Software-as-a-service (SaaS) – applications hosted in the cloud – is now part of the IT mainstream. According to industry analyst Gartner, a third of businesses worldwide are moving applications from locally hosted servers to SaaS environments. Gartner’s SaaS user survey has tracked a steady increase in uptake over the last three years, with as many as 95% of firms saying they plan to maintain or increase their investment in the technology.
This makes securing SaaS environments, and the security of SaaS providers themselves, all the more critical. In moving to the cloud, businesses are making a number of trade-offs. What they gain is clear: flexibility; access to technologies they might not be able to support in-house; and, in many cases, reduced costs.
A move to the cloud, however, inevitably means some loss of control, and control over security is no exception. That reduction in control is at its most acute with SaaS, where the business is buying an application directly from the cloud.
“SaaS is purchased as an off-the-shelf product, often by a project manager, and not run past anyone on the security or legal team”, warns Peter Wood, a member of ISACA’s security advisory group. “These services can be organized with just a credit card.”
SaaS very rarely offers the levels of customization available in either infrastructure (IaaS) or platform-as-a-service (PaaS) offerings, let alone on in-house systems or dedicated data centers. The economic model for SaaS is largely built around offering customers a ‘one-size-fits-all’ product at a fixed cost.
“It’s true that with SaaS you lose a degree of control”, says Paul van Kessel, global risk and IT assurance leader at Ernst & Young.
Consumer Clouds
There is a further critical dimension to security when it comes to applications running in the cloud.
Many, though of course not all, cloud services were initially designed for consumers, or for mass-market adoption by small business.
Much of Google’s consumer-facing cloud application portfolio falls into this category. Other cloud services, such as Amazon’s infrastructure-as-a-service offering, AWS, are aimed primarily at development teams or sophisticated IT users who understand the security compromises that go with a ‘multi-tenant’ user model and can design systems around them.
Business SaaS offerings fall between the two. The applications are aimed as much at end users as IT departments, and non-IT buyers purchasing services with a credit card do not always take security into account. Nor are there always the additional security options – or the facility to customize or add to the platform – that IT departments might require.
“Weaknesses have as much to do with the broader ecosystem as the application itself”, says Steve Webb, a vice president at PerspecSys, a cloud data protection vendor. “It is not that this or that app is insecure, but that they all store data in the cloud. The data center is owned by whoever the cloud service provider is.”
Also worth considering is the way that SaaS providers have, in some cases, prioritized speed to market over and above security. Some of the security issues posed by SaaS go deep into the providers’ architectural models, such as their use of virtual machines and shared databases.
The Shining Star of SaaS
Even Salesforce.com, one of the largest and best-known of the pure-play SaaS companies, has been criticized for a flawed security model. Well-known industry figure Larry Ellison, CEO of Oracle – and an investor, in a personal capacity, in Salesforce – has singled out the company as having a “weak” security architecture, one that lacked both resilience and the ability to scale.
Ellison’s criticisms centered on Salesforce’s use of a single database instance to hold all its users’ data. With no logical or physical separation between data sets, security depends entirely on how well the application separates users’ information, which, at least in theory, leaves room for a weakness.
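To make that point concrete, here is an added illustration (not code from the article, from Salesforce, or from any provider it names) of what “separation in the application” means when tenants share one table: a lookup keyed on record id alone exposes every tenant’s rows, while a repository bound to the authenticated tenant applies the tenant predicate on every access. The table contents and tenant names are constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Record:
    tenant_id: str
    record_id: int
    payload: str


class TenantScopeError(PermissionError):
    """Raised when a data access is attempted without an authenticated tenant."""


# Constructed sample rows standing in for one shared, multi-tenant table.
SHARED_TABLE = [
    Record("acme", 1, "acme contact list"),
    Record("acme", 2, "acme pipeline"),
    Record("globex", 3, "globex contact list"),
]


def fetch_unscoped(table, record_id):
    """Weak pattern: the row is selected by id only, so any caller who can
    name an id reads whichever tenant's row carries it."""
    for r in table:
        if r.record_id == record_id:
            return r
    return None


class TenantRepository:
    """Hardened pattern: the tenant is fixed at construction from the
    authenticated session, and every query is filtered by it first."""

    def __init__(self, table, tenant_id):
        if not tenant_id:
            raise TenantScopeError("no authenticated tenant for this session")
        self._table = table
        self._tenant_id = tenant_id

    def get(self, record_id):
        # Tenant predicate is applied alongside the id predicate, so another
        # tenant's row is indistinguishable from a row that does not exist.
        for r in self._table:
            if r.tenant_id == self._tenant_id and r.record_id == record_id:
                return r
        return None

    def list_all(self):
        return [r for r in self._table if r.tenant_id == self._tenant_id]
```

A buyer cannot inspect a provider’s code for this, which is why the article’s later sections lean on external audits and certifications as the available proxy.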
But then, there is always an element of rivalry at work when vendors criticize each other’s offerings: Ellison recently announced a cloud applications model, where customers can opt for a private instance of the Oracle database. As one of the highest-profile SaaS applications, Salesforce.com can expect to be criticized, as well as to be the target of hackers.
The company has suffered data breaches in the past. The consensus among information security professionals, however, is that Salesforce has significantly improved its security over the last five years. This includes submitting to independent security audits, and allowing customers to commission external audits of its systems.
“[SaaS] services can be organized with just a credit card” – Peter Wood, ISACA, First Base Technologies
“Salesforce.com had a couple of difficult years; in November 2007 they had a phishing attack, and Larry Ellison said they had a weak security model”, observes Ernst & Young’s van Kessel. “The one thing a SaaS provider can do is at least make sure that clients’ data are not in the same place. And that is noise in the market you can’t have as a cloud service provider, so Salesforce.com has focused on information security from 2010 to 2011. They have invested a lot.”
The company, van Kessel says, is now one of the best in the market from a security point of view. Salesforce declined to comment for this article.
An Attractive Target
Then there is the question of whether SaaS applications are, by their nature, more vulnerable to security problems than locally hosted systems. Not only do businesses have less control over security, but the concentration of large amounts of valuable data in one place may encourage hackers to target SaaS providers.
There is already evidence that this has happened with other shared services: in the US, for example, hackers have attacked credit card processing companies, rather than retailers, because the processors hold far more data.
There is a secondary concern for businesses, too, when it comes to using SaaS. The nature of a shared service means that if another tenant of the system is hacked – whether for financial gain or, for example, by a hacktivist group – unconnected businesses could suffer outages or data loss.
Again, it is down to the buyer of SaaS to check what measures vendors have in place to separate their customers’ workloads, and the levels of redundancy the SaaS provider itself has in place – in network connectivity, data centers, and even people.
Checks and Balances
The onus is, of course, on directors to ensure that any service they purchase meets security, privacy and compliance requirements. CIOs and CISOs should subject cloud services, and SaaS, to the same scrutiny as any other outsourcing partner or service supplier. If a supplier will not cooperate with security checks, then however attractive its offerings might seem, be prepared to walk away.
The level of security a business needs from a cloud service will inevitably vary from application to application, and department to department.
In areas such as personally identifiable data (PID) or financial transactions, a higher level of security will be needed than for systems that handle only anonymized or internal data. In the financial transactions space, more cloud providers are now PCI-DSS compliant, for example, and SaaS providers addressing the US healthcare market will need to comply with HIPAA. Defense, aerospace and electronics companies will need to consider export regulations and pick a provider that meets them.
More SaaS providers are also complying with security standards such as ISO 27001. For businesses that are not dealing with highly sensitive data, using a provider that is ISO 27001- or SAS70-compliant may be sufficient. Where it is not, compliance with an externally monitored security standard is a good building block for a more in-depth conversation about security.
Further, in a break with earlier practice, more SaaS providers are now allowing external security audits, which, in turn, allow their applications to be used in more sensitive areas. CISOs should also look at security monitoring, incident response plans, and the access a SaaS provider will give to its customers’ security teams in the event of a breach.
“Cloud providers are much more willing to work with external organizations to improve security” – Peter Allwood, Deloitte
“A question for the cloud service provider is certainly how they would co-operate during an investigation, maybe with forensics”, says Peter Allwood, a manager in the security practice at Deloitte. “In our experience, cloud providers are much more willing to work with external organizations to improve security. More cloud providers are allowing external audits.”
It would, nevertheless, be excessive for businesses to insist on government-grade security over all SaaS applications, and there will be cases where the built-in security of Google Docs or Microsoft Office 365 is sufficient. The important point for businesses is to ensure they know the security level of the systems they are buying, and tie those security measures into their own security and data-protection policies.
“Even if you outsource your services to the cloud, you are still responsible for your security”, says Joseph Feiman, a research vice president at Gartner. “You can’t take that away.”
Adding a Security Layer
At the most basic level, businesses can opt to encrypt data before it is sent to a cloud application, or put in place measures to anonymize data processed in the cloud. Organizations can also look at systems that improve authentication of users accessing cloud systems.
Authentication based on user names and passwords alone is widely viewed as inadequate for many SaaS environments. Issuing employees with a separate set of login credentials for each service is inconvenient, and it creates security weaknesses of its own when staff respond by storing passwords locally and visibly.
Businesses should, Deloitte’s Allwood suggests, consider using services that can provide a single-sign-on service combined with strong authentication, to reduce some of the risks.
But some businesses may also find that SaaS applications are, in fact, more secure than their in-house or outsourced IT platforms. Today’s SaaS provider depends on its reputation for success, and a hack or security failure can quickly damage that reputation. Moreover, SaaS companies can afford to invest in leading-edge security equipment, and attract skilled staff.
“A lot of companies think the SaaS provider is better than they are at security. That isn’t good enough, but that is the situation”, says Gartner’s Feiman. The task of the CISO is to ensure this assumption really is the case.