Cybersecurity and cyber-attacks continue to dominate IT security and data privacy agendas. Last week Mimecast, a well-known Software as a Service (SaaS) email security and archiving company, disclosed that an attacker had compromised a Mimecast-issued certificate that approximately 10% of its customers use to authenticate Mimecast's services to their Microsoft 365 tenants. That certificate secures the connection between a customer's Microsoft 365 environment and the Mimecast platform, so the inbound and outbound email flowing over it was exposed to the attacker. It also opens up the possibility of using the compromised certificate to reach a customer's Microsoft 365 Exchange Web Services and steal data directly.
So far, Mimecast has not been able to identify what, if any, client data was viewed or taken. Under privacy laws such as GDPR and CCPA, however, this amounts to a breach, and both Mimecast and the affected clients must begin sending breach notifications promptly where the law requires it.
This breach highlights the main security issue with multi-tenant SaaS providers like Mimecast: customers share network infrastructure and resources and, in some cases, shared secrets such as the certificates used to authenticate connections to the service.
This latest cloud breach has many CISOs asking how they can take cloud platform security into their own hands.
Here are some questions we recommend you ask any vendor you’re working with or planning to work with to move or manage data in the cloud:
One way to improve your cloud security posture is to use a PaaS-based cloud platform. In a PaaS deployment, the solution runs in the customer's own dedicated infrastructure. There are no network resources and no secrets shared with other customers. In practice, the third party supplies ready-made software into a dedicated cloud tenant that belongs to the customer, and the customer layers its own additional security controls on top, instead of accepting the SaaS "shared, one size fits all" security capability.
CISOs are now starting to demand Zero Trust cloud architectures before they move sensitive data to the cloud. With a PaaS model, customer information is stored in the customer's own cloud tenancy (versus the shared tenancy of the SaaS model), so the customer can audit its own infrastructure and data. Most SaaS solutions are effectively a black box: even where the contract permits an audit, customers usually have no say in security processes such as encryption key generation, they cannot tell when the SaaS vendor's staff have accessed their data, and because the vendor holds the keys, their data can be decrypted and turned over to the government under a warrant with a non-disclosure order (which bars the provider from telling the customer that its data has been copied).
Another important security aspect is how updates are installed when the cloud platform is changed. In a SaaS solution, the vendor decides when an update happens and pushes it to all customers through a common deployment pipeline; as a SaaS customer you have no input into change management or into specific security configurations. In a PaaS model, the customer controls updates directly. Key to security during the update process is that, in addition to owning dedicated certificates and dedicated network layers, you run continuous integration/continuous deployment (CI/CD) pipelines that are specific to you, so nobody else's pipeline can push code into your tenancy.
These are just some of the measures that let you create an isolated, secure enclave. A PaaS solution with a Zero Trust security model keeps the customer in control of everything, with complete transparency.
With a PaaS cloud platform you still rely on the underlying cloud provider's infrastructure security, whether Microsoft Azure or Amazon AWS. Both providers offer strong infrastructure security; with your own tenancy, however, you can add further data security controls of your own, such as encrypting data before it is moved into the cloud and keeping the encryption keys on-premises, so that neither the provider nor anyone who obtains the stored objects can read them.
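The following Go program is an added example, not code from Archive360 or from the original post, of the control the paragraph above describes: data is encrypted field by field on-premises before anything is uploaded, using a per-record data key (DEK) that is itself wrapped under a key-encryption key (KEK) held only in an on-premises key store. Only the ciphertext and the wrapped DEK are uploaded, so the cloud side never sees a usable key. The `OnPremKeyStore` type, the `EncryptRecord`/`DecryptRecord` functions and the sample message are all constructed for this illustration (the actual Azure or AWS upload call is left out; the `CloudRecord` value is what you would upload). The program also shows two checks a practitioner wants: decryption with any other key fails, and a ciphertext that is modified or moved to another record fails authentication because the record ID and field name are bound in as GCM associated data.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// CloudRecord is all that leaves the premises: ID and Date in the clear for
// indexing, each sensitive field as ciphertext, and the per-record data key (DEK)
// wrapped under a key-encryption key (KEK) that never leaves the on-prem store.
type CloudRecord struct {
	ID, Date   string
	Fields     map[string][]byte // field name -> nonce || ciphertext || GCM tag
	WrappedDEK []byte
}

// OnPremKeyStore stands in for a key store in the customer's own data centre (assumed here).
type OnPremKeyStore struct{ kek []byte }

func NewOnPremKeyStore() *OnPremKeyStore { return &OnPremKeyStore{kek: mustRandom(32)} }

// mustRandom fails hard: without a working CSPRNG nothing below is safe.
func mustRandom(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// mustGCM panics only on a wrong key length, which is a programming error here.
func mustGCM(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	gcm, _ := cipher.NewGCM(block) // cannot fail for an AES block
	return gcm
}

// seal returns nonce || ciphertext || tag; aad binds the blob to its context.
func seal(key, plaintext, aad []byte) []byte {
	gcm := mustGCM(key)
	nonce := mustRandom(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, plaintext, aad)
}

// unseal fails on a wrong key, a modified blob, or a blob moved to another context.
func unseal(key, blob, aad []byte) ([]byte, error) {
	gcm := mustGCM(key)
	if len(blob) < gcm.NonceSize() {
		return nil, fmt.Errorf("blob too short")
	}
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], aad)
}

// EncryptRecord runs on-premises: fresh DEK per record, each field sealed with the
// record ID and field name as associated data (so a field cannot be moved to another
// record or column), then the DEK wrapped under the KEK. AES-GCM wraps the DEK here
// for brevity; a production key store would use AES-KW or an HSM-backed wrap.
func EncryptRecord(store *OnPremKeyStore, id, date string, sensitive map[string]string) CloudRecord {
	dek := mustRandom(32)
	out := CloudRecord{ID: id, Date: date, Fields: map[string][]byte{}}
	for name, value := range sensitive {
		out.Fields[name] = seal(dek, []byte(value), []byte(id+"/"+name))
	}
	out.WrappedDEK = seal(store.kek, dek, []byte("dek/"+id))
	return out
}

// DecryptRecord also runs on-premises; only a holder of the KEK can unwrap the DEK.
func DecryptRecord(store *OnPremKeyStore, c CloudRecord) (map[string]string, error) {
	dek, err := unseal(store.kek, c.WrappedDEK, []byte("dek/"+c.ID))
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK for %s: %w", c.ID, err)
	}
	fields := map[string]string{}
	for name, blob := range c.Fields {
		pt, err := unseal(dek, blob, []byte(c.ID+"/"+name))
		if err != nil {
			return nil, fmt.Errorf("field %q of %s: %w", name, c.ID, err)
		}
		fields[name] = string(pt)
	}
	return fields, nil
}

func main() {
	store := NewOnPremKeyStore()
	// Constructed sample message, not real data.
	cloud := EncryptRecord(store, "msg-0001", "2021-01-12", map[string]string{"subject": "Q4 board pack", "body": "Draft financials attached."})
	fmt.Printf("uploaded %s: body=%x... plus a wrapped DEK; no key in the clear\n", cloud.ID, cloud.Fields["body"][:8])
	back, _ := DecryptRecord(store, cloud)
	fmt.Println("on-prem read-back:", back["subject"], "/", back["body"])
	_, err := DecryptRecord(NewOnPremKeyStore(), cloud) // anyone holding only the stored objects
	fmt.Println("without the customer's KEK:", err)
}
```

Run it with `go run`. The point to take from it is the shape of the uploaded object: clear metadata for indexing, ciphertext per field, and a wrapped key that is only useful to whoever holds the KEK on-premises. Anything that needs the plaintext (search over the body, a legal-hold review) therefore has to happen where the KEK is, or under a scheme that works on ciphertext; that is the trade-off behind keeping keys out of the cloud.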
Archive360 offers a Zero Trust, PaaS-based intelligent information management and archiving platform that is installed in the customer's own Azure or AWS tenancy, giving the customer complete control and ownership of its data. With Archive2Azure running in the customer's Azure or AWS tenancy, the customer can implement additional levels of security, including fully private, isolated enclaves. Unlike the shared SaaS cloud model, the Archive2Azure platform can be part of a Zero Trust security architecture, i.e. a private, secure enclave, so that there are no shared resources, shared encryption keys or common certificates.
To reiterate: in a shared-tenancy SaaS cloud the customer cannot own the infrastructure, secrets and keys that a Zero Trust architecture requires, so Zero Trust security is not achievable there.
Additionally, Archive360 offers the Cloud Security Gateway, which encrypts all data before it is moved to the cloud, stores encryption keys on-premises, enforces access controls, and provides homomorphic and field-level encryption so that data stays protected in transit, at rest and while in use.
To stop relying on questionable third-party SaaS security practices, take security matters into your own hands with Archive2Azure from Archive360. For more information, please contact us.