Privilege Escalation Attacks and The SaaS Cloud
When’s the last time you checked where and how your archiving vendor is storing your data? Most SaaS-based archiving vendors, including email archiving vendors, have a multi-tenancy architecture and store archived data in public clouds. That means your data sits on servers owned by a very large cloud platform provider that rents capacity to thousands of other SaaS vendors and their customers. Bottom line: your data may be housed in the same cloud system as several of your competitors, and, depending on how the vendor manages keys, possibly under the same encryption keys.
Relying on public clouds has several security limitations. First and foremost, each SaaS vendor must adopt and rely on the security capabilities provided by the underlying cloud platform, which leaves end-user organizations little room to customize security controls to fit their specific needs and requirements. In practice, most SaaS security is a “one size fits all” offering.
And, as was made clear during one of the largest breaches of all times, SaaS “security” is now something of an oxymoron.
Capital One Data Breach – SaaS Security Limitations
In July 2019, Capital One Financial Corp. announced that personal information belonging to roughly 106 million of its customers and applicants in the United States and Canada had been accessed without authorization. The intruder, Paige Thompson, was a former Amazon Web Services (AWS) software engineer who had left AWS in 2016; AWS was the cloud platform hosting Capital One’s environment, but she was not an insider at either company at the time of the attack. According to the criminal complaint, she exploited a misconfigured web application firewall running on one of Capital One’s cloud servers to make that server fetch temporary credentials for its own cloud role, and then used the role’s overly broad permissions to list and copy data from Capital One’s storage buckets. Obtaining and using credentials with far more access than the compromised component needed is a form of privilege escalation. Prosecutors also alleged she had taken data from more than 30 other organizations by exploiting similar misconfigurations in those organizations’ own cloud accounts.
The limitations of SaaS security
Security threats originating from a SaaS platform can be intentional (a malicious insider or a compromised provider account) or unintentional (a misconfiguration or a software defect). In either case, the multi-tenancy architecture opens the possibility that the SaaS provider can perform arbitrary actions on a tenant’s data, including unauthorized reads, modifications, moves, and deletions. The Capital One breach puts security at public cloud-based SaaS suppliers under a spotlight. Specifically, it shows that clients need to question not only the infrastructure security but also the information security measures of their SaaS vendors:
- Are encryption keys reused across client data?
- What access controls are in place for the SaaS provider’s employees?
- Which resources are shared among many clients?
On this last point, in a SaaS /multi-tenancy model (like the one which is probably being used by your archiving vendor) some or all resources are shared with other clients.
What is Privilege Escalation?
The Capital One data breach used privilege escalation. The attacker first obtains a foothold on a system, often a low-privileged account or a single exposed component, and then exploits lax procedures, programming errors, or misconfigurations to gain a higher level of access than that foothold was granted: to the platform itself, its security controls, and, in a multi-tenant system, potentially other tenants’ instances and data.
Vertical versus horizontal privilege escalation versions
In a vertical privilege escalation attack, the attacker obtains privileges higher than those of the account they hold. Typical routes are exploiting a kernel or service vulnerability to run code as root or SYSTEM, abusing a misconfigured service or setuid binary, or stealing the credentials or tokens of a more privileged identity (as with the cloud role credentials in the Capital One case).
In a horizontal privilege escalation attack, the attacker keeps the privilege level they already have, whether obtained legitimately as an employee or contractor or by phishing a staff member for sign-in credentials, and uses it to act as a different user with similar privileges. For example, a customer who gains access to another customer’s online banking account has escalated horizontally.
In practice, the end goal is usually administrator or root privileges on the target system and, in a cloud environment, an identity with administrative rights over the account.
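The two escalation types above, shown at the application layer as an added example (this is not code from the original post): each vulnerable authorization check sits beside its hardened form. The users, accounts and request shape are constructed for illustration.

```python
"""Horizontal and vertical privilege escalation at the application layer:
the vulnerable authorization checks beside hardened ones.

Added example, not code from the original page. The users, accounts and
request shape are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    user_id: str
    role: str  # "customer" or "admin", assigned server-side


@dataclass(frozen=True)
class Account:
    account_id: str
    owner_id: str
    balance: int


class Forbidden(Exception):
    pass


# Constructed sample data: two customers, one administrator.
USERS = {
    "alice": User("alice", "customer"),
    "bob": User("bob", "customer"),
    "ops": User("ops", "admin"),
}
ACCOUNTS = {
    "acct-1001": Account("acct-1001", "alice", 500),
    "acct-2002": Account("acct-2002", "bob", 9000),
}


# Horizontal, vulnerable: authenticated, but the account id from the request
# is never tied to the caller, so bob can read alice's balance.
def view_balance_vulnerable(session_user: str, account_id: str) -> int:
    if session_user not in USERS:
        raise Forbidden("not signed in")
    return ACCOUNTS[account_id].balance


# Horizontal, hardened: an object-level check binds the resource to the
# caller. A missing account is denied the same way, so the response does
# not reveal which ids exist.
def view_balance(session_user: str, account_id: str) -> int:
    user = USERS.get(session_user)
    if user is None:
        raise Forbidden("not signed in")
    acct = ACCOUNTS.get(account_id)
    if acct is None or acct.owner_id != user.user_id:
        raise Forbidden("not your account")
    return acct.balance


# Vertical, vulnerable: the role is read from the request body, so any
# signed-in user can send {"role": "admin"} and export everything.
def export_accounts_vulnerable(session_user: str, request: dict) -> list:
    if session_user not in USERS:
        raise Forbidden("not signed in")
    if request.get("role") != "admin":
        raise Forbidden("admins only")
    return sorted(ACCOUNTS)


# Vertical, hardened: the role comes only from the server-side user record;
# nothing the client sends can change it.
def export_accounts(session_user: str, request: dict) -> list:
    user = USERS.get(session_user)
    if user is None:
        raise Forbidden("not signed in")
    if user.role != "admin":
        raise Forbidden("admins only")
    return sorted(ACCOUNTS)


def denied(fn, *args) -> bool:
    """True if the call is refused with Forbidden; used to compare the variants."""
    try:
        fn(*args)
    except Forbidden:
        return True
    return False


if __name__ == "__main__":
    print("bob reads alice (vulnerable):", view_balance_vulnerable("bob", "acct-1001"))
    print("bob reads alice (hardened):", "denied" if denied(view_balance, "bob", "acct-1001") else "allowed")
    print("bob exports as 'admin' (vulnerable):", export_accounts_vulnerable("bob", {"role": "admin"}))
    print("bob exports as 'admin' (hardened):", "denied" if denied(export_accounts, "bob", {"role": "admin"}) else "allowed")
```

The design point in both hardened versions is the same: the identity and role that decide access come from server-side state, and every object lookup is checked against that identity before anything is returned.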
Many attackers aim for, and are satisfied with, administrative privileges, the highest level of access on a system. In the Capital One case, the attacker escalated from a single misconfigured firewall server to credentials for a cloud role with broad read access over the bank’s storage; the data from 30-plus other organizations came from similar weaknesses in those organizations’ own accounts, not from a path out of Capital One’s environment. Although the Capital One hack was not, strictly speaking, a SaaS platform attack, it shared a weakness common to such platforms: a component holding far more access than its job required.
In this case, experts generally hold Capital One, not AWS, responsible. Under the cloud shared-responsibility model, the firewall configuration and the role’s permissions were Capital One’s to set, and the server misconfiguration could have been detected and fixed by the bank. Capital One stated that the data was encrypted at rest, but the stolen role credentials were sufficient to read and decrypt it, so encryption alone did not help; the larger failures were the misconfiguration and the excessive permissions granted to the role.
Privilege escalation is difficult to spot in SaaS systems
To muddy the waters even more, it can be difficult to tell normal activity from malicious activity such as privilege escalation within a given SaaS tenancy. In a SaaS solution where the provider is responsible for all operations, including security (a cloud email archiving service, for example), the provider must be on alert at all times to recognize potential security issues and intrusion attempts. In the future, artificial intelligence may play an important real-time role in monitoring and stopping these kinds of attacks. Until then, you are at the mercy of the SaaS provider’s security processes and those of the other tenants.
The Capital One hack is a sobering example of how a single misconfiguration turns into a large breach. There the mistake was the tenant’s own; in a multi-tenant SaaS platform where the provider runs everything, a comparable oversight by the provider could expose every tenant’s data at once.
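Telling normal from malicious credential use is a baseline problem. As an added example (not code from the original post), the detection logic below runs over constructed CloudTrail-style events and flags the pattern from the Capital One account: an instance role’s temporary credentials used from an address the instance never uses, API calls outside that role’s normal set, and bulk reads across many buckets in one hour. The event shape, the role name, the addresses and the thresholds are assumptions.

```python
"""Spot privilege-escalation indicators in constructed CloudTrail-style
events: an instance role's temporary credentials used from an address the
instance never uses, API actions outside the role's baseline, and bulk
reads across many buckets in one hour.

Added example, not code from the original page. The event shape, the role
name, the addresses and the thresholds are assumptions for illustration.
"""
from collections import defaultdict

# Assumed baseline per role: where its credentials are normally used from
# and which actions the workload legitimately needs.
BASELINE = {
    "waf-instance-role": {
        "source_ips": {"10.0.1.25"},
        "actions": {"logs:PutLogEvents", "s3:GetObject"},
        "max_buckets_per_hour": 2,
    },
}

# Constructed sample events (not real log data). The first is normal; the
# rest show the role's credentials reused from outside the network to
# enumerate and read buckets.
EVENTS = [
    {"time": "2024-05-01T10:00:00Z", "role": "waf-instance-role",
     "source_ip": "10.0.1.25", "action": "logs:PutLogEvents", "bucket": None},
    {"time": "2024-05-01T10:01:00Z", "role": "waf-instance-role",
     "source_ip": "203.0.113.7", "action": "s3:ListAllMyBuckets", "bucket": None},
    {"time": "2024-05-01T10:01:05Z", "role": "waf-instance-role",
     "source_ip": "203.0.113.7", "action": "s3:GetObject", "bucket": "cust-data-01"},
    {"time": "2024-05-01T10:01:09Z", "role": "waf-instance-role",
     "source_ip": "203.0.113.7", "action": "s3:GetObject", "bucket": "cust-data-02"},
    {"time": "2024-05-01T10:01:12Z", "role": "waf-instance-role",
     "source_ip": "203.0.113.7", "action": "s3:GetObject", "bucket": "cust-data-03"},
]


def detect(events, baseline=BASELINE):
    """Return (kind, detail, time) alerts for events that break the baseline."""
    alerts = []
    buckets_seen = defaultdict(set)  # (role, hour) -> distinct buckets read
    for e in events:
        profile = baseline.get(e["role"])
        if profile is None:
            alerts.append(("unknown-role", e["role"], e["time"]))
            continue
        if e["source_ip"] not in profile["source_ips"]:
            # Instance-role credentials should only ever be used by the instance.
            alerts.append(("credential-used-off-host", e["source_ip"], e["time"]))
        if e["action"] not in profile["actions"]:
            alerts.append(("action-outside-baseline", e["action"], e["time"]))
        if e["bucket"]:
            key = (e["role"], e["time"][:13])  # hour bucket, e.g. 2024-05-01T10
            buckets_seen[key].add(e["bucket"])
            # Fire once, at the first event that crosses the threshold.
            if len(buckets_seen[key]) == profile["max_buckets_per_hour"] + 1:
                alerts.append(("bulk-bucket-read", e["role"], e["time"]))
    return alerts


def alert_counts(alerts):
    """Count alerts by kind, for a quick triage summary."""
    counts = {}
    for kind, _, _ in alerts:
        counts[kind] = counts.get(kind, 0) + 1
    return counts


if __name__ == "__main__":
    found = detect(EVENTS)
    for kind, detail, when in found:
        print(f"{when}  {kind:<26} {detail}")
    print(alert_counts(found))
```

The off-host check is the strongest signal: credentials issued to a specific instance have no legitimate reason to appear from any other address, so that rule fires on the first misused call rather than waiting for volume.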
How to protect your data against privilege escalations
As we discussed earlier, many of the security issues and limitations of SaaS platforms are architectural. If your archiving vendor is providing a SaaS-based solution, consider taking the following actions to improve security and help protect your data.
Privilege escalation starts from a foothold, usually a less-privileged user account or a single compromised component, so user accounts and the permissions attached to them are the first area of focus. Obvious actions include:
- Enforce password policies and multi-factor authentication; passwords are one of the hardest controls to get right because of human nature
- Enforce screen-lock policies for unattended workstations
- Create specialized users, groups, and service roles with only the minimum necessary privileges, scoped to the specific resources they need
- Remove unnecessary or inactive accounts quickly
- Restrict data export capability across the enterprise
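The least-privilege item above, and the “easily monitored” configuration point from the Capital One discussion, can be checked mechanically. As an added example (not code from the original post), the audit below reads an IAM-style policy document and reports wildcard actions and resources, actions the workload does not need, and needed actions that are not granted; an over-broad policy of the kind that turns a compromised component into a data breach sits beside a tightened one. The policies, the bucket name and the needed-action list are constructed, and fnmatch stands in for IAM’s own wildcard matching.

```python
"""Least-privilege check for an IAM-style policy document: flag wildcard
actions and resources, actions the workload does not need, and needed
actions that are not granted. A broad policy of the kind that turns a
compromised component into a data breach is shown beside a tightened one.

Added example, not code from the original page. The policies, the bucket
name and the needed-action list are constructed for illustration; the
wildcard matching uses fnmatch as an approximation of IAM's * and ?.
"""
import fnmatch
import json

# What the (assumed) firewall instance actually needs: read its own config.
NEEDED_ACTIONS = {"s3:GetObject"}

# Constructed over-broad policy: every S3 action on every bucket, plus an
# unrelated IAM permission, all on Resource "*".
BROAD_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": ["s3:*"], "Resource": "*"},
    {"Effect": "Allow", "Action": "iam:PassRole", "Resource": "*"}
  ]
}
""")

# Constructed tightened policy: one action, one object prefix, and an
# explicit deny that narrows access further.
TIGHT_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::waf-config-bucket/*"},
    {"Effect": "Deny", "Action": "s3:*",
     "NotResource": "arn:aws:s3:::waf-config-bucket/*"}
  ]
}
""")


def _as_list(value):
    """IAM allows a string or a list in Action/Resource; normalize to a list."""
    return value if isinstance(value, list) else [value]


def audit_policy(policy, needed_actions):
    """Return (statement_index, finding, detail) tuples; empty means least privilege."""
    needed = set(needed_actions)
    covered = set()
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access
        if "NotAction" in stmt or "NotResource" in stmt:
            # Negated matching in an Allow grants everything not listed.
            findings.append((i, "negated-allow", "NotAction/NotResource"))
            continue
        for action in _as_list(stmt.get("Action", [])):
            hits = {n for n in needed if fnmatch.fnmatchcase(n, action)}
            covered |= hits
            if "*" in action or "?" in action:
                findings.append((i, "wildcard-action", action))
            elif not hits:
                findings.append((i, "unneeded-action", action))
        for resource in _as_list(stmt.get("Resource", [])):
            if resource == "*":
                findings.append((i, "wildcard-resource", resource))
    for n in sorted(needed - covered):
        findings.append((-1, "needed-not-granted", n))
    return findings


def is_least_privilege(policy, needed_actions) -> bool:
    """True when the policy grants exactly what is needed and nothing broader."""
    return not audit_policy(policy, needed_actions)


if __name__ == "__main__":
    for name, policy in (("broad", BROAD_POLICY), ("tight", TIGHT_POLICY)):
        print(name, "least privilege:", is_least_privilege(policy, NEEDED_ACTIONS))
        for idx, finding, detail in audit_policy(policy, NEEDED_ACTIONS):
            print(f"  statement {idx}: {finding}: {detail}")
```

A role that passes this audit still has to be monitored, but if the credentials are stolen the blast radius is one bucket prefix rather than every bucket in the account.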
Platform as a Service - PaaS – the new line of defense
While taking appropriate measures to secure user access may address some of your SaaS vendor’s security limitations, it may not provide the level of protection you want or need. This is especially the case for organizations concerned with the potential liabilities associated with privacy regulations and data-subject rights. Consider bypassing the increasingly antiquated limitations of SaaS solutions and, instead, look at PaaS (platform as a service) cloud offerings.
PaaS vs. SaaS
A PaaS provider offers part of a cloud provider’s application stack, such as operating systems, middleware (databases and specialty applications like archiving solutions), storage, and other runtimes, in a cloud environment. The key difference from a SaaS solution is that, in a PaaS solution, the end client can add further levels of security, including their own encryption and key management, and retains complete control of their application, data, and security. In a PaaS environment the application platform is never shared with other customer tenancies (think single, dedicated tenant versus multi-tenant), so escalation through a shared application into another tenant’s data is not possible. The customer’s own configuration still matters: the Capital One environment was a dedicated cloud account, and the weakness was in how that account was configured, so a dedicated tenancy has to be secured by the customer with the same discipline.
Your Data, in Your Azure Cloud, under your Management
Archive360’s Archive2Azure information management and archiving platform is designed as a PaaS solution installed within the customer’s own Azure tenancy. The key benefit of the Archive2Azure solution is the fact that it works completely within your company’s Azure tenancy, allowing you to retain direct ownership of your data and complete management of the environment – including all security.
About Bill Tolson
Bill is the Vice President of Global Compliance for Archive360. Bill brings more than 29 years of experience with multinational corporations and technology start-ups, including 19-plus years in the archiving, information governance, and eDiscovery markets. Bill is a frequent speaker at legal and information governance industry events and has authored numerous eBooks, articles and blogs.