The widely accepted software-as-a-service (SaaS) delivery model contains significant flaws and is "quietly enabling cyber attackers", introducing widespread vulnerabilities that could undermine the global economic system, according to a leading financial services chief information security officer (CISO).
In an open letter to third-party suppliers, JPMorgan Chase CISO Patrick Opet this week criticised software companies for making SaaS the default, and often the only, format in which software can now be delivered, locking customers into service providers and concentrating risk in those organisations.
He said that while this model can be efficient and innovative, it is now clear that it "magnifies the impact of any weakness… creating single points of failure with potent consequences".
"At JPMorganChase, we've seen the warning signs first-hand. Over the past three years, our third-party providers experienced a number of incidents within their supply chain. These incidents required us to act swiftly and decisively, including isolating certain compromised providers and dedicating substantial resources to threat mitigation," wrote Opet.
Although he did not point the finger at the suppliers involved in any of the many widespread supply chain incidents that have occurred in the past few years, Opet lamented that the problem seemed to be getting worse rather than better, with software suppliers changing systems without appropriate consent or transparency, and inviting downstream fourth-party suppliers into their systems.
Automation and artificial intelligence (AI) are further compounding these problems, he added, and all of these weaknesses are well known to adversaries, as borne out by changes in tactics among Chinese threat actors, who increasingly favour targeting organisations with deep access into their customer bases.
Three-step plan
In his missive, Opet set out three core steps SaaS providers should be taking to address these issues before they become insurmountable.
He called on the industry to prioritise cyber security during the design phase, building in or enabling security features by default; modernise security architectures to optimise SaaS integration in a way that mitigates risk; and collaborate better to halt threat actors' abuse of connected systems.
Mark Townsend, co-founder and chief technology officer at Acceletrex, a startup specialising in tech marketing and referrals, said Opet's letter spoke to wider frustrations among customers that IT suppliers are not doing enough to ensure the security of their services.
"The rush to stay ahead of the competition has led to several issues over the years.
"When buying SaaS, you're buying a system deployed by a vendor that you are trusting your data to. Many will provide an annual pen test report and demonstrate alignment with SOC2 and other standards, but as the author points out, a lot happens with the apps, and the infrastructure that enables them, over the course of a year.
"The security of these systems is fairly opaque and requires a bit more transparency between the vendor and the consumer as to how the data is secured."
Townsend added: "You can't be too prescriptive without giving
Reversec's Donato Capitella and Nick Jones, principal consultant and head of research respectively, said Opet rightly highlighted critical challenges faced by the industry in regard to the adoption of SaaS, notably the concentration of risk in a few big providers and reduced visibility making proactive incident detection and response much harder for customers.
"At a practical level, there are two very common areas where SaaS applications fail to provide adequate security. The first is gating single sign-on functionality behind add-ons or 'enterprise' plans, forcing users to make a trade-off between adequate identity security and cost," they told Computer Weekly in emailed comments.
"The second is comprehensive, high-rights audit logging, which is often also gated behind expensive plans or add-ons, if available at all. These limitations hinder an organisation's ability to prevent, detect and respond to attacks against their SaaS estate."
Capitella and Jones added: "We hope that SaaS vendors see this open letter as a call to arms and work towards providing a hardened, secure-by-default experience to their consumers."
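The two gaps Capitella and Jones describe, single sign-on and high-rights audit logging, only become actionable for a customer once the logs actually exist and carry enough detail to attribute an action. The following is an added example, not code from the article, from Opet's letter, or from any vendor: a small Python checker that runs over a constructed JSON-lines audit export (the field names `ts`, `actor`, `ip`, `event` and `detail` are an assumed schema, not a real product's) and surfaces the high-rights events a defender would want from such logs: admin role grants, broad OAuth consents, MFA requirements being switched off, public shares and password rather than SSO logins. It also counts events missing an actor or source IP, the kind of incompleteness that makes detection and response "much harder" in practice.

```python
import json
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample audit export in JSON-lines form. Schema and values are
# hypothetical; they are not taken from any real SaaS product.
SAMPLE_LOG = """
{"ts":"2025-04-28T09:12:03Z","actor":"alice@example.com","ip":"203.0.113.10","event":"user.login","detail":{"method":"sso"}}
{"ts":"2025-04-28T09:15:44Z","actor":"alice@example.com","ip":"203.0.113.10","event":"role.grant","detail":{"target":"bob@example.com","role":"org_admin"}}
{"ts":"2025-04-28T09:16:10Z","actor":"bob@example.com","ip":"198.51.100.7","event":"oauth_app.authorize","detail":{"app":"CalendarSyncPro","scopes":["files.read_all","users.read"]}}
{"ts":"2025-04-28T09:17:02Z","actor":"bob@example.com","ip":"198.51.100.7","event":"security.mfa_policy_change","detail":{"required":false}}
{"ts":"2025-04-28T09:18:30Z","actor":"carol@example.com","event":"file.share","detail":{"visibility":"public"}}
{"ts":"2025-04-28T09:20:11Z","actor":"dave@example.com","ip":"192.0.2.44","event":"user.login","detail":{"method":"password"}}
"""

# Roles and scope fragments treated as "high rights" in this hypothetical schema.
ADMIN_ROLES = {"org_admin", "owner", "super_admin"}
BROAD_SCOPE_MARKERS = ("all", "write", "admin")


@dataclass
class Finding:
    severity: str          # "high" or "medium"
    rule: str              # short rule identifier
    ts: str                # event timestamp as logged
    actor: Optional[str]   # None when the vendor's log omitted it


def parse_events(text: str) -> List[dict]:
    """Parse one JSON object per non-empty line; blank lines are skipped."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def check_event(ev: dict) -> Optional[Finding]:
    """Return a Finding if the event matches a high-rights rule, else None."""
    kind = ev.get("event", "")
    detail = ev.get("detail", {}) or {}
    actor = ev.get("actor")
    ts = ev.get("ts", "?")

    # Privilege escalation: someone was handed an administrative role.
    if kind == "role.grant" and detail.get("role") in ADMIN_ROLES:
        return Finding("high", "admin-role-granted", ts, actor)
    # Third-party app consent with tenant-wide or write scopes (a fourth-party
    # entering the estate, in the letter's terms).
    if kind == "oauth_app.authorize":
        scopes = detail.get("scopes", [])
        if any(marker in scope for scope in scopes for marker in BROAD_SCOPE_MARKERS):
            return Finding("high", "broad-oauth-grant", ts, actor)
    # Identity control weakened: MFA no longer required.
    if kind == "security.mfa_policy_change" and detail.get("required") is False:
        return Finding("high", "mfa-requirement-disabled", ts, actor)
    # Data exposure: content made publicly reachable.
    if kind == "file.share" and detail.get("visibility") == "public":
        return Finding("medium", "public-share", ts, actor)
    # Login that bypassed SSO, i.e. a local password the IdP cannot govern.
    if kind == "user.login" and detail.get("method") == "password":
        return Finding("medium", "non-sso-login", ts, actor)
    return None


def analyze(text: str) -> List[Finding]:
    """Run every rule over the export and keep the events that matched."""
    return [f for f in (check_event(ev) for ev in parse_events(text)) if f]


def attribution_gaps(text: str) -> int:
    """Count events with no actor or no source IP; these cannot be attributed
    during incident response, which is why 'comprehensive' logging matters."""
    return sum(1 for ev in parse_events(text) if not ev.get("actor") or not ev.get("ip"))


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"{f.severity:6} {f.rule:26} {f.ts} {f.actor}")
    print("events lacking actor or IP:", attribution_gaps(SAMPLE_LOG))
```

The rules are deliberately simple and the schema is invented; the point is that none of them can run at all unless the vendor exposes role, consent, policy and login events with actor and origin fields, which is exactly the logging the comments above say is often sold as an add-on or not offered.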