Channel Insider content and product recommendations are editorially independent. We may make money when you click on links to our partners. Learn More.

As the thirst for low-maintenance on-demand software continues to grow in the enterprise, some security experts and customers worry that security weaknesses could disrupt on-demand applications and leave them high and dry.

For now, these security concerns lurk well below the surface—few of the big vendors pitching their wares at the RSA Conference on Feb. 13 in San Jose, Calif., will have products addressing the security of on-demand offerings. Nevertheless, security experts note that technology departments need to ask tough questions of their service providers and ensure their offerings are as secure as possible.

Meanwhile, the on-demand bandwagon swells. This week,

SAP launched on-demand CRM (customer relationship management) software.
In November, Microsoft Chairman and Chief Software Architect Bill Gates and Chief Technical Officer Ray Ozzie announced two new Internet-based services: Windows Live and Office Live.

Click here to read more about Windows Live and Office Live.

Those two behemoths join the services-based software distribution model pioneered by companies such as, PeopleSoft (now part of Oracle), Hyperion Solutions and Digital Insight. Lately, the idea has been championed in the consumer space by tech darling Google in programs such as
Google Base.

“This is a great business model with some significant benefits, but there are some critical security questions you have to ask your service provider before putting your data on someone else’s server,” said John Pescatore, an analyst at Gartner, in Stamford, Conn. “Security has to be a key criterion in your decision to outsource IT and business functions. If you neglect security, you’re taking the risk of regulatory exposure and loss of business.”

Translation: Before enterprises can reap the benefits of on-demand software, providers will have to convince IT managers and CIOs that the services they offer are reliable and, perhaps more important, secure. For many, the push to host information and manage customers’ data raises the specter of massive information breaches such as those that plagued ChoicePoint and LexisNexis last year.

ChoicePoint’s data breach cost the company the largest civil fine from the FTC on record. Click here to read more.

And the on-demand model presents its own set of unique security problems, including threats such as replay and man-in-the-middle attacks, as well as concerns about the security practices of the hosting and service providers themselves.

Advocates argue that service-based software deployments could mean better, not worse, security for many companies that already struggle to keep up with Internet threats. With the market for on-demand software booming, technology for building secure Internet-based products, securing these deployments and protecting users is poised to become a major area of investment in coming years.

For Care Rehab and Orthopaedic Products, a medical device manufacturer, security was an important consideration when the company was evaluating, a provider of on-demand CRM software services, said Ed Barrett, vice president at the 200-person company.

The company, which makes traction and electrotherapy devices that are used by physical therapy clinics and patients, has been using’s software since March to monitor the activities of its salespeople and to track its entire inventory, as devices are prescribed by doctors and dispensed to patients. Care Rehab audited’s security practices before agreeing to use the software. That audit included getting staff members to show Care Rehab how they secured the data that was stored on their servers and reading documents describing’s security practices.

Paul Roberts explains what IT managers need to do before going with software as a service. Click here to listen to the podcast.

The conclusion?

“Their security is superior to what we provide for ourselves,” said Barrett in McLean, Va. “If you’re, you have to have the best people in security and the best redundancies. [We] need to have the best salespeople. I’m sure we aren’t the world’s best security people.”

That kind of thinking is becoming more common from customers considering a move to an on-demand software model, said Michael Topolovac, CEO of Arena Solutions, a provider of on-demand PLM (product lifecycle management) software. Based in Menlo Park, Calif., Arena has approximately 200 customers and 15,000 users in the high-tech, medical devices and consumer electronics industries. “Security has gone from being [a] top-of-mind [concern] for prospects to a point where more prospects seek out on-demand because it’s secure,” said Topolovac.

Is 2006 the year of on-demand software? Click here to read more.

But are on-demand deployments really more secure?

Most companies already have significant exposure to Internet-based threats and attacks and may not have the expertise or resources to properly manage that threat, Topolovac said. “It’s like keeping your money under the mattress instead of in a bank. Customers already have their data online. It’s already tied to the Internet. You’re a machine shop in Milwaukee? You’re on the Internet,” Topolovac said.

More enterprises are looking for ways to connect remote employees, business partners and suppliers to critical applications. In such an environment, companies such as and Arena are better prepared to address security than most traditional software providers are.

“We don’t create a security problem, we provide a solution to it,” Topolovac said.

