Risk in extranet-accessible and cloud-hosted applications
As mentioned earlier, organizations are increasingly moving applications from on-premises to cloud / software as a service (SaaS). As this happens, the set of possible attackers grows:
- On-premises: only those users physically attached to the corporate network or signed into the VPN can access application login pages, and so can attack application login credentials.
- SaaS: any user with an Internet-attached computer can attack application login credentials.
Because the set of possible attackers is so much larger, the risk of compromised user logins is much higher. If users have weak passwords, eventual compromise is almost certain.