Cloud Security Today: Did You Know You Have a SaaS Problem?
Recently, AppOmni CEO Brendan O’Connor sat down with Matthew Chiodi for the Cloud Security Today Podcast. O’Connor and Chiodi discuss how the ever-increasing investment in enterprise SaaS is creating unchecked security controls and processes that can cause major issues for the business. They also cover how SaaS is evolving and what organizations should be doing to accommodate the increasing complexity of SaaS platforms. Listen to the entire podcast here or read below.
Podcast Transcript:
Introduction:
Speaker 1:
This is the Cloud Security Today podcast where leaders learn how to get cloud security done, and now your host, Matt Chiodi.
Matt Chiodi:
People, process, and technology. Ah, man. Those first two are so hard. The people in the process side. Well, on today’s podcast, we go deep into the topic of SaaS security. That’s right. So think about the Salesforces, Dropbox, Office 365, that’s what we dig in today. So get ready, grab a notepad, and get ready to take notes and enjoy this discussion with Brendan O’Connor the CEO of AppOmni.
Matt Chiodi:
Thanks for joining us today. Super excited to have you on our next edition of Cloud Security Today. If there’s one topic that I get asked probably the most about it is SaaS security. How do I secure SaaS applications? How do I make sure that I have visibility? What controls? Over and over, these are the questions I get. So today I’m really excited because on the podcast we have Brendan O’Connor, who’s the CEO of AppOmni joining us today. Brendan, thanks for coming on today.
Brendan O’Connor:
Glad to be here. Thanks for having me.
Matt Chiodi:
Awesome. So I’ll tell you, first of all, let’s just start off at the beginning. Tell us what problem does AppOmni help address? What do you guys do?
Brendan O’Connor:
Thanks for the question. I don’t like to make these things so much of a sales pitch. I’ll keep it pretty short. So SaaS security management and SaaS obligations is one of the biggest blind spots in the enterprise today, if not the biggest. SaaS may have started as a simple web app 10 years ago, but today major SaaS platforms have evolved almost into their own operating systems. We’re looking at a situation where, especially with remote work and what we’ve seen over the past year, companies have significantly expanded their SaaS investment and footprint, and the SaaS applications themselves have really grown in complexity. But most companies haven’t updated their security controls to support SaaS or invested in new technology to manage this problem. That’s where AppOmni comes in.
Matt Chiodi:
Awesome. That’s pretty cool. So before we dive a little bit more into the technical side of it, the how-to side, one of the other common questions that I get either from people who are early on in their career or maybe they are further along in their career and they’re looking to make a pivot into cybersecurity is, how do I get into cybersecurity? Tell us just a little bit around what does your journey look like?
Brendan O’Connor:
I would sum up my journey as: bite off more than you can chew and grow a bigger mouth. That’s worked for me for 20 years. So I started 20 years ago in embedded systems. I wasn’t even really in security at the time. Security wasn’t a job or a function that you could apply for. I started doing IT engineering right out of college, first job out of college, at a communications company, and they made embedded systems. This is around the time of ethernet and LAN being everywhere, and so we had security cameras.
Brendan O’Connor:
We had door and badge access control systems, HVAC systems like the air conditioner, nurse call systems in hospitals, all of these little electronic devices that were plugged in and wired into the building. Today, we’d call them IoT devices. 20 years ago it was embedded systems or facility-based electronics. So that’s how I got started. And I got started in IT because I found a vulnerability that the door access control system we had had a six character uppercase alpha password that I was able to brute force. And it was the same password for every controller that controlled all of the doors on the LAN.
Brendan O’Connor:
So I was able to, from my computer, get into the system and tell all the doors to open, the exterior doors to open at the same time from my computer. And the CIO, when he saw me do that, grabbed me by the shoulder and walked me over to the dev and engineering team and had me sit down with them and was like, “Work with these guys to fix it.” So that’s how I got into security is playing a prank, but I was curious on how those systems worked.
Brendan O’Connor:
So that was my start, and then I moved into banking. I was in banking when online banking started to become a thing and spent the early part of Web 1.0 building and securing enterprise banking platforms. Then in 2007, I joined a small company called Salesforce at the beginning of the cloud journey. I was there for about 10 years, and it became a very large company. But I found myself doing cloud and SaaS full-time as a security professional starting in 2007. So I’ve been in it for a while.
Matt Chiodi:
So I noticed one thing you said there was, what led you down the path into security, it sounds like it was really curiosity. Right? So I’m just curious, from your perspective, how much does curiosity play into just growth overall in a career for you? How does that change? So today you’re a CEO. Right? So most people look at that, and they’re like, “Wow. You’re at the peak.” Right? But how much of a role does even curiosity play today in your role as a CEO at a cybersecurity startup?