The worm was written by a MySpace user named “Samy” and used a combination of JavaScript and AJAX code and took advantage of lax Web-browser security to silently inject a small piece of malicious code into the MySpace profiles of those users who viewed a page set up by the attacker. The code added Samy to the victims’ lists of friends and also spread to their MySpace profiles. Within 24 hours, the XSS worm had netted Samy over a million new “friends” and prompted to shut down the service to remove the infection.

In a world in which Web-based services such as are used to connect critical applications across company lines, a hack in one part of the Web services chain could quickly spread, MySpace-like, and affect other organizations in the chain, Sima said.

“Companies have to ask: ‘If my partner goes down or gets hacked, how will that appear on my site?’” said Sima.

Development Worries

Security experts agree that lax development practices are responsible for many of the vulnerabilities in software today and that the move to deploy applications on the Internet—especially those that were originally written to run on individual PCs—may be outpacing education on the security risks that go along with that move.

“The age of Internet software is here. The vendors need to get over it and design it all [to be used] that way,” said Gary McGraw, CTO of Cigital, in Dulles, Va., and a well-known expert on writing secure software. “Everybody should be writing code as if it’s going to be exposed on the Internet. Developers have to understand that.

Next page: Locking down Windows Live.

“Eighty percent of the problems we find [in code reviews], we tell the development team, and they say, ‘You’re not supposed to do that.’ They have to overcome that kind of natural optimism. Most developers believe software security is security software,” McGraw said.

Microsoft’s new on-demand products such as Windows Live and Office Live will undergo the same security reviews as the company’s traditional client and server software. However, Microsoft is also planning changes to its

Security Development Lifecycle program that address security issues in Web-based deployments, Howard said.

However, improving developer education is only one part of the solution. On-demand companies also need to secure the networks of ASPs (application service providers) that deliver the applications to customers. For companies such as Microsoft, that means qualifying hosting service providers and even third-party device makers whose products might run services such as Windows Live, said Peter Boden, director of security risk management at Microsoft.

“[On demand] means a big shift in control,” said Samir Kapuria, principal security strategist at Symantec, in Cupertino, Calif. “Enterprises have to rely on third parties to manage and maintain controls and privileges that were [previously] managed by in-house security.”

You’re the First Defense

Despite that shift to more secure development, on-demand customers are still on the hook to comply with regulations regarding the handling of data, even though they do not control the information, Kapuria said.

Microsoft hasn’t decided where data for its Windows Live and Office Live services will reside. The answer to that question ultimately may hinge on the value of the data, Howard said.

The company is currently vetting third-party hosting service providers for the Windows Live and Office Live services. Those providers will have to adhere to Microsoft’s standards for network and physical security. That includes everything from locks and cameras to properly trained administrative staff and well-established business continuity planning, Howard said.

Microsoft also plans to use teams of “white hat” hackers to do penetration testing of hosting partners’ infrastructure before allowing the hosting partners to host Windows Live or Office Live, Howard said.

Client machines are also a major security risk, adding to the difficulty of securing on-demand deployments, experts said.

“Attacks on the client really worry me,” said Howard. “Regardless of the [operating system], if you push [code] down to people’s desktops, bad guys can take advantage of that.”

Even low-tech hacks such as shoulder surfing are a threat to companies that keep reams of sensitive data on servers operated by companies such as or PeopleSoft, said Cliff Bell, CIO of Phoenix Technologies, in Milpitas, Calif.

Phoenix has developed and is testing a product that will use a Web services API with single-sign-on capabilities to allow companies that use Phoenix’s secure BIOS software to generate trusted certificates for securely logging in to The software would require on-demand users to use an authorized laptop and provide a valid user identity and password to access, Bell said.

In the end, the biggest challenge for companies such as Microsoft that see their future in on-demand software may be getting customers to understand and be comfortable with the model.

And, the current state of network and application security at most companies is poor enough to make it hard to imagine on-demand deployments being any worse, experts agree.

“Eventually, your entire desktop will be on Google’s servers, and you’ll just pay to use it on a monthly basis,” said Sima. “All the security people scream and jump about that, saying that all your data is in one location … but is that any worse than what we have today? Hell, no!”

Senior Writer Ryan Naraine contributed to this report.

Check out’s for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at Security Center Editor Larry Seltzer’s Weblog.