Security May Dog Software as a Service

By Paul F. Roberts



Software is quickly becoming an Internet service, and that is raising concerns about security. Will security weaknesses derail large-scale enterprise adoption?

As the thirst for low-maintenance on-demand software continues to grow in the enterprise, some security experts and customers worry that security weaknesses could disrupt on-demand applications and leave them high and dry.

For now, these security concerns lurk well below the surface—few of the big vendors pitching their wares at the RSA Conference on Feb. 13 in San Jose, Calif., will have products addressing the security of on-demand offerings. Nevertheless, security experts note that technology departments need to ask tough questions of their service providers and ensure their offerings are as secure as possible.

Meanwhile, the on-demand bandwagon swells. This week, SAP launched on-demand CRM (customer relationship management) software. In November, Microsoft Chairman and Chief Software Architect Bill Gates and Chief Technical Officer Ray Ozzie announced two new Internet-based services: Windows Live and Office Live.


Those two behemoths join the services-based software distribution model pioneered by companies such as Salesforce.com, PeopleSoft (now part of Oracle), Hyperion Solutions and Digital Insight. Lately, the idea has been championed in the consumer space by tech darling Google in programs such as Google Base.

"This is a great business model with some significant benefits, but there are some critical security questions you have to ask your service provider before putting your data on someone else's server," said John Pescatore, an analyst at Gartner, in Stamford, Conn. "Security has to be a key criterion in your decision to outsource IT and business functions. If you neglect security, you're taking the risk of regulatory exposure and loss of business."

Translation: Before enterprises can reap the benefits of on-demand software, providers will have to convince IT managers and CIOs that the services they offer are reliable and, perhaps more important, secure. For many, the push to host information and manage customers' data raises the specter of massive information breaches such as those that plagued ChoicePoint and LexisNexis last year.

ChoicePoint's data breach cost the company the largest civil fine from the FTC on record.

And the on-demand model presents its own set of unique security problems, including threats such as replay and man-in-the-middle attacks, as well as concerns about the security practices of the hosting and service providers themselves.

Advocates argue that service-based software deployments could mean better, not worse, security for many companies that already struggle to keep up with Internet threats. With the market for on-demand software booming, technology for building secure Internet-based products, securing these deployments and protecting users is poised to become a major area of investment in coming years.

For Care Rehab and Orthopaedic Products, a medical device manufacturer, security was an important consideration when the company was evaluating Salesforce.com, a provider of on-demand CRM software services, said Ed Barrett, vice president at the 200-person company.

The company, which makes traction and electrotherapy devices that are used by physical therapy clinics and patients, has been using Salesforce.com's software since March to monitor the activities of its salespeople and to track its entire inventory, as devices are prescribed by doctors and dispensed to patients. Care Rehab audited Salesforce.com's security practices before agreeing to use the software. That audit included getting Salesforce.com staff members to show Care Rehab how they secured the data that was stored on their servers and reading documents describing Salesforce.com's security practices.


The conclusion?

"Their security is superior to what we provide for ourselves," said Barrett in McLean, Va. "If you're Salesforce.com, you have to have the best people in security and the best redundancies. [We] need to have the best salespeople. I'm sure we aren't the world's best security people."

That kind of thinking is becoming more common from customers considering a move to an on-demand software model, said Michael Topolovac, CEO of Arena Solutions, a provider of on-demand PLM (product lifecycle management) software. Based in Menlo Park, Calif., Arena has approximately 200 customers and 15,000 users in the high-tech, medical devices and consumer electronics industries. "Security has gone from being [a] top-of-mind [concern] for prospects to a point where more prospects seek out on-demand because it's secure," said Topolovac.


But are on-demand deployments really more secure?

Most companies already have significant exposure to Internet-based threats and attacks and may not have the expertise or resources to properly manage that threat, Topolovac said. "It's like keeping your money under the mattress instead of in a bank. Customers already have their data online. It's already tied to the Internet. You're a machine shop in Milwaukee? You're on the Internet," Topolovac said.

More enterprises are looking for ways to connect remote employees, business partners and suppliers to critical applications. In such an environment, companies such as Salesforce.com and Arena are better prepared to address security than most traditional software providers are.

"We don't create a security problem, we provide a solution to it," Topolovac said.


That said, the meteoric rise of companies such as Salesforce.com has created a rush to get into the on-demand business, and that could lead to shoddy deployments, Topolovac said.

"You've got companies taking a client/server tool, putting it behind a firewall and running it on a hosting provider's network and saying it's on demand," Topolovac said.

Enterprises looking at on-demand offerings should look for software that was built from the ground up for on-demand deployment, he said.

Companies also need to be mindful of a vendor's internal security policies, experts say. If the service provider doesn't have an explicit security policy already in place, chances are security wasn't much of a consideration when the application was built.

"The vendors need upfront security policies. Software as a service needs to protect data right at the front, but that's a little utopian," said Rick Welch, vice president of the developer division at RSA Security, in Bedford, Mass. "You can't always do it. Maybe you encrypt the most sensitive data in the database, then encrypt all of it in mass storage. The point is, the vendors have to homogenize that. It's hard to do it uniquely [for each customer]. Without security policies, it's hard to get consensus on what needs to be encrypted."

Lagging Defenses

Welch said that the various data breaches that made headlines last year had the unintended effect of raising enterprises' awareness level about the need to protect their data, and not just their networks. Because many companies now have partners, customers and others coming in and out of their networks on a regular basis, network security simply is not going to be sufficient to prevent the loss of sensitive data, especially when IT departments don't have complete control of the applications.

In fact, traditional network protections such as IDS (intrusion detection system) and firewalls may not be a very effective solution for a new generation of threats that target Web-based applications, experts say.

For Mike Howard, the senior security program manager at Microsoft, SQL injection attacks are the bogeymen that keep him up at night. In a SQL injection attack, a Web application builds a database query by splicing user-supplied input into a dynamically generated SQL string; an attacker crafts that input so the resulting string carries SQL commands of the attacker's choosing to the back-end database, riding on the same ordinary HTTP requests the application expects.

"We're seeing more SQL injection attacks, and it's very worrying. You can have a firewall in place, and people can still do whatever they want," Howard said in Redmond, Wash.
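The attack Howard describes, as an added example that is not from the article or from Microsoft: a login query built by string concatenation beside its parameterized form, both run against a constructed in-memory SQLite table. The table, the account and the attacker inputs are assumptions made for illustration. Nothing here crosses a firewall in an unusual way; each payload is just a form field value.

```python
import sqlite3


def make_db():
    # Constructed stand-in for the on-demand application's back-end database.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT NOT NULL, password TEXT NOT NULL)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct-horse-battery')")
    conn.commit()
    return conn


def build_query_vulnerable(username, password):
    # The flaw: untrusted input is spliced into the SQL text itself, so the
    # database cannot tell where the developer's SQL ends and the user's begins.
    return ("SELECT username FROM users WHERE username = '%s' AND password = '%s'"
            % (username, password))


def login_vulnerable(conn, username, password):
    row = conn.execute(build_query_vulnerable(username, password)).fetchone()
    return row is not None


def login_parameterized(conn, username, password):
    # The fix: the SQL text is fixed at write time and the values travel
    # separately as bound parameters, so they are only ever compared, never parsed.
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row is not None


# Constructed attacker inputs (assumptions for the demo). The first closes the
# string literal and comments out the password check; the second makes the
# WHERE clause unconditionally true.
PAYLOAD_COMMENT = "alice' --"
PAYLOAD_TAUTOLOGY = "' OR 1=1 --"


def demo():
    """Returns, per input, the query the vulnerable code built and whether each
    login function accepted the input with a wrong password."""
    conn = make_db()
    results = {}
    for name, user in (("comment", PAYLOAD_COMMENT), ("tautology", PAYLOAD_TAUTOLOGY)):
        results[name] = {
            "query": build_query_vulnerable(user, "wrong"),
            "vulnerable": login_vulnerable(conn, user, "wrong"),
            "parameterized": login_parameterized(conn, user, "wrong"),
        }
    # The legitimate user must still get in through both paths.
    results["legit"] = {
        "vulnerable": login_vulnerable(conn, "alice", "correct-horse-battery"),
        "parameterized": login_parameterized(conn, "alice", "correct-horse-battery"),
    }
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, outcome)
```

The comment payload turns the query into `SELECT username FROM users WHERE username = 'alice' --' AND password = 'wrong'`, and everything after `--` is discarded by the database. The parameterized version looks up a user literally named `alice' --`, finds none, and refuses the login; the SQL grammar is never in the attacker's hands.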

Technologies such as JavaScript, XML and AJAX (Asynchronous JavaScript and XML) have also introduced new avenues for attack and exploitation, said Caleb Sima, co-founder and chief technology officer at SPI Dynamics, in Atlanta.

In January, Forum Systems, of Sandy, Utah, warned customers that AJAX-enabled applications were transforming Web browsers into Web services portals, exposing users to potentially corrupted data that can cause the browser to crash, slow servers or cause widespread disruptions by consuming network bandwidth.


An XSS (cross-site scripting) worm that downed popular social networking site MySpace.com in October could be a harbinger of things to come as companies move to Web-based services, Sima said.

The worm was written by a MySpace user known as "Samy." It combined JavaScript and AJAX code and slipped past MySpace's filtering of user-supplied HTML, helped along by browsers' tolerance for malformed markup, to silently inject a small piece of malicious code into the MySpace profile of every user who viewed a page set up by the attacker. The injected code added Samy to the victim's list of friends and copied itself into the victim's profile, so each infected profile went on to infect its own visitors. Within 24 hours, the XSS worm had netted Samy over a million new "friends" and prompted MySpace.com to shut down the service to remove the infection.
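How a profile filter gets evaded and what closes the hole, as an added example that is not the worm's code or MySpace's filter: a keyword blacklist of the kind the worm slipped past, a crude model of a lenient browser that collapses whitespace inside a URL scheme, and output escaping that treats profile content as text rather than markup. The payloads are constructed for illustration (the first splits the word "javascript" across a newline, as the worm did), and the detector is a simplification, not a real HTML engine.

```python
import html
import re
from html.parser import HTMLParser


def blacklist_filter(profile_html):
    # Keyword blacklist of the kind being evaded (constructed for the demo):
    # it removes the tokens its author thought of and nothing else.
    return re.sub(r"javascript|<script", "", profile_html, flags=re.IGNORECASE)


class ActiveContentDetector(HTMLParser):
    """Crude model of a lenient browser: records anything that would run script.
    Whitespace inside a URL scheme is collapsed before checking, which is the
    leniency that lets 'java\\nscript:' survive a filter looking for the whole word."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.findings.append("script element")
        for name, value in attrs:
            if name.startswith("on"):
                self.findings.append(f"<{tag} {name}> event handler")
            elif value and "javascript:" in re.sub(r"\s+", "", value).lower():
                self.findings.append(f"<{tag} {name}> javascript: URL")


def would_execute(rendered_html):
    """Returns the list of script-bearing constructs the model browser would run."""
    detector = ActiveContentDetector()
    detector.feed(rendered_html)
    detector.close()
    return detector.findings


def render_escaped(profile_text):
    # The fix for this context: anything the user typed is encoded so it can
    # only ever be displayed as text inside the page body.
    return html.escape(profile_text, quote=True)


# Constructed payloads (assumptions, not the worm's actual source): the first
# breaks "javascript" with a newline inside a style attribute; the second uses
# an event handler, which a keyword blacklist never looks for.
PAYLOAD_SPLIT_SCHEME = (
    '<div style="background:url(\'java\nscript:eval(document.all.mycode.expr)\')">'
    'about me</div>'
)
PAYLOAD_HANDLER = '<img src="x" onerror="alert(document.cookie)">'


def compare(payload):
    """What the model browser would run after each defence is applied."""
    return {
        "after_blacklist": would_execute(blacklist_filter(payload)),
        "after_escaping": would_execute(render_escaped(payload)),
    }


if __name__ == "__main__":
    for label, payload in (("split scheme", PAYLOAD_SPLIT_SCHEME), ("handler", PAYLOAD_HANDLER)):
        print(label, compare(payload))
```

The blacklist leaves both payloads intact, and the lenient parser sees a `javascript:` URL in one and an `onerror` handler in the other. After escaping, `<` has become `&lt;` and no start tag is ever parsed, so there is nothing to run; the user's markup is still visible on the page, but as literal text.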

In a world in which Web-based services such as Salesforce.com are used to connect critical applications across company lines, a hack in one part of the Web services chain could quickly spread, MySpace-like, and affect other organizations in the chain, Sima said.

"Companies have to ask: 'If my partner goes down or gets hacked, how will that appear on my site?'" said Sima.

Development Worries

Security experts agree that lax development practices are responsible for many of the vulnerabilities in software today and that the move to deploy applications on the Internet—especially those that were originally written to run on individual PCs—may be outpacing education on the security risks that go along with that move.

"The age of Internet software is here. The vendors need to get over it and design it all [to be used] that way," said Gary McGraw, CTO of Cigital, in Dulles, Va., and a well-known expert on writing secure software. "Everybody should be writing code as if it's going to be exposed on the Internet. Developers have to understand that.


"Eighty percent of the problems we find [in code reviews], we tell the development team, and they say, 'You're not supposed to do that.' They have to overcome that kind of natural optimism. Most developers believe software security is security software," McGraw said.

Microsoft's new on-demand products such as Windows Live and Office Live will undergo the same security reviews as the company's traditional client and server software. However, Microsoft is also planning changes to its Security Development Lifecycle program that address security issues in Web-based deployments, Howard said.

Still, improving developer education is only one part of the solution. On-demand companies also need to secure the networks of ASPs (application service providers) that deliver the applications to customers. For companies such as Microsoft, that means qualifying hosting service providers and even third-party device makers whose products might run services such as Windows Live, said Peter Boden, director of security risk management at Microsoft.

"[On demand] means a big shift in control," said Samir Kapuria, principal security strategist at Symantec, in Cupertino, Calif. "Enterprises have to rely on third parties to manage and maintain controls and privileges that were [previously] managed by in-house security."

You're the First Defense

Even with that shift of control to the provider, on-demand customers remain on the hook to comply with regulations regarding the handling of data, even though they no longer control the information, Kapuria said.

Microsoft hasn't decided where data for its Windows Live and Office Live services will reside. The answer to that question ultimately may hinge on the value of the data, Howard said.

The company is currently vetting third-party hosting service providers for the Windows Live and Office Live services. Those providers will have to adhere to Microsoft's standards for network and physical security. That includes everything from locks and cameras to properly trained administrative staff and well-established business continuity planning, Howard said.

Microsoft also plans to use teams of "white hat" hackers to do penetration testing of hosting partners' infrastructure before allowing the hosting partners to host Windows Live or Office Live, Howard said.

Client machines are also a major security risk, adding to the difficulty of securing on-demand deployments, experts said.

"Attacks on the client really worry me," said Howard. "Regardless of the [operating system], if you push [code] down to people's desktops, bad guys can take advantage of that."

Even low-tech hacks such as shoulder surfing are a threat to companies that keep reams of sensitive data on servers operated by companies such as Salesforce.com or PeopleSoft, said Cliff Bell, CIO of Phoenix Technologies, in Milpitas, Calif.

Phoenix has developed and is testing a product that will use a Web services API with single-sign-on capabilities to allow companies that use Phoenix's secure BIOS software to generate trusted certificates for securely logging in to Salesforce.com. The software would require on-demand users to use an authorized laptop and provide a valid user identity and password to access Salesforce.com, Bell said.

In the end, the biggest challenge for companies such as Microsoft that see their future in on-demand software may be getting customers to understand and be comfortable with the model.

And, the current state of network and application security at most companies is poor enough to make it hard to imagine on-demand deployments being any worse, experts agree.

"Eventually, your entire desktop will be on Google's servers, and you'll just pay to use it on a monthly basis," said Sima. "All the security people scream and jump about that, saying that all your data is in one location ... but is that any worse than what we have today? Hell, no!"

Senior Writer Ryan Naraine contributed to this report.
