This article can also be found in the Premium Editorial Download "Information Security magazine: Seven questions to ask before committing to SaaS."
Outsourcing an application means your organization relinquishes some control; don't, however, loosen your grip on security.
In a bizarre way, the high-profile phishing attack against Salesforce.com last fall suggests the software-as-a-service (aka SaaS) model has come of age.
In that attack, a spoofed email message was apparently used to lure a Salesforce.com employee to release certain customer information, which was in turn used to launch a secondary phishing campaign. While the breach was certainly embarrassing, it illustrates the power of the Salesforce.com brand.
It also reminds businesses of all sizes that just because they've outsourced an application doesn't mean they can be any less vigilant about defining a security policy. The difference is now they'll need to entrust enforcement to someone else.
"A lot of the time, I find I'm putting myself in the role of a chief security officer," says Mathew Hegarty, director of infrastructure and security for Net@Work, an IT services firm in New York that often recommends the SaaS approach to its customers. There are certain fundamental things you need to study--from authentication policy to infrastructure redundancy to how often the SaaS provider invests in independent penetration testing--especially when you're talking about a multi-tenant service, where all customers share the same instance of the software, Hegarty says.
"The biggest thing we focus on with all of this is control of the data," says Michael Mucha, chief information security officer for Stanford Hospital in Palo Alto, Calif., which uses several clinical applications that are delivered as a service, including transcription, radiology and analysis systems. Given that health care is by far the most regulated industry he has worked in, Mucha has created a standardized checklist for his technical assessment of any application delivered via the SaaS model. Among the most critical of those items are whether the service provider complies with SAS 112 audit requirements (which applies to nonprofits), how it documents its procedures for handling a security breach, and how it handles requests for changes and customized features, Mucha says.
Even more important will be the simple policies that a SaaS provider uses among its staff to protect your data. "We have complete access to the data, and we are the only ones with control of the authentication," Mucha says. "The point is that you need a consistent approach to all these situations."
The Salesforce.com breach, which the company acknowledged in an email last November, offers a perfect example of why this is critical. In that message, the SaaS giant confirmed that data stolen from Salesforce.com was later used to compromise accounts at some of its customers, and it moved to disclose its exposure. Salesforce.com declined to comment on its security policy for this story, but in its email last fall it made several suggestions for how customers could protect themselves in the future: ignoring potential phishing messages, activating IP range restrictions so that the software could only be used from a specified internal network or VPN, and using two-factor authentication.
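To make the last two of those suggestions concrete, here is an added example (not Salesforce.com's code, and not part of the original article) of how a login gate enforces an IP-range restriction and a time-based one-time-password second factor. The allowed networks, the shared secret (the RFC 4226/6238 test-vector seed) and the clock values are constructed for the illustration; the function names are assumptions. The point the breach makes is visible in the code: a phished password alone satisfies neither check.

```python
"""Worked example of two SaaS login controls: an IP-range restriction and
a TOTP second factor (RFC 6238). Added illustration, not Salesforce.com
code. Ranges, secret and clock values are constructed for the example."""
import hashlib
import hmac
import ipaddress
import struct
import time
from typing import List, Optional, Tuple

# Constructed: the customer's office network plus its VPN egress block.
ALLOWED_RANGES = ["10.0.0.0/8", "203.0.113.0/24"]
# Constructed: the RFC 4226/6238 test-vector seed, so results are checkable.
SECRET = b"12345678901234567890"
TIME_STEP = 30   # seconds per TOTP step
WINDOW = 1       # accept one step of clock skew either way


def ip_allowed(client_ip: str, ranges: List[str] = ALLOWED_RANGES) -> bool:
    """True if client_ip falls inside any allowed network.

    client_ip must be the transport-layer peer address (or a value set by
    a trusted reverse proxy); an attacker-controlled X-Forwarded-For
    header would let a phished credential walk around the restriction.
    """
    try:
        addr = ipaddress.ip_address(client_ip)
    except ValueError:
        return False
    return any(addr in ipaddress.ip_network(r) for r in ranges)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically
    truncated to `digits` decimal digits."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = int.from_bytes(digest[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp_at(secret: bytes, unix_time: int, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the clock."""
    return hotp(secret, unix_time // TIME_STEP, digits)


def verify_totp(secret: bytes, code: str, unix_time: int) -> bool:
    """Constant-time comparison against the current step and its WINDOW
    neighbours, which absorbs small clock skew on the user's token."""
    if not code.isdigit():
        return False
    counter = unix_time // TIME_STEP
    return any(
        hmac.compare_digest(hotp(secret, counter + delta), code)
        for delta in range(-WINDOW, WINDOW + 1)
    )


def evaluate_login(client_ip: str, code: str, secret: bytes = SECRET,
                   unix_time: Optional[int] = None) -> Tuple[bool, str]:
    """Apply both controls after the password check (not shown). A stolen
    password alone fails the network check from outside and, from inside,
    still fails without the second factor."""
    now = int(time.time()) if unix_time is None else unix_time
    if not ip_allowed(client_ip):
        return False, "source address not in allowed ranges"
    if not verify_totp(secret, code, now):
        return False, "second factor rejected"
    return True, "ok"


if __name__ == "__main__":
    # Attacker replaying a phished password from the Internet: blocked on IP.
    print(evaluate_login("198.51.100.7", totp_at(SECRET, 59), unix_time=59))
    # Legitimate user on the VPN with a fresh code: allowed.
    print(evaluate_login("203.0.113.9", totp_at(SECRET, 59), unix_time=59))
```

The IP check runs first so that an attacker outside the allowed networks never gets to probe the second factor; the skew window is deliberately small, because every extra step widens the set of codes an attacker can guess or replay.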
Building on those ideas, we offer seven questions you should resolve with your provider before investing in SaaS.
This was first published in May 2008