Make Sure to Cover Your SaaS

Topics: Other

Software as a Service (SaaS) on-demand applications are single-instance, multi-tenant applications that are centrally and professionally managed and delivered as a service over the internet. SaaS customers share the same application engine, which is partitioned into separate customer accounts. These accounts may be set up differently, but the core application engine is the same platform that every other customer uses. SaaS applications are generally enterprise applications aimed at business optimization, in categories such as CRM, ERP, MRP and PLM; all of these manage sensitive data ranging from intellectual property and financials to customer contacts.

The SaaS on-demand model minimizes implementation risk and offers substantial cost savings through easy application deployment and seamless maintenance updates. Because of these benefits, SaaS vendors are seeing customer growth rates that traditional client/server licensing models do not. According to Gartner, SaaS spending will reach $6.4 billion in 2008, a 27% increase over 2007, and is projected to reach $14.8 billion by 2012. When investing in a SaaS deployment, one trusts an outsourced vendor to provide the application effectively and securely, to store one's data, and to keep the application service highly available.

When reading various SaaS security and privacy statements, it occurred to me that the primary objection SaaS vendors must overcome is convincing prospective customers that their off-premise offering is at least as secure as managing and hosting your own on-premise homegrown or packaged client/server software. In a recent SaaS article published by ComputerWorld, one SaaS customer is quoted on security: "they secure the data of some of the largest financial institutions in the world. If they can secure their data, I'm not worried about my data." Perhaps one should worry.

SaaS vendors often claim "Fort Knox" style security, stating that their security is as strong as the banking sector's "financial-grade" security infrastructure. That may not be a safe comparison when, according to Forbes.com, "During the past year, banks have lost more of their customers' personal data than ever before." The Identity Theft Resource Center (ITRC) reports that banking data breaches have climbed from 7% of the 446 total breaches in 2007 to over 11% of the 650 breaches expected by the end of 2008. Crime follows success, so SaaS is not in the clear from external or internal threats to the sensitive data managed within on-demand application services. One could further argue that SaaS is a more easily defined target for social engineering, phishing, pharming and other fraudulent access attempts. SaaS customers and vendors beware: cybercrime is on the rise.

While SaaS vendors may be good at providing effective technical and logical security controls (such as encrypted data transfer via 128-bit Secure Sockets Layer (SSL), hardened server environments, unique usernames and passwords, and managed access controls), in my experience SaaS does not protect against:

  • Employees sharing their passwords with other employees or competitors, who now have off-premise access to the system of record.
  • Installation of web browser malware such as keylogging software, and the subsequent capture of sensitive keystrokes such as SaaS passwords.
  • Authenticated users accessing sensitive data from non-company-governed devices, from which sensitive data can be copied and then exported.
  • Capturing screenshots of sensitive data to export.
  • Permission creep when employees transfer positions or leave employers. SaaS administrators often forget to remove access, since SaaS access is separated from Active Directory access management controls.
  • Phishing, the process of attempting to acquire sensitive information like SaaS usernames and passwords by masquerading as a trustworthy entity via e-mail or web sites.
  • My favorite: employees forgetting to log off after they got up to hold the door open for someone who forgot their badge at 9:10am. (SaaS vendors often expire sessions after 60 minutes, but fraudsters can do a lot of damage in an hour.)
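The permission-creep item above is the one a customer can actually close from their own side: most SaaS admin consoles will export a user list, and the enterprise directory or HR system will export who is still employed and in which department. Reconciling the two on a schedule catches accounts that should have been removed. The script below is an added example, not code from the original post or from any SaaS vendor; the CSV exports are constructed, and the column names, the department-to-role mapping and the 90-day staleness threshold are assumptions to replace with your own.

```python
"""Reconcile a SaaS application's user export against the enterprise directory.

Added example, not from the original post. Both CSV blocks are constructed
stand-ins: SAAS_USERS for the user export a SaaS admin console provides,
DIRECTORY for an HR / Active Directory export. Column names, the
department-to-role mapping and the staleness window are assumptions.
"""
import csv
import io
from datetime import date, timedelta

SAAS_USERS = """\
email,role,last_login
alice@example.com,admin,2008-10-01
bob@example.com,user,2008-06-02
carol@example.com,admin,2008-05-01
dave@example.com,user,2008-10-02
"""

DIRECTORY = """\
email,status,department
alice@example.com,active,Finance
bob@example.com,terminated,Sales
carol@example.com,active,Sales
"""

# Assumed: which SaaS role each department is entitled to.
ROLE_BY_DEPARTMENT = {"Finance": "admin", "Sales": "user"}
# Assumed: accounts unused for longer than this should be reviewed.
STALE_AFTER = timedelta(days=90)


def load(text):
    """Parse a CSV export into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def reconcile(saas_csv, directory_csv, today):
    """Return (email, finding, detail) tuples for accounts needing action."""
    directory = {r["email"].lower(): r for r in load(directory_csv)}
    findings = []
    for acct in load(saas_csv):
        email = acct["email"].lower()
        person = directory.get(email)
        if person is None:
            # Account exists in the SaaS app but nowhere in the directory.
            findings.append((email, "orphan", "no directory record"))
            continue
        if person["status"] != "active":
            # Leaver whose SaaS access was never removed.
            findings.append((email, "deprovision", "directory status is %s" % person["status"]))
            continue
        expected = ROLE_BY_DEPARTMENT.get(person["department"])
        if expected and acct["role"] != expected:
            # Role left over from a previous position.
            findings.append((email, "role_mismatch",
                             "has %s, department %s expects %s" % (acct["role"], person["department"], expected)))
        last = date.fromisoformat(acct["last_login"])
        if today - last > STALE_AFTER:
            findings.append((email, "stale", "no login since %s" % last))
    return findings


def run_example():
    """Run the reconciliation on the constructed exports as of 2008-10-03."""
    return reconcile(SAAS_USERS, DIRECTORY, date(2008, 10, 3))


if __name__ == "__main__":
    for email, finding, detail in run_example():
        print("%-20s %-14s %s" % (email, finding, detail))
```

Run it against real exports by swapping the two CSV blocks for file contents; the matching key is the lower-cased e-mail address, so make sure both systems actually agree on that identifier before trusting the orphan findings.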

What can you do to start covering your SaaS?

1) Include SaaS security policies addressing the above threats in your enterprise security policy program.

2) Ensure SaaS specific security awareness training is provided to data owners using SaaS and data custodians administering SaaS.

3) Demand stronger security from SaaS vendors and from your internal security operations.
Some questions to ask them are:

  • Do you provide strong multi-factor authentication?
  • How do you securely verify user identities for enrollment and password resets?
  • From which devices are users permitted to access the SaaS application?
  • How does your organization prevent data loss by SaaS users or administrators?
  • How do you prevent phishing, pharming and Trojan attacks?
  • What security information and event alerting and reporting capabilities can you provide to me on demand?
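The last question is worth pressing on, because even a plain login audit export from the vendor lets you detect several of the threats listed earlier: shared or stolen credentials (one account active from two addresses at once), access from non-company-governed networks, and a burst of failed logins followed by a success. The detector below is an added example, not code from the original post or from any vendor; the audit log lines are constructed, and the record layout (timestamp, user, event, source IP), the corporate egress range and the thresholds are assumptions to map onto whatever format your vendor actually exports.

```python
"""Detection logic over a SaaS vendor's login audit export.

Added example, not part of the original post. AUDIT_LOG is constructed; the
record layout (timestamp,user,event,ip), the corporate network range and the
thresholds are assumptions. Map a real vendor export into this shape first.
"""
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed office egress range; logins from elsewhere are "off network".
CORPORATE_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]
# Two successes for one account from different IPs within this window
# suggest a shared or stolen password.
SHARED_WINDOW = timedelta(minutes=30)
# This many failures before a success from the same IP suggests guessing.
FAILURE_THRESHOLD = 5

AUDIT_LOG = """\
2008-10-03T09:05:12,alice@example.com,login_success,203.0.113.10
2008-10-03T09:12:40,alice@example.com,login_success,198.51.100.7
2008-10-03T09:30:01,bob@example.com,login_success,203.0.113.22
2008-10-03T10:02:15,carol@example.com,login_failure,192.0.2.9
2008-10-03T10:02:19,carol@example.com,login_failure,192.0.2.9
2008-10-03T10:02:24,carol@example.com,login_failure,192.0.2.9
2008-10-03T10:02:28,carol@example.com,login_failure,192.0.2.9
2008-10-03T10:02:33,carol@example.com,login_failure,192.0.2.9
2008-10-03T10:02:40,carol@example.com,login_success,192.0.2.9
2008-10-03T13:45:00,bob@example.com,login_success,203.0.113.22
"""


def parse(text):
    """Parse audit lines into dicts, sorted by timestamp."""
    events = []
    for line in text.splitlines():
        ts, user, event, ip = line.split(",")
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "event": event, "ip": ipaddress.ip_address(ip)})
    return sorted(events, key=lambda e: e["ts"])


def is_corporate(ip):
    return any(ip in net for net in CORPORATE_NETWORKS)


def detect(events):
    """Return (alert, user, detail) tuples in the order they are raised."""
    alerts = []
    successes = defaultdict(list)   # user -> prior successful logins
    failures = defaultdict(list)    # user -> prior failed logins
    for e in events:
        if e["event"] == "login_failure":
            failures[e["user"]].append(e)
            continue
        if e["event"] != "login_success":
            continue
        if not is_corporate(e["ip"]):
            alerts.append(("off_network_login", e["user"], str(e["ip"])))
        # Same account, different source, inside the window: shared/stolen credential.
        for prior in successes[e["user"]]:
            if prior["ip"] != e["ip"] and e["ts"] - prior["ts"] <= SHARED_WINDOW:
                alerts.append(("concurrent_sessions", e["user"],
                               "%s and %s" % (prior["ip"], e["ip"])))
                break
        # Failure burst from this IP, then a success: password guessing that worked.
        recent = [f for f in failures[e["user"]]
                  if f["ip"] == e["ip"] and e["ts"] - f["ts"] <= SHARED_WINDOW]
        if len(recent) >= FAILURE_THRESHOLD:
            alerts.append(("guessing_then_success", e["user"],
                           "%d failures from %s" % (len(recent), e["ip"])))
        successes[e["user"]].append(e)
    return alerts


def run_example():
    """Run the detector over the constructed audit log."""
    return detect(parse(AUDIT_LOG))


if __name__ == "__main__":
    for alert, user, detail in run_example():
        print("%-22s %-20s %s" % (alert, user, detail))
```

Note what the sample does not flag: bob's two logins from the same corporate address hours apart are normal, which is the point of keying the concurrent-session check on a change of source address rather than on login count alone.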

Let me know what they say and how SaaS has affected your security program.
