XaaS Security
By Kristin Thomas on October 18, 2024
Executive Summary
Many businesses use some form of XaaS, or Anything as a Service, to reduce overhead while expanding business operations. Because vendors are only responsible for the product they provide, data compliance remains the enterprise’s responsibility. Customers should follow vendors’ Complementary User Entity Controls, or CUECs, and provide additional security measures in the event that a service vulnerability is exploited. Potential mitigations include having security leaders review market-relevant threat intelligence reports and vendor System and Organization Controls reports, and implementing security measures that protect data in the event that a vendor’s system is breached. Safeguards like these are how tenants can protect their data while utilizing XaaS.
Background
Many enterprises employ Anything as a Service, or XaaS, providers to simplify day-to-day operations [5]. This can range from a high-level service stack such as SaaS, or Software as a Service, to hardware only, such as IaaS, or Infrastructure as a Service. Customers often incorrectly assume that data security is the sole responsibility of the vendor [2]. XaaS providers employ a Shared Responsibility Model for security. This means that both the vendor and the tenant always hold part of the responsibility, regardless of how much of the workload the service offloads. AWS describes these roles as the provider being responsible for “Security of the Cloud,” while the tenant is responsible for “Security in the Cloud” [1]. Service providers are only responsible for securing the product itself, not the data that customers place within it. Businesses remain liable for the data workload that they share with vendor services.
Two considerations increase an organization’s attack surface. First, XaaS providers outline the requirements that tenants must follow for their applications to run properly in their published System and Organization Controls, or SOC, reports [3]. These conditions are known as Complementary User Entity Controls, or CUECs. Customers may introduce preventable risks if they do not follow vendor guidelines. Second, these third parties are limited in the assistance they can provide customers for compliance and incident response. For example, NIS2 is a European Union policy that mandates stricter data security and resilience requirements for businesses located in the EU or serving users based in the EU [6]. Enterprises subject to NIS2 are not allowed to use a service provider’s backup to fulfill policy requirements; the organization must create its own backups. Enterprises may offload data storage to the cloud, but they can’t offload compliance responsibilities.
The task of tracking and securing data for each product can become daunting. The average business utilizes a large array of third-party services, often with many users within the enterprise interfacing with these products. If tenants don’t enact security controls, threat actors can exploit this [4]. For example, many businesses employ SaaS when they require business software but don’t have the resources for a development team. Although they can refocus energy away from creating software, they still must understand how the third party holds their information and what additional actions they must take to secure their workload data.
A common authentication vector that threat actors exploit is non-human identities, such as access tokens and APIs [7]. One access token commonly used to authenticate users is the OAuth token. These tokens are widely used because they allow users to authenticate once across several platforms [8]. Stolen OAuth tokens can be used to gain unauthorized access to user information. Since many system defaults permit a token to have general, unrestricted access to an entire database, one token can be used to view and modify other user accounts. Restricting the information that a single token can access is necessary to mitigate such a situation.
Impact
XaaS security impacts most business environments. Most enterprises use over a hundred XaaS vendors. Reputable vendors, such as Git and Dropbox, have been breached in the past. Neglecting security can negatively impact an enterprise’s ability to uphold compliance requirements, putting company assets at risk.
Mitigation
To mitigate the risks of using third-party services, enterprises must become and remain informed. Businesses should obtain risk assessments to decide whether a service is a good fit. Enterprises should ensure that data security leaders understand vendor CUECs. If tenant users aren’t implementing CUECs, the vendor software may not work properly, which may in turn affect security.
Data security leaders should set boundaries for what an authenticated user can accomplish. Access tokens should be cleared and reissued frequently, and user accounts should be given the least privilege possible. Information that is no longer needed should also be removed from databases immediately. These measures limit what an attacker can access if a XaaS product is breached.
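The contrast between a token that can reach the whole account database (the OAuth default described in the Background section) and one bounded by subject, scope and lifetime as recommended here, as an added Python example that is not part of the original article. The Token fields, the scope names profile:read and profile:write, and the in-memory account store are assumptions made for illustration.

```python
# Added illustration (not from the article): an account lookup where any valid
# bearer token can read or change every account, beside a version that binds each
# token to one subject, a set of scopes and a short lifetime. Token fields, scope
# names and the account store are constructed for this example.
from dataclasses import dataclass
from typing import Callable, FrozenSet, Optional
import time

@dataclass(frozen=True)
class Token:
    sub: str                 # account the token was issued to
    scopes: FrozenSet[str]   # e.g. {"profile:read"}; no scope means no access
    expires_at: float        # epoch seconds; a short lifetime bounds a stolen token

# Constructed in-memory store standing in for the vendor's database.
ACCOUNTS = {"alice": {"email": "alice@example.test"},
            "bob": {"email": "bob@example.test"}}

def get_account_unrestricted(token: Token, account_id: str, now: Optional[float] = None) -> dict:
    # Weak default: any unexpired token can read any account in the store.
    if (time.time() if now is None else now) >= token.expires_at:
        raise PermissionError("token expired")
    return ACCOUNTS[account_id]

def authorize(token: Token, account_id: str, scope: str, now: Optional[float] = None) -> None:
    # Hardened check: unexpired, carries the needed scope, and bound to the account.
    if (time.time() if now is None else now) >= token.expires_at:
        raise PermissionError("token expired")
    if scope not in token.scopes:
        raise PermissionError(f"missing scope {scope}")
    if token.sub != account_id:
        raise PermissionError("token not issued for this account")

def get_account_scoped(token: Token, account_id: str, now: Optional[float] = None) -> dict:
    authorize(token, account_id, "profile:read", now)
    return ACCOUNTS[account_id]

def set_email_scoped(token: Token, account_id: str, email: str, now: Optional[float] = None) -> dict:
    authorize(token, account_id, "profile:write", now)
    ACCOUNTS[account_id]["email"] = email
    return ACCOUNTS[account_id]

def denial_reason(call: Callable, *args, **kwargs) -> Optional[str]:
    # Returns why an access was denied, or None if it went through.
    try:
        call(*args, **kwargs)
        return None
    except PermissionError as exc:
        return str(exc)
```

With the unrestricted lookup, a token stolen from one user reads every other account until it expires; the scoped version turns the same theft into access to one account, one operation, for one short window.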
Security leaders should review threat intelligence publications to remain informed on the most recent attack trends relevant to their market. This type of literature aggregates information like attack types, trends and associated risks into a digestible format. Threat actors are quick to develop and employ methods to compromise data and assets. Although enterprises may not be able to prevent all attacks, they can do their due diligence to minimize their attack surface and avoid known exploits.
Relevance
Customers must become and remain aware that third-party applications have security vulnerabilities. It is critical that users include these services in their risk management strategies and incident response plans so that they are prepared. As long as businesses ensure they have appropriate security measures in place, they can enjoy the benefits that XaaS offers.
References
[1] Amazon. (n.d.). Shared Responsibility Model. AWS Cloud Security. https://aws.amazon.com/compliance/shared-responsibility-model/
[2] Fernandez, A. (2024, June 25). Unlocking SaaS Data Security With Shared Responsibility In The Cloud. HYCU. https://www.hycu.com/blog/unlocking-saas-data-security-with-shared-responsibility-in-the-cloud
[3] Hill, L. (2023, May 23). Importance of Complementary User Entity Controls for Vendor Relationships. VenMinder. https://www.venminder.com/blog/importance-complementary-user-entity-controls-vendor-relationships
[4] Lubetzky, G. (2024, September 16). How Does Threat Intelligence Apply to SaaS Security? And Why You Should Care. The Hacker News. https://thehackernews.com/expert-insights/2024/09/how-does-threat-intelligence-apply-to.html
[5] Microsoft. (2024, September 28). Shared responsibility in the cloud. Microsoft Learn. https://learn.microsoft.com/en-us/azure/security/fundamentals/shared-responsibility
[6] NIS2 Directive. (n.d.). What is NIS2 Directive? NIS2 Directive. https://nis2directive.eu/what-is-nis2/
[7] Silva, M. (2024, January 25). Part 2: How Attackers Exploit OAuth: A Deep Dive. Astrix. https://astrix.security/learn/blog/part-2-how-attackers-exploit-oauth-a-deep-dive/
[8] Zhong, G., & Wang, S. (2024, September 3). New OAuth Phishing Threat: Exploiting Vulnerabilities in SaaS Integration Platforms. Obsidian Security. https://www.obsidiansecurity.com/blog/oauth-phishing-threat-exploiting-saas-integration-platforms/