Brendan O’Connor:
It’s always important. I found it gives me a couple things. Number one is a pull is always more powerful than a push. Someone forcing you to do something is not as effective as when there’s something inside you that’s pulling you towards it. When you are intrinsically motivated, I feel like you find the best in yourself. You bring your best thinking and your best energy to a problem, and I love solving hard problems. I love solving puzzles, and enterprise security at scale is a hard problem. It’s a puzzle, and there is not a one-size-fits-all solution.
Brendan O’Connor:
So you can’t just take a single approach and say this applies to every industry, every company of every size, every technology platform. So that’s one of the things, that curiosity, that desire to understand the problem and come up with a solution is definitely one of the things that’s kept me motivated, and whether it’s as a CSO application security engineer or pentester, or as the CEO today, I love talking to customers about what their challenges are and how we can work together to fix them. So I think it’s kind of the same job. It’s scoped a little bit differently, but I’m still solving hard security problems alongside my customers.
Matt Chiodi:
That’s great. I love hearing that. I love asking people about just how they got to where they are, because I oftentimes I think back to much earlier on in my career, I just thought, “Is there just one thing I need to do to make this jump?” And of course, looking back on it now after over 20-plus years now, I’ve realized that it’s this small series of steps and decisions that you make along the way. Right?
Matt Chiodi:
And that curiosity, always just being willing to learn and read has just been such a huge part of it for me. So I’ll ask you one other thing before we jump in back to the SaaS piece is, what do you read? What are one or two things maybe that you read on a consistent basis? Do you love reading books? Are you a Kindle person, a eReader? What does that look like? How do you learn best?
Brendan O’Connor:
I have a Kindle. It’s near full. I’ve been a Kindle user for a long time. There’s something about the paperback or a hardcover book. I still appreciate a book, but the truth is, it’s just way more convenient to carry a Kindle. So I’ve got shelves full of books in my house, as well as a few different versions of Kindle that we’ve used over the years. I try to stay up on industry news. I read a lot of Slack channels. I read a lot of industry publications. I learned to be fluent in business, and read The Wall Street Journal and other business news.
Brendan O’Connor:
It’s important to understand things beyond the security aspect. Understand what types of other things are happening that are impacting customers beyond just the security lens. The security lens is very important, but also understand what’s happening in the market and what other things may be impacting that business and those customers. I’m a junkie for books, whether it’s new fiction or if it’s the classics. I have a special place in my heart for the classics. I was an ancient history major, and I love the classics. One of my favorite books is Marcus Aurelius’s Meditations.
Matt Chiodi:
Ah, okay. I have not read that myself, but it’s on my to-read list, full disclosure.
Brendan O’Connor:
Awesome. Yeah. So I try to always read. I try to always learn. I always try and listen. I try to always maintain humility that there’s some very smart people that probably know a lot about a particular domain that I don’t. Getting access to those people and listening to them – being able to ask them questions, is just fantastic.
Matt Chiodi:
I love that.
Brendan O’Connor:
So always learning, always listening.
Matt Chiodi:
I love that. So with that frame, skipping back to how all this learning applies to SaaS security, typically when I’m working with clients globally, literally hundreds of them, one of the most common questions that I’ve got, I’d say over the last two years, has to do with CASB, so cloud access security brokers. And for most of the questions, the way they come to me, people almost always see SaaS security being…you talk about SaaS security, and then you talk about a cloud access security broker.
Matt Chiodi:
So my question for you is, does a CASB solve all SaaS security issues, and then where does it fall short? Again, I know you’re trying not to make it a sales pitch and that’s totally fine, but what does a solution like an AppOmni bring to the table that a CASB is missing? I’d love to hear your thoughts on that.
Brendan O’Connor:
I’m not a big fan of CASB. Having led security teams at leading cloud providers Salesforce and ServiceNow, I feel like I have a pretty unique perspective on the problem, both from the cloud provider, as well as being a cloud customer. If you have a CASB and you’re getting value from your CASB, that’s great.
If it’s a security control that’s helping you in your program, that’s fantastic, but it certainly doesn’t solve all of the problems. I don’t think it solves even the highest impact problems.
Brendan O’Connor:
My view of CASB is it solves common problems like shadow IT, network-based DLP. It is fundamentally a network-based architecture that’s an extension of the perimeter. And at a time when everyone’s talking about zero trust and that the perimeter is dissolving, why is it when we think about SaaS applications, our solution is, well, let’s build a slightly higher, bigger perimeter? It’s not effective. It’s not working.
