The SaaS Security Squeeze

Software as a Service (SaaS) applications are becoming the delivery method of choice for organizations looking for ways to reduce their IT costs. Some 90 percent of organizations plan to either maintain or increase their SaaS use, according to a recent report by Gartner Research. This adoption rate is accelerating even in the current economic downturn.

However, about 62 percent of the enterprises responding to the Gartner study said they worry about the security of data they send to destinations outside their firewalls. In fact, migrating to SaaS apps to save IT costs may actually increase data security risks: security, integration and compliance challenges quickly scale in complexity, and the risk grows with them. As a result, SaaS customers often are forced to extend security mechanisms beyond their firewalls to ensure that they can enforce access policies and meet regulatory compliance requirements.

These security and compliance challenges threaten confidential applications and data that reside outside the firewall and are managed by third-party providers. This situation is driving the need for a new security model.

“What was old is new again when it comes to identity and Web security management now with SaaS. Existing identity management systems weren’t built to handle the structure of data delivery and storage outside the enterprise,” Darren Platt, CTO of cloud security firm Symplified, told TechNewsWorld.

Lacks Integration

Part of the problem with SaaS app security is the way components are layered, according to Platt. Various Web access management products are not well integrated with the rest of the Web access management system.

For example, in order to support single sign-on of users among various levels of SaaS applications, vendors often create separate products to do different tasks. As a result, authentication and authorization policies and auditability are just a series of bags hanging off the side of the Web access management system.

“Web access management systems need to apply to ground and cloud applications. They don’t give you what you need,” Platt said.

The Shaky Shared Cloud

Another aspect of these SaaS-induced security risks lies in the way some SaaS vendors store data. In part, the industry is seeing a convergence of markets, which in turn poses security threats.

“Security threats result from the structure of stored data for separate customers on a hosted or shared environment,” Joel McFarland, product line manager for the Cisco Security Group, told TechNewsWorld.

For instance, one customer can make a configuration change that affects other customers, whose data is nearby in the cloud storage used by the SaaS provider, he explained. When multiple customers share a common SaaS delivery structure, security suffers.

Think of the process as a building with offices separated by a solid wall. If that wall is not properly constructed, workers in one office can overhear conversations through the wall. A thief can more easily break through that thin wall to get to the contents on the other side.

“A dedicated infrastructure doesn’t pose this same type of security threat,” McFarland said.

Innovation Needed

First-generation access management systems are great for internal applications, said Platt. However, these same products do not handle external applications very well.

To fix this security issue, the next generation of products will have to treat access management the same regardless of where the data resides. Meanwhile, Web 1.0 vendors are stuck with the products they created, he noted.

“I don’t see them evolving this new capability. We will see other start-ups dedicated to this new space,” predicted Platt.

Different Views

What constitutes secured data for the SaaS customer may be completely different from what a SaaS vendor considers secure. Therein lies a root cause of the security concerns for customers.

“A big plus for SaaS security is that the [application] developer may be able to invest more in security than other developers. So the potential is there for users to have a better security blanket,” Brian Chess, chief scientist and cofounder of Fortify Software, told TechNewsWorld.

Before coming to Fortify, Chess was director of software development for SaaS vendor NetSuite.

Don’t Assume Trust

SaaS vendors can cut corners by adopting different security standards on account access and other security policies, Chess said. When the sales force policies are not the same between vendor and SaaS app customers, those trying to get data by phishing can have a much easier time, he explained.

“When it comes to SaaS security, it is ‘buyer beware.’ There is no set standard to ensure that you can trust it,” Chess said.

With that rule in mind, companies using SaaS apps need to talk to the app vendor to make sure that the security policies are in agreement, he suggested.

Separate Spaces

SaaS comes with several distinct security risks, Chess noted. One is that user information is more exposed. Anybody with an Internet connection and a password can access the data.

The second security risk is that the SaaS provider has an incentive to run a money-making business. That means providers tend to share resources within a SaaS platform, including servers.

The potential exists for an application vendor to not build in sufficient separation of data to prevent other app users from accessing it, he explained. It is this temptation to over-optimize that gets both SaaS developers and Web site operators into security trouble, according to Chess.
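The separation problem Chess describes is concrete enough to show in code. What follows is an added example, not code from the article or from any vendor quoted in it: a toy multi-tenant document store (SQLite in memory, seeded with constructed rows for two made-up tenants, "acme" and "globex") whose lookup function comes in two versions. The unsafe one selects by record id alone, which is what an over-optimized shared table looks like when the tenant is known from the session but never enforced in the query; the scoped one binds the tenant id from the server-side session into every query. A small enumeration check, the kind a customer or pentester can run against their own tenant, makes the difference visible. The schema, names and id range are assumptions for illustration.

```python
import sqlite3
from dataclasses import dataclass
from typing import Callable, Iterable, Optional, Tuple

Row = Tuple[int, str, str, str]  # (id, tenant_id, title, body)

# Constructed sample data for two hypothetical tenants sharing one table,
# as a consolidated SaaS back end typically does. Not real customer data.
SEED = [
    (1, "acme", "Q3 forecast", "acme internal"),
    (2, "acme", "Payroll export", "acme internal"),
    (3, "globex", "Merger memo", "globex confidential"),
    (4, "globex", "Board minutes", "globex confidential"),
]


def build_db() -> sqlite3.Connection:
    """Create the shared table and load the constructed rows."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE documents ("
        "id INTEGER PRIMARY KEY, tenant_id TEXT NOT NULL, "
        "title TEXT NOT NULL, body TEXT NOT NULL)"
    )
    db.executemany("INSERT INTO documents VALUES (?, ?, ?, ?)", SEED)
    db.commit()
    return db


@dataclass(frozen=True)
class Session:
    """Authenticated context. tenant_id is fixed at login on the server side;
    it must never be taken from a request parameter the client controls."""
    user: str
    tenant_id: str


def get_document_unsafe(db: sqlite3.Connection, session: Session, doc_id: int) -> Optional[Row]:
    """Insufficient separation: the row is selected by id only. The tenant is
    available in the session but not enforced, so any authenticated user of any
    tenant can read any row whose id they can guess. (Parameter binding prevents
    SQL injection; it does nothing for tenant isolation.)"""
    return db.execute(
        "SELECT id, tenant_id, title, body FROM documents WHERE id = ?",
        (doc_id,),
    ).fetchone()


def get_document_scoped(db: sqlite3.Connection, session: Session, doc_id: int) -> Optional[Row]:
    """Hardened form: every query carries the tenant predicate, bound from the
    session rather than from the request. A foreign id returns None, exactly
    like a nonexistent id, so a cross-tenant probe learns nothing."""
    return db.execute(
        "SELECT id, tenant_id, title, body FROM documents "
        "WHERE id = ? AND tenant_id = ?",
        (doc_id, session.tenant_id),
    ).fetchone()


Lookup = Callable[[sqlite3.Connection, Session, int], Optional[Row]]


def cross_tenant_leaks(db: sqlite3.Connection, lookup: Lookup, session: Session,
                       ids: Iterable[int] = range(1, 10)) -> list:
    """Enumerate ids as `session` and report any returned row that belongs to a
    different tenant. Run against your own tenant, this is a cheap check for the
    missing-separation problem; a correctly scoped store always returns []."""
    leaks = []
    for doc_id in ids:
        row = lookup(db, session, doc_id)
        if row is not None and row[1] != session.tenant_id:
            leaks.append(row[0])
    return leaks


if __name__ == "__main__":
    db = build_db()
    alice = Session(user="alice", tenant_id="acme")
    print("unsafe lookup leaks ids:", cross_tenant_leaks(db, get_document_unsafe, alice))
    print("scoped lookup leaks ids:", cross_tenant_leaks(db, get_document_scoped, alice))
```

The check is only as good as the id range it probes; in a real assessment you would also try ids lifted from your own tenant's URLs and the ids immediately around them. The same rule, tenant identifier bound server-side into every read and write, is the natural defence for configuration rows as well as documents, which is the shared-storage case McFarland raises above.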

Relearning Relevancy

Product developers in pre-SaaS days faced challenges in making more secure software. Today’s challenges are very similar.

“It is the normal evolution of companies being aware of data security issues,” Bob Egner, U.S. president of Egress Software Technologies, told TechNewsWorld.

The problem with security when it comes to shared data in a central delivery is that there is no mechanism to keep the data safe, he said.

What makes security in the cloud different from traditional data storage? Losing control of sensitive information when it is available outside of a company’s computers, Egner noted.

By Jack M. Germain, TechNewsWorld