SaaS risks come into focus

Sometimes, security risks are hiding in plain sight

My company is pretty much all in with software as a service (SaaS). At this point, in fact, only three major applications live on our corporate network: our source code repository, bug tracking system and departmental fileshares. And most of our users don’t need those applications to get their jobs done, instead relying on another 90 or so applications, all of which live on the internet and thus are available from anywhere in the world. (There are a few exceptions, for applications that are configured to restrict access by IP address.)

We won’t be backing off from SaaS, of course. Employees love the convenience that SaaS provides, and IT has seen SaaS migration reduce operational overhead, speed up deployments, streamline integration and minimize single points of failure. Nonetheless, there are drawbacks, especially from my security point of view.

The crux of the problem is that many of our employees work remotely and do not come into any of our offices, and with SaaS applications at their disposal, they don’t need to establish a VPN connection to our network in order to do their jobs. They only need an internet connection. Left untethered to the network for long stretches of time, their PCs aren’t backed up. That’s an invitation to trouble.

This came home to me last week when I was, in fact, at home, working remotely for a couple of days to prepare a presentation for top executives on threats to the business. I included some slides about ransomware, and specifically CryptoLocker, which is currently the most widely disseminated variant. CryptoLocker encrypts files on a victim’s hard drive and demands a ransom in exchange for the decryption key. There are many countermeasures to prevent falling victim to ransomware, such as effective patch management, robust endpoint protection (antivirus) and user awareness training. But one of the most effective controls is doing regular backups of PCs.

When you have a complete backup for a PC that gets hit by CryptoLocker, you can simply re-baseline the PC and restore files from the backup. With that thought in mind as I sat in my home office (a.k.a. the kitchen table), I decided to open my Symantec Backup Exec agent to check the status of my local files. What I found was that my files were in a “pending network” status — not being backed up. The reason was simple: I hadn’t been in the office, using the corporate network, and I hadn’t connected via VPN. That’s unusual for me, but not at all for a big chunk of our workforce.

I’m not claiming that this was a particularly insightful revelation. Sometimes, though, things that should be obvious only reveal themselves to us when we’re able to focus on a particular topic that normally gets brushed aside from our thoughts in the course of day-to-day crisis management. But having finally seen this truth, I couldn’t ignore it. I had arrived at my revelation by thinking about ransomware, but it’s not the only reason that a lack of backups could mean trouble. A lost or stolen laptop or a crashed hard drive are among the other potential threats. (We use Google Docs for file collaboration, but that’s not a substitute for backups.)

And PCs that don’t talk to the network on a regular basis have other problems besides a lack of backups. New domain policies don’t get pushed to those PCs, and we use group policy to enforce configuration policies, as well as Microsoft’s System Center Configuration Management (SCCM) to manage operating system and some third-party application patching. If the PC never connects to the network, SCCM is unable to properly inventory the system or provide metrics regarding compliance. And you just can’t rely on end users to properly patch applications such as Java, Flash and other risky Adobe applications. They forget, are lazy or don’t see such patching as a high priority.

What’s more, we can’t conduct periodic security scans of PCs that don’t connect to the network. I have a weekly Tenable Nessus job configured to scan the DHCP address range of PCs assigned to our corporate network. If a PC is not on the network, I have no visibility. Worse, PCs that don’t get scanned for long periods of time and become infected or compromised are a major threat when they finally connect to the network. That’s a good way to propagate malware on the network or give a bad actor access to the corporate network or even a conduit to our production network, where our intellectual property resides.

I was back in the office the next day, and my PC was backed up and scanned soon enough. But I know that many remote workers have no need to do the same anytime soon. I talked to the head of IT, who fully agrees with my concerns. We plan to deploy a robust endpoint-protection solution that doesn’t rely on being connected to the corporate network. We’re also looking at either architecting our current environment or choosing a cloud-based solution to manage PCs and security policies regardless of where the PC is located and will evaluate what it will take to remove administrative privileges while still affording users the ability to work wherever they happen to be.

This week's journal is written by a real security manager, "Mathias Thurman," whose name and employer have been disguised for obvious reasons. Contact him at

Click here for more security articles.

Join the newsletter!


Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.
Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

By Mathias Thurman

Computerworld (US)
Show Comments

Cool Tech

Toys for Boys

Family Friendly

Stocking Stuffer

SmartLens - Clip on Phone Camera Lens Set of 3

Learn more >

Christmas Gift Guide

Click for more ›

Brand Post

Most Popular Reviews

Latest Articles


PCW Evaluation Team

Aysha Strobbe

Microsoft Office 365/HP Spectre x360

Microsoft Office continues to make a student’s life that little bit easier by offering reliable, easy to use, time-saving functionality, while continuing to develop new features that further enhance what is already a formidable collection of applications

Michael Hargreaves

Microsoft Office 365/Dell XPS 15 2-in-1

I’d recommend a Dell XPS 15 2-in-1 and the new Windows 10 to anyone who needs to get serious work done (before you kick back on your couch with your favourite Netflix show.)

Maryellen Rose George

Brother PT-P750W

It’s useful for office tasks as well as pragmatic labelling of equipment and storage – just don’t get too excited and label everything in sight!

Cathy Giles

Brother MFC-L8900CDW

The Brother MFC-L8900CDW is an absolute stand out. I struggle to fault it.

Luke Hill


I need power and lots of it. As a Front End Web developer anything less just won’t cut it which is why the MSI GT75 is an outstanding laptop for me. It’s a sleek and futuristic looking, high quality, beast that has a touch of sci-fi flare about it.

Emily Tyson

MSI GE63 Raider

If you’re looking to invest in your next work horse laptop for work or home use, you can’t go wrong with the MSI GE63.

Featured Content

Product Launch Showcase

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?