Software as a service may seem like good news for users, but it could also be an open invitation to attackers.
It's rare to get decent tech news from the mainstream media. Usually it takes around six months from the time a story breaks in the specialist press until it finally reaches the mainstream, so if a story about some new technology has made it that far, it is probably about something significant. So, back in June, my ears pricked up when I listened to a BBC radio programme covering the movement towards "software as a service" (SaaS).
The programme covered the key aspects of SaaS quite well: how, by building on Web 2.0 technologies such as Ajax, developers can deliver rich applications, accessed through a web browser, from anywhere with an internet connection. It featured the example of a consultancy that had done away not only with its servers, but with all of its IT staff: not so much outsourcing as unsourcing. Its users were happy, with access to the company's data and key applications from anywhere, using the personal technology each individual was comfortable with. If you can use Gmail, you can use any SaaS application.
More recently, we have started to see moves towards even greater integration of these Web 2.0 applications, with Red Hat promoting the concept of the "online desktop", which focuses on using SaaS applications rather than locally installed ones.
But what about security? Although the BBC made reference to privacy issues, other security aspects were covered in a more positive light: your applications and data are being entrusted to "specialists", who will take care of everything, so you don't have to worry about availability, backups and so on.
But a few months ago a number of things happened that ought to make anyone think a little harder about security. First, several Google Web 2.0 applications were found to have flaws that enabled attackers to steal contact details or even entire email messages. Then, in September, the US job site Monster.com was compromised: phishing emails and Trojans had been used to automate the download of information stored in the accounts of advertisers and agencies.
If some of the largest online specialists are already making mistakes, what will happen when everyone jumps on the SaaS bandwagon and rushes out the Web 2.0 versions of their applications?
The risk profile is also different. With a traditional client-server application, an attacker has to get onto your network before they can reach your systems, either by physically accessing your premises or by finding a way through your perimeter security. But the very nature of SaaS means that the interfaces to your main systems are now directly on the internet: identifiable and accessible to all. For a SaaS provider to be successful, it must also attract a large number of clients, and that makes the "prize" much greater for an attacker: once the system has been cracked, there is likely to be a lot more data to obtain, from many customers at once.
The economic realities also mean that support, particularly in the event of a breach, will be rather different from what you might get from your in-house IT department. What would you do if you suspected you had given your password to an attacker? You can't ask your IT guy to print off the access logs to see whether you've been compromised. It is unlikely that a SaaS provider would be as responsive when the impact is on only one client; they are going to be far more concerned with maintaining availability of the service for all their customers. The system is not going to be stopped while the forensic people get to work.
We have also not yet heard of any denial-of-service attacks on a SaaS provider. But once SaaS services become business-critical, you can be sure that such attacks, together with demands for ransom, will follow.
So, while SaaS holds a lot of promise for a new generation of low-cost, simple-to-use applications, it brings a whole new set of dangers from an information security point of view. You have been warned.
- Ian Castle, CISSP, is a senior consultant at ECSC and heads the internet defence division.