Software-as-a-Service (SaaS) Solutions: A Double-edged Sword

17 Jul, 2024
Updated: 22 Jul, 2024

The recent colossal CrowdStrike outage has exposed the risks business operations face with their IT infrastructure. The global IT failure caused chaos, grounding flights and locking users out of banking apps and healthcare services. 

Data breaches when using cloud services are not uncommon, yet companies are still opting for SaaS solutions, and many of the companies adopting them handle sensitive customer data. Since 2023, 45% of businesses using SaaS options have dealt with data breaches, and this number keeps climbing.

This raises the question: why are companies still putting their trust in an option prone to failure? Below, we discuss the risks businesses take when using SaaS solutions.

Software-as-a-Service (SaaS) Solutions: A Double-edged Sword

Software-as-a-Service (SaaS) solutions supposedly do have benefits, such as cost efficiency, scalability, accessibility, automatic updates, reduced deployment time, and the like. However, these benefits come at a cost: a data breach can not only damage a company's reputation but can also incur a hefty fine, and only fines in the hundreds of millions make it into the public media.

The Facts Are the Facts

Top companies have been affected by data breaches due to their choice of solution. These attacks are not surprising, as the red flags were there: a SaaS solution was used to manage sensitive data.

  • The private data of 15 million Trello users was leaked this January.

  • A cyber attack on the Microsoft Exchange email services affected over 50,000 companies in 2021, with a repeat in 2023 and 2024. 

  • In August 2023, both Microsoft 365 and Google Workspace suffered an attack by EvilProxy.

  • AT&T lost phone records of nearly all its customers, which it had entrusted to the cloud data giant Snowflake.

Why Are SaaS Solutions So Prone to Data Breaches? 

SaaS solutions are advertised as cost-effective options. Everything a team could need is cleverly packaged in one solution, thus reducing on-premises data centre costs. This is an attractive option for many companies, although one key fact is left out. What makes these options better priced is that the software is shared with thousands of other companies, which lowers the price but also means all company data is stored alongside the data of other (unknown) users.

With the increased use of SaaS options, a massive amount of data is stored centrally and exposed to the internet, making it an interesting target for attackers. A recent study by Wing Security found that the average employee uses 29 SaaS apps, which, due to their internet-facing nature and continuous operation, open the door to a range of attacks, such as malicious packages, malware, and spyware. This further illustrates that SaaS solutions have numerous weaknesses. These weaknesses include:

Centralised Data Storage

SaaS solutions often store large amounts of data from multiple clients in centralised databases. This makes them very attractive targets for cybercriminals who can access a wealth of information in a single breach.

Increased Attack Surface 

By design, SaaS applications are constantly accessible over the Internet, exposing them to attacks and increasing the risk of exploitation through various attack vectors. Additionally, human error, such as misconfigurations, weak passwords, and falling for phishing, can compromise SaaS accounts, and employees can unintentionally expose data through insecure practices.

Increased Platform Complexity

Every piece of software has the concept of user roles, where some more privileged users are allowed to see and change data that other user roles cannot. SaaS solutions need to implement such data access checks at the granularity of a user's role, and in addition they need to prevent companies using the same SaaS solution from accessing each other's data.

This significantly increases the complexity of the software. It becomes challenging to ensure that all data access checks are correct, and the software becomes prone to misconfiguration.
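To make the two layers of checks concrete, here is an added illustration in Python (not code from the original post or from any product it mentions): a role-only check beside a check that enforces tenant isolation first. The tenant, user and record names are constructed for the example.

```python
from dataclasses import dataclass

# Constructed sample data: one shared table holding rows of two tenants,
# which is how a multi-tenant SaaS backend typically stores customer data.
RECORDS = {
    1: {"tenant": "acme", "owner": "alice", "body": "acme payroll export"},
    2: {"tenant": "globex", "owner": "carol", "body": "globex payroll export"},
}


@dataclass(frozen=True)
class User:
    name: str
    tenant: str
    role: str  # "admin" may read every record of its own tenant, "member" only its own


def role_only_check(user: User, record_id: int) -> bool:
    """Role rule only. This is the mistake the text warns about: the per-role
    rule is implemented, but nothing ties the record to the caller's tenant,
    so an admin of one tenant can read another tenant's rows."""
    rec = RECORDS[record_id]
    return user.role == "admin" or rec["owner"] == user.name


def tenant_scoped_records(user: User) -> dict:
    """Data-layer filter: a caller can only ever see rows of its own tenant.
    Applying this once, before any role logic, means a forgotten tenant
    condition at a call site cannot leak cross-tenant data."""
    return {rid: r for rid, r in RECORDS.items() if r["tenant"] == user.tenant}


def hardened_check(user: User, record_id: int) -> bool:
    """Tenant isolation first, role rule second; both must hold."""
    rec = tenant_scoped_records(user).get(record_id)
    if rec is None:  # other tenant or nonexistent: same answer either way
        return False
    return user.role == "admin" or rec["owner"] == user.name


def read_record(user: User, record_id: int, check=hardened_check) -> str:
    """Access path used by the application; `check` is swappable for the demo."""
    if not check(user, record_id):
        raise PermissionError(f"{user.name}@{user.tenant} may not read record {record_id}")
    return RECORDS[record_id]["body"]


if __name__ == "__main__":
    acme_admin = User("alice", "acme", "admin")
    print(role_only_check(acme_admin, 2))  # True: cross-tenant read slips through
    print(hardened_check(acme_admin, 2))   # False: tenant isolation holds
```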

Security Is Not the Primary Business Focus for SaaS

As with every business, companies that offer SaaS solutions have many conflicting requirements that they must prioritise. It should not be surprising that some decisions are not in the best interest of their customers. The media reported an extreme case of such behaviour by Microsoft, which actively ignored exploited vulnerabilities in order to win contracts with the US federal government.

Risk Transfer Instead of Risk Elimination

Many customers of SaaS products have the misconception that by choosing SaaS, they have eliminated a multitude of risks: backup, uptime and security. In reality, those risks are transferred to a third party, where incidents can still occur. They still need to be managed by the SaaS customer, as UniSuper correctly anticipated.

Due to internal errors at Google, UniSuper lost its accounts along with all the data it held with Google. Only because it had decided to keep a backup with an external provider could it recover from the data loss. Due to the prominence of the customer, Google was very dedicated to restoring the services vital to UniSuper's business.

SaaS Can Be Switched Off at Any Time

There are many reasons why a company might discontinue its SaaS offering, among them business realignment, acquisition, or insolvency. For example, VMware cloud service providers saw their service discontinued after Broadcom acquired VMware.

Travel Rule Solutions Must Be On-premises

Considering the above, a Travel Rule solution needs to be on-premises (on-prem). On-prem solutions are less prone to breaches because the data stays within the VASP's own infrastructure: no data is shared with a provider or any other third party without the managing VASP's consent. As everything is done in-house, no third party has any knowledge of executed transactions except the parties involved.

By opting for an on-prem solution, VASPs can ensure direct, peer-to-peer transfers, eliminating the need for intermediaries and enhancing privacy and security. Lastly, the attack surface is significantly reduced by restricting back-office/admin access to the intranet or VPN.

Banks, mining companies, and VASPs that take data protection seriously opt for an on-prem Travel Rule solution, like 21 Travel Rule. By choosing an on-prem solution, VASPs can decide when data is physically deleted and data protection obligations are fulfilled, can stay independent rather than relying on the provider's availability and uptime to complete transactions, and can avoid additional risks and points of failure.

Furthermore, those VASPs are responsible for the trade-offs between business requirements and security. They manage the risks more consciously because the risks are not wrongly perceived as eliminated.

Business continuity is guaranteed even when an on-prem product is discontinued, because the VASP is in complete control of its data and in possession of all software components necessary to continue operation.

Learn more about the leading on-prem Travel Rule solution.
