“Providers Must Urgently Reprioritize Security,” Writes Patrick Opet

Banking giant JPMorgan Chase called on software as a service providers to improve cybersecurity practices in an open letter accusing them of “quietly enabling cyberattackers.”
Corporations have little choice but to rely on SaaS, “often the only format in which software is now delivered,” wrote the global financial firm’s Chief Information Security Officer Patrick Opet.
“We stand at a critical juncture. Providers must urgently reprioritize security, placing it equal to or above launching new products,” he wrote.
Because SaaS integrates directly with internal resources, it is making obsolete traditional enterprise security measures such as network segmentation, tiering and protocol termination, Opet wrote. In practice, that integration has collapsed authorization into authentication, “effectively creating single-factor explicit trust between systems on the internet and private internal resource.” Companies aren’t always aware of the privileged access that SaaS providers gain, he said.
Compounding the risks are easily stolen authentication tokens and SaaS providers’ own set of third-party dependencies. Poised to grow the attack surface even larger are new technologies such as AI agents and advances in data management and automation, Opet said.
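As an added illustration that is not part of the article or of Opet’s letter, the following Python sketch contrasts the “collapsed” model the letter describes, in which any token that authenticates is trusted for every action, with a model that keeps authorization as a separate check on audience, scope, expiry and tenant boundary. The token format, signing key, claim names and policy table are all constructed for the demonstration and do not represent any real provider’s API.

```python
"""Constructed demonstration: authentication versus authorization for a
SaaS integration token. Not production code; the token format, the
signing key and the scope table are invented for this example."""

import base64
import hashlib
import hmac
import json
import time

# Placeholder signing key (constructed; a real deployment would use a
# managed secret or an asymmetric key pair).
SECRET = b"constructed-demo-signing-key"

# Constructed policy: which scope each action requires.
ACTION_SCOPE = {"read": "reports:read", "delete": "reports:delete"}


def _sign(body: str) -> str:
    return hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()


def mint_token(subject, tenant, audience, scopes, ttl=3600, now=None):
    """Issue a signed token carrying subject, tenant, audience, scopes, expiry."""
    now = int(time.time()) if now is None else now
    claims = {"sub": subject, "tenant": tenant, "aud": audience,
              "scp": sorted(scopes), "exp": now + ttl}
    body = base64.urlsafe_b64encode(
        json.dumps(claims, sort_keys=True).encode()).decode()
    return f"{body}.{_sign(body)}"


def authenticate(token):
    """Authentication only: is the token genuine? Returns claims or None."""
    try:
        body, sig = token.rsplit(".", 1)
    except ValueError:
        return None
    if not hmac.compare_digest(sig, _sign(body)):
        return None
    return json.loads(base64.urlsafe_b64decode(body))


def collapsed_access(token, action, resource):
    """The pattern the letter warns about: a valid token implies full access.
    The action and resource are ignored entirely."""
    return authenticate(token) is not None


def authorize(claims, action, resource, expected_aud, now=None):
    """Separate authorization step applied after authentication succeeds."""
    now = int(time.time()) if now is None else now
    if claims["exp"] <= now:                    # expired (limits stolen-token lifetime)
        return False
    if claims["aud"] != expected_aud:           # token minted for a different service
        return False
    needed = ACTION_SCOPE.get(action)
    if needed is None or needed not in claims["scp"]:   # least-privilege scope check
        return False
    # Tenant boundary: the caller may only touch its own tenant's resources.
    return resource.startswith(f"tenant/{claims['tenant']}/")


def separated_access(token, action, resource, expected_aud, now=None):
    """Authentication establishes identity; authorization decides the action."""
    claims = authenticate(token)
    return claims is not None and authorize(claims, action, resource,
                                            expected_aud, now)


if __name__ == "__main__":
    t0 = 1_700_000_000
    tok = mint_token("integration-bot", "acme", "reports-api",
                     ["reports:read"], now=t0)
    print("collapsed, delete:", collapsed_access(tok, "delete", "tenant/acme/report/1"))
    print("separated, delete:", separated_access(tok, "delete", "tenant/acme/report/1",
                                                 "reports-api", now=t0))
```

In the collapsed model a read-only token obtained by a third party is enough to delete data in any tenant, which is the “single-factor explicit trust” the letter describes; the separated model rejects the wrong action, the wrong audience, another tenant’s resource and an expired token even though the signature is valid in every case.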
Industry has responded with efforts to build in security, Opet wrote, but said that “‘Secure and resilient by design’ must go beyond slogans.”
“Today, an attack on one major SaaS or PaaS provider can immediately ripple through its customers. This fundamental shift demands our collective immediate attention.”
The warnings from Opet come in the wake of increased hacks targeting integrated IT systems. A recent report by Microsoft found that Chinese state-owned group Silk Typhoon was observed using stolen privileged access management API keys and credentials to access victims’ customer environments.
Some technological solutions, such as confidential computing and bring-your-own-cloud, can reduce the attack surface, but industries will need “sophisticated authorization methods, advanced detection capabilities and proactive measures to prevent the abuse of interconnected systems.”
The best way to effect change, Opet wrote, is to “reject these integration models without better solutions.”