Brendan O’Connor:
If you have a CASB agent on your endpoint and you’re going through the secure edge or the proxy or the tunnel or whatever you want to call it from a network perspective, you’re routing that traffic where the CASB can see it and inspect and interact with it, you’re probably a low-risk user and that you’re an authorized employee on company equipment. That CASB does not apply to the public internet. If you’re an attacker, you’re going to go directly at that cloud provider, you’re going to look for misconfiguration, and you’re going to interrogate their APIs. You’re going to look at what portals or end points or sites have been exposed from those SaaS platforms and what’s out there because the CASB isn’t in front of my network. It’s in front of the customer’s network.
Brendan O’Connor:
The attacker’s not going to opt into going through the CASB. They’re going to go directly to the cloud. So your lowest risk population, your internal users where you control their endpoint and you control their traffic, you have robust security controls. The rest of the world, the rest of the internet: what controls do you have on what they can see and do with your data?
Well, the controls need to be around the Cloud tenant. The controls need to be around the data in those APIs and those applications that are running inside that Cloud environment. Trying to address it at the network is really only addressing it for your part of the equation. It’s like if I build a secure highway or secure tunnel between my driveway and the mall, well, great, I’ve secured all traffic that begins at my driveway. That doesn’t prevent my neighbor from just driving to the mall. And in fact, it doesn’t prevent me from going to other stores in the mall once I get there. You’re not wrapping the control around the Cloud provider’s network and they won’t let you. You can’t pick up your own security controls and install them into their data centers. So it’s a control that is in your perimeter that you control and operate, and you’re trying to force your users to go through it. And oftentimes you can do that. But what you can’t do is force attackers, third parties or Cloud native applications to go through it. That’s where the gap is. So it does some things very well, shadow IT and network-based DLP. People get a lot of value from that. But if you’re trying to prevent an attacker from downloading your data from a publicly exposed API or a misconfiguration, the CASB is not going to see it. Can I tell you a quick story?
Matt Chiodi:
Sure. I love stories.
Brendan O’Connor:
We did a bake-off with a CASB provider where the CASB provider was interested in our technology. This is a CASB provider on the Gartner MQ, too. This is not some startup. This is a big company. I’m not going to mention the name. They wanted us to run our product through their technology. So we looked at one of their SaaS tenants and we connected live with them on the Zoom, across the internet, and we were not passing traffic through their CASB, which they had in front of this Cloud application, this Cloud tenant. We found hundreds of thousands of documents and sensitive data records that were accidentally exposed via API, live, during our live risk assessment. So they’re watching us access this data from the public internet, from outside the CASB, not on their internal network, and their CASB is reporting that there is no activity. It’s not seeing it because we’re intentionally bypassing it. We’re going directly to the Cloud provider. We found production credentials, and third-party apps we could access externally. It’s the controls around the data in the tenant. It’s not a network problem. It’s an application problem and it’s a data problem.
Matt Chiodi:
I love that. I love that story. That’s powerful. So thinking about that, from a people and process perspective, if we go back to your experience when you were at Salesforce… And I don’t want to skip over that, right? I think, for people who don’t know you, you ran security for Salesforce, which… I had to do the research on this. So back in 2017, when you left, Salesforce had revenues of around 10 and a half billion. Okay, so today they’re somewhere north of 17 billion. Behemoth, right?
What should organizations be focused on from a, “How to manage SaaS, security at scale, perspective?” Not what to do, but how do they actually do it? Are there frameworks out there that organizations can be following as they look at trying to secure their X number of SaaS tenants that they have out there? How do you view that? How would you recommend people approach that or think about it?
Brendan O’Connor:
There are definitely frameworks. I want to give a little bit of credit to ServiceNow. I was at Salesforce for 10 years, but when I left Salesforce to join ServiceNow as CTO, I had the great experience of working with an amazing company and amazing team there too. So I think I have the unique experience of having led security teams at the top two SaaS providers, Salesforce and ServiceNow. And I got to see both the internal, what we were doing as a Cloud provider, but also I was a Cloud customer. These were both Cloud-first companies. So not only did they use their own Cloud products, but they used other SaaS products. So I really had the challenge of securing SaaS at scale, enterprise wide, at a time where most companies were still taking their first steps into the Cloud. So part of it is just the nature of the companies I worked for in my role. I got to this problem very, very early on.
Brendan O’Connor:
They’re both fantastic companies, and I think that the Cloud is inherently a better security model. There’s certain things that they do and SaaS providers do in the shared responsibility model that’s very much better than what their customers could do themselves. They harden their perimeters, they patch, they have great vulnerability management and OS hardening, and infrastructure hardening programs. They do this stuff at scale and they hire some of the best security talent in the world to manage and secure these production environments. There’s a ton that you get for free by going with SaaS. A lot of common things that you would have to worry about in your own environment or infrastructure environments, you get just solved for you by the SaaS provider, because they abstract so much that way.
