{"id":3003,"date":"2025-04-29T23:58:58","date_gmt":"2025-04-29T23:58:58","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=3003"},"modified":"2025-04-29T23:58:58","modified_gmt":"2025-04-29T23:58:58","slug":"chase-ciso-condemns-the-security-of-the-industrys-saas-offerings","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=3003","title":{"rendered":"Chase CISO condemns the security of the industry\u2019s SaaS offerings"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>The JPMorganChase chief information security officer (CISO) publicly criticized software as a service (SaaS) cybersecurity efforts today, and issued a call to suppliers to respond to the challenge of inadequately protected offerings. But analysts found his memo so short of details that they were perplexed about what he was asking for.<\/p>\n<p>Chase CISO Patrick Opet spent much of his letter, which the company published on April 25, arguing that SaaS elements have made the enterprise environment far less secure.<\/p>\n<p>\u201cTraditional measures like <a href=\"https:\/\/www.csoonline.com\/article\/540630\/why-you-need-to-segment-your-network-for-security.html\">network segmentation<\/a>, tiering, and protocol termination were durable in legacy principles but may no longer be viable today in a SaaS integration model,\u201d Opet wrote. 
\u201cThe modern SaaS delivery model is quietly enabling cyber attackers and, as its adoption grows, is creating a substantial vulnerability that is weakening the global economic system.\u201d<\/p>\n<p>Opet added, \u201cSaaS has become the default and is often the only format in which software is now delivered, leaving organizations with little choice but to rely heavily on a small set of leading service providers, embedding concentration risk into global critical infrastructure. While this model delivers efficiency and rapid innovation, it simultaneously magnifies the impact of any weakness, outage, or breach, creating single points of failure with potentially catastrophic systemwide consequences.\u201d<\/p>\n<p>Although analysts and security specialists generally agreed with Opet\u2019s arguments, the lack of particulars made it unclear what specifically he proposed enterprises do about it, other than requesting that vendors prioritize cybersecurity more.<\/p>\n<h2 class=\"wp-block-heading\">More of a call for discussion<\/h2>\n<p>Georgia Cooke, digital security analyst at ABI Research, questioned what precisely enterprises could do differently. \u201cThis is more of a call to discussion than a call to action,\u201d Cooke said.<\/p>\n<p>Cooke argued that Opet questioned the security of SaaS products, but then defended his purchases, and the purchases of other enterprise CISOs, noting he \u201cabsolves the purchases by framing (CISOs) as having had no choice. 
It\u2019s very broad and in some sense unrealistic.\u201d<\/p>\n<p>Opet\u2019s <a href=\"https:\/\/www.jpmorgan.com\/technology\/technology-blog\/open-letter-to-our-suppliers#:~:text=The%20modern%20'software%20as%20a,prioritize%20security%20over%20rushing%20features\">letter<\/a> said this problem is not new, but it is dangerous.<\/p>\n<p>\u201cIn the traditional model, security practices enforced strict segmentation between a firm\u2019s trusted internal resources and untrusted external interactions using protocol termination, tiered access, and logical isolation. External interaction layers like APIs and websites were intentionally separated from a company\u2019s core backend systems, applications, and data that powered them,\u201d he wrote. \u201cModern integration patterns, however, dismantle these essential boundaries, relying heavily on modern identity protocols (for example, <a href=\"https:\/\/www.csoonline.com\/article\/562635\/what-is-oauth-how-the-open-authorization-framework-works.html\">OAuth<\/a>) to create direct, often unchecked interactions between third-party services and firms\u2019 sensitive internal resources.\u201d<\/p>\n<p>For example, he pointed out that an AI-driven calendar optimization service that integrates directly into corporate email systems through read-only roles and authentication tokens could improve productivity, yet, if it were compromised, the \u201cdirect integration would grant attackers unprecedented access to confidential data and critical internal communications.\u201d<\/p>\n<p>At the end of his letter, the CISO made what sounded like a proposal for change, but without details, it was unclear how anything would happen.<\/p>\n<p>\u201cThe most effective way to begin change is to reject these integration models without better solutions,\u201d Opet said. 
