News Stay informed about the latest enterprise technology news and product updates.

Researchers say search, seizure protection may not apply to SaaS data

Researchers examining cloud computing security issues presented a number of technical and legal hurdles that Software as a Service users could face.

Firms embracing Software as a Service (SaaS) are not protected from government and civil search and seizure actions and may not be informed if their SaaS data is seized from their provider, according to a researcher studying the issue.

"In cloud computing, you will not have the ability to fight seizure before it happens," said Alex Stamos, co-founder and partner of security consultancy iSEC Partners Inc.. "You may not even know. There are no legal requirements for [SaaS providers] to notify you, and in fact, they may be gagged from doing so."

Black Hat USA 2009

Get the latest news and interviews from this year's Black Hat USA in Las Vegas.
Stamos is referring to the SaaS model, in which the entire IT stack, from the servers to the front-end JavaScript software, is hosted outside the company walls. Since the SaaS data is off premise, it could be considered unprotected by the Fourth Amendment, which guards against unreasonable searches and seizures. As a result, law enforcement could potentially only be required to get a subpoena to seize a company or individual's data residing in a SaaS vendor's servers, Stamos said. To issue subpoenas, which command a person to appear before court or produce documents, there are less legal hurdles to overcome. A search warrant, by contrast, requires probable cause to get approved.

Stamos highlighted the issue during a presentation on cloud computing models and vulnerabilities given Thursday at the 2009 Black Hat conference in Las Vegas. He was joined by fellow researchers Andrew Becherer and Nathan Wilcox, who examined a variety of security issues presented by platform and infrastructure service providers.

The Electronic Frontier Foundation, a non-profit free speech and digital rights organization, has weighed in on the issue, warning that "storing data yourself, on your own computers -- without relying on the cloud -- is the most legally secure way to handle your private information, generally requiring a warrant and prior notice."

Stamos said he contacted Google Inc. and was told that Google policy is to inform a customer of any legal orders it receives. Stamos, however, points out that there is no such statement written into end-user license agreements (EULAs) for Google Docs and other cloud-based services it offers. Its privacy policy states that the company will share data with the government to satisfy "any applicable law, regulation, legal process or enforceable government request."

"By letter of the law, physical ownership of machines is very important, no matter what different lawyers say," Stamos said.

In addition, most EULA agreements for SaaS and other cloud-based service providers fail to promise anything to the customer. Stamos urges people who are negotiating with a SaaS vendor to try to get a written promise from the service provider to help in the event of a data breach, data loss or other disaster where information needs to be recovered.

Even if the SaaS provider could offer assistance, Stamos found that many lacked the audit and log data necessary to aid in an investigation. Although some providers, like, support login and admin events, Google Apps and Microsoft Office Live do not. Still, all three offerings fail to support the ability to read document-read records.

Also, not all service providers allow external penetration testing. Amazon Web Services, however, does allow the practice, and and Google similarly allow application-level pen testing of hosted applications.

Companies can take over some controls from the SaaS provider. Although the approach obviously defeats the purpose of SaaS, Stamos said, it does provide more security controls. Enabling Security Assertion Markup Language (SAML), for example, could give IT the ability to closely control and monitor authentication. SAML also gives a company the option to place the SaaS portal behind a VPN.

Ultimately, enterprises need to set strong security policies with regard to SaaS and educate users on basic security procedures.

"It's difficult to teach all non-technical people, but user education is key," Stamos said. "Phishing attacks are not just a personnel issue, but an enterprise issue, too."

Dig Deeper on Secure SaaS: Cloud application security

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.