CIO POV: Closing the trust gap in SaaS security

June 4, 2025 Omer Grossman

“The modern ‘software as a service’ (SaaS) delivery model is quietly enabling cyber attackers and—as its adoption grows—is creating a substantial vulnerability that is weakening the global economic system.”

These are the words of JPMorgan Chase CISO Patrick Opet in an open letter to third-party suppliers that has gone viral, at least in the cybersecurity world, and sparked a broader conversation about building trust in cyberspace. If you’ve been following my blog, you know I often write about trust in the digital age from a practitioner’s perspective—so this open letter really struck a chord with me.

In the letter, Opet criticizes the state of the software supply chain, with SaaS as the “default” delivery model, by emphasizing three points:

1. Software providers must prioritize security over rushing features. Comprehensive security should be built in or enabled by default.
2. The security architecture supporting SaaS integration—particularly as it relates to authentication (to verify identities) and authorization (to grant permissions)—must be modernized.
3. We need greater industry collaboration to prevent the abuse of interconnected systems.

Opet calls for greater accountability and transparency from third-party vendors and “secure and resilient by design” models that go “beyond slogans.” In doing so, he captures the frustration many SaaS customers feel today—that some aspect of third-party trust is broken.

The trust gap in cyberspace

The SaaS model—underpinned by a relatively small group of cloud service providers (CSPs)—is essential to modern innovation. It allows us to focus on our companies’ missions rather than on supporting infrastructure. Now, anyone with an idea can launch a startup with a laptop, an internet connection and an AWS account. While the SaaS model enables unprecedented speed, scale and convenience, it also requires sensitive data to flow beyond an organization’s “perimeter,” and inherent trust in the third parties interacting with that data. A concentration of this trust can create single, significant points of failure. Opet writes, “Today, an attack on one major SaaS or PaaS provider can immediately ripple through its customers.”

In too many cases, this ripple effect can be traced back to service-to-service integration patterns that use non-human identity protocols, such as OAuth tokens and API keys, to connect third-party services to organizations’ sensitive internal resources. These non-human identities frequently possess powerful access yet lack the standard protections afforded to human identities, such as multi-factor authentication (MFA), rotation, and monitoring. If compromised, attackers can use these identities (often for lengthy periods without being noticed) to access confidential data and systems.
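The gaps described above (no rotation, no monitoring, long-lived powerful access) can be checked against an identity inventory. The following review script is an added illustration, not code from the post or from CyberArk; the inventory, the 90-day rotation limit, the 30-day dormancy window and the set of "powerful" scopes are all assumed policy values.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

ROTATION_MAX_DAYS = 90                                  # assumed policy: rotate at least every 90 days
DORMANT_DAYS = 30                                       # assumed policy: unused for 30 days is dormant
POWERFUL_SCOPES = {"admin", "write:all", "read:all"}    # assumed set of high-impact scopes


@dataclass
class NonHumanIdentity:
    name: str
    kind: str                 # "api_key" or "oauth_token"
    last_rotated: datetime
    last_used: datetime
    scopes: set
    monitored: bool           # True if usage is logged and alerted on


def review(identities, now):
    """Return {name: [finding, ...]} for identities that lack the protections the post
    names (rotation, monitoring) or that keep powerful access alive while unused."""
    findings = {}
    for ident in identities:
        issues = []
        if now - ident.last_rotated > timedelta(days=ROTATION_MAX_DAYS):
            issues.append("rotation overdue")
        powerful = ident.scopes & POWERFUL_SCOPES
        if powerful and not ident.monitored:
            issues.append("powerful scopes without monitoring: " + ", ".join(sorted(powerful)))
        if now - ident.last_used > timedelta(days=DORMANT_DAYS):
            issues.append("dormant but still valid")
        if issues:
            findings[ident.name] = issues
    return findings


# Constructed sample inventory for the demonstration (no real credentials or systems)
NOW = datetime(2025, 6, 4, tzinfo=timezone.utc)
SAMPLE = [
    NonHumanIdentity("crm-sync", "oauth_token", NOW - timedelta(days=400),
                     NOW - timedelta(days=1), {"read:all", "write:all"}, False),
    NonHumanIdentity("ci-deploy", "api_key", NOW - timedelta(days=10),
                     NOW - timedelta(days=2), {"deploy"}, True),
    NonHumanIdentity("old-report-bot", "api_key", NOW - timedelta(days=20),
                     NOW - timedelta(days=95), {"read:all"}, True),
]

if __name__ == "__main__":
    for name, issues in review(SAMPLE, NOW).items():
        print(name, "->", "; ".join(issues))
```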

Over the last year, the world has witnessed some major “black swan” events, including the far-reaching Snowflake customer breaches and the global CrowdStrike outage, which show the inherent dangers of today’s highly interdependent digital ecosystems. These incidents—and now Opet’s call for change—have brought the software supply chain conversation to the forefront. They are driving regulatory change and pushing federal agencies to tighten their governance. Most importantly, they are shifting the narrative to encompass both security and resilience to bridge the trust gap.

SaaS is here to stay, so we need a practical path forward

In his call to action, Opet describes ways organizations can take back some control of their data, such as customer self-hosting and Bring Your Own Cloud (BYOC). While these are viable solutions for some enterprises with significant resources, most will continue to rely heavily on cloud-based SaaS services to innovate with speed, scale, and efficiency. Consider that the global SaaS market is expected to grow to $1.23 trillion by 2032.

CISOs and security leaders seeking to improve the security posture of their organizations, while contributing to the health of the broader software supply chain ecosystem, can focus on these three practical steps today:

1. Partner with extreme care, scrutinizing and selecting vendors that can demonstrate their ability to uphold service availability requirements, secure environments, and protect data. Get comfortable asking vendors hard questions—such as how they’re using AI to improve product security, whether they offer privacy-related opt-out options, what identity security mechanisms employees are required to use to access customer data, how machine identities (including AI and automation) are managed and secured, and what incident response protocols are in place—and reevaluate them regularly.

In turn, SaaS vendors must hold themselves to the highest security and resiliency standards, paradoxically embracing Zero Trust to build and maintain trust. Further, they must give customers “the benefit of secure by default configurations, transparency to risks and management of the controls they need to operate safely within a SaaS delivery model,” to echo Opet’s words.

2. Strengthen internal operational resilience, assuming that you or a SaaS or third-party vendor will be breached at some point. In other words, prepare continuously for your worst day: evaluate disaster recovery and business continuity plans, run and stress-test playbooks, and bring backups online to see if you’re prepared to function with limited digital capacity in the event of an attack or outage.

Methodologies such as the Solution Hygiene Framework can help guide these efforts by incorporating internal learnings, evolving regulations and phased system updates, along with vendor validation best practices.

3. Reduce the attack surface as much as possible. Despite all their due diligence and efforts, organizations cannot fully enforce the security of every third party they depend on. So, it’s up to you to employ an independent capability to maximize risk reduction—and minimize the blast radius—for when all else fails.

The ideal state for this is a zero standing privileges (ZSP) model for identity security. ZSP completely deletes all permissions associated with any user when not in use but can dynamically provision just-in-time (JIT) permissions for users based on circumstance and real-time risk.

For example, when an authorized employee logs into Salesforce, they are automatically granted the appropriate permissions on the spot. When their task is complete, those permissions are deleted so they can’t be reused without proper authentication. So even if an attacker gains access (directly or indirectly through a third party), they have no entitlements to read, edit or download, nor access to any resource or service. Additionally, a ZSP system removes the possibility of lateral movement and enforces rules against risky embedded credentials.
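The Salesforce scenario above, modelled as a small zero-standing-privileges broker. This is an added example written for this page, not CyberArk code or a description of any product; the 30-minute grant lifetime, the risk threshold, and the user, resource and action names are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import itertools

MAX_RISK = 50                       # assumed: requests scored above this are refused
MAX_TTL = timedelta(minutes=30)     # assumed: hard cap on how long a JIT grant lives


@dataclass
class Grant:
    user: str
    resource: str
    actions: frozenset
    expires: datetime


class ZspBroker:
    """Toy ZSP broker: nobody holds entitlements at rest. Access exists only as a
    short-lived grant created on demand and deleted on release or expiry."""

    def __init__(self):
        self._grants = {}           # grant_id -> Grant
        self._ids = itertools.count(1)

    def request(self, user, resource, actions, risk_score, now):
        """Provision a JIT grant if real-time risk is acceptable; return its id or None."""
        if risk_score > MAX_RISK:
            return None
        gid = next(self._ids)
        self._grants[gid] = Grant(user, resource, frozenset(actions), now + MAX_TTL)
        return gid

    def is_allowed(self, user, resource, action, now):
        """True only while a live grant covers this exact user, resource and action."""
        for gid in [g for g, gr in self._grants.items() if gr.expires <= now]:
            del self._grants[gid]           # expired grants are removed, not just ignored
        return any(g.user == user and g.resource == resource and action in g.actions
                   for g in self._grants.values())

    def release(self, gid):
        """Task complete: delete the grant so it cannot be reused."""
        self._grants.pop(gid, None)


def salesforce_walkthrough():
    """Employee gets edit rights on login, loses them when done; a replayed session or a
    high-risk request gets nothing (constructed scenario, not a real integration)."""
    b, t0, r = ZspBroker(), datetime(2025, 6, 4, 9, 0, tzinfo=timezone.utc), {}
    r["before_login"] = b.is_allowed("alice", "salesforce", "edit", t0)
    gid = b.request("alice", "salesforce", {"read", "edit"}, risk_score=10, now=t0)
    r["during_task"] = b.is_allowed("alice", "salesforce", "edit", t0 + timedelta(minutes=5))
    r["download_not_granted"] = b.is_allowed("alice", "salesforce", "download", t0 + timedelta(minutes=5))
    b.release(gid)
    r["after_release"] = b.is_allowed("alice", "salesforce", "edit", t0 + timedelta(minutes=6))
    b.request("alice", "salesforce", {"edit"}, risk_score=10, now=t0)
    r["expired_unreleased"] = b.is_allowed("alice", "salesforce", "edit", t0 + MAX_TTL)
    r["high_risk_denied"] = b.request("alice", "salesforce", {"edit"}, risk_score=90, now=t0) is None
    return r
```

Run `salesforce_walkthrough()` to see each stage; only the `during_task` check grants access.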

To do this successfully, organizations need a modernized way to gain visibility and orchestrate ZSP at scale across cloud and SaaS applications. This is where modern identity governance and administration (IGA) becomes critical.

Modern IGA is essential for scaling secure access

Unlike traditional IGA systems designed in the pre-cloud era, modern IGA capabilities employ AI-based automation to simplify identity management—from quickly onboarding new applications to eliminating manual processes across teams (e.g., application owners, compliance managers, identity teams, and auditors) to streamlining role provisioning and maintenance.

Working in tandem with identity and access management (IAM) and privileged access management (PAM) systems, modern IGA helps to ensure consistent identity policies, access controls, and least-privilege access across the board. This is critical for Zero Trust and for securing all those machine identities, which now outnumber human identities by more than 80 to one.

IGA automation also improves oversight and eliminates human latency while helping organizations comply with a variety of government and industry regulations. This, in turn, can save your people from burnout.

A powerful call that must be answered

Opet’s open letter comes at a critical juncture. It challenges everyone in our industry to come together to fix what is broken and move toward an anti-fragile digital ecosystem. While presenting some potential “build” options, it also emphasizes the need for modern, practical solutions that allow organizations to quickly reduce risk and continuously strengthen resilience—all while leveraging the full potential of cloud-based services.

Omer Grossman is the global chief information officer at CyberArk. You can check out more content from Omer on CyberArk’s Security Matters | CIO Connections page.