Brendan O’Connor:
But one of the challenges that I saw was upfront security teams would look at a SaaS provider like any other vendor. So they would do a traditional vendor risk assessment. They would say, “Do you have a SOC 2? Do you encrypt our data? Talk to us about your data handling processes. Do you background check your employees that have access to data?” Typical stuff that you would ask any vendor. That’s not a bad thing to do, but that’s a terrible place to end the process. The real risk is once users are using the application and it is configured with custom code, connected into your business processes, and you have loaded all your data into it. A car is safest when it’s parked on the dealer lot. We have to drive the car to actually start putting risk into the equation. No one would ever secure their endpoints by saying, “Well, we asked Microsoft if they had a SOC 2 and they background check their employees and they passed vendor risk management. So I guess we don’t need to worry about endpoint security.” It’s a ridiculous statement. No one would own that.
Brendan O’Connor:
But when it comes to SaaS, it’s like, “Well, we asked the Cloud provider do they have a SOC 2? Did they background check their employees? And everything looks good. So I guess we don’t have anything to do.” I have also seen that a big challenge is when it comes to who owns SaaS security, it’s a big game of ‘not it.’ Everyone hopes it’s someone else’s job, but there isn’t one person that’s like, “Yes, I specifically own that.” But if you think about it, these are mission critical applications, sometimes the most important or most used apps in the entire business: Microsoft 365, Slack, GitHub, Salesforce, ServiceNow, Workday, Atlassian. We live in these applications. We’re in Zoom right now. Everyone is using Zoom or Teams or some sort of video conference.
Brendan O’Connor:
SaaS is how we get work done. And the data that’s in these applications is some of our most sensitive. It’s data about our customers, our internal systems and operations, our employees, our payroll; very sensitive data. How is that not security’s job to govern access? How does that not have a very clear defined owner in process? So I think assigning an owner and having them in charge is critical. We need to understand what SaaS applications we’re using, what the important ones are and what is our minimum bar from a security perspective. What controls should be in place? Do we actually apply those controls consistently? What we find is because it is no one’s job and you have good people, with good intentions, that make some pretty big mistakes because they’re not security experts. Meanwhile, the security team, they’re not even looking. They may not even have access to some of these major SaaS applications. If they did, they’re not quite sure what they’re looking at because they’re not experts.
Matt Chiodi:
Yeah. That’s a good one. I can just see this now, being in a consulting call with one of my clients and them asking me, “Well, where should governance sit for SaaS applications?” So let’s say I’m a client or I’m a customer of yours and someone asks you that question, right? I see this confusion a lot, especially the larger the company, if we’re talking about a multinational. Like you said, a lot of the SaaS applications, they may be owned by somebody in a business unit. They may not even be visible to IT or to security. So there’s that visibility problem, which we talked about falls under probably the CASB space that can help you discover what are the SaaS apps that are actually in use in my organization. But I guess the question then is where do you think that fits best? Is it within an IT security, a governance type role? Have you seen organizations that do this well, centralize that? What have you seen work well? What do you recommend?
Brendan O’Connor:
When I ran my programs, it was application security to me. It’s AppSec. This is security, it’s code, it’s configured code. API security is AppSec. Looking at role-based access control, you could argue “is authorization an AppSec problem or more of a traditional InfoSec problem?” But having a clear owner is key. And in my programs, application security owned SaaS applications and the data that’s behind them. But I’ve also seen people have SecOps look at it. I’ve seen it be a distributed function. What has worked best for me and what I’ve seen customers really adopt and scale is that you can’t look at every single change. There’s so much change that’s going on in these applications. These applications update themselves multiple times a year. That comes with your subscription. It’s not a bug, it’s a feature. They’re always adding more. So the levers, knobs and switches are increasing in number and complexity even if you do nothing, you’re not doing anything. You have got whole IT teams that have dozens of admins that live inside these applications that manage and configure them, write code on them, and integrate them with business processes and automation. These apps are great to integrate with. They can run almost any conceivable business process. Like I said, they’re becoming closer to operating systems in the Cloud than a simple web app.
Brendan O’Connor:
You can’t watch what every individual is doing. You have to put guard rails in place. “What are the things that always need to be in place? What are the things that users should never, ever be doing?” And then you programmatically put those in place. Whether it’s checking config, whether it’s scanning config before you commit it to production, or it’s just giving guidance and a checklist to the admins. Has security even weighed in and said, “These are the specific things that we expect you to do. Our policy wants two factor authentication everywhere. We need to have this encryption at rest feature on. These native security buttons or levers, knobs, and switches that the Cloud provider comes out of the box with, these must stay on.” We see in almost 50% of cases in certain applications, people have disabled cross-site scripting protection, disabled XSS in prod. It’s on by default with most SaaS applications, or the SaaS apps that we’ve seen.
