Charging users more money for essential security is a pernicious practice by vendors selling software to small and medium businesses. Unfortunately, this common practice weakens security for everyone by locking what should be essential features behind a paywall. Consumer Reports (CR) is advocating that companies provide a baseline set of security essentials to all users, even if they are not paying. That’s because if users aren’t paying for them today, we all pay for it after the next big hack.
At LABScon 2024 last September, Zatik Security CEO Kymberlee Price gave a talk titled “Let Them Eat Cake: ‘Secure by Upgrade’ Software is a National Security Threat.” In the talk, Price introduced the Zatik SaaS Safety Bar, a set of security features that the cybersecurity firm argues should be available for all users, even if those users are using the free or lowest cost tier of a software as a service (SaaS) product.
“Charging extra for that means that you’re using safety as a ransom for profit. A company shouldn’t allow their customers to be unsafe. You can’t sell a dangerous car that doesn’t meet a safety standard and you shouldn’t be able to do that with software either,” said Price in a video call.
CR agrees with Price because the cybersecurity of small and medium-sized businesses (SMBs) such as a local doctor’s office or municipal water company has a direct effect on consumers and their data privacy. Additionally, many people use free or inexpensive tiers of SaaS products for everything from streaming music to organizing personal projects and events, so the security of these tools applies to individual consumers as well. Therefore, we are coming out in favor of the Zatik SaaS Safety Bar.
When a company is hit by ransomware, everyone who depends on its services is affected. Jeff Tully, an anesthesiologist and co-director of the UCSD Center for Healthcare Cybersecurity, is quick to point out that many hospitals, particularly rural, critical access, or safety net hospitals, are incredibly resource constrained and unable to invest in cybersecurity tools.
“I think that the false sense of security that could be engendered by using a lower or free tier of a secure-by-upgrade product could be potentially dangerous if it doesn’t actually reduce (or even increases) the risk of subsequent attack,” he said.
It could, for example, lead to complacency towards other risk reduction efforts like employee training or network segmentation.
“I think it would almost potentially be borderline unethical for a vendor to present a tool as a security solution for a lower-resourced hospital without strongly acknowledging that its full feature set, and thus maximum-security posture, requires significant additional investment,” he said.
In other cases, the harms from cybersecurity attacks are borne by the public at large rather than by the customer of the product. For example, a product could be co-opted to send spam or to take part in denial-of-service attacks with little effect on the product's own functionality. In these cases, the customer has little incentive to pay for additional security protections that don't affect their business. Market pressure is insufficient to address these negative externalities. Instead, cybersecurity must be treated as a public good, and companies should simply be required to offer reasonable security safeguards for the services they offer.
Indeed, this is already reflected in existing law. Over the past nineteen years, the Federal Trade Commission (FTC) has interpreted Section 5 of the FTC Act to require that companies use reasonable safeguards to protect their services from external attacks that could expose consumers' personal information. Twenty states have passed comprehensive privacy laws that include similar mandates that companies use reasonable security practices. In 2018, California passed the nation's first dedicated cybersecurity law requiring manufacturers of connected products to include security features. Business-to-business companies should not offer versions of software or products that fail to meet these laws' reasonable security mandates.
We have filed comments with the Cybersecurity and Infrastructure Security Agency (CISA) in support of its recently released "Product Security Bad Practices" guidance to reiterate these concerns.
The Zatik SaaS Safety Bar asks SaaS providers to do nine things:
- Include support for multi-factor authentication (MFA).
- Include an admin mechanism to require all users to have MFA enabled.
- Support single sign-on (SSO) integration via protocols such as SAML, so that administrators can centrally provision and remove users and groups.
- Provide basic role-based access control that separates administrative functions from those available to normal users.
- Provide an audit trail within the application, retained for 365 days, so administrators can identify actions taken by users. If someone sends an invoice or modifies an item, there would be a record of it. Some SaaS providers may not want to store a full year of logs for a free or lower-tier account because the provider would have to fund the underlying cloud costs. We believe this could be addressed by letting administrators export the audit logs at no charge, for example to cloud object storage such as S3 buckets or via syslog to AWS or GCP, and the export must be ongoing so the logs can be loaded into a SIEM. However, Zatik Security CTO Zack Glick says he thinks exporting as a text file would meet the minimum bar.
- Provide a mechanism for forced logout, allowing admins to terminate a user's active sessions or revoke their access if the account has been compromised, without deleting the user altogether.
- Allow administrators to set password complexity policies (such as a minimum password length) to resist brute-force attacks.
- Provide encryption in transit (TLS).
- Allow administrators to destroy data or have a data destruction policy.
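Two of the items above, forced logout and the audit trail, describe mechanisms rather than settings, so here is an added example of how a SaaS backend can implement them together. This is illustrative code written for this article, not Zatik's or Consumer Reports' code; the class names, the per-user "generation" counter, the in-memory stores and the sample user are all assumptions. The point it demonstrates: an administrator can invalidate every outstanding session for a user, or revoke the user's access entirely, while the account record survives, and every such action lands in an append-only audit trail that exports as JSON lines for syslog or SIEM ingestion.

```python
"""Added example (not Zatik's or CR's code): forced logout plus an audit
trail for a minimal in-memory SaaS backend. All names are illustrative."""
import json
import secrets
from datetime import datetime, timezone


class AuditLog:
    """Append-only record of who did what to whom. export_jsonl() emits one
    JSON object per line, the shape syslog shippers and SIEMs ingest."""

    def __init__(self):
        self._events = []

    def record(self, actor, action, target, **details):
        event = {"ts": datetime.now(timezone.utc).isoformat(), "actor": actor,
                 "action": action, "target": target, **details}
        self._events.append(event)
        return event

    def actions(self):
        return [e["action"] for e in self._events]

    def export_jsonl(self):
        return "\n".join(json.dumps(e, sort_keys=True) for e in self._events)


class SessionStore:
    """Each user carries a 'generation' counter and every session remembers
    the generation it was issued under. Forcing logout bumps the counter, so
    all tokens issued before the bump fail validation on their next use. The
    user record itself is never deleted."""

    def __init__(self, audit):
        self.audit = audit
        self.users = {}     # username -> {"generation": int, "suspended": bool}
        self.sessions = {}  # token -> {"user": str, "generation": int}

    def add_user(self, username):
        self.users[username] = {"generation": 0, "suspended": False}

    def login(self, username):
        user = self.users[username]
        if user["suspended"]:
            self.audit.record(username, "login.denied", username, reason="suspended")
            return None
        token = secrets.token_urlsafe(32)
        self.sessions[token] = {"user": username, "generation": user["generation"]}
        self.audit.record(username, "login", username)
        return token

    def validate(self, token):
        """Return the username for a live session, or None for a stale one."""
        sess = self.sessions.get(token)
        if sess is None:
            return None
        user = self.users[sess["user"]]
        if user["suspended"] or sess["generation"] != user["generation"]:
            self.sessions.pop(token, None)  # stale token: drop it server-side
            return None
        return sess["user"]

    def force_logout(self, admin, username):
        """Admin action: invalidate every session for a user, keep the account."""
        self.users[username]["generation"] += 1
        self.audit.record(admin, "session.force_logout", username)

    def set_access(self, admin, username, allowed):
        """Admin action: revoke (or restore) access without deleting the user.
        Revocation also bumps the generation so live sessions die immediately."""
        user = self.users[username]
        user["suspended"] = not allowed
        user["generation"] += 1
        self.audit.record(admin, "access.restored" if allowed else "access.revoked", username)


def demo():
    """Walk through a compromise response: two live sessions (one possibly an
    attacker's), a forced logout, a clean re-login, then full revocation."""
    audit = AuditLog()
    store = SessionStore(audit)
    store.add_user("alice")  # constructed sample user
    t1, t2 = store.login("alice"), store.login("alice")
    before = (store.validate(t1), store.validate(t2))
    store.force_logout("admin", "alice")
    after_logout = (store.validate(t1), store.validate(t2))
    t3 = store.login("alice")  # account still exists, user can log back in
    relogin_valid = store.validate(t3) == "alice"
    store.set_access("admin", "alice", allowed=False)
    return {"before": before, "after_logout": after_logout,
            "relogin_valid": relogin_valid, "denied": store.login("alice"),
            "user_exists": "alice" in store.users, "actions": audit.actions(),
            "export_lines": len(audit.export_jsonl().splitlines())}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The generation counter is the part worth copying: it revokes any number of sessions in O(1), works equally for stateless tokens if the generation is embedded in the token and checked against the user record, and leaves the user row intact so access can be restored later with set_access(..., allowed=True).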
The Zatik SaaS Safety Bar is just a starting point. In some circumstances, more requirements might be necessary to ensure adequate security.
Take hospitals, for example. Even if products meet this bar, Tully says, meeting it may not help if configuring and deploying the product requires technically complex workflows.
Many healthcare delivery organizations, for example, do not have dedicated cybersecurity teams separate from their main IT workforce. "If a lot of specialized knowledge is required to safely and effectively integrate new devices, software, or platforms to the existing stack, which may be held together with the digital equivalent of duct tape and gum, then such products may not help, and in some situations might even hurt."
That said, meeting these minimum requirements will demonstrably improve security for the millions of small businesses and organizations that consumers trust to provide for their daily needs. Software companies have a responsibility to ensure that their products can be used safely by their customers as well as ensure that their products don’t become the weak link that ends up breaking in the face of a cyberattack.