Thursday, April 19, 2007

Out of our hands

Everyone is figuring out that Web-based applications are the future of software with Software as a Service (SaaS) as the delivery model of choice. Businesses are migrating to Salesforce.com. Google Apps launched in full force to disrupt Microsoft Office dominance. And who knows how many businesses have been made possible using eBay’s marketplace. The advantages and cost savings of Web-based applications and SaaS are just too good to ignore despite how much sensitive data is being uploaded.

Even us everyday users are taking advantage of easy-to-use Web applications. Online banking, when is the last time you went to your local branch? Heck, even they host their web apps. Taxes, tens of millions filed online this year. They host too. Hundreds of millions use Web mail, instead of or in combination with Desktop email applications. When it comes down to it, it’s hard to know who really has your data anyway, maybe a dozen or more companies. What this also means for security practitioners is that the rules and business requirements have changed dramatically yet again.

Lack of Control
Any information users upload or create (email, documents, spreadsheets, marketing information, etc.) is now publicly accessible. (Google Calendar) The data resides on someone else's web servers, publicly available 24/7/365, not on your private local network, and its security is beyond your immediate control. How much do you trust or understand the security practices of the hosting company? You can’t make your data secure even if you want to.

Escalating Risk
While various web-based systems start off small in terms of users (also like Salesforce.com), they are relatively unattractive targets for the bad guys. However, as they increase in popularity with millions of user registrations, more bad guys will target them for the potential payoff. MySpace is a good example of this, and the data they store no one would really consider sensitive. Think of other financial or information-oriented systems with millions of users; those are the REALLY attractive targets.

Incident Response
Should a breach occur, how would you know? Would the company be legally obligated to tell you? Under what circumstances? (Turbo Tax) What is their backup and disaster recovery policy? Are you out of business during that time? These are serious business security and continuity issues should organizations rely upon these services for day-to-day operations. Downtime costs could be huge.


Anyway, I wish I had more in the way of immediate solutions beyond testing the security yourself. But that is probably not legal and they are unlikely to hand over written consent. As more breaches occur, we’ll figure out the answers.

1 comment:

Anonymous said...

SaaS is the same thing as BPV and Outsourcing. It's been done forever. Nothing new here.

GCalendar was down for at least 4 hours yesterday, and all the GMail/GApps are still listed as BETA (probably indefinitely). They are not Enterprise class software, and neither is Salesforce.

I'm sure (100% positive) all of eBay's and Intuit/TTO's web application vulnerabilities are primarily due to their mis-managed decision-making processes, and a lack of talent in development (based on the fact that they are well-known to be bad places to work for/with).

Google and Microsoft do a better job than most others at knocking out their WA vulnerabilities, but that's probably because they attract better talent (because they are good places to work for) and make good decisions (e.g. listening to their assessors, building security into their products early on, et al).

Identifying burned-in and hardened infrastructure, social, individual, and instructional capital metrics is probably a good way to make decisions about outsourcing.