August 27, 2021
SaaS vs. On-premises Solutions
Ransomware has spread from primary attacks on IT-controlled systems to the software of major technology companies that deliver solutions to organisations. It is important to note that most of these types of “trojan horse” attacks, where a software vendor’s product is corrupted to corrupt their customer’s systems, are based on on-premises (on-prem) software. On-prem software is typically downloaded, configured, and deployed throughout an IT organisation, many times requiring deep access to systems and applications.
However, SaaS (Software as a Service) cloud-based solutions provide all of the benefits of on-prem solutions but none of the administrative IT overhead. The SaaS provider is responsible for maintaining the product and keep all systems up-to-date and available. In addition, SaaS solutions require minimal (e.g., agents) if any software is installed on the primary end-user system. It can be argued that SaaS-based solutions are “safer” from ransomware and similar attacks because most SaaS-based solutions run in highly secure and isolated cloud environments.
For example, Datto RMM and BCDR, SaaS-based applications, run in the secure, immutable Datto Cloud, overseen by an expert team of security experts headed by a CISO (Chief Information Security Officer). All admin access for Datto solutions is via MFA (multi-factor authentication) while also supporting external SSO (via OpenID Connect), significantly reducing privilege abuse.
Datto Cloud Portal multi-factor-login screen
According to the Verizon 2021 Data Breach Investigations Report, privilege abuse was the most common form of privilege misuse. Multi-factor authentication certainly makes it hard for a login ID to be stolen or misused, but what about internal actors? There are two types of data loss situations associated with privilege abuse, accidental and intentional. Either way, this makes protecting data complex when the attack is from within (or via a trusted partner).
The only way to be safe from internal attacks is to prepare for them. Role-based security is critical in limiting organisations’ exposure by limiting users’ access to systems and data. This is supplemented by user audit logging to see every action a user has performed, which in itself is often a deterrent because internal actors will realise they most likely will be caught.
Datto BCDR User Activity Log showing access against a specific device
That said, if an internal actor intends to commit an act of deleting or changing data, many SaaS applications include the assignment of specific permissions to features (within role-based security). And for even tighter control, security workflows can be set up that require authorisation to perform a specific action. Last but not least, some applications provide the ability to “undo” any malicious action, such as the deletion of data. For example, Datto’s BCDR solutions utilize Cloud Deletion Defense™ to “undo” deletion of backups stored in the Datto Cloud.
Most SaaS, cloud-based solutions are multi-tenant in architecture, meaning they support multiple customers via a single instance of software and supporting infrastructure. SaaS-based applications utilise multi-tenancy to provide scalability and, in the case of solutions for MSPs, allowing them to manage multiple clients from a single interface. Some argue that single tenancy is “safer” because computing is done in a solely dedicated environment. However, it can be countered that the exposure to malicious software is greatly reduced with SaaS-based applications. As previously mentioned, most of the more notable attacks have occurred with on-premise solutions.
Choosing the best fit
While the on-prem deployment of software in a typical data center can be made secure with the right security solutions and processes in place, but the benefits of SaaS cloud-based solutions provide assurances that the software is always up-to-date and safe with industry-leading security practices. This becomes even more important for MSPs since they are responsible for managing the IT systems of many end clients. Maintaining individual implementations of on-prem software can be an administrative nightmare, notwithstanding the need to ensure the security of their end-clients systems.