It’s Thursday, and keeping up with this week’s theme, we are climbing further up the service model stack and looking at Software as a Service. I’ve already covered some of the key security issues with using a cloud service, but SaaS is a little bit different. So grab a coffee, and learn about the favorite service of organizations which also happens to be one of the favorite models for hackers.
Software as a service refers to an application that is hosted in the cloud and accessed through a web portal. The great thing is that it’s usually licensed on a per-use basis, as opposed to an up-front licensing fee. This is a great option for smaller organizations that do not want to make the up-front license purchase, or for large enterprises that want an easy way to lower the costs of using applications, minimize the resources required to install and maintain software, and get a quick implementation. A famous example of the SaaS model is Salesforce.com, which uses a web-based model that users can access from anywhere in the world. This makes it easy for reps who may work remotely, or for large dispersed organizations that want to standardize on a single software platform.
So what about security? SaaS models create a few key areas of concern. On the enterprise side, most of these are addressed by implementing standard security controls such as VPN, encryption, network security, and ideally a web application firewall, such as Imperva. On the end-user (or consumer) side, it’s a little trickier, because the security of the software being accessed depends not only on whatever security controls exist on the end user’s machine, but also on the security of the service provider and the application itself.
It might sound like SaaS is a pretty safe model to adopt, but keep in mind that it’s also a beautifully streamlined, efficient and easy way for hackers to get direct access to tons of business-critical and sensitive data. Hackers used to have to get past tons of network sniffing security devices to reach the good sensitive data, but with SaaS it’s really like putting tons of different corporate sensitive data in a central location and giving it a web interface for people to tinker away at, or even just use the account of a legitimate user.
Think about it: hackers are getting more sophisticated and, really, lazier. They want to hit lots of systems quickly, without tons of busy work. So a web browser is a perfect gateway for them, since they can do things such as forcing spyware or botnet installs through web browsers, one of the most common security threats. To this day, the largest share of vulnerabilities target web applications, with SQL injection and cross-site scripting among the favorite tools of hackers.
So, how can organizations make SaaS more secure? Well, it really comes down to making sure providers have well-managed and enforced security policies and governance reviews. They should also have a disaster recovery plan in place that has its own failover mechanisms. The more critical the business asset, such as a CRM or ERP system, the more important the security measures required. Remember, the minute your application talks through a web browser directly to the end user, firewalls are going to be useless (with the exception of web application firewalls), so you need solutions that protect the application specifically.
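To make the point that protection has to live in the application, here is an added example (not code from the original post or from any SaaS vendor) of a login lookup written the way the SQL injection problem above arises, beside its parameterized form, plus output escaping against cross-site scripting. The user table, the `alice` account and the query helpers are all constructed for this illustration.

```python
import html
import sqlite3


def make_db():
    """Constructed in-memory table standing in for one tenant's user store.
    The password is stored in clear only to keep the example short; a real
    service stores a salted password hash."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT, display_name TEXT)")
    db.execute("INSERT INTO users VALUES ('alice', 'correct horse', 'Alice <Sales>')")
    db.commit()
    return db


def login_vulnerable(db, username, password):
    """Builds the statement by string concatenation: whatever the user typed
    becomes part of the SQL, so a quote in the input changes the query shape."""
    query = ("SELECT display_name FROM users WHERE username = '" + username +
             "' AND password = '" + password + "'")
    row = db.execute(query).fetchone()
    return row[0] if row else None


def login_hardened(db, username, password):
    """Parameterized statement: the driver binds the values as data, so the
    same input is compared literally and can never alter the query."""
    row = db.execute(
        "SELECT display_name FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


def render_greeting(display_name):
    """Escape stored data before placing it in HTML, so a display name that
    contains markup is shown as text rather than interpreted by the browser."""
    return "<p>Welcome, " + html.escape(display_name) + "</p>"
```

Running both login functions against an input containing a quote and an `OR` clause shows the difference: the concatenated version returns a row without the right password, while the parameterized version returns nothing.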
The key thing to take away from all this is that the minute you give access to applications through a web browser, you need to ensure that your applications are being protected, not just your infrastructure. SaaS is a great model for benefiting from all the cost savings and efficiencies that make up the service, but you need to make sure that those cost savings are allocated, at least in part, to ensuring your application is secure.