Researchers say search, seizure protection may not apply to SaaS data

By Robert Westervelt, News Editor
31 Jul 2009 | SearchSecurity.com


Firms embracing Software as a Service (SaaS) are not protected from government and civil search and seizure actions and may not be informed if their SaaS data is seized from their provider, according to a researcher studying the issue.

"In cloud computing, you will not have the ability to fight seizure before it happens," said Alex Stamos, co-founder and partner of security consultancy iSEC Partners Inc. "You may not even know. There are no legal requirements for [SaaS providers] to notify you, and in fact, they may be gagged from doing so."

Stamos is referring to the SaaS model, in which the entire IT stack, from the servers to the front-end JavaScript software, is hosted outside the company walls. Because the SaaS data is off premise, it could be considered unprotected by the Fourth Amendment, which guards against unreasonable searches and seizures. As a result, law enforcement might need only a subpoena to seize a company's or individual's data residing on a SaaS vendor's servers, Stamos said. A subpoena, which commands a person to appear before a court or produce documents, faces fewer legal hurdles to issue; a search warrant, by contrast, requires probable cause to be approved.

Stamos highlighted the issue during a presentation on cloud computing models and vulnerabilities given Thursday at the 2009 Black Hat conference in Las Vegas. He was joined by fellow researchers Andrew Becherer and Nathan Wilcox, who examined a variety of security issues presented by platform and infrastructure service providers.

The Electronic Frontier Foundation, a non-profit free speech and digital rights organization, has weighed in on the issue, warning that "storing data yourself, on your own computers -- without relying on the cloud -- is the most legally secure way to handle your private information, generally requiring a warrant and prior notice."

Stamos said he contacted Google Inc. and was told that Google policy is to inform a customer of any legal orders it receives. Stamos, however, points out that there is no such statement written into end-user license agreements (EULAs) for Google Docs and other cloud-based services it offers. Its privacy policy states that the company will share data with the government to satisfy "any applicable law, regulation, legal process or enforceable government request."

"By letter of the law, physical ownership of machines is very important, no matter what different lawyers say," Stamos said.

In addition, most EULAs for SaaS and other cloud-based service providers fail to promise anything to the customer. Stamos urges people who are negotiating with a SaaS vendor to try to get a written promise from the service provider to help in the event of a data breach, data loss or other disaster in which information needs to be recovered.

Even if the SaaS provider could offer assistance, Stamos found that many lacked the audit and log data necessary to aid in an investigation. Some providers, such as Salesforce.com, log login and administrative events; Google Apps and Microsoft Office Live do not. None of the three offerings records which documents a user has read.

Also, not all service providers allow external penetration testing. Amazon Web Services, however, does allow the practice, and Salesforce.com and Google similarly allow application-level pen testing of hosted applications.

Companies can take over some controls from the SaaS provider. Although the approach obviously defeats the purpose of SaaS, Stamos said, it does provide more security controls. Enabling Security Assertion Markup Language (SAML), for example, could give IT the ability to closely control and monitor authentication. SAML also gives a company the option to place the SaaS portal behind a VPN.
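To make the SAML point concrete, the following is an added example (not code from the article, from iSEC Partners, or from any of the providers named) of the checks a company's own SAML service-provider endpoint would apply to an incoming assertion before granting access, and of the audit record it can emit for each attempt. The issuer, audience and user in the constructed sample assertion are placeholders; XML signature verification is assumed to have been done beforehand by a dedicated XML-DSig library and is not implemented here.

```python
"""Service-provider side SAML 2.0 assertion checks with an audit record per attempt.

Added example for this article. It parses a constructed assertion with the
standard library, enforces the Conditions the identity provider attached to
it (validity window, intended audience), rejects replayed assertion IDs and
returns a record that can be written to the company's own log. Signature
verification is assumed to have already happened in an XML-DSig library.
"""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion; issuer, audience and subject are placeholders.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_example-assertion-1" Version="2.0" IssueInstant="2009-07-31T15:00:00Z">
  <saml:Issuer>https://idp.example.com/saml</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.com</saml:NameID>
  </saml:Subject>
  <saml:Conditions NotBefore="2009-07-31T14:59:00Z" NotOnOrAfter="2009-07-31T15:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://saas.example.net/sp</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AuthnStatement AuthnInstant="2009-07-31T14:59:30Z" SessionIndex="_sess-1">
    <saml:AuthnContext>
      <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
    </saml:AuthnContext>
  </saml:AuthnStatement>
</saml:Assertion>
"""


def _parse_utc(value):
    """SAML timestamps are xs:dateTime values in UTC with a trailing Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_assertion(xml_text, expected_issuer, expected_audience, now, seen_ids,
                    clock_skew=timedelta(seconds=60)):
    """Apply the service-provider checks to one assertion and return an audit record.

    'accepted' is False and 'reason' is set when any check fails. seen_ids is the
    caller's store of assertion IDs already consumed (replay protection).
    """
    root = ET.fromstring(xml_text)
    authn = root.find("saml:AuthnStatement", SAML_NS)
    record = {
        "assertion_id": root.get("ID"),
        "issuer": root.findtext("saml:Issuer", namespaces=SAML_NS),
        "subject": root.findtext("saml:Subject/saml:NameID", namespaces=SAML_NS),
        "authn_instant": authn.get("AuthnInstant") if authn is not None else None,
        "authn_context": root.findtext(
            "saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef",
            namespaces=SAML_NS),
        "accepted": False,
        "reason": "",
    }

    def reject(reason):
        record["reason"] = reason
        return record

    if record["issuer"] != expected_issuer:
        return reject("unexpected issuer")
    cond = root.find("saml:Conditions", SAML_NS)
    if cond is None or cond.get("NotBefore") is None or cond.get("NotOnOrAfter") is None:
        return reject("missing validity window")
    # Allow a small clock skew between the IdP and this service.
    if now < _parse_utc(cond.get("NotBefore")) - clock_skew:
        return reject("assertion not yet valid")
    if now >= _parse_utc(cond.get("NotOnOrAfter")) + clock_skew:
        return reject("assertion expired")
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", SAML_NS)]
    if expected_audience not in audiences:
        return reject("assertion not intended for this service")
    if record["assertion_id"] in seen_ids:
        return reject("assertion replayed")
    if not record["subject"] or record["authn_instant"] is None:
        return reject("missing subject or authentication statement")
    seen_ids.add(record["assertion_id"])
    record["accepted"] = True
    return record


def audit_line(record):
    """One log line per authentication attempt, for the company's own log collector."""
    status = "ACCEPT" if record["accepted"] else "REJECT"
    return ("saml_authn status={} subject={} issuer={} assertion_id={} authn_instant={} "
            "context={} reason={!r}").format(
        status, record["subject"], record["issuer"], record["assertion_id"],
        record["authn_instant"], record["authn_context"], record["reason"])


def demo():
    """Run the sample assertion through a fresh accept, a replay, and a late arrival."""
    issuer, audience = "https://idp.example.com/saml", "https://saas.example.net/sp"
    now = datetime(2009, 7, 31, 15, 0, 30, tzinfo=timezone.utc)
    seen = set()
    first = check_assertion(SAMPLE_ASSERTION, issuer, audience, now, seen)
    replay = check_assertion(SAMPLE_ASSERTION, issuer, audience, now, seen)
    late = check_assertion(SAMPLE_ASSERTION, issuer, audience, now + timedelta(minutes=10), set())
    return first, replay, late


if __name__ == "__main__":
    for rec in demo():
        print(audit_line(rec))
```

Because the company runs this endpoint itself, every login attempt against the SaaS application produces a record in its own logs regardless of what the provider retains, and the same chokepoint is where a VPN-only access requirement would be enforced.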

Ultimately, enterprises need to set strong security policies with regard to SaaS and educate users on basic security procedures.

"It's difficult to teach all non-technical people, but user education is key," Stamos said. "Phishing attacks are not just a personnel issue, but an enterprise issue, too."
