AppOmni, a SaaS security provider, recently reported that 70% of the ServiceNow instances it tested contained a configuration error that left sensitive data (including personally identifiable information) accessible to unauthorized users on the Internet.
These types of errors are not limited to the ServiceNow platform. As AppOmni explained in its press release, similar types of misconfigurations are common across many SaaS platforms "due to the complexity that inevitably comes with high levels of SaaS functionality, flexibility, and extensibility."
This latest finding highlights the need for both SaaS providers and their users to increase the scrutiny given to the security of all SaaS applications. Security is not simply the SaaS provider's responsibility; robust end-to-end security requires diligence and cooperation from both parties. As the AppOmni report notes, the ServiceNow misconfigurations are not the result of a software flaw or a bug that grants access to unauthorized users. Rather, the configurations were created or approved by the users themselves and provided access to sensitive data that surely no user intended or expected to expose. Had end users undertaken a configuration assessment, for example, it is reasonable to expect that the percentage of recently discovered misconfigurations would be lower.
While the use of SaaS and other cloud-based services was prevalent well before COVID-19, businesses' increased reliance on cloud-based services during and after the pandemic has increased both the complexity of the security controls they need and the potential severity of security breaches. Accordingly, companies must build the time to properly configure their SaaS applications (and to test and periodically retest those configurations) into their project plans in order to develop an adequate security plan and reduce exposure. And, considering that most companies using SaaS resources use more than one, the time and resources a company needs to give itself a fighting chance against a data breach can grow exponentially. Nonetheless, it is simply a necessary step for SaaS users at this point.