Most Attractive Targets SaaS

"SaaS" stands for "Software as a Service", which is the new hot topic on the market. It is so hot, it radiates light. Of course all vendors are jumping into the SaaS bandwagon, and for a reason. The usual benefits/reasons that are given to new clients are: 01 There is no upfront cost involved._, _02 There is no admin and setup overhead._, _03 In the long term it costs less._, _04 And it scales quite well (patching, bug fixes and machine power are instant).

So in CONFidence, I wanted to attend a talk which looked quite interesting. However, it turned to be the most brutal commercial I have ever seen. I had left after the first 15 minutes but I learned something interesting. I learned who their clients are and how their SaaS works.

In summary, company X was bragging about their awesome SaaS product which will put an end to all your problems. Local agents, which reside within your network, monitor various kinds of activities and backup critical data with constant push backs to the SaaS. That data is analyzed with some overestimated forensics engine witch in tern tells you whether your security perimeter has been breached. And if NASA and NATO are using it why shouldn't we? Why? That's the question.

The "Why?"

"Why?" Well, it makes the SaaS more attractive target. It makes total sense for attackers to crack into some 3rd-party organization which provides access to a couple of hundred client network then hacking into each client network individually. Do you agree? Anyone who has been long enough in this field knows that there isn't an impenetrable target, so don't start with the usual "yes but if the SaaS network is secure...". Such kind of thing does not exist. Some targets take longer to break into but at the end all it is need is some good mental health, optimism and persistence in order to be successful.

Recently, I saw another presentation related to email security. Again, the vendor was showing off their SaaS. Again, the SaaS will put the end of all your email problems. It will eliminate all your SPAM but leave your important business communications untouched. All you have to do is to use their mail servers which are located in some scalable data warehouse. If your infrastructure fails then you can still access your emails through their Web console.

It makes total sense but what they don't mention is what will happen if they get hacked, which they probably will if they continue showing off with their client base which consists of several well recognized law firms, hundreds of government agencies, a couple of well-recognized enterprises and so on. If they get hacked, the attackers will have so much data on their hands that they can easily play it all out on the stock market and make a couple of gazillions for example. Or maybe even sell it to the mob or some other organization that might be very interested in buying.

Conclusion

In conclusion, I need to say that SaaS is not necessary a bad thing. It makes total sense sometimes. But, you have to be conscious. Just because you've outsourced all your email to some organization, this doesn't mean that now you can stop worrying about your email security anymore. In fact, if you really do save money, this is a perfect opportunity to spend them all on security professionals who know what they are talking about. At the end of the day, money is energy and energy becomes useless if it doesn't transform from one form into another.

Archived Comments

Craig Balding

Hi pdp Thanks for your blog - I read it on and off and find it useful. You're right to suggest that SaaS concentrates customer data and access in one logical system via the public Internet. In some sense SaaS does feel like it lowers the (unauthorised) barrier to entry , but on the other hand, central data stores with juicy data from multiple orgs are not new. In the past they would have been hidden behind some kind of partner network. But reading the recent Verizon report on breaches, partner networks feature heavily in compromises so will the SaaS approach make a real difference to breaches? My view is that for SaaS providers, the very public nature of running a public SaaS means that intrusions are more likely to get widely reported. Even if the SaaS provider fails to detect the intrusion, when the data gets out and gets abused all roads lead back to the SaaS provider. We know that orgs often fail to report breaches for fear of reputation damage (amongst other things). Regulators now require reporting for certain categories of incident but that is limited and specific to certain industries. However a web facing SaaS provider is now under the glare of all. There isn't any hiding when they get 0wned. In the end, this may ultimately lead to either better security practices or SaaS providers requiring all customers to sign NDA's that include clauses to limit notification of breaches... This is a good topic and its given me an idea for a future blog post :-). Anyway, if you are interested in cloud security stuff, then check out http://cloudsecurity.org. Cheers Craig

pdp

I cannot really say whether SaaS is more secure or less secure solution. All I can say is that SaaS infrastructures are definitely more attractive to attackers. :) Also when speaking about SaaS security I must say that it very much comes down to the same concepts I have been talking about during this year.

The security model is often shared. The security of the server depends on the security of the individual clients, while the security of the individual clients depends on the security of the server they are interacting with.

In a similar way, the SaaS security model is shared between itself and its clients. And we all know what too much sharing leads to.

Chris Snyder

Yeah, bravo. I find myself talking about "attractive targets" more and more these days, and my colleagues just look at me with blank stares. I have yet to see a fully transparent open-source, open-process SaaS company, let alone one with a proven security track record. Until that happens, I'll roll my own thank you very much. When you aggregate petabytes of juicy data under a single service, it is reasonable to expect that the service will be attacked, again and again. And do you think the operators will tell you when your data is compromised?

James Blake

The centralisation of customer data onto a SaaS provider's infrastructure is bound to make it an attractive target. The SaaS provider's reputation is in a large part based on the security of customer data, which makes SaaS vendors more motivated to keep that data secure. This is opposed to organisations themselves that store that data on-premises, where IT and infomation security primarily is not seen as a core area business. At the same time, SaaS vendors can achieve economies of scale with regards threat mitigation, regular risk assessments and 24 x 7 incident monitoring and response. You could ask if email is more secure scattered across thousands of laptops in an organisation without any form of end point security as PSTs, or are they better stored in a centralised email server from which you can build some form of centralised policy and enforcement regime? - it is the same sort of on-premise vs SaaS argument. One of the biggest threats is SaaS vendors who are, in effect, really just hosting providers. These vendors take off-the-shelf commercial products and then just strap several of them together with some form of management framework (billing, provisioning, etc) to form a 'solution'. The SaaS vendor is this situation has no control over the underlying technology, in fact they may not even truly understand it. The several different point solutions they use often have gaps between each and the overlaid management layer adds an additional attack vector. Traditional on-premises vendors are also moving in the SaaS space, often with products that are not designed with multi-tenancy in mind - causing more potential threats. Potential buyers should look carefully at what they are buying, not all SaaS solutions are alike. Customer should look for someone who has considered the risks of centralisation and multitenancy and then worked to mitigate them - rather than just throwing some software on a publicly accessible server and calling it SaaS. Customer's anxieties at storing data off-site made sure that when we were designing our SaaS service we designed a distributed data store from the ground up, it was the only way we could have control over the entire lifecycle of the customer data, including its confidentiality and integrity. You cannot build a SaaS service that doesn't offer customers the granularity to determine their own security policy, you end up enforcing the lowest common denominator on all your customers. SaaS security is the fun challenge for the 21st century - embrace it!

Rebecca

Good post. I agree that SaaS can be somewhat sketchy in terms of security. However, you should take a look at Brick N Click from MTI. This is a retail SaaS that has industry approved security so that data is well protected. The technology also has excellent data recovery due to centralized storage. Perhaps it would interest you to attend a webinar about the technology http://www.mtiretail.com/BrickNClick.cfm?PgID=1or take a look at this page for more information and perspective. http://www.mtiretail.com/SaaS_Info.cfm