The massive Distributed Denial of Service (DDoS) attack on Oct. 21 has some nervous cloud computing customers worried about the changing threat landscape and asking questions of their enterprise software-as-a-service (SaaS) providers.
The wide-ranging incident involved multiple DDoS waves and targeted systems operated by Domain Name System provider Dyn. It affected major Internet platforms, services, and websites, including Twitter, Amazon, Reddit, AirBnB, Comcast, Spotify, and CNN. It was a new breed of attack: instead of using a traditional botnet of compromised computers, the attackers used a botnet of connected devices, such as smart refrigerators, smart thermostats, printers, baby monitors, and other types of devices. This type of attack is harder to defend against, because the pool of Internet-connected devices that can be conscripted into such a botnet is larger than ever.
In the wake of what some have called the biggest DDoS attack ever, SaaS providers to businesses have been quick to reassure customers that they are dedicating adequate resources and a variety of countermeasures to protect against such attacks, or mitigate them.
A Growing Risk
For some perspective on how software companies are responding to the threats, Microsoft said last year that it spends more than $1 billion a year on security research and development, which the company calls a “holistic” approach to security. A Microsoft executive recently quipped that his company is “the biggest security company you’ve never heard of.”
In a blog post, Bret Arsenault, Microsoft’s chief information security officer, summed up the ever-growing security landscape in a connected world:
“In our mobile-first, cloud-first world, employees work on corporate applications and access sensitive data from on-premises and cloud-based systems using every type of device from laptops to BYO devices to IoT sensors. While there is an immense opportunity for enterprises and individuals to derive personal and professional value from today’s connected technologies, there is a corresponding growth in risk as people increase their exposure to cyber security threats.”
Intacct, which was not affected by the recent DDoS attack, is one of many enterprise SaaS providers that are addressing security issues with a variety of methods and recommended best practices, which the company detailed at its Advantage user conference in October. Intacct’s security measures include the following: global content delivery networks with redundant providers; two-factor authentication; increased password complexity; corporate single sign-on; reporting for user permissions; IP address whitelisting; Palo Alto Networks firewalls for enhanced protection and monitoring; and expanded automation for security testing.
Wide Range of Capabilities
A conversation with another enterprise cloud provider, Kenandy, revealed the type of steps that these companies are taking. Kenandy, which also was not affected by the recent DDoS attack, has a wide range of capabilities targeted at ensuring the security of its cloud applications, said Rod Butters, chief technology officer of Kenandy.
First, as a Salesforce AppExchange partner, Kenandy takes advantage of a number of security measures that are part of the Salesforce platform, including two-factor authentication, increased password complexity, IP address whitelisting, and redundant network providers. The Salesforce platform also offers support for corporate single sign-on via SAML and other standards.
“Kenandy additionally subjects our software to a range of automated security scans in addition to developer code review to identify any potential vulnerabilities,” Butters said.
An example of the type of vulnerability that Kenandy scans for is cross-site scripting (XSS), which sometimes can be found in web applications. The company conducts these scans on each release of its software and completes an annual security review of its software with Salesforce, which is one of the requirements for AppExchange partners. (Salesforce has an extensive amount of information on designing, developing, testing, and deploying secure applications on the Salesforce App Cloud.)
Lastly, Kenandy “takes seriously the controls and safeguards of our operating environment,” Butters said. To ensure that the company has the proper policies and procedures in place, Kenandy has completed a SOC 2 Type II audit conducted by a consulting firm that provides tax, risk management, transaction, and private client services.
Due Diligence is Always a Good Idea
Most other enterprise SaaS providers have deployed security capabilities similar to those of Intacct and Kenandy. In many cases, the level of security offered by SaaS providers goes far beyond what most internal IT organizations can provide, as illustrated by high-profile security breaches at Target, Sony Pictures, and others. In fact, concerning the threat of DDoS attacks specifically, cloud providers can deploy network countermeasures that are generally beyond the reach of most individual organizations for their own internal systems.
SaaS buyers, therefore, should exercise due diligence in checking out the security capabilities of prospective providers, and at the same time, ensure that their own IT organizations are doing their part in best security practices. Here are just a few:
- Keep all applications up-to-date. Apply available patches for operating systems and applications such as browsers, plugins, and desktop apps. Centralize maintenance of desktop instances, and do not leave this vital step up to individual employees. Desktop virtualization can ease the burden.
- Keep your systems properly configured and disable unnecessary services. Properly configured systems and servers add additional layers of defense.
- Enforce strong passwords. The use of strong passwords can slow or defeat various attack methods. Also discourage the reuse of passwords, and encourage the use of password managers.
- Use two-factor authentication. This is an important extra layer of security that requires not only a username and password but also a second factor, for example a security code sent to a mobile device in the employee’s possession. Single sign-on systems that include access to SaaS applications can ease the burden by allowing a user to sign on once and have access to all systems that the user is authorized for.
- Conduct periodic assessments of software security processes. Tools offered by OWASP (Open Web Application Security Project), including its Software Assurance Maturity Model, can help with these assessments.
- Finally, all organizations should bring in a third party to audit the organization’s security measures, both technical and procedural. External audits assess the company’s network, website, and any connected devices in the company. They can help organizations decide what security measures they need to take to protect the organization. For organizations that accept credit cards, a Payment Card Industry (PCI) audit is an example; its findings will not only mitigate the risk of credit card data loss but often uncover weaknesses in the organization’s systems in general.
Think of these steps as the basics, because ensuring security requires a constantly evolving set of best practices. A management commitment to security, along with security policies that are routinely audited and enforced, is the best approach in the brave new world of evolving threats.