When SaaS works and when it hurts, putting your business at Risk to save a buck - Part II
Introduction and Recap
This article is written for No-Agenda.Tech. That means you get the honest assessment with no agenda regarding products being sold, no agenda regarding technology being evangelized, and no agenda regarding companies being pushed.
In Part II of this article, we will continue to examine SaaS types and their potential impact through the eyes of Tony’s Auto Parts (TAP). Whether you are a manager or the CEO of a company, you have decisions to make about what software you use, where your data resides, and what your company is willing to pay for such services. To recap, Software as a Service (SaaS) is a software distribution model in which a provider hosts applications and makes them available to end-users over the internet. The availability comes in several common forms, but there is a spectrum of distribution models, from a provider that supplies a complete system, including all data storage, to a provider that gets reports from agents and delivers services based on the results of analysis. In Part I, we covered Full-Service SaaS solutions and the risks to your business, as well as the concept of Data Fragmentation and how it can impact your business. In Part II, we’ll move from full-service solutions to agent-based solutions and consider their impact and benefits to your business.
Agents of SaaS
An Agent-based SaaS solution is an offering where an agent is installed in your environment to perform some type of function. The agent typically phones home to the service offering system to download new information or to upload information based on findings within your environment. The agent-based solution is super common and I’m betting everyone uses it today. One example is the Windows Update system. An agent runs in the Windows Operating System and reaches out to a service provider for updates. When updates are found, it downloads them and, based on your settings, installs them. Essentially, the agent is phoning home for more information. Once the connection to home is established, the agent downloads updates and takes appropriate action.
What could possibly go wrong with an agent that phones home and downloads data into your system? Let me count the ways… Phoning home is by far the preferred method of connection. That is, the service agent initiates a connection from within your network to a known location. However, as the network owner, you have little to no control over what is being downloaded. The service provider dictates what is provided and how secure the downloaded package is.
Let’s jump back to Tony’s Auto Parts store system for another example. Tony has signed up with a company to provide custom targeted ads for his customers via the TAP website and email system. To get the service to operate, the vendor wants Tony to install an agent that tracks sales by customer ID. The agent phones home with this data and retrieves targeted ads to be injected into the website and emails. Unbeknownst to TAP and the targeted ad company, the targeted ad company got hacked. Every ad that is sent back to its users contains a snippet of code (the virus) that helps it spread and infect other systems. The code is embedded in the pictures returned when the agent phones home. Unless caught at the point of entry, the phone home agent will be infecting TAP and all of their customers.
As a side note, a deep packet inspection firewall is a common method for preventing this type of attack from spreading. Luckily, TAP installed one of these firewalls recently. It did a great job and prevented the packets from coming through to infect TAP. However, the blocked packets broke the targeted ad systems within TAP. Now, Tony and his team are scrambling to respond. They have to stop the targeted ad system until it is fixed and figure out how to put up ads in the web and email systems.
The phone home agent is the most common architecture for an agent-based solution because it does not require specific traffic allowance rules inside the firewall. The inverse of a phone home type agent is also possible. That is, a connection point in your environment is directly exposed to the internet, and the service provider connects to it to provide some value. Unless your firewall is specifying the destination IP Address, Port, and protocol, DO NOT USE a service constructed in this manner. There is no business reason to accept this level of risk. Locking down the firewall with source and destination information ensures the connection originates from the desired location. The right questions and the right design can make this type of architecture safe and usable in your business. If a vendor requires firewall changes, require the vendor to use a B2B VPN connection or find another vendor.
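The firewall requirement above can be checked mechanically. The following is an added example, not part of the original article: a small audit that flags inbound allow rules that are not pinned to a vendor source, a single destination host, a protocol, and a port. The rule format, rule names, and addresses are constructed assumptions, not any firewall product's syntax.

```python
import ipaddress

ANY = {ipaddress.ip_network("0.0.0.0/0"), ipaddress.ip_network("::/0")}


def audit_inbound_rule(rule, vendor_nets):
    """Return why an inbound allow rule is too loose; an empty list means pinned."""
    problems = []
    src = ipaddress.ip_network(rule["source"])
    dst = ipaddress.ip_network(rule["destination"])
    vendors = [ipaddress.ip_network(n) for n in vendor_nets]
    if src in ANY:
        problems.append("source is any")
    elif not any(src.version == v.version and src.subnet_of(v) for v in vendors):
        problems.append("source is not a known vendor range")
    if dst.num_addresses != 1:
        problems.append("destination is not a single host")
    if rule["protocol"] not in ("tcp", "udp"):
        problems.append("protocol is not specified")
    if not isinstance(rule["port"], int):
        problems.append("port is not specified")
    return problems


def audit_ruleset(rules, vendor_nets):
    """Map each failing rule name to its list of problems."""
    report = {}
    for rule in rules:
        problems = audit_inbound_rule(rule, vendor_nets)
        if problems:
            report[rule["name"]] = problems
    return report


# Constructed sample rules; addresses come from documentation and private ranges.
VENDOR_NETS = ["203.0.113.0/28"]
RULES = [
    {"name": "ads-vendor-pinned", "source": "203.0.113.4/32",
     "destination": "10.0.5.20/32", "protocol": "tcp", "port": 8443},
    {"name": "ads-vendor-open", "source": "0.0.0.0/0",
     "destination": "10.0.5.0/24", "protocol": "any", "port": "any"},
    {"name": "unknown-source", "source": "198.51.100.7/32",
     "destination": "10.0.5.20/32", "protocol": "tcp", "port": 8443},
]

if __name__ == "__main__":
    for name, problems in audit_ruleset(RULES, VENDOR_NETS).items():
        print(name, "->", "; ".join(problems))
```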
Function as a Service (FaaS)
In Part I, we defined a Full-Service SaaS as containing all the information needed to perform the service. Full-Service SaaS solutions usually provide a web page for an interface. As the data used in the service is moved from the provider to the customer, we see agents being deployed to assist in the connection. The smallest version of SaaS just provides a function. While this is still SaaS, it is typically delivered via an Application Programming Interface (API) rather than a web page interface. The vendor likely provides a web page for reporting, but the business logic uses the API to exercise the service offering.
Let’s take a look at some examples of how a function-as-a-service type of SaaS may play a part in your daily life. One FaaS type solution that I can almost guarantee everyone has seen is an Open Authorization solution, or OAuth for short. You might know this as Login with Google, Microsoft, Amazon, Facebook, or some other service when you are not logging into these particular sites at all. In this case, you are using FaaS. The website you are logging into is using an API to validate the authorization from these providers to provide access to their website.
Tony is looking at using a Function as a Service API for his stores. The vendor says that they have a really slick Generative AI solution that can dramatically increase Tony’s store sales. All he has to do is provide customer purchase information through an API call. The service will provide suggestions based on customer profiles, demographics, and past purchases that have been provided to the service as a bulk upload. The API call integrates directly into TAP’s point of sale (POS) solution and provides the associate with instant recommendations for add-on items. While Tony is a bit leery of the claims, he needs to use every advantage to keep up with his competition. As you might remember from Part I, TAP has expanded to 20 stores with a distribution center, so this could be a game changer for Tony and TAP.
What could go wrong?
Tony gives the go-ahead. The system is integrated and works well. It meets most of the company’s claims, seems to be providing good recommendations, and TAP sales are up. Early one morning just a few days before Christmas, all of the POS systems seem to lock up or freeze. No one can figure out what is going on. All 20 stores are suddenly halted from doing any business at one of the busiest times of the year. It turns out that the vendor used for the recommendations got hijacked by ransomware. The Generative AI solution is not responding with recommendations. One call to a vendor took out all 20 stores and the e-commerce solution in less than 10 seconds. Since there was no easy way to disconnect the vendor’s solution, the situation took days to resolve. The e-commerce site was down the whole time. The stores operated on paper. TAP has a lot of mad customers and a lot of lost business.
We don’t know how the ransomware got injected into the vendor’s system, so we can’t just blame the issue on a lack of due diligence by TAP. The vendor’s security measures could have been lax, or an individual could have fallen prey to it. Did the security analysis include questions about phishing training? The security analysis is a topic for another article. For now, it happened, so let’s move on.
How can it be used safely?
There are key issues with TAP using the vendor’s generative AI system from a business risk perspective. First, the integration occurred in a critical path of a revenue generation stream. This indicates a high-risk use of FaaS. Significantly more due diligence is always required in these situations. Second, the failure took down all stores and the e-commerce solution. The second issue should have been mitigated as a risk reduction for the first issue. Anytime there is a high-risk integration that can stop revenue generation, have a way to bypass that item or step in the process. If TAP had a configuration switch in their software to turn off the AI recommendations, they could have pushed a new configuration to all stores and the e-commerce site, putting them back online in minutes.
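One way to build the bypass described above, as an added example that is not from the original article or any real POS product. It goes one step beyond the manual switch by adding a timeout and an automatic trip after repeated failures; `RecommendationGuard`, `checkout`, and the vendor call are hypothetical names.

```python
import time
from concurrent.futures import ThreadPoolExecutor


class RecommendationGuard:
    """Wraps an optional vendor call so checkout never waits on it."""

    def __init__(self, vendor_call, enabled=True, timeout_s=0.5,
                 max_failures=3, cooldown_s=60.0):
        self.vendor_call = vendor_call    # hypothetical vendor API client
        self.enabled = enabled            # the pushed configuration switch
        self.timeout_s = timeout_s        # longest checkout will wait
        self.max_failures = max_failures  # consecutive failures before tripping
        self.cooldown_s = cooldown_s      # how long to skip the vendor afterwards
        self.failures = 0
        self.skip_until = 0.0
        # More workers than max_failures, so hung calls cannot exhaust the pool
        # before the breaker trips.
        self.pool = ThreadPoolExecutor(max_workers=max_failures + 1)

    def recommend(self, basket):
        """Return vendor suggestions, or [] whenever the vendor is off or unhealthy."""
        if not self.enabled or time.monotonic() < self.skip_until:
            return []
        future = self.pool.submit(self.vendor_call, basket)
        try:
            suggestions = future.result(timeout=self.timeout_s)
        except Exception:  # timeout, connection error, malformed response
            self.failures += 1
            if self.failures >= self.max_failures:
                self.skip_until = time.monotonic() + self.cooldown_s
                self.failures = 0
            return []
        self.failures = 0
        return suggestions


def checkout(basket, guard):
    """Total the sale; suggestions are a best-effort extra, never a dependency."""
    total = sum(price for _item, price in basket)
    return {"total": total, "suggestions": guard.recommend(basket)}


if __name__ == "__main__":
    # Constructed basket and a stand-in vendor that hangs, as in the TAP outage.
    basket = [("motor oil", 30.0), ("air filter", 12.5)]
    hung = RecommendationGuard(lambda b: time.sleep(0.3), timeout_s=0.05)
    print(checkout(basket, hung))  # sale completes with no suggestions
```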
When SaaS goes wrong
Every company, no matter how secure, is fighting to keep the hackers at bay. Companies large and small have the same fight. Most use the same tools to prevent issues. Good companies design for it, train for it, and have plans in place to quickly remediate attacks when they get penetrated. Search for the 10 largest hacks in 2024. The companies will all be well-known name brands. There are too many to count. Watch for a future article on building secure systems coming soon at No-Agenda.tech. A TechCrunch article, “The biggest data breaches in 2024: 1 billion stolen records and rising,” shows AT&T, UnitedHealth Group, the UK Hospital System, Ticketmaster, and more have all been breached, so don’t think it will not happen. It is just a matter of time before someone makes a mistake or some vulnerability is found. One recent example of a FaaS system that has had an issue is Polyfill.io. Polyfill.io is used to help older browsers perform with modern functionality by making JavaScript calls to the service. The polyfill.io service is used by hundreds of thousands of sites to allow all visitors to use the same codebase, even if their browsers do not support the same modern features as newer ones.
What you really have to consider
When one wants to consider using SaaS in any form, there are many aspects that should be investigated and addressed before jumping into the undertaking. While Service Level Agreements (SLA) are a good way to manage availability metrics, they will do little to nothing to protect the business from loss when the service is just not available. Better than an SLA is using a well-designed solution that keeps SaaS out of critical revenue paths and has bypass switches when it is in the critical revenue path. After considering the criticality of execution, the next thing to consider is where the data is located. Is data being fragmented across SaaS vendors and the organization? Data fragmentation will prevent the calculation and application of higher-order analytical functions. The question to ask, or get answered, is: will this SaaS hold data that is critical to our organization? And, if the SaaS vendor goes away or has an outage, what happens to the revenue stream and the data contained in the SaaS?
Conclusion
As we have seen through TAP, SaaS can be a powerful tool. Whether using a Full-Service SaaS or an Agent-based solution, SaaS can provide your company with significant benefits. At the same time, one must consider the business risks being incurred while using a SaaS offering. A company should examine the risks and options for each situation. Overreliance on SaaS can put your business or operation in jeopardy.
Thank you for reading Part II of this article series. In our next article, we will be exploring how to secure your business from the firewall to the desk. The article includes software architecture concepts required for operating securely within your business. Comments are always welcome. Post your comments, questions, problems, and suggestions at No-Agenda.Tech.