Thursday, March 20, 2025

The biggest security flaw of every cloud service that no one talks about — until it’s too late


Do you trust your SaaS vendor with the keys to your kingdom? The agent running on your systems is only as secure as your cloud vendor’s security posture. It’s a security risk that should keep every organization’s IT and security teams up at night.

Many vendors will cite pen testing, bug bounty programs, and certifications like SOC 2 and ISO 27001 as a testament to their security. But the reality is that breaches still happen.

Think about some of the most high-profile incidents in recent years:

  • Kaseya: A software supply chain attack that compromised thousands of endpoints.
  • SolarWinds: A sophisticated breach that targeted hundreds of organizations, including government agencies.
  • Microsoft: Even a vendor with the most advanced security programs was breached, with U.S. federal government customers impacted.

The common thread? A trusted vendor’s security becomes a single point of failure for every customer. In today’s interconnected world, where traditional security perimeters no longer exist, handing over full control of your devices to any SaaS vendor is a risk you can’t ignore.

Moving Beyond the Server-Centric Approach

The transition from on-premises to cloud services brought the trusted server model along with it, but this server-centric approach just doesn’t work in the cloud. Why? Because the attack surface for a cloud company is exponentially wider than that of an on-premises server running inside a secure network perimeter.

The cloud changes everything: SaaS vendors must acknowledge that their infrastructure is exposed to far more potential points of compromise. SaaS vendors are also highly lucrative targets — threat actors kill multiple “birds” (customers) with one stone. The approach to cloud architecture design should not rely on the assumption that cloud servers are inherently secure or trustworthy. Instead, SaaS vendors should assume that every cloud server will be compromised, sooner or later. The industry needs to shift its mindset and design systems with the expectation that such an event is inevitable.

The Hidden Danger: What Happens When a SaaS-Controlled Agent Is Compromised?

Imagine this scenario: the agent running on your systems — designed for remote management, antivirus scans, or security enforcement — is hijacked by threat actors. Statistically speaking, it’s not a question of if this can happen, but when. And when it does, the consequences can be catastrophic.

Here are just two of the worst-case scenarios that could occur:

  1. Instant Deployment of Malicious Payloads or Ransomware

Once an attacker gains control of the agent, they can deploy ransomware at scale to millions of endpoints, encrypting sensitive data in minutes. Critical business operations come to a halt without warning as every device managed by the compromised agent becomes a victim.

  2. Hijacking the Vendor’s Cloud Infrastructure for Command and Control (C2)

Threat actors could use the SaaS vendor’s cloud infrastructure as their own command and control (C2) system. With this foothold, they gain the ability to execute scripts, binaries, and malicious actions at will, leveraging the vendor’s trusted status to bypass traditional security measures and potentially target every customer of that vendor.

These scenarios demonstrate how a single compromised SaaS vendor can disrupt entire industries, compromise sensitive data, and undermine trust in SaaS vendors everywhere.

The Fallacy of “Agentless” Solutions

Some vendors promote “agentless” solutions as a safer alternative to agent-based models. But here’s the reality:

  • Limited Functionality: True agentless solutions lack access to key system functions needed for effective management, such as real-time monitoring or deep security configurations. To gain this access, you’d need to open internal systems to cloud servers by exposing ports or enabling remote management functions, which creates new vulnerabilities.
  • “Agentless” Is Often a Misnomer: Most so-called agentless solutions still rely on an agent somewhere in the environment — just not on every system. This central agent or connector, with “keys to the kingdom,” is controlled from the cloud. If compromised, it’s just as damaging as an agent on every endpoint because it can serve as a gateway to the entire environment.

The reality is that agent-based systems are a necessity for effective management and security of cloud-connected endpoints. The goal isn’t to eliminate agents, but to make them impossible to take over, even if a cloud server is compromised.

It’s Time to Rethink SaaS Security

The proliferation of cloud-based cybersecurity solutions has opened new doors, but it has also expanded the attack surface dramatically. The worst scenario is when security solutions — designed to protect — become the primary tools used by attackers to infiltrate environments. Cool new features and faster releases are secondary if the threat of an agent takeover, no matter how small, exists. It’s not a matter of if it will happen, but when.

What Does the Future Hold?

Clearly, nothing is more important than achieving a level of security where agents are impossible to take over, even in the event of a cloud server compromise. Can such a solution exist? We believe it’s possible.

Can a next-generation SaaS security architecture be built that assumes every cloud server will be compromised and implements defenses that make agent takeover impossible, even in the worst-case scenario?

As the SaaS industry continues to evolve, it’s important for vendors to reassess their approach to secure, agent-based management. Rethinking the architecture of SaaS backends can help set a new standard for cloud security, ensuring stronger and more resilient systems for the future.

After co-founding the company together with Alex Vovk, Mike Walters became President and runs product strategy at Action1. Previously Co-CEO and Co-Founder of Netwrix Corporation, Mike was responsible for go-to-market strategy, sales and evangelism. At Netwrix, Mike and Alex built a very successful cybersecurity business, and they both left Netwrix after the transition to a new CEO. Well known for its visibility and user behavior analytics platform, Netwrix has grown into a multi-billion-dollar, industry-leading cybersecurity company. Mike lives in Laguna Beach, CA, and has five kids. He is an avid surfer and philanthropist who cares about environmental protection.
