December 3, 2021

Last Updated on January 4, 2024

There’s no shortage of data showing that far more cloud data breaches come from misconfigurations and other “user errors” than from lapsed vendor security. But even when the customer makes the mistake, the finger of blame often ends up pointing at the SaaS provider.

On a recent episode of The Virtual CISO Podcast featuring Mark Richman, Principal Product Manager at iManage, host John Verry speculates that due to this misplaced blame and potential reputational repercussions, SaaS customers could pose a bigger business risk to SaaS vendors than vice versa.

Could that really be true? Or do SaaS vendors need to take even more responsibility for helping clients avoid all those mistakes?

“Our DMS got hacked!”

John paints the picture of a typical disgruntled customer: “A breach happens and people right away blame the cloud service provider. ‘Oh, we shouldn’t do business with iManage anymore. Our DMS got hacked!’ No, it didn’t. Your directory got hacked or somebody was phished in your environment because you weren’t paying attention to your Threat Manager alerts.”

“I think that’s accurate,” Mark replies. “We can take all the preventative measures that we can. But in that shared responsibility world, it takes two to tango. If somebody’s not holding up their end, there’s only so much that we can do.”

Cloud is still more secure

Even with all the negative press about cloud data breaches, SaaS deployments are still arguably more secure overall than most on-premises environments.

“We talked about Zero Trust and assuming that the bad guys are already present,” notes Mark. “We’ve also made extensive investments in more modern technologies like containerization. When we’re utilizing containers instead of legacy hosts, we can ensure that these services don’t have administrative accounts on them. So, there’s no way to SSH into these services or things of that nature.”

“It’s very time-consuming and expensive for an on-prem customer to be able to invest in these kinds of things extensively,” adds Mark. “But this kind of stuff is our bread and butter—it’s what we do every day. So, I feel very strongly and very confident that our customers’ data is the safest in the iManage cloud.”
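The property Mark describes above (services running in containers with no administrative account and no way to SSH in) is one a customer can verify for themselves rather than take on trust. The check below is an added example, not iManage's code or anything from the podcast: it applies that policy to the `Config` block that `docker inspect <image>` prints (keys `User`, `ExposedPorts`, `Entrypoint`, `Cmd`), flagging images that run as root, expose port 22, or start an SSH daemon. The two sample configs are constructed for illustration; the exact key names are assumed to match Docker's inspect output.

```python
"""Policy check for container image configs: no root user, no SSH.

Added example, not iManage's or the podcast's code. It reads the kind of
`Config` block that `docker inspect <image>` prints (keys such as User,
ExposedPorts, Entrypoint, Cmd); the sample configs below are constructed.
"""
from __future__ import annotations

import json
import shlex

# Values of the User field that mean "root": unset, the name, or uid 0.
ROOT_USERS = {"", "root", "0"}
SSH_PORTS = {"22/tcp"}


def _as_words(value) -> list[str]:
    """Normalise Entrypoint/Cmd (JSON list, shell string, or None) to tokens."""
    if value is None:
        return []
    if isinstance(value, str):
        return shlex.split(value)
    return [str(v) for v in value]


def check_container_config(config: dict) -> list[str]:
    """Return a list of policy findings; an empty list means the image passes."""
    findings: list[str] = []

    # User may be "name", "uid", "name:group" or "uid:gid"; only the user part matters.
    user = str(config.get("User") or "").strip()
    user_part = user.split(":", 1)[0]
    if user_part in ROOT_USERS:
        findings.append(f"runs as root (User={user!r}); set a non-root USER")

    exposed = set((config.get("ExposedPorts") or {}).keys())
    bad_ports = sorted(exposed & SSH_PORTS)
    if bad_ports:
        findings.append(f"exposes SSH port(s) {bad_ports}; drop EXPOSE 22")

    # An sshd launched from the entrypoint or command is an admin back door.
    words = _as_words(config.get("Entrypoint")) + _as_words(config.get("Cmd"))
    if any("sshd" in w for w in words):
        findings.append("starts an SSH daemon in Entrypoint/Cmd; remove sshd")

    return findings


def check_inspect_output(text: str) -> dict[str, list[str]]:
    """Run the policy over raw `docker inspect` JSON (a list of image objects)."""
    results: dict[str, list[str]] = {}
    for i, obj in enumerate(json.loads(text)):
        image_id = obj.get("Id", f"image-{i}")
        results[image_id] = check_container_config(obj.get("Config") or {})
    return results


# Constructed sample: a "legacy host in a container" image that would fail.
LEGACY_HOST_STYLE = {
    "User": "",
    "ExposedPorts": {"22/tcp": {}, "8080/tcp": {}},
    "Entrypoint": ["/bin/sh", "-c"],
    "Cmd": ["/usr/sbin/sshd -D & exec /app/server"],
}

# Constructed sample: the shape Mark describes, non-root and no SSH.
HARDENED = {
    "User": "10001:10001",
    "ExposedPorts": {"8080/tcp": {}},
    "Entrypoint": ["/app/server"],
    "Cmd": None,
}


if __name__ == "__main__":
    for name, cfg in (("legacy-style", LEGACY_HOST_STYLE), ("hardened", HARDENED)):
        findings = check_container_config(cfg)
        print(f"{name}: {'PASS' if not findings else 'FAIL'}")
        for f in findings:
            print(f"  - {f}")
```

To run it against real images, pipe `docker inspect` into `check_inspect_output`; a non-empty finding list for a production image is the kind of gap the shared-responsibility model expects the customer to notice, not the provider.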

Leveraging DevSecOps

When a development organization can use infrastructure as code and continuous integration/continuous deployment (CI/CD) to deploy new builds at a rapid cadence, conventional in-place patching and configuration management become obsolete: fixes ship by rebuilding and redeploying rather than by hand-maintaining long-lived hosts.

“Maintaining that level of security posture in a non-DevSecOps world is virtually impossible,” John stresses.

“We’re at the point where we have a geo-distributed cloud with data centers all around the world, and we can literally push a button and stand up and configure a brand-new data center in a matter of hours, with all the services deployed, really anywhere that Azure has a footprint,” Mark relates. “That’s what customers should be looking for in a modern cloud provider today.”

What’s Next?

To get the complete picture of what modern SaaS security can look like, you can hear the whole show with Mark Richman from iManage here: LINK

Wondering what you should be most worried about, security-wise, with your SaaS apps? We suggest this post on the subject: https://pivotpointsecurity.com/blog/security-gotchas-in-saas-production-applications/

TPRM for SMBs guide

Through our 17 years of experience, we've collected these 5 fast-track best practices for implementing a vendor risk management program as a small- to medium-size business (SMB).
Download our free TPRM PDF guide now!