsoft,
their Exchange, not their O365, but their Exchange Online system was successfully breached.
(03:43):
They believe, according to some of the articles I read by Chinese threat actors,
because of a certificate that was found in a debug in an engineer's computer that was compromised.
And they were able to successfully infiltrate a couple of, actually a couple,
more than a couple of departments in the United States government,
which was the federal government, which was very bad. Yeah.
(04:04):
Most recently, Hudson Rock has come out, now they've since retracted it,
but saying that Snowflake, a large data analysis, processing,
storage, whatever you want to call, what do they call themselves?
A very dangerous place. Yeah, that's why we did it.
Some of the most major, largest companies in the world use Snowflake for their data analytics, right?
(04:25):
They're pouring that data in there and they're doing lots of analysis on it.
And Hudson Rock had said that they had talked to a threat actor saying that
they had compromised Snowflake.
And not only that, but that Snowflake compromise was part and parcel to the
recent Ticketmaster breach that
happened just a couple weeks ago that had actually occurred through it.
And that the reason a whole bunch of stuff gets tied together,
(04:46):
the threat actor saying that basically they compromised a guy's ServiceNow account.
And since ServiceNow didn't need MFA for that account, they were able to get
a session token and use it to get it to wherever they need to inside of Snowflake.
Snowflake can exfiltrate lots of data, and they tried to extort them for $20 million.
But all that said, it has since been walked back by Hudson Rock,
(05:06):
and Snowflake has issued their own press release.
That's not what happened. Yeah. It isn't dangerous, but it makes us acutely
aware that we're putting a lot of stuff in other places that we don't have direct control of them,
especially some of those fabric in the back end.
Right. Well, they make it incredibly easy for your business to sign up for it.
(05:29):
Like, just give us your credit card.
Click here. And you can start using it. And before you know it,
you've got terabytes of information in a place like Snowflake.
Well, and inherently, not inherently, at its face, there's nothing wrong with that.
Except that they are just like any other company.
(05:49):
They suffer from the same foibles that we suffer from. Private companies or other companies do.
Even though that's their core business, core business processes sometimes aren't
maintained well, or there's a miss, or there's a mistake, or there's a flaw.
Yeah. Well, it's like you're sharing drinking water, right, with your neighbors.
Everybody's drinking out of the same well.
(06:10):
And if, you know, the old adage. And I think all my lip sores have healed,
but it's going to be fine.
If you've got a bottle of sewage and you put a drop of water on it,
you just got a little bit more sewage, right? If you take a bottle of pristine
drinking water and you put a drop of sewage in it, it's all still sewage, right?
It's one of those things where you are connecting yourself in unhealthy ways
(06:35):
to a company that maybe is wholly unhealthy.
What's so neat about what you're saying there is, and this is why we're talking
about why this is scary, it is a concentration of assets that makes them significantly
attractive to threat actors.
Because both fraudsters and nation state actors at the same time,
you know, looking at that, you think about Snowflake, they, I mean, Capital One,
(06:59):
Heinz, you know, some of the large MasterCard, Visa, I think some of the largest
companies in the world are all in one place.
You want to talk about, you know, the heist of the century, right?
You're thinking, I, if I can just get in there and you only have to get lucky once.
And so you got to be asking yourself, what am I doing? And I know this question
(07:20):
is a little late to ask, but it really started with Twilio and Okta
that got hit recently, right?
Other SaaS providers that were sort of behind the scenes doing authentication
and things like that and communications.
You have to ask yourself, is this SaaS worth it?
Should I be taking these non-core but critical business processes away from SaaS providers?
(07:40):
Can I even do that anymore? Well, and some of the span of control, or the lack of control,
of fidelity that you can have on the controls that are put in place. Right.
Cause you're relying on someone else to tell you if they're okay.
Somebody else's computer.
You're not looking yourself. You're actually.
(08:01):
So, so your third party risk is being done by third parties.
If you know, I mean, just let that sink in for a minute. And there's a third
party squared. So it's nine.
It's, it's kind of insane when you think about it. And, and you know, a lot of it comes down to.
Wouldn't it be great though? If, if, You had to put your third-party risk vendor
into your third-party risk tool.