\u201cI hope you\u2019ll join me in recognizing this challenge and responding decisively, collaboratively, and immediately.\u201d<\/p>\n<p>A Chase employee, who asked to not be identified by name, tried to put that last line into context.<\/p>\n<p>\u201cThere is no threat of boycott, [but] simply a commentary on integration models that don\u2019t adequately address risks, and our decisions not to support them,\u201d the Chase official said. \u201cTo achieve this, we\u2019d like to build on the working groups in the IAM space, collaboratively with hyperscalers, financial institutions, and software companies that can enable the change and see solutions that provide continuous validation and transparency of supplier controls.\u201d<\/p>\n<p>The official explained that the Chase CISO\u2019s team is \u201clooking for the software industry to recognize the criticality of these risks today and collectively work together on a number of fronts [including] establishing and scaling standards, architectural patterns, and solutions to richer authorization decisions, providing transparency in the suppliers\u2019 use of privileged access, especially when it results in access to our systems or data, and using technologies that de-risk the supplier in custody of our data, for example, [by offering] confidential compute, or bring your own cloud.\u201d<\/p>\n<h2 class=\"wp-block-heading\">Solutions missing<\/h2>\n<p>Fritz Jean-Louis, principal cybersecurity advisor at Info-Tech Research Group, said that he generally agreed with the Chase description of the cybersecurity challenges today.<\/p>\n<p>\u201cOne of the key points in the letter is that the modern SaaS model concentrates sensitive data behind a handful of cloud front doors. JP Morgan itself has logged multiple third-party incidents in the past few years and now sees that concentration as a systemic risk,\u201d Jean-Louis said. 
\u201cPatrick is right that token-based OAuth hooks and plug-and-play APIs have eroded the old outside versus inside perimeter. And attackers have noticed. His call for a secure-by-default SaaS model and continuous proof of controls is honestly long overdue.\u201d<\/p>\n<p>That said, Jean-Louis noted, \u201cI think where the letter overcorrects is in suggesting that traditional defenses like network segmentation, protocol termination, and tiering are no longer viable. If anything, they\u2019re no longer sufficient, but once an integration token is abused, those legacy defenses can still slow lateral movement inside both enterprise networks and hyperscale cloud environments. The future is identity- and context-aware segmentation, not segmentation\u2019s demise.\u201d<\/p>\n<p>He added, \u201c<a href=\"https:\/\/www.csoonline.com\/article\/3631188\/secure-by-design-vs-by-default-which-software-development-concept-is-better.html\">Secure by default<\/a> needs to be translated into short-lived, bound tokens, granular, just-in-time scopes, immutable audit logs, and a published <a href=\"https:\/\/www.csoonline.com\/article\/573185\/what-is-an-sbom-software-bill-of-materials-explained.html\">SBOM<\/a> with signed updates. Until suppliers can deliver that, buyers should make risk-aware decisions about these \u2018trust me\u2019 integrations. Putting that in practice means treating every SaaS onboarding as a material risk vendor review.\u201d<\/p>\n<p>In addition, Jean-Louis said the letter suffered from having \u201cno concrete yardstick. What is missing is \u2018What guidance are you offering to fix those issues?\u2019\u201d<\/p>\n<p>\u201cThat\u2019s where you are blindsided. What the letter is missing are recommended approaches or solutions,\u201d Jean-Louis said. \u201cHow are you going to do that? Disconnect from your cloud solution? Your CrowdStrike and all? This is too vague. Rejecting integration doesn\u2019t really say anything. 
I don\u2019t see any alternative [specified].\u201d\u00a0<\/p>\n<p>He suspected that Chase legal and other officials were involved in making significant edits to the letter, and thus, \u201cthe essence of the letter is lost trying to protect themselves.\u201d<\/p>\n<h2 class=\"wp-block-heading\">SaaS not the problem: Analyst<\/h2>\n<p>However, ABI\u2019s Cooke disagreed with Opet\u2019s pointing to SaaS as the problem.<\/p>\n<p>\u201cSaaS is not a driver of commercial consolidation to a small set of providers. Quite the opposite, because smaller providers have the opportunity to deploy with reduced upfront investment and flexibly scaling infrastructure,\u201d Cooke said. \u201cIn an environment heavily dependent on a small set of vendors, the single point of failure stands regardless of deployment model.\u201d<\/p>\n<p>She added, \u201cwhether SaaS drives the current state of permeability of networks is debatable, particularly in the context of a rise of AI, which would require capacity for data exfiltration to vendor processing regardless of the deployment model, including the historically separated high value data Opet identifies. This is a balance of risk. Many would argue that the increased sophistication in Threat Detection and Incident Response (TDIR), which stems from connecting to a vendor\u2019s interconnected threat hunting engine, is worth the risk of connectivity.\u201d<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>The JPMorganChase chief information security officer (CISO) publicly criticized software as a service (SaaS) cybersecurity efforts today, and issued a call to suppliers to respond to the challenge of inadequately protected offerings. But analysts found his memo so short of details that they were perplexed about what he was asking for. 
Chase CISO Patrick Opet [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":2988,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-3003","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/3003"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=3003"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/3003\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/2988"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=3003"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=3003"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=3003"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}