Brendan O’Connor:
Why does it get disabled? There’s an article on Stack Overflow that recommends turning it off as a troubleshooting step for admins. So you have an IT admin that doesn’t know what XSS stands for and is just trying to solve a problem, while you’ve got a security team that knows exactly what XSS is and what it does and why it’s important. They don’t even know that’s a button they should be looking for. It’s a disconnect. You need to be able to understand what are those baseline level of controls and ensure that they’re always in place. To me, that’s baselining, that’s guard rails. It’s not rocket science, it’s a process.
Matt Chiodi:
I love that. Securing IaaS and PaaS platforms has always been a pain. Prisma Cloud by Palo Alto Networks is the industry’s most comprehensive cloud native security platform with the industry’s broadest security and compliance coverage throughout the development life cycle and across hybrid and multi-cloud environments. The Prisma Cloud platform offers an integrated approach that enables security operations and DevOps teams to collaborate effectively and accelerate secure cloud native application development. To find out more, go to paloaltonetworks.com/prisma.
Matt Chiodi:
One of the things that I’ve seen on the infrastructure and PaaS side of the house from a cloud perspective, is just the proliferation of infrastructure as code. Terraform has been growing like crazy. It’s kinda multi-cloud. Obviously AWS, I think, was one of the first ones to do it with cloud formation templates. Is there anything like that in the SaaS world? Do you see that? Is that something that’s still years out? Is that even possible to do something like that? And I know it won’t be called infrastructure.
Brendan O’Connor:
So first of all, I love Terraform, love HashiCorp; it is a fantastic product, but we definitely see the exact same challenge that this is config as code. Doing this manually is not the way to do it. This is a job for automation. This is a terrible job for a human to do this manually and it’s repetitive. Put it into code, and we’ve built our product along that philosophy with SaaS: put the guardrails in place, make it programmatic, don’t have a user inspecting every change or just staring at glass trying to understand what users are doing.
Brendan O’Connor:
Have a system that puts those guard rails in place where people can define their intention, this is what I want to occur, and let the machine, let the code actually build that technical configuration. Because trying to manage these complex systems manually is like trying to manage your Windows fleet with Regedit. Like you could do it that way, but that’s a terrible job. There’s nothing really that any endpoint management solution can do that you couldn’t manually script through Regedit and connect to individual computers and do it. But like who would do that?
Brendan O’Connor:
There’s a whole market around endpoint management for specifically that reason. It’s error prone, it’s manual, it’s time consuming and it doesn’t scale. SaaS is the same way. Infrastructure service is the same way. These are old problems that are just coming up in a new flavor. Sometimes we can lift and shift the old technology and make it work in the cloud. Sometimes we got to rethink the same value prop, but for a different architecture. My argument would be that SaaS is fundamentally a different architecture than hosting things on premise.
Brendan O’Connor:
So you need to rethink what is the value that you get from your security tools and how can you get that value today in an automated fashion in these new systems that supports that new architecture?
Matt Chiodi:
I love that. That’s a great point. So one of the things that I’ve blogged about in the past is the difference between effectiveness and efficiency. So I know most of our listeners that are using probably dozens of SaaS offerings and they are struggling with measuring cloud security in general. I always get asked about metrics, things like that. I guess from your perspective, what are some ways companies can better measure and understand those two areas when it comes to SaaS security, like so effectiveness?
Matt Chiodi:
How effective am I being with my controls? And then efficiency, obviously talking to how well am I actually doing those things? Are there metrics that you typically recommend organizations track when it comes to SaaS security? What should they be looking at? And if you can share maybe, are there similar metrics that you can share that you guys looked at when you were at Salesforce or when you were at ServiceNow?
Brendan O’Connor:
Yeah, that’s a great question. I think that’s kind of a “walk” answer, and I think most people are still learning to crawl when it comes to SaaS. To have metrics that you can track over time, you need to have that base level of telemetry. I think that most organizations today lack that base level of telemetry. What are the total number of security controls available in a given SaaS platform? Of those security controls, are they on or off for us? I don’t think most people can answer that comprehensively. I mean, that’s very, very basic, but you got to think about it.
Brendan O’Connor:
SaaS is not just one environment. You can have dev environments, QA environments, staging environments. You can have multiple deployments for different geographies or different business units. Just because you use Microsoft 365 or Salesforce or GitHub doesn’t mean it’s like one single entity. You have many different repos or channels or environments out there. So what are your environments? What are the most important ones? What are the ones the business spends the most money on? What are the ones that the most users use? What are the ones that have the most sensitive data?
