2021 is here! This is likely the most anticipated year change in a while. As we step into the new year, let’s take a quick look at 2020, the year of SaaS.
The challenges and changes that affected our lives and work in 2020 are still fresh — including the move from physical spaces to online ones. Amid global lockdowns, SaaS (software as a service) played a large role in enabling business, education, and life in general to continue. It is not an exaggeration to say that SaaS was the hero that saved the day for organizations around the world. In fact, in addition to our business running entirely on SaaS, I was forced to attend important, closed-door federal government briefings over SaaS-based video chat, something that never would have happened before 2020.
In speaking with teams this year, I’ve been struck by the phrase “the journey will end in SaaS.” In other words, organizations now see most if not all business functions moving to the cloud. Companies that were planning to move to SaaS in the future have pushed up their plans, while companies that were already invested in SaaS have doubled down. Similarly, security tools that needed to be deployed on-premises are taking a backseat to tools that can be deployed and managed in the cloud.
At many companies, policies prohibited the use of personal devices or non-corporate networks; employees working from home had to connect via VPN. In 2020, as physical offices suddenly closed their doors, these restrictions became a huge burden overnight. IT and security teams needed to provide the certificates and hardware for connecting remotely and make sure VPNs didn’t become overloaded. Facing demands from employees to find a more convenient and reliable solution, many companies have revisited their policies and shifted their focus to SaaS applications, which could be accessed easily from any device or network.
App developers also found themselves on the road to SaaS in 2020, racing to extract value from the influx of users on platforms like Salesforce, Workday, G Suite, etc. Third-party integrations were a wild west: many useful applications, and a share of dangerous ones that request far more access to company data than their stated purpose needs. In common setups we’ve seen, the majority of users can install apps, and organizations have ended up exposed to attackers (e.g. an app that poses as a chess game while snooping on Slack conversations).
2020 was the year the collective voice of SaaS security concerns became loud. Now, governments, courts, medical offices, and schools were joining the chorus of users affected by data leaks and Zoombombing. With so many essential functions of our lives running on SaaS, it became clear that security couldn’t remain a nice-to-have any longer.
Yet while everyone felt the need for better security in 2020, the demands themselves weren’t always concrete. Businesses started realizing they needed to do better due diligence on their providers, but many have been eager to pass the workload off to the providers themselves. Compliance is full of open questions: what should be reported, who should report it, and how should the APIs for pulling security data work? There’s a clear need for education in this area.
Fast-growing SaaS providers prioritized growth and usability over security. To make sure they were first to market, they took shortcuts on the security roadmap, such as not offering two-factor authentication, not providing true end-to-end encryption, or simply leaving known vulnerabilities unresolved. While some have done much better than others, it’s still up to the organization using these tools to mitigate the risk. After all, SaaS is not outsourced risk; it is outsourced IT.
Just when many of us were licking our wounds and counting the year done, we were hit by the disclosure of a breach involving SolarWinds Orion, a widely deployed network monitoring platform. The SolarWinds supply chain attack impacted government agencies including the U.S. Treasury and the Department of Commerce, as well as private companies; SolarWinds’ customer base includes more than 400 of the Fortune 500. While the full impact is not yet known, it feels like the biggest breach of all time.
The attack on FireEye, the U.S. Treasury and others was an attack on core IT infrastructure. The adversaries compromised SolarWinds’ software build and update process, then used it to deliver a backdoor inside a routine, digitally signed update to customers of the SolarWinds Orion network monitoring platform.
Once inside a victim’s network, the adversaries manipulated authentication to impersonate legitimate users: they forged SAML tokens using stolen signing keys and added their own credentials to existing OAuth applications, then used that access to read email in SaaS applications such as Microsoft 365. The initial attack vector was on-premises, but the data the attackers wanted was in SaaS. That is a wake-up call for organizations that have historically worried about the cloud as a path into their on-premises network: here, the on-premises network was the path into the cloud. It’s putting another nail in the coffin of running your own software.
As noted above, SaaS is not outsourced risk; it is outsourced IT. Organizations still have a responsibility to their employees, to their customers, and to their stakeholders to properly safeguard information and to monitor behavior.
Organizations stating that the “journey will end in SaaS” are now working to determine the best way to secure SaaS. Do they go left of boom (prevention, before an incident) or right of boom (detection and response, after one)? Hint: you need both. Teams are working to learn more about the systems in place and coordinating with application owners to get access to telemetry and to implement security controls and monitoring. Operators and engineers are determining potential attack vectors, looking for leaks and oversharing, and trying to get a handle on third-party applications and the API tokens and credentials they hold.
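What "getting access to telemetry" and "getting a handle on third-party applications and API tokens" looks like in practice is a handful of detection rules run over the SaaS audit log. The following is an added example, not code from the original post or from any vendor; it runs three rules over a small, constructed newline-delimited JSON audit log: a non-admin user consenting to a third-party app that asks for mail or chat scopes (the "chess game that reads Slack" case), a new credential being added to an existing application (the technique used in the SolarWinds intrusion to reach cloud mailboxes), and an administrator signing in without MFA. The event schema, field names (`operation`, `actor_roles`, `scopes`, `credential_type`, `mfa`), scope names and role names are assumptions that loosely resemble Microsoft 365 and Slack audit events; map them to your provider's real export before using this.

```python
"""Triage a constructed SaaS audit log for three signals.

Added example; the schema below is an assumption, not any provider's real format.
"""
from __future__ import annotations

import json
from dataclasses import dataclass

# Assumed scope names that let an app read or send mail/messages for users.
HIGH_RISK_SCOPES = {"Mail.ReadWrite", "Mail.Send", "Files.ReadWrite.All",
                    "channels:history", "chat:write"}
# Assumed role names that we treat as administrative.
ADMIN_ROLES = {"GlobalAdmin", "ExchangeAdmin", "Owner"}


@dataclass(frozen=True)
class Finding:
    rule: str
    actor: str
    detail: str


def parse_events(raw: str) -> list[dict]:
    """Parse newline-delimited JSON. Malformed lines are skipped, not fatal:
    a log pipeline that crashes on one bad line is a log pipeline an attacker
    can silence."""
    events = []
    for line in raw.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def detect(events: list[dict]) -> list[Finding]:
    """Apply the three rules in log order and return every match."""
    findings: list[Finding] = []
    for e in events:
        op = e.get("operation")
        actor = e.get("actor", "?")
        roles = set(e.get("actor_roles", []))
        if op == "ConsentToApplication":
            # Rule 1: an ordinary user granted a third-party app mail/chat access.
            risky = set(e.get("scopes", [])) & HIGH_RISK_SCOPES
            if risky and not roles & ADMIN_ROLES:
                findings.append(Finding("third_party_app_high_risk_consent", actor,
                                        f"{e.get('app')} granted {sorted(risky)}"))
        elif op == "AddCredentialToApplication":
            # Rule 2: any new secret/certificate on an existing app is reviewed;
            # this is how attackers mint long-lived API access that survives
            # password resets.
            findings.append(Finding("app_credential_added", actor,
                                    f"new {e.get('credential_type')} on {e.get('app')}"))
        elif op == "UserLoggedIn":
            # Rule 3: an admin signed in without MFA.
            if roles & ADMIN_ROLES and not e.get("mfa", False):
                findings.append(Finding("admin_login_without_mfa", actor,
                                        f"from {e.get('ip')}"))
    return findings


# Constructed sample log: five events plus one deliberately corrupt line.
SAMPLE_LOG = """
{"time": "2020-12-14T09:02:11Z", "operation": "UserLoggedIn", "actor": "alice@example.com", "actor_roles": ["GlobalAdmin"], "mfa": true, "ip": "203.0.113.7"}
{"time": "2020-12-14T09:05:40Z", "operation": "ConsentToApplication", "actor": "bob@example.com", "actor_roles": [], "app": "Chess Buddy", "scopes": ["channels:history", "chat:write"]}
{"time": "2020-12-14T09:06:02Z", "operation": "ConsentToApplication", "actor": "carol@example.com", "actor_roles": [], "app": "Timezone Helper", "scopes": ["profile"]}
{"time": "2020-12-14T11:47:19Z", "operation": "AddCredentialToApplication", "actor": "svc-backup@example.com", "actor_roles": ["GlobalAdmin"], "app": "Mail Archiver", "credential_type": "certificate"}
{"time": "2020-12-14T11:50:03Z", "operation": "UserLoggedIn", "actor": "dave@example.com", "actor_roles": ["ExchangeAdmin"], "mfa": false, "ip": "198.51.100.23"}
this line is not JSON and must not break the run
"""


def run_sample() -> list[Finding]:
    return detect(parse_events(SAMPLE_LOG))


if __name__ == "__main__":
    for f in run_sample():
        print(f"[{f.rule}] {f.actor}: {f.detail}")
```

On the sample log this reports three findings (Bob's chess app, the certificate added to "Mail Archiver", and Dave's MFA-less admin sign-in) and ignores Alice's MFA sign-in and Carol's profile-only consent. Rule 2 fires on every credential addition on purpose: in most tenants that event is rare enough to review by hand, and an allowlist of expected automation accounts is a better tuning knob than dropping the rule.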
SaaS helped us in 2020 and will certainly play a big role, possibly even a bigger one, in 2021. We love the efficiency, speed, and user experience of SaaS; it’s time to make sure that its importance to the business is reflected in the attention it gets from security. Please consider turning on more detection rules in your SaaS applications, capturing your event logs, reducing administrative rights, and educating employees about responsible SaaS usage. And if you need help with any of that, we are here for a chat. May we put 2020 behind us, and good luck in 2021.