(08:23):
Right. And then they just went in there and set themselves to all high marks.
Right. Like every time. We are outstanding.
Yeah, outstanding. Nothing to see here. Yeah. But the, you know,
third-party risk management, even if you don't have it, your crown jewels should
not be in the hands of a third party. Yeah.
(08:43):
They shouldn't be. Well, and so there's that distinction, right?
As we talked to you, dear security leader, that distinction between core business
process and non-core business process. So here's a question.
Many companies use Workday as employee information crown jewel.
Boy, it carries a lot of risk with it. It sure does.
(09:05):
But if you had to prioritize what your crown jewel is, if you're a data analytics company,
Well, what is your crown jewel, right?
Right. And for, you know, for my, the organizations I've worked in,
losing employee data would not be a catastrophic event.
You know, you'd say, we're terribly sorry. Here's your free credit monitoring.
(09:27):
Right. You know, and I don't think any of these guys are going to quit or a
very, very low percentage will quit in disgust and leave. Right.
They give you pretty low.
Well, and employee risk, I would say it's just an inherent, you take that risk by playing the game.
Yeah. You know, I knew years ago a security fellow who worked where I did,
(09:47):
who refused to give our HR group his social security number and to do,
and also to do a direct deposit. Do I know this guy? Sounds really familiar.
But he refused to do direct deposit because he did not believe in the company's
ability to keep his information safe. I've seen the people.
(10:09):
There's no way that money's ever getting there. But, I mean,
that's one extreme, but the thing is, it's just like your patient information,
you know, when you go to a hospital, your employee information.
Data that's basically available via the white pages, it's out there already.
Well, I mean, the OPM hack from a few years back, right? Right.
I mean, pretty much everybody. And then there was another large one, Equifax, right?
(10:33):
Equifax hack. But it doesn't mean you shouldn't protect it, right?
No. But that's a great example of, okay, a company like Workday or any of the
other ones that are out there, there's several others, but Workday is probably the biggest one.
You just say, okay, you now are going to own our employee data risk.
Well, but they don't. So here's the other side.
For those of you who work in the GRC and the privacy space, you already know this.
(10:55):
They build into their contract, the warranty and the other information.
They ain't taking the full hit for what you lost.
No. So you as a company are going, hey, you're going to secure this?
And go, we're great. Security is a priority, but we're going to limit your liability to this.
And you go, what? But that feels like that's kind of like, it feels bad.
Yeah. Well, you see this too, let's go into the financial world. It's FDIC insured.
(11:16):
Yeah. Well, what does that mean? Up to a certain amount. All my money is secure
if it's in there, right? No, up to $250,000 only.
You get to $251,000, that $1,000, you've lost that.
Quick fun side note. I actually, back in the 2009 timeframe,
when banks were going under, I got a check from the FDIC.
(11:37):
Did you really? Yeah. I had a CD with a bank that was offering a ridiculously
high rate. We now know why. Yeah. Because they were trying to get deposits.
Yeah. And I put it in there and the FDIC had to write me a check. Okay.
Hey, good to know it works, everybody. Yeah, yeah. Well, so there is no group,
though, that's doing that with data.
No. Right? There's, you know, and this gets us to the other side,
(11:59):
which is the recourse, right?
You can mitigate risk or you can put, or you can get a recourse,
which means if it happens, then I can be made whole, right?
And that gets to your cyber insurance and other similar entities like that or
liabilities, warranties.
Well, you get to your side, you talk about cyber insurance, but also your contracts,
you know, what your contracts say is what matters most.
(12:22):
People can share that up front, right? They say, oh yeah, you know,
your data is going to be safe with us.
But like you just mentioned, they write in their contracts that are only up to a certain amount.
Well, you think about it because from their perspective, from Workday's perspective,
keep using them as an example, they've got, call it a thousand clients.
I'm making up a number. They've got a thousand clients and each one of them
(12:43):
wants in their contract the full value of the data lost or whatever it is.
And to them, that's a number that they can never pay.
So they're going to say, no, but we'll give you twice the value of the contract.
Well, that's $200,000 or something like that.