Brendan O’Connor:
Because these systems are on the public internet. If it’s not housing critical data, you should triage that towards the bottom of the list. If it’s data about your customers, financials, employees or all of your internal documents, that should be at the top of your list. So understand what are the systems, who owns it, and what is the current state of your security controls. Most people aren’t there today. That’s got to be step one, understanding that. From there, you need to measure and understand, okay, of the security controls that we have applied, are they being applied consistently and comprehensively across all our environments?
Brendan O’Connor:
No. It doesn’t make any sense to put a 10 foot tall fence around two sides of your yard. You haven’t prevented anyone from coming in if it’s only partial coverage. It’s probably more secure to have a two foot tall fence around all four sides. At least then you can keep, I don’t know, rabbits and small dogs out of your yard rather than a huge fence that only covers one or two sides of the yard. So do you have the right baseline level of controls, things like two factor authentication, proper logging, encryption at rest, the basics of security. Are they being applied consistently?
Brendan O’Connor:
Can you be excellent at doing the ordinary when it comes to security management and configuration? From there, then it’s a process. How is this scalable? How can we stop finding problems in production and start preventing them from getting into production in the first place? Sometimes we need tow trucks, because sometimes we crash our car; but crashing your car is a failure condition. We shouldn’t invest in better, faster, quicker tow trucks. We should be investing in guardrails that keep cars from driving off the cliff in the first place so we don’t need the tow truck.
Brendan O’Connor:
Netflix has been a proponent of this for over a decade. They call it the paved road. If you give people a nice, easy paved road for them to follow, most people will follow it because they just want to get their job done. Good people with good intentions make mistakes. When you don’t give them guidance, they can make some pretty big security mistakes. And when it comes to the cloud, you can shoot yourself in the foot with a cannon. You can have a huge blast radius and cause a lot of damage with some very basic mistakes. So viewing every manual setting doesn’t scale, viewing every single change individually doesn’t scale.
Brendan O’Connor:
That would completely shut the business down. So how do you put guardrails in place to make sure that any changes to security relevant settings, new connections, exposing APIs externally, third-party apps, things that have really high security impact, so that you’re able to know when they occur or be able to scan or approve or catch those things in test or dev before it gets promoted into production?
Matt Chiodi:
Where do you think the market is? When I say market, I really mean kind of the industry in terms of cybersecurity, do you see customers in general? Are they asking the right question around this? Because as I mentioned before, I rarely ever get questions around the actual configuration of the SaaS platform. It’s always again, CASB, right? CASB solves all my problems. Again, they’re just focusing on, I think, basically the access portion of it, one part of the access portion. So where do you think the industry is rather in terms of just the maturity?
Matt Chiodi:
Are you starting to hear that question more and more? One of the things that caught the world’s attention back in December was what happened with the SolarWinds hack. So has that changed? Have you found that people are starting to ask more questions even about the SaaS platform itself? I mean, I agree with you. I remember when I ran cloud security at Cognizant, I put together something specific around how we were vetting SaaS vendors. And we did look for SOC 2’s and ISO 27000, all those things, but that doesn’t address the configuration, like you said, of the SaaS platform itself.
Matt Chiodi:
So I guess just question just generally speaking, has SolarWinds, which continues to just unfold, the output of that, has that changed? Has that caused people to ask questions around even SaaS security?
Brendan O’Connor:
It has. We’ve had several customers, I mean, since the holidays approached us, post-breach where they didn’t think they had an issue. They were told they had an issue and suddenly they’re scrambling. As a longtime security professional, I’ve been in that case. No one likes to be on the post-breach response team. I mean, it’s a special kind of pressure and pain. My heart goes out to anyone who’s experiencing that where you’ve got to make the best of a bad situation and figure out what happened. So I hate to see that happen, but I love to be part of the solution and helping customers when that happens.
Brendan O’Connor:
The truth is it’s happening and sometimes we hear about it. A lot of times we don’t, where they keep it pretty quiet. That aside, on what our reporting is and should be on how often these breaches are occurring, customers are waking up to it. They know that with remote work, they can’t rely on the perimeter. A lot of the thinking around SaaS was an on-premise thinking applied to a cloud problem. Because to your point, you thought about connectivity in isolation. Well, we’re just going to put a wall or a proxy in front of the SaaS application, and that makes it kind of internal.
Brendan O’Connor:
We triage and trust our internal applications more than we do our external ones because they’re behind protection. They’re behind those walls of the perimeter, our defense in depth. Well, I’m telling you, SaaS is not now and has never been behind your perimeter. Even if you think it is, the cloud doesn’t work the way that you think it does. You need to look at how this third party connectivity is actually working. When you grant an OAuth token, even if you have an identity provider with strong authentication, zero trust, they call it two or three factors, certificates, temporary one-time password, username, and password.
