News

Cambridge Analytica for Corporate SaaS?

1216

This post was originally published here by Nat Kausik.

Cambridge Analytica was able to extract the personal information of zillions of Facebook users via Facebook’s well-provisioned API, in broad daylight. Is similar extraction possible for corporate SaaS apps?

Yes, of course.

For years, Facebook provided a sophisticated API for connected apps to extract information stored in Facebook. No matter Facebook fortified its data-centers and servers with the best and latest security technology. The APIs existed to broaden the app eco-system, so as to make Facebook’s tentacles reach as far as possible. The more apps that connected to Facebook via the ubiquitous “login with Facebook” buttons, the faster Facebook spread across the globe, and the more difficult it became for users to disconnect. Facebook was unable, or more likely unwilling, to police these apps to ensure they were not used for nefarious purposes.

A similar situation exists for corporate SaaS apps. Enterprises have lots of sensitive data stored in these apps. The apps provide APIs for other apps to connect. Indeed some apps have built very rich ecosystems around their “platforms,” i.e. they want customers to connect as many apps as possible so that it is difficult to get out.

Does the SaaS app encrypting your data make you safe? Not! Some apps encrypt your data for free. Others charge for encryption. But in either case, the API obediently decrypts data prior to access by connected apps. And of course, the connected apps may store copies of your data unencrypted, defeating the purpose of encryption in the first place.

In brief, you can be certain that there is a “Cambridge Analytica” for corporate SaaS. And the more apps in the eco-system of the SaaS apps, the more likely there are nefarious, or at least negligent apps, connected to your data. Paying the SaaS vendor to encrypt your data does nothing to protect you.

If your data is valuable, CASB encryption is the way to go. Encrypt your most important data so that you and only you can decrypt it. APIs and connected apps have access to the cipher-text. Sure, your SaaS vendor will tell you this is a bad thing. Bad for whom, you or them?

Photo:HBS Digital Initiative – Harvard Business School

Ransomware Attacks Shake Automotive and Beverage Industries

Ransomware testing being done on developing countries

Understanding and Responding to Distributed Denial-of-Service Attacks

Overcoming security alert fatigue

Cambridge Analytica for Corporate SaaS?

No posts to display

NEW REPORTS

2024 Application Security Report [Fortinet]

2024 Security Service Edge Report [HPE]

2024 VPN Risk Report [HPE]

2024 Insider Threat Report [Securonix]

Block title

EDITOR PICKS

Understanding and Responding to Distributed Denial-of-Service Attacks

Overcoming security alert fatigue

Four ways to make yourself a harder target for cybercriminals

POPULAR POSTS

List of Countries which are most vulnerable to Cyber Attacks

Top 5 Cloud Security related Data Breaches!

Top 5 PCI Compliance Mistakes and How to Avoid Them

RECENT POSTS

Facebook end to end encryption a Boon or a Bane

Ransomware Attacks Shake Automotive and Beverage Industries

Ransomware testing being done on developing countries