ThreatVector is an ongoing series where we break down recent security incidents in the news to understand how they happened, how they spread and what the ramifications are for companies as they evolve their defenses.
LastPass recently updated details on its latest security incident, in which cloud storage was accessed that held unencrypted customer details as well as certain unencrypted data, such as website URLs, that were stored adjacent to the encrypted fields: username, password, secure notes, etc.
Chained breaches
The attack vector here is chained to the previous security incident in August 2022, in which a development environment was breached; that environment contained enough technical detail to retarget LastPass production, this time successfully.
Earlier this week in December 2022, Okta’s GitHub accounts were accessed by unauthorized parties. This LastPass incident shows why Okta should be worried about the follow-on attacks derived from that inside knowledge.
The time for E2E secured SaaS is here
It’s never been more clear that all customer or user data needs to be encrypted and protected while it is being handled. LastPass has a great stance for your actual passwords, which they have no business reading.
Of course, other SaaS services exist to use your data — that’s what you pay them for! How is this accomplished if data is secured end to end? We believe that secure enclaves will be the differentiating factor for B2B SaaS providers that want to operate on encrypted data.
Every business is different, but a sliding scale for E2E security might look like:
1. Start with your most sensitive data
Secure your most prized data — credentials for partner integrations — by ingesting it directly into an enclave, and then only decrypting and using those credentials in a secure enclave. As a provider, you never see the plaintext credential, ever.
2. Customer data is handled by secured microservices
Encrypt most or all of your customer data with per-customer encryption keys and derived data keys. Isolate the handling of this data into secured microservices (running in enclaves) and keep a verifiable audit trail of their usage. This stops the attack we saw at LastPass: even an insider or a cloud admin cannot steal data, because the stored records and the keys that open them are never in the same place outside an enclave.
3. Full E2E security with Bring-Your-Own-Key
Privacy-sensitive customers frequently request the ability to bring their own encryption key for their data. The combination of secure enclaves + their key + access locked to the enclave(s) allows for a full data plane where the SaaS provider can operate on data but never have it disclosed to attackers or insiders. In a B2B world, an enterprise can effectively control their security and collaborate using any SaaS, without having to fully give up control.
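To make steps 1 through 3 concrete, here is an added example (not EdgeBit's code, and not any LastPass or Okta implementation) in Go that sketches the data plane described above: an `Enclave` type stands in for code running inside a secure enclave and is the only component that ever holds a customer's key, which can be provider-generated or brought by the customer (BYOK). Every field, including the URL that LastPass left in plaintext, is stored as AES-GCM ciphertext under a per-field data key derived from the customer key with HKDF-Expand, and the ciphertext is bound to its customer and field name so a record cannot be moved to another row or column. The type names, the `edgebit-demo/v1` derivation label and the sample customer `acme` are assumptions made for this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// EncryptedField is a record as it sits at rest in the storage layer: the
// storage service, a cloud admin or an attacker with a dump sees the customer
// id, the field name, a nonce and ciphertext, never a plaintext URL or secret.
type EncryptedField struct {
	CustomerID string
	Field      string
	Nonce      []byte
	Ciphertext []byte // AES-GCM output with the authentication tag appended
}

// Enclave stands in for code running inside a secure enclave. It is the only
// place that holds per-customer keys; nothing outside it can call into the map.
type Enclave struct {
	customerKeys map[string][]byte // customer id -> 32-byte customer key
}

func NewEnclave() *Enclave { return &Enclave{customerKeys: map[string][]byte{}} }

// ProvisionCustomerKey installs a customer-supplied 32-byte key (BYOK, step 3)
// or, when key is nil, generates one inside the enclave.
func (e *Enclave) ProvisionCustomerKey(customerID string, key []byte) error {
	if key == nil {
		key = make([]byte, 32)
		if _, err := rand.Read(key); err != nil {
			return err
		}
	}
	if len(key) != 32 {
		return errors.New("customer key must be 32 bytes")
	}
	e.customerKeys[customerID] = key
	return nil
}

// deriveDataKey computes a per-field data key with HKDF-Expand (RFC 5869,
// single 32-byte block: HMAC(key, info || 0x01)). The customer key is used
// directly as the PRK because it is uniformly random. A leaked data key thus
// exposes one field of one customer, never the customer key itself.
func deriveDataKey(customerKey []byte, customerID, field string) []byte {
	info := []byte("edgebit-demo/v1/" + customerID + "/" + field) // constructed label
	mac := hmac.New(sha256.New, customerKey)
	mac.Write(info)
	mac.Write([]byte{0x01})
	return mac.Sum(nil)
}

func (e *Enclave) gcmFor(customerID, field string) (cipher.AEAD, error) {
	kek, ok := e.customerKeys[customerID]
	if !ok {
		return nil, errors.New("unknown customer")
	}
	block, err := aes.NewCipher(deriveDataKey(kek, customerID, field))
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts one field. The associated data binds the ciphertext to its
// customer and field, so swapping a record into another customer's row or
// another column fails authentication on Open.
func (e *Enclave) Seal(customerID, field string, plaintext []byte) (EncryptedField, error) {
	gcm, err := e.gcmFor(customerID, field)
	if err != nil {
		return EncryptedField{}, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return EncryptedField{}, err
	}
	aad := []byte(customerID + "|" + field)
	ct := gcm.Seal(nil, nonce, plaintext, aad)
	return EncryptedField{CustomerID: customerID, Field: field, Nonce: nonce, Ciphertext: ct}, nil
}

// Open decrypts a record inside the enclave; the plaintext never leaves it
// except through whatever the enclave's business logic deliberately returns.
func (e *Enclave) Open(rec EncryptedField) ([]byte, error) {
	gcm, err := e.gcmFor(rec.CustomerID, rec.Field)
	if err != nil {
		return nil, err
	}
	aad := []byte(rec.CustomerID + "|" + rec.Field)
	return gcm.Open(nil, rec.Nonce, rec.Ciphertext, aad)
}

func main() {
	enclave := NewEnclave()
	_ = enclave.ProvisionCustomerKey("acme", nil) // constructed sample customer
	rec, _ := enclave.Seal("acme", "url", []byte("https://bank.example/login"))
	fmt.Printf("at rest: customer=%s field=%s ciphertext=%s\n",
		rec.CustomerID, rec.Field, hex.EncodeToString(rec.Ciphertext))
	pt, _ := enclave.Open(rec)
	fmt.Printf("inside enclave: %s\n", pt)
}
```

In this layout a dump of the storage layer, which is what the LastPass attackers obtained, yields only `EncryptedField` values; reading them requires the customer key, which exists only inside the enclave and, with BYOK, is provisioned by the customer rather than the provider.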
EdgeBit for E2E security
Wherever you fall on this spectrum, you can secure your SaaS and protect your customers’ data without extensive refactoring of your data model. EdgeBit makes it simple to use confidential computing to operate on encrypted data.
We would love to have an architectural discussion to understand your software and security goals.