Brendan O’Connor:
We have the strongest identity provider in the world. Well guess what? That’s the authentication that gets you a wristband to get into Disneyland. Once you’re in Disneyland, you just show the wristband on all the rides. They don’t all check your ID. Or maybe for an over 21 audience, it’s like getting beer at a bar. You get checked at the door and then you have the stamp or the wristband and that’s what gets you around. Every individual resource within that location doesn’t re-ask for your full credentials.
Brendan O’Connor:
Well, once you get a session ID and you’re connected to a SaaS application, let’s say I want to integrate something. I want to integrate a third-party app to sync my sales leads, or something to help me collect logs and de-dupe duplicates that I have in my log stream. Benign good use case. Well, once I granted an OAuth token to that third-party provider, it doesn’t talk to my IDP. It doesn’t go inside my network. I have a valid session. I’ve got the wristband and I make a copy of that wristband and I hand it to a third party that is somewhere else on the internet, running in Azure, AWS, GCP, their own data center, not on my network, not connected to my systems. When that app connects to my cloud application, guess what? It shows the wristband. It doesn’t connect into my network and re-zero trust authenticate to my identity provider. My IDP doesn’t even see the activity. All the activity is happening inside the cloud provider. We do an assessment where we will do a quick scan and show you how many third-party applications have live API integrations into your environment.
Brendan O’Connor:
On average, the security team is aware of less than half of them. Think about it: Less than half of the apps that today are connected to your production environments and have some level of privilege to your data – the security team doesn’t even know what they are. They could be making copies of your data. They could be syncing your data. You could be violating industry regulations or compliance requirements without even knowing it, because one individual user who had good intentions, was not trying to attack you, connected an unsanctioned application that copied your customer list. Security is looking at the network and guess what? There’s no network activity on your network. It’s not coming from your network. So staring at the ground is not going to tell you what’s happening up in the cloud. You need to actually look at the cloud system. We also find typically third-party applications are vastly over-provisioned.
Brendan O’Connor:
There isn’t an environment I’ve looked at that I haven’t seen at least one or two apps, oftentimes more, but at least one or two, that have the equivalent of domain admin. You’ve given a third party vendor domain admin over your production environment. The fact that it’s an API and not a UI doesn’t actually impact what it’s able to do. The fact that it’s programmatic access and persistent access, they don’t get a browser like a user, but what we saw with SolarWinds is if that company gets compromised, they already have these bridges into all of these customers’ environments. The attacker doesn’t need to establish access. They can just walk across the bridges that already exist. It doesn’t look like an anomaly, unless you’re looking really, really closely. There isn’t an authentication event. Your identity provider isn’t part of this equation. They’re already authorized. They already have the wristband.
Matt Chiodi:
What we’ve been talking about there with the OAuth token, is that something that is a misconfiguration that you see usually on behalf of the customer? Is there a setting they can change so that doesn’t happen? How do you defend against that type of scenario? That’s the real question.
Brendan O’Connor:
Most cloud providers do have some pretty strict controls that you can put in place, where you can have third-party tools that automate that workflow. AppOmni being one of them, but not the only. But there are tools that will help you do that or you can do it manually with the cloud provider. Then also part of it is how OAuth works. So think about your phone. When you’re using an app on your phone, you might have to authenticate with your full credentials or using your identity provider at work once, but after that, that app has a token. Usually, you can use local auth like your fingerprint or your face ID, and that authentication, it doesn’t re-prompt you for your username and password, or you don’t need to reconnect your phone to the VPN. Well, think about IoT devices, how they work.
Brendan O’Connor:
They’re coming from carrier networks and they’re talking directly to the cloud. They’re not VPNing into your network and egressing through your CASB or talking to your IDP. They get this token. OAuth is like a longer-lived session ID that is being used for that purpose. I think that most security teams haven’t really dug in because OAuth can be complicated and it doesn’t have one flow. There’s actually a few different flows, and the cloud providers don’t always make it easy for you to see what all of those tokens that have been granted are. Who granted the token? When did they give it? How often has it been used? When was it last used? Sometimes that data is there, but it’s not in one place. You have to do some digging to go around and fetch it. But I think it all comes back to that failed premise of it’s not accessible. People think they have a wall around the cloud and that these types of things aren’t possible, or they’re much more difficult than they truly are. So they don’t think it’s a big problem.
Matt Chiodi:
I love that. So if there was… I love this conversation just because I think it’s so practical, and I think, again, it’s an area that many organizations are just starting to wake up to in light of what happened with SolarWinds, and even as they think about how do we reevaluate how we do vendor risk management? I mean, this is a huge part of it because that type of connectivity right into this place where you have this massive amount of sensitive data, that would have never happened in an on-premise world without IT or security being completely involved, right? Now, all of a sudden you have all this data that’s so sensitive, that’s living in these SaaS apps. This isn’t a new problem, right?
