SaaS adoption is on the rise, but so is data loss
The mass adoption of cloud-based applications is no longer exclusive to private enterprises. Education, health care and government agencies are rapidly adopting software-as-a-service solutions to cut costs and improve productivity and efficiency. More than 70 percent of state government CIOs are “cloud first,” and both state and local government organizations are continuing to embrace SaaS offerings such as G Suite or Office 365.
Unlike on-premise tools, SaaS applications help IT teams adapt to rapid changes in agency needs and constituent-focused requirements. For example, being able to instantly scale up or down as needs change makes post-election budget shifts easier to accommodate, as it allows IT teams to add or shed subscriptions rather than being stuck with more (or less) on-premise capacity than is needed. SaaS offerings also reduce on-premise management of application storage, updates, patches and maintenance, which frees IT teams to do more, even if their budgets restrict adding staff.
SaaS does not protect against threats
Despite all the benefits cloud-based applications provide, SaaS offerings are not immune to phishing attacks, ransomware, end-user error or malicious insider threats. As such, the use of SaaS — if not properly approached — can lead to dire consequences if employees don’t understand the limitations of data protection in the cloud, especially given the increasing amount of mission-critical data stored there.
In fact, end-user error (e.g. misconfiguration of retention policies, improper data loads that overwrite good data with bad at compute speed or accidental deletions) is often the biggest risk organizations face, as the expanded responsibilities introduced by SaaS architectures can lead to widespread confusion and mistakes. Case in point: a study from the Ponemon Institute found that 64 percent of all data loss is caused by human error. In my company’s interviews with G Suite and Office 365 admins, one government agency admin said that simple setup errors led to the loss of more than 200 tenants in Office 365.
Best practices for maintaining SaaS security
To reap the benefits of SaaS applications while also mitigating associated cyber risks and data loss, government organizations should consider the following four best practices:
1. Recognize that admins and end users pose the most risk. While many assume SaaS vendors are the most significant source of risk to SaaS-based data, they’re not. More often, an agency’s admins and end users pose the most risk, and remaining ignorant of this fact can make an already precarious situation all the more dangerous. In addition to human error, admins and end users can introduce programmatic errors (i.e. sync or integration errors), which can overwrite good data with bad or delete good data altogether. Agencies should train admins and end users to be “phishing proof” regarding SaaS data, audit SaaS configurations regularly and consider limiting access to admin rights as necessary.
2. Conduct due diligence on all third-party vendors. Even though internal users usually pose the most risk, it’s still important to ensure SaaS vendors have multiple layers of security in place. Agencies should confirm that they’re SOC 2 Type II compliant and request a SOC 2 report, which describes the controls that a SaaS provider has in place to deliver on security, availability, data integrity, confidentiality and the privacy of personal data. IT managers should also conduct customer reference calls and read vendor reviews to go beyond service uptime and accuracy stats.
3. Become familiar with government ransomware attacks. Agency admins may already be familiar with the risks posed by disgruntled employees; however, they’re rarely as familiar with the recent rise in ransomware attacks on government. For example, admins in agencies using collaboration apps such as G Suite and Office 365 must keep abreast of malware schemes such as the “folder grenade” phenomenon, in which ransomware encryption spreads at compute speed through every shared folder or document whenever a document or email is shared.
4. Automate all data backup and restoration processes. Automating SaaS data backup and restoration drastically reduces the number of manual steps needed to protect data, and it also reduces the ways end-user error and inconsistent execution can add audit and governance risk. Agencies should look for single-source backup tools that provide automated, secure and reliable SaaS data protection for the apps they most rely on, as this will simplify admin responsibilities and reduce operational overhead.
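One defensive check that follows from the “folder grenade” point above: a burst of extension-changing renames by one account inside a shared folder is the signature of encryption spreading through shared content, and auditing shared-folder activity for it gives admins an early signal to restore from backup. This is an added example, not code from the article or from Spanning; the event tuples are constructed for illustration and do not follow any real G Suite or Office 365 audit-log format.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit events (not a real G Suite or Office 365 log format):
# timestamp, actor, shared folder, original file name, new file name.
SAMPLE_EVENTS = [
    ("2023-05-01T09:00:00", "alice@agency.example", "Shared/Finance", "budget.xlsx", "budget.xlsx"),
    ("2023-05-01T09:00:03", "bob@agency.example", "Shared/Finance", "q1.docx", "q1.docx.locked"),
    ("2023-05-01T09:00:04", "bob@agency.example", "Shared/Finance", "q2.docx", "q2.docx.locked"),
    ("2023-05-01T09:00:04", "bob@agency.example", "Shared/Finance", "vendors.xlsx", "vendors.xlsx.locked"),
    ("2023-05-01T09:00:05", "bob@agency.example", "Shared/Finance", "notes.txt", "notes.txt.locked"),
    ("2023-05-01T09:00:06", "bob@agency.example", "Shared/Finance", "plan.pptx", "plan.pptx.locked"),
    ("2023-05-01T09:00:40", "alice@agency.example", "Shared/HR", "draft.docx", "draft-v2.docx"),
    ("2023-05-01T10:15:00", "carol@agency.example", "Shared/HR", "old.pdf", "old.pdf.locked"),
]


def extension_changed(old_name, new_name):
    """True when a rename changes the file extension (e.g. q1.docx -> q1.docx.locked)."""
    return old_name.rsplit(".", 1)[-1].lower() != new_name.rsplit(".", 1)[-1].lower()


def detect_mass_rename(events, window=timedelta(seconds=60), threshold=5):
    """Flag (actor, folder) pairs that change the extension of at least
    `threshold` files in one shared folder within `window`.
    Returns a sorted list of (actor, folder, count) alerts."""
    renames = defaultdict(list)
    for ts, actor, folder, old_name, new_name in events:
        if extension_changed(old_name, new_name):
            renames[(actor, folder)].append(datetime.fromisoformat(ts))
    alerts = []
    for (actor, folder), times in renames.items():
        times.sort()
        start, best = 0, 0
        # Sliding window: largest number of renames falling inside any `window` span.
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            alerts.append((actor, folder, best))
    return sorted(alerts)


if __name__ == "__main__":
    for actor, folder, count in detect_mass_rename(SAMPLE_EVENTS):
        print(f"ALERT: {actor} changed {count} file extensions in {folder} within 60s")
```

The threshold and window are tuning knobs; a single extension change by an account is normal user activity, and the alert only fires when the rate matches mechanical, compute-speed spread.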
Automated backup and internal education are key
Regardless of the service delivery model or type of SaaS applications implemented within a government organization, IT teams are responsible for ensuring that data management aligns with regulatory requirements, organizational governance and defined controls. IT teams must also ensure business continuity in a way that facilitates a fast return to operational readiness. Agency IT teams should leverage automated backup and restoration technology to guarantee the security and accessibility of cloud data, and prioritize internal user education and protocols. In doing so, they can safely benefit from the unmatched agility of SaaS-based offerings and rest assured that data is protected.
Brian Rutledge is principal security engineer at Spanning Cloud Apps.