Solutions missing: Fritz Jean-Louis, principal cybersecurity advisor at Info-Tech Research Group, said that he generally agreed with the Chase description of the cybersecurity challenges today.

“One of the key points in the letter is that the modern SaaS model concentrates sensitive data behind a handful of cloud front doors. JP Morgan itself has logged multiple third-party incidents in the past few years and now sees that concentration as a systemic risk,” Jean-Louis said. “Patrick is right that token-based OAuth hooks and plug-and-play APIs have eroded the old outside-versus-inside perimeter. And attackers have noticed. His call for a secure-by-default SaaS model and continuous proof of controls is honestly long overdue.”

That said, Jean-Louis noted, “I think where the letter overcorrects is in suggesting that traditional defenses like network segmentation, protocol termination, and tiering are no longer viable. If anything, they’re no longer sufficient, but once an integration token is abused, those legacy defenses can still slow lateral movement inside both enterprise networks and hyperscale cloud environments. The future is identity- and context-aware segmentation, not segmentation’s demise.”

He added, “Secure by default needs to be translated into short-lived, bound tokens, granular, just-in-time scopes, immutable audit logs, and a published SBOM with signed updates. Until suppliers can deliver that, buyers should make risk-aware decisions about these ‘trust me’ integrations. Putting that in practice means treating every SaaS onboarding as a material-risk vendor review.”

In addition, Jean-Louis said the letter suffered from having “no concrete yardstick. What is missing is ‘What guidance are you offering to fix those issues?’”

“That’s where you are blindsided. What the letter is missing are recommended approaches or solutions,” Jean-Louis said. “How are you going to do that? Disconnect from your cloud solution? Your CrowdStrike and all? This is too vague. Rejecting integration doesn’t really say anything. I don’t see any alternative [specified].”

He suspected that Chase legal and other officials were involved in making significant edits to the letter, and thus, “the essence of the letter is lost trying to protect themselves.”
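As an added illustration (not code from the article, from the Chase letter, or from any vendor), the following Python sketch shows what “short-lived, bound tokens” and “granular, just-in-time scopes” look like when an API actually enforces them at the door: a token that is validly signed is still refused if it was issued with a long lifetime, if it is presented by a client other than the one it was bound to, if it targets a different API, or if it lacks the exact scope the call needs. The token format, the claim names (the `cnf.jkt` thumbprint is patterned after the DPoP-style confirmation claim), the five-minute lifetime cap, the URLs, the secret and the key bytes are all assumptions constructed for the example; audit logging and SBOM handling from the same quote are out of scope here.

```python
import base64
import hashlib
import hmac
import json
import time

# Assumption for this example: an integration token may live at most five minutes,
# regardless of what the issuer put in the 'exp' claim.
MAX_LIFETIME_SECONDS = 300


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def client_key_thumbprint(client_public_key: bytes) -> str:
    """SHA-256 thumbprint of the caller's key; the token is bound to it via cnf.jkt."""
    return _b64url(hashlib.sha256(client_public_key).digest())


def issue_token(secret: bytes, claims: dict) -> str:
    """Sign a claims set with HMAC-SHA256 (hypothetical 'body.signature' format)."""
    body = _b64url(json.dumps(claims, sort_keys=True).encode())
    sig = _b64url(hmac.new(secret, body.encode(), hashlib.sha256).digest())
    return f"{body}.{sig}"


def verify_token(secret, token, expected_audience, required_scope, presented_client_key, now=None):
    """Return (accepted, reason). Every policy check is applied; the first failure wins."""
    now = time.time() if now is None else now
    try:
        body, sig = token.split(".")
    except ValueError:
        return False, "malformed token"
    expected_sig = hmac.new(secret, body.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(_b64url_decode(sig), expected_sig):
        return False, "bad signature"
    claims = json.loads(_b64url_decode(body))

    # Short-lived: reject expired tokens and any token issued with a lifetime over the cap,
    # so a compromised or careless issuer cannot hand out long-lived credentials.
    if "iat" not in claims or "exp" not in claims:
        return False, "missing iat/exp"
    if claims["exp"] <= now:
        return False, "expired"
    if claims["exp"] - claims["iat"] > MAX_LIFETIME_SECONDS:
        return False, "lifetime exceeds policy"

    # Bound: the token names one audience and one client-key thumbprint, so a token
    # replayed by another client or against another API fails despite a valid signature.
    if claims.get("aud") != expected_audience:
        return False, "wrong audience"
    if claims.get("cnf", {}).get("jkt") != client_key_thumbprint(presented_client_key):
        return False, "token not bound to presenting client"

    # Granular scope: the token must carry exactly the scope this call needs.
    if required_scope not in claims.get("scope", "").split():
        return False, f"scope {required_scope!r} not granted"
    return True, "ok"


def demo():
    """Issue one compliant token and several non-compliant ones; return each verdict."""
    secret = b"constructed-demo-secret"       # constructed sample value
    good_key = b"client-A-public-key-bytes"    # constructed stand-in for a real public key
    other_key = b"client-B-public-key-bytes"
    now = 1_700_000_000
    audience = "https://api.example.test/payments"  # constructed URL
    base = {"iat": now, "exp": now + 120, "aud": audience,
            "scope": "payments:read", "cnf": {"jkt": client_key_thumbprint(good_key)}}
    cases = {
        "compliant": (base, good_key, "payments:read", now + 60),
        "replayed_by_other_client": (base, other_key, "payments:read", now + 60),
        "scope_escalation": (base, good_key, "payments:write", now + 60),
        "expired": (base, good_key, "payments:read", now + 121),
        "long_lived": ({**base, "exp": now + 86400}, good_key, "payments:read", now + 60),
    }
    results = {}
    for name, (claims, key, scope, at) in cases.items():
        token = issue_token(secret, claims)
        results[name] = verify_token(secret, token, audience, scope, key, now=at)
    return results


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:26s} -> {verdict}")
```

The point of the lifetime cap is that the verifier, not the issuer, decides how long a credential may be trusted; the point of the `cnf.jkt` check is that a leaked token is useless without the client key it was bound to, which is what turns a “trust me” integration into one the relying party can actually verify.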
SaaS not the problem, says analyst: However, ABI’s Cooke disagreed with Opet’s pointing to SaaS as the problem.

“SaaS is not a driver of commercial consolidation to a small set of providers. Quite the opposite, because smaller providers have the opportunity to deploy with reduced upfront investment and flexibly scaling infrastructure,” Cooke said. “In an environment heavily dependent on a small set of vendors, the single point of failure stands regardless of deployment model.”

She added, “Whether SaaS drives the current state of permeability of networks is debatable, particularly in the context of a rise of AI, which would require capacity for data exfiltration to vendor processing regardless of the deployment model, including the historically separated high-value data Opet identifies. This is a balance of risk. Many would argue that the increased sophistication in Threat Detection and Incident Response (TDIR), which stems from connecting to a vendor’s interconnected threat-hunting engine, is worth the risk of connectivity.”
First seen on csoonline.com
Jump to article: www.csoonline.com/article/3973958/chase-ciso-condemns-the-security-of-the-industrys-saas-offerings.html