By Jack M. Germain TechNewsWorld
04/14/09 4:00 AM PT
Enterprises that use Software as a Service often entrust a great deal of valuable data to their SaaS providers. Think of it as putting your money in a bank rather than stashing it in your own basement. The question is, how strong are the vault's walls?
Multiple Software as a Service (SaaS) applications are becoming the
delivery method of choice for organizations looking for ways to reduce
their IT costs. Some 90 percent of organizations plan to either
maintain or increase their SaaS use, according to a recent report by
Gartner Research (NYSE: IT). This adoption rate is accelerating even in the
current economic downturn.
However, about 62 percent of the enterprises responding to the Gartner study
said they worry about the security of data they send to destinations outside their firewalls.
In fact, migrating to SaaS
apps to save IT costs may actually increase data security risks.
Security, integration and compliance challenges quickly scale in
complexity and increase risk. As a result, SaaS customers often are
forced to extend security mechanisms beyond their firewalls to ensure
that they can enforce access policies and meet regulatory compliance
requirements.
These security and compliance challenges threaten confidential
applications and data that reside outside the firewall and are managed
by third-party providers. This situation is driving the need for a new
security model.
"What was old is new again when it comes to identity and Web security
management now with SaaS. Existing identity management systems weren't
built to handle the structure of data delivery and storage outside the
enterprise," Darren Platt, CTO of cloud security firm Symplified, told
TechNewsWorld.
Lacks Integration
Part of the problem with SaaS app security is the way components are
layered, according to Platt. Various Web access management products
are not well integrated with the rest of the Web access management
system.
For example, in order to support single sign-on of users among various
levels of SaaS applications, vendors often create separate products to do
different tasks. As a result, authentication and authorization
policies and auditability are just a series of bags hanging off the
side of the Web access management system.
"Web access management systems need to apply to ground and cloud
applications. They don't give you what you need," Platt said.
The Shaky Shared Cloud
Another aspect of these SaaS-induced security risks lies in the way
some SaaS vendors store data. In part, the industry is seeing a convergence of markets, which in turn poses security threats.
"Security threats result from the structure of stored data for
separate customers on a hosted or shared environment," Joel McFarland,
product line manager for the Cisco (Nasdaq: CSCO) Security Group, told TechNewsWorld.
For instance, one customer can make a configuration change that
affects other customers, whose data is nearby in the cloud storage used
by the SaaS provider, he explained. When multiple customers share a
common SaaS delivery structure, security suffers.
Think of the process as a building with offices separated by a solid
wall. If that wall is not properly constructed, workers in one office
can overhear conversations through the wall. A thief can more
easily break through that thin wall to get to the contents on the
other side.
"A dedicated infrastructure doesn't pose this same type of security
threat," McFarland said.
Innovation Needed
First-generation access management systems are great for internal
applications, said Platt. However, these same products do not handle
external applications very well.
To fix this security issue, the next generation of products will have
to treat access management the same regardless of where the data
resides. Meanwhile, Web 1.0 vendors are stuck with the products they
created, he noted.
"I don't see them evolving this new capability. We will see other
start-ups dedicated to this new space," predicted Platt.
Different Views
What constitutes secured data for the SaaS customer may be completely
different from what a SaaS vendor considers secure. Therein lies a
root cause of the security concerns for customers.
"A big plus for SaaS security is that the [application] developer may
be able to invest more in security than other developers. So the
potential is there for users to have a better security blanket," Brian
Chess, chief scientist and cofounder of Fortify Software, told TechNewsWorld.
Before coming to Fortify, Chess was director of software development for SaaS
vendor NetSuite.
Don't Assume Trust
SaaS vendors can cut corners by adopting different security standards
on account access and other security policies, Chess said. When the
sales force policies are not the same between vendor and SaaS app
customers, those trying to get data by phishing can have a much easier
time, he explained.
"When it comes to SaaS security, it is 'buyer beware.' There is no set
standard to ensure that you can trust it," Chess said.
With that rule in mind, companies using SaaS apps need to talk to the
app vendor to make sure that the security policies are in agreement,
he suggested.
Separate Spaces
SaaS comes with several distinct security risks, Chess noted. One is
that user information is more exposed. Anybody with an Internet
connection and a password can access the data.
The second security risk is that the SaaS provider has an incentive to
run a money-making business. That means providers tend to share
resources within a SaaS platform, including servers.
The potential exists for an application vendor to not build in
sufficient separation of data to prevent other app users from accessing it, he
explained. It is this temptation to over-optimize that gets both SaaS
developers and Web site operators into security trouble, according to
Chess.
Relearning Relevancy
Product developers in pre-SaaS days faced challenges in making more
secure software. Today's challenges are very similar.
"It is the normal evolution of companies being aware of data security
issues," Bob Egner, U.S. president of Egress Software Technologies,
told TechNewsWorld.
The problem with security when it comes to shared data in a central delivery is that
there is no mechanism to keep the data safe, he said.
What makes security in the cloud different from traditional data
storage? Losing control of sensitive information when it is available
outside of a company's computers, Egner noted.