SaaS risks come into focus

Sometimes, security risks are hiding in plain sight

My company is pretty much all in with software as a service (SaaS). At this point, in fact, only three major applications live on our corporate network: our source code repository, bug tracking system and departmental fileshares. And most of our users don’t need those applications to get their jobs done, instead relying on another 90 or so applications, all of which live on the internet and thus are available from anywhere in the world. (There are a few exceptions, for applications that are configured to restrict access by IP address.)

We won’t be backing off from SaaS, of course. Employees love the convenience that SaaS provides, and IT has seen SaaS migration reduce operational overhead, speed up deployments, streamline integration and minimize single points of failure. Nonetheless, there are drawbacks, especially from my security point of view.

The crux of the problem is that many of our employees work remotely and do not come into any of our offices, and with SaaS applications at their disposal, they don’t need to establish a VPN connection to our network in order to do their jobs. They only need an internet connection. Left untethered to the network for long stretches of time, their PCs aren’t backed up. That’s an invitation to trouble.

This came home to me last week when I was, in fact, at home, working remotely for a couple of days to prepare a presentation for top executives on threats to the business. I included some slides about ransomware, and specifically CryptoLocker, which is currently the most widely disseminated variant. CryptoLocker encrypts files on a victim’s hard drive and demands a ransom in exchange for the decryption key. There are many countermeasures to prevent falling victim to ransomware, such as effective patch management, robust endpoint protection (antivirus) and user awareness training. But one of the most effective controls is doing regular backups of PCs.

When you have a complete backup for a PC that gets hit by CryptoLocker, you can simply re-baseline the PC and restore files from the backup. With that thought in mind as I sat in my home office (a.k.a. the kitchen table), I decided to open my Symantec Backup Exec agent to check the status of my local files. What I found was that my files were in a “pending network” status — not being backed up. The reason was simple: I hadn’t been in the office, using the corporate network, and I hadn’t connected via VPN. That’s unusual for me, but not at all for a big chunk of our workforce.

I’m not claiming that this was a particularly insightful revelation. Sometimes, though, things that should be obvious only reveal themselves to us when we’re able to focus on a particular topic that normally gets brushed aside from our thoughts in the course of day-to-day crisis management. But having finally seen this truth, I couldn’t ignore it. I had arrived at my revelation by thinking about ransomware, but it’s not the only reason that a lack of backups could mean trouble. A lost or stolen laptop or a crashed hard drive are among the other potential threats. (We use Google Docs for file collaboration, but that’s not a substitute for backups.)

And PCs that don’t talk to the network on a regular basis have other problems besides a lack of backups. New domain policies don’t get pushed to those PCs, and we use group policy to enforce configuration policies, as well as Microsoft’s System Center Configuration Management (SCCM) to manage operating system and some third-party application patching. If the PC never connects to the network, SCCM is unable to properly inventory the system or provide metrics regarding compliance. And you just can’t rely on end users to properly patch applications such as Java, Flash and other risky Adobe applications. They forget, are lazy or don’t see such patching as a high priority.

What’s more, we can’t conduct periodic security scans of PCs that don’t connect to the network. I have a weekly Tenable Nessus job configured to scan the DHCP address range of PCs assigned to our corporate network. If a PC is not on the network, I have no visibility. Worse, PCs that don’t get scanned for long periods of time and become infected or compromised are a major threat when they finally connect to the network. That’s a good way to propagate malware on the network or give a bad actor access to the corporate network or even a conduit to our production network, where our intellectual property resides.

I was back in the office the next day, and my PC was backed up and scanned soon enough. But I know that many remote workers have no need to do the same anytime soon. I talked to the head of IT, who fully agrees with my concerns. We plan to deploy a robust endpoint-protection solution that doesn’t rely on being connected to the corporate network. We’re also looking at either architecting our current environment or choosing a cloud-based solution to manage PCs and security policies regardless of where the PC is located and will evaluate what it will take to remove administrative privileges while still affording users the ability to work wherever they happen to be.

This week's journal is written by a real security manager, "Mathias Thurman," whose name and employer have been disguised for obvious reasons. Contact him at

Click here for more security articles.

Join the PC World newsletter!

Error: Please check your email address.

Our Back to Business guide highlights the best products for you to boost your productivity at home, on the road, at the office, or in the classroom.

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

By Mathias Thurman

Computerworld (US)
Show Comments

Cool Tech

Crucial Ballistix Elite 32GB Kit (4 x 8GB) DDR4-3000 UDIMM

Learn more >

Gadgets & Things

Lexar® Professional 1000x microSDHC™/microSDXC™ UHS-II cards

Learn more >

Family Friendly

Lexar® JumpDrive® S57 USB 3.0 flash drive 

Learn more >

Stocking Stuffer

Plox Star Wars Death Star Levitating Bluetooth Speaker

Learn more >

Christmas Gift Guide

Click for more ›

Most Popular Reviews

Latest News Articles


GGG Evaluation Team

Kathy Cassidy


First impression on unpacking the Q702 test unit was the solid feel and clean, minimalist styling.

Anthony Grifoni


For work use, Microsoft Word and Excel programs pre-installed on the device are adequate for preparing short documents.

Steph Mundell


The Fujitsu LifeBook UH574 allowed for great mobility without being obnoxiously heavy or clunky. Its twelve hours of battery life did not disappoint.

Andrew Mitsi


The screen was particularly good. It is bright and visible from most angles, however heat is an issue, particularly around the Windows button on the front, and on the back where the battery housing is located.

Simon Harriott


My first impression after unboxing the Q702 is that it is a nice looking unit. Styling is somewhat minimalist but very effective. The tablet part, once detached, has a nice weight, and no buttons or switches are located in awkward or intrusive positions.

Featured Content

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?