Matt Chiodi:
It’s not like SaaS is new and it just came out in the last three years, right? This has been around for many years. So I love that. If you’re someone listening to this podcast and you’re thinking, “Oh my goodness, I had no idea that this risk actually existed,” what would you say would be maybe… What are some things that they could do right away to try to maybe get a handle on this? What would you recommend? What steps should they take?
Brendan O’Connor:
That’s a great question. There was something you said around that would never happen on-premise. That is actually a very important point. Security has been gatekeepers. As the people that own the firewall, the people that own the perimeter, security has often been a role of gatekeepers and you got to ask the gatekeeper, if you want to get in or out of that gate. That allowed security teams to express a certain amount of governance, because they held all the keys. With SaaS, not only do security not hold all the keys anymore, they don’t even know where all the doors are. Someone else has the door. Someone else has the keys. This has been democratized and SaaS applications and these SaaS companies, they’ve been very successful doing it, but they sell directly to the line of business. They sell directly to who their users are. In a lot of cases, they can bypass IT and security, and that’s why security doesn’t have the keys like they used to.
Brendan O’Connor:
To more directly answer your question of what can security teams do now, you got to look at what your major SaaS applications are, what are the App Stores or the functionality they have that allow you to connect and run native code within that runtime, and what are their capabilities to take external code? Code running in another cloud service or somewhere else to connect via web service API? So there’s two different classes of third-party apps. Ones that run natively inside the runtime, others that run somewhere else but connect and sync data or read and write to the cloud. Those are the two major categories. One of those is going to be the API connections, and all of those are going to have usernames and passwords provisioned, API keys and OAuth tokens. There’s going to be some sort of credential that has been issued from the system to that, and you can catch them there.
Brendan O’Connor:
The ones that are getting installed inside your runtime, those are probably in a different area of the application, but you have to look around and see what third-party code or add-on code have we put in? What privilege level does it run? This is where it gets important. To whom have we exposed it? We’ll see cases where there’s an admin-level package, which is totally great software. They’re not harmful in any way, shape or form, and they’re being used for valid business purposes and are installed on that SaaS environment’s runtime. So it’s running locally inside the cloud environment and then gets provisioned to everyone, which includes external users. If you have external users that have pinhole access, or you built a portal or a site, or you’ve tried to grant limited external access, you may have accidentally exposed admin functionality running as root or running as sysadmin to low privileged or untrusted users.
Brendan O’Connor:
No one intended to do that, but because no one was looking at how the system was configured, who had access to what, what privilege level did these apps run as, and to whom have we provisioned them inside the cloud environment, not on the desktop, you find out that, “Oh, great. I have 3,000 users. They can all copy all of my data and decrypt it,” because they have access to call this admin API. The other thing is these applications are often SaaS themselves, which means they change. Even if you do nothing, the cloud provider is releasing more updates all the time. So an application that maybe did one or two things when you first installed it and approved it in your third-party risk program two years ago, well guess what? That vendor has probably released a whole lot of updates and your IT admins or your business users may have enabled new functionality, or may have just been pushed to them by the vendor.
Brendan O’Connor:
That application can now do 10 things or 20 things, or have new external entry points. SaaS security is not a point in time problem. It is continuous. It’s like you don’t look at the car and just test it when it’s parked on the dealer lot. That’s probably the safest it’ll ever be. The risk is in the driver, when it’s on the road.
Matt Chiodi:
I love that. This has been a great conversation, Brendan. I really appreciate your time and just learning… Even though I’ve been in cloud security for well over a decade, you’ve brought up a lot of items that I probably haven’t even thought about. So I know that I’m going to have a lot of listeners here that probably have a lot of questions. So if they want to follow up with you, if they want to learn a little bit more about AppOmni, how should they connect with you? What should they do?
Brendan O’Connor:
I always love connecting with people. I always love talking security. I am very much a security geek and love talking to other security people. Appomni.com, A-P-P-O-M-N-I. App like application, Omni like all. Appomni.com is the way to reach us. Or you can catch me on LinkedIn or Slack or email me, or can’t wait till you start getting to some security conferences, hopefully the end of this year, early next year when we’re all vaccinated, but always loved talking security with people.
Matt Chiodi:
Great. Well, thanks for coming today, Brendan. Enjoyed the conversation.
Brendan O’Connor:
Thanks so much for having me.
Speaker 2:
Thank you for joining us for today’s episode. To find out more, please visit us at cloudsecuritytoday.com.