I'm not going to be able to afford it. That's going to do nothing for me.
Well, it's in the reputational risk that you have when the risk,
when it happens, like that's worth
(13:04):
probably far more than the individual contract was worth to begin with.
Right. Well, let's talk about that a little bit. How much fun is it as a CISO
or a business when your data gets hacked as part of, you know,
Okta or Twilio or anybody else, you get to go, well, it wasn't us.
Right. We trusted those guys. They're awful.
Yeah. Right. And they're going to send you your free credit report monitoring
(13:26):
and don't blame us. And I actually think, you know, Randy, it's a little bit of
a different take, but I actually think that's
a positive in this. I know that sounds weird, right? But that you can just point
and blame somebody else.
And in a couple of the incidents that I've worked through the past in my career,
where it involved a service provider.
I mean, the organization I worked for jumped at the chance to say it was Randy Fields Co.
(13:49):
Who screwed this up and we're so sorry that they're terrible.
And we're getting rid of them and we're going to do the right thing for you.
Well, and if there's multiple big companies that run into that,
like let's say AWS, U.S., you know, for whatever reason, goes down,
right, in the western half of the United States.
Well, everybody then understands what that was part of, right?
While there will still be litigation, it'll come out with the ambulance chasers
(14:12):
and whatnot, for the most part, the populace, right, the user opinion,
the share price won't see a detrimental hit to it.
I badly want to go, yeah, for the ambulance chaser sound. Yeah.
You know, there is something I've been thinking of is what can we do about it
from a security perspective, right?
Because we are at the mercy of how good the security is in somebody else's computer
(14:39):
when we're talking about a SaaS like that.
And there are things like CSPM or infrastructure entitlement,
cloud infrastructure entitlement management, things like that.
But I want to take a little bit bigger insofar as that.
Some of these SaaS providers are almost becoming critical infrastructure. Microsoft, surely.
They have been for a while. Yeah, Microsoft, AWS, even just from their public
(15:01):
cloud infrastructure, I think is.
But Microsoft's O365, if that ever went down for more than a day,
I mean, business would grind to a halt. Yeah.
Yes. And is there a government entity that should be treating it like NERC CIP?
For me, like, yeah, in order to get into this data
(15:21):
center you've got to get by the dogs and the guns and everything else. Yeah,
you know, the only way we ever switch hard drives is after the platters have
been sandblasted, and things like that, whatever it is. But is there, and without
that, is there a body that we can create that will certify somebody at a certain
level as a critical security provider or a critical secure SaaS provider, right?
(15:44):
So, well, as much as I'm not
a huge fan of government regulation and oversight, right?
Because I believe some can be too much, you know, it can get overbearing pretty quickly.
But there is something here where if not from an industry perspective,
not, you know, at least from a larger body that says, this is how you do cloud
(16:06):
service management. This is how you do it. Yeah.
This is your certification benchmark, right? We've adopted some of that over time.
And some of it has been, you know, just grassroots off the side of the desk
of some prominent people or companies to get behind something like that and
institute an organization that'll do that.
(16:27):
And then people follow it. And then people follow it. Yeah. Right.
But they have to opt in to follow it, you know?
Yeah. But those that opt in and those that don't, those that don't stick out.
And I mean, I know working in a company as things progressed around ISO and
SOC 2 and things like that. More and more. Great examples too.
Those are great examples. Leaning in and going, do you have a SOC 2 Type 2?
(16:47):
Well, no, I don't. Well, you should get one. We would expect one by the next
contract signing this first out.
Well, the companies have to, like you said, lean into that and make it part of the deal.
Yeah. As part of this deal, you need to be able to give us this.
You know, the hard part, and I see this a lot, especially with these technology,
(17:10):
I won't call them startups, but these private equity backed technology companies,
there is such demand on the growth at all costs, right?
You got to grow at all costs. And then your margin was, you know,
1% last year, it needs to be 6% this year. Yeah. The year after that needs to be 8%, right?
And there are two ways to grow. One is, you know, you're growing,
right? You're expanding.
(17:31):
The other is you're cutting costs to keep that gap larger, right?
