Attachments Don’t Have to be Scary!
By: Kathleen Moriarty
For organizations with limited resources, Software as a Service (SaaS) applications offer a powerful way to enhance security when properly designed and configured. While attachments often trigger alarm bells, the reality of secure SaaS platforms is can change this to alarm to a sense that is surprisingly reassuring.
A Professor’s Perspective: Document Security in the Cloud
As an adjunct professor, I regularly review student documents uploaded from various platforms. As I was grading papers this weekend, it got me thinking about the general view of accessing attachments. These documents might originate from home computers, work systems, or cloud-based document management applications. Students submit their work in various formats, sometimes defaulting to the application's native format or converting it for compatibility. Whatever they submit, I need to review!
Despite the potential risks associated with unknown file origins and student system security, I have an obligation to grade student submissions. This doesn’t have to be scary if critical protections are in place by the SaaS application provider and are present in the university’s instance of the platform that I am using. There are several security controls within a cloud native SaaS platform that can be leveraged. Careful review and protections from policy to implementation can make this seamless as well as drive down overall costs.
Platform Security: The course management platform should scan uploaded attachments for malware. The infrastructure is built according to industry best practices, with security designed to address threats in a zero trust architecture model, preventing attacks from spreading (lateral movement).
Browser Isolation: Even if the platform doesn't scan attachments, the document should be viewed within a web browser, which uses containerization to isolate each tab. This prevents malicious code from spreading beyond that single tab. On the user end, there are options to select a secure operating system to further reduce the chance that any code that escapes the browser container will not impact my system. For instance, no ransomware attack has been found to originate from a Chromebook, therefore using a client system that reduces your risk is a good step to take today.
SaaS Sandboxing: The SaaS application itself may sandbox the document, providing an additional layer of protection. The SaaS application may be managed across several containers, utilizing the ability to integrate micro-services at the application layer and micro segmentation at the network (in the routing overlay protocol). The points of isolation created with these controls have the ability to limit lateral movement of an attack while enabling early detection mechanisms. The application design, CI/CD pipeline controls, and security of the infrastructure have a significant impact on the overall security of the application to the user base in terms of what is provided versus what each customer needs to bolt-on for security.
Viewing attachments is for many an essential business function. Other examples when reviewing attachments is required in a job function include performing reviews as part of a standards working group, conference program committee member, or as a board member. Each of these roles and the supporting groups typically rely upon a hosted platform to share and manage documents, with the user expected to view the documents. The Internet Engineering Task Force (IETF), as an example of a standards working group, simplifies the process by using text formatted (or other format types including pdf) documents that are typically viewed through a web browser once published or through Github when in the process of being developed. The IETF generates the alternate document versions from a base XML submission to assure the security of shared documents from their platform. On program committees or boards, a content platform is used to manage access control to restricted content and can also provide a safe viewing platform for shared documents. In several of these cases, we are viewing content that has been provided by people unknown to us.
Handling Incompatible Files
Occasionally, in the course content platform, a student's document won't display correctly. In these instances, I first request a resubmission in a compatible format. If that fails, I resort to using a cloud-hosted document management platform for the review. This platform sandboxes the file, isolating its execution within a container and typically scans the file for malicious content unless there is a size constraint that is reached. And, of course, I access this platform through a secure web browser, maintaining the isolation provided.
When exchanging documents, we have many choices today with varying levels of protection built-into the solution. The intrinsic controls of an application, whether it be am email or document management system can have a significant impact on the security of your organization’s data.
SecurityBiaS works with SaaS application providers to review policies as well as control implementations, finding options to build-in security at scale as part of the platform and application. This reduces the burden on the entire customer base and simplifies security and costs using our patent pending process. It is possible to reduce the concerns on the minds of the end customer, meeting their needs to deliver products that meet their business functions without having to also manage security and IT with multiple add-on toolsets.
The Importance of a Secure Operating System
Finally, a secure operating system is crucial for minimizing the risk of harm from any downloaded files on the customer end. This is the responsibility of the user, me in the case of grading papers on a personal system, and the organization when corporate uses cases are considered. The organization should be making good decisions on behalf of their user base to ease and simplify security. You’re missing out on opportunities to keep your environment secure if you are not requiring your SaaS provider to deliver products with security built-in as a requirement. The SaaS provided capabilities should be backed with integrated security controls in your user environment such as well configured browsers that containerize browser tabs, prevent the use of mobile code (e.g. Flash, ActiveX), and take advantage of features such as Google SafeBrowsing (available on all major browsers) to block malicious content.
Don’t Miss Out: Re-evaluate Application Security!
It’s time to rethink our approach to application security. Proactive security measures, combined with the built-in security controls of well-designed SaaS platforms, can significantly reduce the risk of successful attacks and lessen the security burden on organizations.
SecurityBiaS works directly with SaaS vendors to streamline and integrate security, empowering businesses with limited resources to make informed decisions that align with their specific needs.
