Software-as-a-service (SaaS) applications give organizations convenience and a steady stream of feature updates without having to install and operate software on-premises. But SaaS also brings a set of security concerns that can expose an enterprise's data to attack.
An often-cited SaaS challenge is shadow IT: services and content run outside the enterprise without the knowledge of its IT department. Many IT users assume that simply encrypting their data protects them from cloud and SaaS risks. In practice, encryption at rest only protects them against compromise of the SaaS provider itself; it does nothing against compromise of an account that is authorized to read the data.
Attackers frequently target individual users or corporate accounts with phishing campaigns and other techniques in order to steal access credentials. In that case it makes no difference whether the data is encrypted: the attacker logs in as the user and the service decrypts the data for them.
SaaS users are at risk
With SaaS, the attack surface shifts from the traditional application deployment landscape to the individuals who hold access to the data. Individual users of SaaS apps also typically do not have appropriate security controls in place to minimize that risk.
For example: if we share a Google Doc with a user, Google asks the user to authenticate to Google Apps anyway. So an attacker can design a lure that looks like a legitimate document share and does lead to a real document at the end of the attack chain, but the login step in the middle is faked and captures the credentials.
Users are not aware of the attack, because at the end of the click they get the document they were expecting.
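One concrete control against the faked login step above is to check where the login link actually points before a password is typed. The following is an added example, not code from the original article: a host check that a mail gateway or browser extension could apply to the URL in a share notification. The allowlist of login domains and the sample links are assumptions made for the illustration; the check also goes beyond the Google Docs case by catching the usual lookalike tricks (a trusted name used as a prefix of an untrusted domain, a trusted name hidden in the userinfo part of the URL, and internationalized homoglyph domains).

```python
from typing import Sequence, Tuple
from urllib.parse import urlsplit

# Allowlist assumed for this example: the hosts a Google Docs share would
# legitimately send a user to. A real deployment maintains its own list.
TRUSTED_LOGIN_DOMAINS = ("accounts.google.com", "docs.google.com", "drive.google.com")


def login_link_check(url: str, trusted: Sequence[str] = TRUSTED_LOGIN_DOMAINS) -> Tuple[bool, str]:
    """Return (trusted, detail). Only the host decides: the path and the look of
    the page are fully under the attacker's control and count for nothing."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        return False, "not_https"
    if parts.username is not None or parts.password is not None:
        # https://accounts.google.com@evil.example/ : the browser goes to evil.example,
        # the trusted name is just the (ignored) user part of the URL.
        return False, "userinfo_in_url"
    host = parts.hostname or ""
    if not host.isascii() or any(label.startswith("xn--") for label in host.split(".")):
        # Internationalized host: typically a lookalike built from Cyrillic or
        # accented letters that renders like the real name.
        return False, "idn_lookalike"
    for domain in trusted:
        # Exact match or a real subdomain; the dot boundary stops
        # "notgoogle.com"-style matches.
        if host == domain or host.endswith("." + domain):
            return True, host
    # Also covers accounts.google.com.evil.example and evil.example/accounts.google.com/...
    return False, "untrusted_host:" + host


# Constructed sample links for the demonstration (not real phishing URLs).
SAMPLE_LINKS = [
    "https://docs.google.com/document/d/abc123/edit",
    "https://accounts.google.com.evil.example/signin",
    "https://accounts.google.com@evil.example/signin",
    "http://accounts.google.com/signin",
    "https://xn--ggle-0nda.com/signin",
]


def triage_links(urls: Sequence[str]) -> dict:
    """Run the check over every link pulled out of a message."""
    return {u: login_link_check(u) for u in urls}


if __name__ == "__main__":
    for link, verdict in triage_links(SAMPLE_LINKS).items():
        print(f"{verdict[0]!s:5} {verdict[1]:45} {link}")
```

The check is deliberately narrow: it only establishes that credentials are about to be entered on a host the organization trusts. It does not help when the phishing page is hosted on a legitimate service or when the user is tricked into approving an OAuth consent on the real login host; for those, phishing-resistant authentication (FIDO2 security keys) is the stronger control.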
In social masquerading, for example, attackers create a fake LinkedIn profile for the CEO of a company and then send connection requests to that company's employees. The requests require users to already be logged into the social media site, which in theory gives the attacker a route to the user's access.
Session hijacking, which does not always need to be linked to phishing, is another route to SaaS compromise. A common scenario today is session token hijacking: the attacker tricks the user into authenticating to the service the attacker is interested in, then forks the authenticated session and takes control of it. Once the token is in the attacker's hands, the service treats them exactly like the real user for the rest of the session.
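The reason a stolen token is "like the real user" is that most services check nothing about a session beyond the token itself. The following is an added example, not code from the original article, showing the server-side countermeasures a SaaS application can apply: an unguessable token, absolute and idle lifetimes, rotation after login or privilege changes, and binding the token to a fingerprint of the client it was issued to so that a replay from a different client is refused, revoked and reported. The lifetimes, the fingerprint inputs and the walk-through with a victim and an attacker are assumptions constructed for the illustration.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Limits assumed for this example: a session dies after 8 hours regardless of
# activity, or after 30 minutes without a request.
ABSOLUTE_LIFETIME = 8 * 3600
IDLE_TIMEOUT = 30 * 60


def fingerprint(client_ip: str, user_agent: str) -> str:
    """Hash of the client attributes a session is bound to; stored instead of raw values."""
    return hashlib.sha256(f"{client_ip}|{user_agent}".encode()).hexdigest()


@dataclass
class Session:
    user: str
    fp: str           # fingerprint of the client the token was issued to
    issued: float
    last_seen: float


@dataclass
class SessionStore:
    sessions: Dict[str, Session] = field(default_factory=dict)
    alerts: List[Tuple[str, str]] = field(default_factory=list)  # (user, reason) for the SOC

    def create(self, user: str, fp: str, now: Optional[float] = None) -> str:
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG: not guessable
        self.sessions[token] = Session(user, fp, now, now)
        return token

    def validate(self, token: str, fp: str, now: Optional[float] = None) -> Tuple[bool, str]:
        """Return (accepted, user_or_reason) for a request presenting `token` from client `fp`."""
        now = time.time() if now is None else now
        s = self.sessions.get(token)
        if s is None:
            return False, "unknown_token"
        if now - s.issued > ABSOLUTE_LIFETIME or now - s.last_seen > IDLE_TIMEOUT:
            del self.sessions[token]
            return False, "expired"
        if not hmac.compare_digest(s.fp, fp):
            # The same token arrives from a different client: treat it as stolen.
            # Revoke it so neither side can keep using it; the legitimate user can
            # re-authenticate, the attacker cannot.
            del self.sessions[token]
            self.alerts.append((s.user, "session token replayed from a different client"))
            return False, "fingerprint_mismatch"
        s.last_seen = now
        return True, s.user

    def rotate(self, token: str, now: Optional[float] = None) -> Optional[str]:
        """Swap the token for a fresh one after login or a privilege change,
        so a token captured earlier stops working."""
        s = self.sessions.pop(token, None)
        if s is None:
            return None
        return self.create(s.user, s.fp, now)


def hijack_scenario() -> dict:
    """Constructed walk-through: the victim logs in, the attacker replays the token."""
    store = SessionStore()
    t0 = 1_700_000_000.0
    victim_fp = fingerprint("203.0.113.10", "Mozilla/5.0 (Windows NT 10.0; rv:120.0) Firefox/120.0")
    attacker_fp = fingerprint("198.51.100.7", "python-requests/2.31.0")

    token = store.create("alice@example.com", victim_fp, t0)
    victim_ok, _ = store.validate(token, victim_fp, t0 + 60)
    attacker_ok, attacker_reason = store.validate(token, attacker_fp, t0 + 120)
    # The victim's next request fails as well: the token was revoked, not merely denied.
    victim_after_ok, victim_after_reason = store.validate(token, victim_fp, t0 + 180)
    return {
        "victim_ok": victim_ok,
        "attacker_ok": attacker_ok,
        "attacker_reason": attacker_reason,
        "victim_after_ok": victim_after_ok,
        "victim_after_reason": victim_after_reason,
        "alerts": list(store.alerts),
    }


if __name__ == "__main__":
    print(hijack_scenario())
```

The fingerprint is a heuristic, not a proof of identity: binding to the source address breaks for users who roam between networks, and a User-Agent string is trivially copied by an attacker who already has the token. It raises the bar and, more importantly, produces an alert when a token is replayed from somewhere new, which is what the security operations team needs to see.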
For SaaS attacks, prevention is better than cure, so all stakeholders need to be educated about the risk.