And that pressure, I think, hurts a lot of the security efforts in these core,
core is wrong, but in these SaaS providers that are running our non-core business processes, right?
That's why you see somebody, and I don't want to say names, but some of these
companies getting hit because there's so much pressure for them to grow, to grow their revenue,
(17:59):
but they can't keep up with the big boy requirements on security behind it.
It's just too hard. It costs too much. I mean, the, the, what's the word,
the entropy or the inertia or whatever, give me some fancy physics word of layering
all those controls as you grow as a sauce, sauce provider.
Yeah. Did you want barbecue or?
(18:20):
There, there is a combined weight that suddenly.
That's the word. That's a better word. That suddenly, you know,
something will collapse under its own weight.
There's so much regulation. There's so much added load that you can't move faster.
Well, and not that I get what you're saying and I agree with you.
What I'm saying is that these PE-backed, high demand,
(18:41):
high growth SaaS providers that are supposed to show all this return are challenged
to provide the level of security that is required on something that is essentially
a critical infrastructure without a true requirement behind it, right?
Now, NYDFS and some of the other regulations, SEC's recent moves against SolarWinds,
(19:02):
these are all sort of leaning in the right direction for the government saying, you got to be a big boy.
The banks understand this. If you're going to play in this space that impacts
a large percentage of the country's companies, you've got to protect what you do better.
Now, okay, enough of that, right? Yeah.
What can we do as security practitioners to protect ourselves as limited as we can from our SaaS?
(19:30):
Well. Our SaaS exposure. Wait, bring a Tide pen.
That old Tide commercial where the state. Blah, blah, blah. Blah,
blah, blah. Every time he talks. Yeah. I've got a bad job of it. Yeah.
Thank you. Yeah. I felt it.
That's the last time. Sorry. Are we done? Are we done? All right.
(19:52):
One more. All right. Okay.
No, but the business, all business is based on risk.
So as the business steps forward to look at that, as a security practitioner,
right, we want to be able to enable the business, but as a good advisor,
you don't do business with immature companies.
(20:12):
You aren't able to show the stability, the internal infrastructure,
the internal, what do you call it, grit and/or gumption to be able to maintain their stuff.
Yeah. Some of those companies aren't worth their salt. Yeah, it's true.
And unfortunately, companies cut corners, you know, Snowflake being an example,
(20:33):
a few years ago, there was an executive that wanted to use Snowflake because they're cheaper.
And it's like, but just because they're cheaper doesn't mean it's a good decision.
Yeah. You know, and, but you can be faced with, with cost cutting.
It's like, Jim, you can either save 20% or, you know, you can choose to do something else.
(20:53):
Yeah, you can do some risky work, you know, and there are things you could do
to limit your exposure there.
Like, yeah, you can send data over there, but let's anonymize it.
Let's tokenize it. Let's do whatever, if it's possible.
Right. But oftentimes your core business process won't let you do that. No. No.
The speed of business always dictates our level of security.
(21:15):
You know, I think what we're going to see, and I've already seen this in some
tools that are out there, and we do a little bit of this, right?
But is measuring the risk your vendors represent by the amount of data they
have and the access they get, right, to your core business process or whatever.
But also leaning in to saying, do I feel that they have the strength necessary to protect this?
(21:40):
Today, a lot of compliance, third-party risk is just a checkbox.
Randy, here's your checklist.
And I've worked an incident in the past where a vendor checked yes to everything.
And when they got breached, it turned out they had a third of the things they checked, right?
But you know, getting that second party or third party in verification of their
(22:02):
controls or pushing a little bit harder or even getting into your,
into your contract and this would never happen, but there are penalties.
If you do not hold your security and true, I would love to see something like that.
Right. Yeah. Because now you're not only at the laws, you've got PCI or whatever,
but now you have a contractual obligation with your, with your client to hold
(22:23):
your security to a certain level.
Today all that language is just "reasonable." Yeah,
a reasonable level of security. Reasonable, reasonable. And there's
enough gray area there to decide what that is. Well,
but that's the thing, there's enough gray area there to allow that
to work itself out in litigation. Yeah, you know, true, where you can, you know, you
can winnow down your financial responsibility. I don't think that there
(22:47):
is a silver bullet for it but if we continue to overweigh risk and regulation
and compliance and laws,
at some point, it's too tough to do business. Yeah, you're right.
