Firms embracing Software as a Service (SaaS) are not protected from government and civil search and seizure actions and may not be informed if their SaaS data is seized from their provider, according to a researcher studying the issue.
"In cloud computing, you will not have the ability to fight seizure before it happens," said Alex Stamos, co-founder and partner of security consultancy iSEC Partners Inc.. "You may not even know. There are no legal requirements for [SaaS providers] to notify you, and in fact, they may be gagged from doing so."
Stamos highlighted the issue during a presentation on cloud computing models and vulnerabilities given Thursday at the 2009 Black Hat conference in Las Vegas. He was joined by fellow researchers Andrew Becherer and Nathan Wilcox, who examined a variety of security issues presented by platform and infrastructure service providers.
The Electronic Frontier Foundation, a non-profit free speech and digital rights organization, has weighed in on the issue, warning that "storing data yourself, on your own computers -- without relying on the cloud -- is the most legally secure way to handle your private information, generally requiring a warrant and prior notice."
"By letter of the law, physical ownership of machines is very important, no matter what different lawyers say," Stamos said.
In addition, most EULA agreements for SaaS and other cloud-based service providers fail to promise anything to the customer. Stamos urges people who are negotiating with a SaaS vendor to try to get a written promise from the service provider to help in the event of a data breach, data loss or other disaster where information needs to be recovered.
Even if the SaaS provider could offer assistance, Stamos found that many lacked the audit and log data necessary to aid in an investigation. Although some providers, like Salesforce.com, support login and admin events, Google Apps and Microsoft Office Live do not. Still, all three offerings fail to support the ability to read document-read records.
Also, not all service providers allow external penetration testing. Amazon Web Services, however, does allow the practice, and Salesforce.com and Google similarly allow application-level pen testing of hosted applications.
Companies can take over some controls from the SaaS provider. Although the approach obviously defeats the purpose of SaaS, Stamos said, it does provide more security controls. Enabling Security Assertion Markup Language (SAML), for example, could give IT the ability to closely control and monitor authentication. SAML also gives a company the option to place the SaaS portal behind a VPN.
Ultimately, enterprises need to set strong security policies with regard to SaaS and educate users on basic security procedures.
"It's difficult to teach all non-technical people, but user education is key," Stamos said. "Phishing attacks are not just a personnel issue, but an enterprise issue, too."