Software as a Service and Security

February 7, 2006

These days, computer users are online not only for longer periods of time and more frequently, but they are also conducting more important transactions via e-mail and the Internet. Activities like banking online, trading stock, purchasing products and services, and managing personal accounts through Web sites are becoming more common. While the Internet makes conducting such activities more convenient, it has also opened up a new form of fraud that scammers are taking advantage of in increasing numbers. As a result, online fraud is becoming a growing problem – not only for consumers but for enterprises as well.

What is software as a service?

Software as a service is software that is not downloaded onto a client like traditional software but instead is hosted on a server and accessible to a client over the Web. In addition, rather than the traditional licensing model, the software as a service platform typically uses a usage-based pricing model.

Is software as a service targeted at consumers or enterprises?

The software as a service concept is targeted at and offers benefits to both consumers and enterprises. For example, with little up-front expense, quick implementation, and usage-based pricing, software as a service can lower the costs of using applications. In addition, because it is not downloaded onto a client, it also obviates the space and memory requirements typically associated with software applications.

What are the security implications of software as a service?

The software as a service model creates a number of areas of concern. Enterprises can leverage virtual private networks (VPNs), encryption, network security tools, and other mechanisms to address many of these concerns. But for consumers, software as a service means that the security of the information associated with the hosted application is dependent not only on their local security but also on the security of the service provider and of the application itself.

Software as a service environments also become a more attractive target for hackers since they offer a more streamlined, efficient, and direct path to large volumes of sensitive information. Whereas a hacker traditionally would have to expend considerable time and effort to locate and then gain access to confidential corporate or customer information, the software as a service model puts the data of its many clients in a central location that is accessible over the Web by authorized customers as well as by malicious users who might simply hijack the account of a legitimate user.

Does the current threat landscape reflect any threats to software as a service?

Software as a service relies on a Web browser in order to access applications over the Internet. Web browsers are also becoming a preferred point through which hackers enter systems. Drive-by downloading—the use of vulnerabilities in browsers to force software installs such as spyware—has become common. According to the Symantec Internet Security Threat Report covering the first six months of 2005, six of the top 10 spyware programs and eight of the top 10 adware programs reported to Symantec were installed through Web browsers.

Also, Web applications, which rely on a browser for their user interface and are often hosted on Web servers, are the foundation of software as a service. Yet, vulnerabilities in Web-based applications are a security concern. According to the same Internet Security Threat Report, the majority of vulnerabilities documented by Symantec affected Web applications. During this period, 1,100 vulnerabilities—or 59 percent of the total volume—were classified as Web application vulnerabilities, marking a 59 percent increase over the 694 Web application vulnerabilities disclosed in the last six months of 2004.

What’s more, vulnerabilities in Web-based applications are threatening because they are traditionally exposed to the Internet through a Web server. Cross-site scripting attacks exploit vulnerabilities in a Web-based application to spoof content. These attacks can have many possible consequences, including hijacked user accounts.

SQL injection attacks are attacks on a database server used by a Web-based application that are made possible by inadequate security checks in the application. The consequences also vary, from unauthorized disclosure of potentially sensitive data to complete compromise of the database.

Also, input validation vulnerabilities occur when an application fails to check externally supplied data for validity. Data of an unexpected form can sometimes cause security failures if the vulnerable application has not implemented validation checks.
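To make the three application-level weaknesses above (cross-site scripting, SQL injection, and missing input validation) concrete, here is an added Python example; it is not code from the original article or from Symantec. It uses a constructed in-memory SQLite user table and hypothetical function names: a lookup that builds its query by string concatenation beside the parameterized form that a hosted application should use, an allowlist validator for the username field, and HTML output encoding so that markup in user-supplied data is rendered as text rather than executed by the browser.

```python
import html
import re
import sqlite3

# Constructed sample data standing in for the hosted application's
# customer database (not from the article).
SAMPLE_USERS = [("alice", "alice@example.test"), ("bob", "bob@example.test")]


def make_db():
    """Build the in-memory user table used by the lookups below."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def lookup_vulnerable(conn, name):
    """The 'inadequate security check' case: the externally supplied value
    is spliced into the SQL text, so the database parses it as SQL."""
    sql = "SELECT name, email FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, name):
    """Hardened form: the value is bound to a placeholder and never becomes
    part of the SQL grammar, whatever characters it contains."""
    sql = "SELECT name, email FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


# Allowlist for the one field this application expects: a lowercase
# identifier of at most 32 characters (hypothetical policy).
USERNAME_RE = re.compile(r"[a-z][a-z0-9_]{0,31}")


def validate_username(name):
    """Input validation: accept only data of the expected form and reject
    everything else before it reaches the database or the page."""
    return isinstance(name, str) and USERNAME_RE.fullmatch(name) is not None


def render_greeting(name):
    """Output encoding against cross-site scripting: any markup in the
    value is escaped so the browser displays it instead of interpreting it."""
    return "<p>Hello, " + html.escape(name, quote=True) + "</p>"


if __name__ == "__main__":
    db = make_db()
    # A value that is not a valid username but still matches the vulnerable
    # query's grammar; the parameterized lookup treats it as plain text.
    tainted = "' OR '1'='1"
    print("vulnerable   :", lookup_vulnerable(db, tainted))
    print("parameterized:", lookup_parameterized(db, tainted))
    print("validated    :", validate_username(tainted))
    print("rendered     :", render_greeting("<b>bob</b>"))
```

The point of the pairing is that parameter binding fixes the database side regardless of what the input contains, while the allowlist check and the output encoding are what stop the same data from causing trouble in the application and the browser; a hosted application needs all three, because a single database fix does nothing for the account-hijacking consequences of cross-site scripting described above.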

How do vendors make software as a service more secure?

To ensure the confidentiality, availability, and integrity of software as a service, vendors need to ensure that the application they are hosting is secure; that operational security mechanisms—their policies, procedures, and protocols—are in place and well managed; and that they have established a disaster recovery program with redundancy and failover.

What types of applications tied into software as a service are at greatest risk from a security perspective?

Any Web application is at risk, as is anything that uses software to run—whether it is a network printer, a handheld device, a mainframe computer, or a traditional client-server application. All of these can have security vulnerabilities.

While there is no single type of application that poses more of a security risk than another, some applications are more likely targets for hackers. These include information-rich applications such as customer relationship management (CRM), enterprise resource planning (ERP), accounting, and human resources (HR) applications as well as hosted messaging applications.

What does software as a service mean for the security perimeter?

The perimeter dissipates in the software as a service model. In the traditional, infrastructure-focused view of security, the network perimeter is protected from malicious users via layered defense such as firewalls, intrusion detection systems, monitoring systems, and more. This layered defense was put in place to keep unauthorized individuals and malicious code away from the critical applications and sensitive data contained behind those lines of defense.

When these applications are put on the Internet, firewalls can no longer keep unauthorized users out because the Web application is deliberately allowing all Internet users to access it. As a result, to maintain security in a software as a service environment, application security becomes a top priority.

What are the regulatory compliance implications of software as a service?

A company must show due diligence in its relationships with third-party providers to ensure that those providers maintain and comply with U.S. and international regulations to which that company is subject. Under such regulations, it is the responsibility of the company—not the software as a service provider—to protect sensitive information.

What are some best practices for enterprises and consumers?

Symantec recommends that administrators audit their systems to ensure that no vulnerable Web applications are being hosted in their software as a service infrastructure. They should also keep patch levels of applicable software up-to-date and enforce strong identification, authentication, authorization, accountability, and privacy controls.