I mean, you said it, the overbearing weight, right? Yeah.
Suddenly you can't drag the load you're supposed to drag anymore.
That being said, banks are able to do it.
(23:09):
They have the most regulated thing probably in the United States outside of
the governmental entity. Well, sure.
Well, and working for, you know, we both spend time in financial services,
so we know what that looks like internally too, when it comes to spending money,
which is you don't. But it's, yeah, but it slows things down. It sure does.
But the thing is it slows things down, but then the decisions that are made.
(23:32):
Are, are, are good decisions.
Yeah. They're mature risk-based decisions and they're, you know,
they're not risk-averse, but they're risk-aware, very risk-aware.
Well, and one of the things we've talked about, I think several times is,
is what's the risk appetite of your organization?
You know, if you don't have one, You do. It's in your third party.
Because if they're not doing third party risk, you do have third party risk
(23:56):
and your risk management is the
lowest common denominator of whatever your worst third party vendor is.
I know we're getting close here to time. Don't freak out.
Everybody's using SaaS providers. Yeah. I mean, like I said,
most of our non-core business processes are now managed by somebody else.
Seek to find a way to articulate the risk that you're carrying and then sort
(24:21):
of build what you think your controls are off to the side is, right?
So I know that our 10 business processes, whether it's finance or HR or whatever
it is, we're doing these things here.
Here's the risk in those, and here's where I feel we would land.
Might be a good place for you to start to be able to have a conversation with
your executives or your sponsors to find extra controls like a CSPM or something
(24:47):
like that and sort of try and bring that under control.
Well, and that's something, as you come into your role, you draft out,
let's say, the top 10 critical business processes.
Yeah. Here's what they are, sir or ma'am. Which you should have as part of your
BIA, but if you don't have one, get on one. Sir or ma'am, here's what they are.
Do you feel we're missing anything? And which one would you rank as highest?
(25:07):
Yeah. And tackle that one. Yeah, and it'll also help you understand what it's
like when that critical business process stops.
Yeah. You know, when Microsoft, I think it wasn't too long ago,
Teams went down for a few hours. Yeah.
Worldwide. Right. And there are a lot of organizations that use Teams as a way
to do production communication.
(25:28):
Sure. And then that came to a screeching halt. So what would I do if this didn't exist?
Yeah. Well, and then it's like, well, we use Slack too, you know?
So there's enough, you know, people say, well, why do you use two of them?
And so, well, in case one of them goes down.
But see, that's the other thing we really didn't touch on is, is what's your backup?
What is your backup plan if your critical vendor goes down?
(25:51):
Do you have a second vendor in the wings that can pick up on them?
And even if it's just a 90-10 split.
Right. Right? You're only spending $40,000, but you're sending over there because
you might one day need to send all to them and save the business for an extra 40 grand a year.
We're seeing that more and more, the contracts that get involved in where I work now.
(26:12):
Whereas we might not be the primary supplier. We're a secondary supplier.
And we get a certain amount of data, but in the event of an issue,
that can throttle up pretty quickly.
And we have already pre-negotiated pricing with what some of that's going to
be. Your emergency pricing is three times the normal. That's right.
(26:32):
I remember years ago, a security vendor, and it was a really hot security control,
which was good at sandboxing malware as it came in through email or something
like that or other vectors.
And I said, you know, how much off of a discount off your retail do you give?
She said, well, if you've been in a breach, nothing.
But if you're talking now, we can work on that. I'm like, oh, okay.
(26:55):
Yeah. It's always easier to pay beforehand rather than after.
Well, Randy, I think we've run this one out.
Well, dear leader, you need to draft out those top 10, those top 10 business processes.
If you haven't, do it and talk to your exec.
Talk to your exec about which one's most important and do they know?
(27:18):
Because it'll help with a crucial conversation and at least have a good conversation
with somebody that matters for your success as a security practitioner.
Amen. And with that being said, I'm Randy Fields. And I'm Jim Desmond.
And you guys keep leading.