As the thirst for low-maintenance on-demand software continues to grow in the enterprise, some security experts and customers worry that security weaknesses could disrupt on-demand applications and leave them high and dry.
For now, these security concerns lurk well below the surface—few of the big vendors pitching their wares at the RSA Conference on Feb. 13 in San Jose, Calif., will have products addressing the security of on-demand offerings. Nevertheless, security experts note that technology departments need to ask tough questions of their service providers and ensure their offerings are as secure as possible.
Meanwhile, the on-demand bandwagon swells. This week, SAP launched on-demand CRM (customer relationship management) software. In November, Microsoft Chairman and Chief Software Architect Bill Gates and Chief Technical Officer Ray Ozzie announced two new Internet-based services: Windows Live and Office Live.
Those two behemoths join the services-based software distribution model pioneered by companies such as Salesforce.com, PeopleSoft (now part of Oracle), Hyperion Solutions and Digital Insight. Lately, the idea has been championed in the consumer space by tech darling Google in programs such as Google Base.
“This is a great business model with some significant benefits, but there are some critical security questions you have to ask your service provider before putting your data on someone else’s server,” said John Pescatore, an analyst at Gartner, in Stamford, Conn. “Security has to be a key criterion in your decision to outsource IT and business functions. If you neglect security, you’re taking the risk of regulatory exposure and loss of business.”
Translation: Before enterprises can reap the benefits of on-demand software, providers will have to convince IT managers and CIOs that the services they offer are reliable and, perhaps more important, secure. For many, the push to host information and manage customers’ data raises the specter of massive information breaches such as those that plagued ChoicePoint and LexisNexis last year.
And the on-demand model presents its own set of unique security problems, including threats such as replay and man-in-the-middle attacks, as well as concerns about the security practices of the hosting and service providers themselves.
Advocates argue that service-based software deployments could mean better, not worse, security for many companies that already struggle to keep up with Internet threats. With the market for on-demand software booming, technology for building secure Internet-based products, securing these deployments and protecting users is poised to become a major area of investment in coming years.
For Care Rehab and Orthopaedic Products, a medical device manufacturer, security was an important consideration when the company was evaluating Salesforce.com, a provider of on-demand CRM software services, said Ed Barrett, vice president at the 200-person company.
The company, which makes traction and electrotherapy devices that are used by physical therapy clinics and patients, has been using Salesforce.com’s software since March to monitor the activities of its salespeople and to track its entire inventory, as devices are prescribed by doctors and dispensed to patients. Care Rehab audited Salesforce.com’s security practices before agreeing to use the software. That audit included getting Salesforce.com staff members to show Care Rehab how they secured the data that was stored on their servers and reading documents describing Salesforce.com’s security practices.
The conclusion?
“Their security is superior to what we provide for ourselves,” said Barrett in McLean, Va. “If you’re Salesforce.com, you have to have the best people in security and the best redundancies. [We] need to have the best salespeople. I’m sure we aren’t the world’s best security people.”
That kind of thinking is becoming more common from customers considering a move to an on-demand software model, said Michael Topolovac, CEO of Arena Solutions, a provider of on-demand PLM (product lifecycle management) software. Based in Menlo Park, Calif., Arena has approximately 200 customers and 15,000 users in the high-tech, medical devices and consumer electronics industries. “Security has gone from being [a] top-of-mind [concern] for prospects to a point where more prospects seek out on-demand because it’s secure,” said Topolovac.
But are on-demand deployments really more secure?
Most companies already have significant exposure to Internet-based threats and attacks and may not have the expertise or resources to properly manage that threat, Topolovac said. “It’s like keeping your money under the mattress instead of in a bank. Customers already have their data online. It’s already tied to the Internet. You’re a machine shop in Milwaukee? You’re on the Internet,” Topolovac said.
More enterprises are looking for ways to connect remote employees, business partners and suppliers to critical applications. In such an environment, companies such as Salesforce.com and Arena are better prepared to address security than most traditional software providers are.
“We don’t create a security problem, we provide a solution to it,” Topolovac said.
What to Look For Before Jumping Into On-demand
That said, the meteoric rise of companies such as Salesforce.com has created a rush to get into the on-demand business, and that could lead to shoddy deployments, Topolovac said.
“You’ve got companies taking a client/server tool, putting it behind a firewall and running it on a hosting provider’s network and saying it’s on demand,” Topolovac said.
Enterprises looking at on-demand offerings should look for software that was built from the ground up for on-demand deployment, he said.
Companies also need to be mindful of a vendor’s internal security policies, experts say. If the service provider doesn’t have an explicit security policy already in place, chances are security wasn’t much of a consideration when the application was built.
“The vendors need upfront security policies. Software as a service needs to protect data right at the front, but that’s a little utopian,” said Rick Welch, vice president of the developer division at RSA Security, in Bedford, Mass. “You can’t always do it. Maybe you encrypt the most sensitive data in the database, then encrypt all of it in mass storage. The point is, the vendors have to homogenize that. It’s hard to do it uniquely [for each customer]. Without security policies, it’s hard to get consensus on what needs to be encrypted.”
Lagging Defenses
Welch said that the various data breaches that made headlines last year had the unintended effect of raising enterprises’ awareness level about the need to protect their data, and not just their networks. Because many companies now have partners, customers and others coming in and out of their networks on a regular basis, network security simply is not going to be sufficient to prevent the loss of sensitive data, especially when IT departments don’t have complete control of the applications.
In fact, traditional network protections such as IDS (intrusion detection system) and firewalls may not be a very effective solution for a new generation of threats that target Web-based applications, experts say.
For Mike Howard, the senior security program manager at Microsoft, SQL injection attacks are the bogeymen that keep him up at night. In SQL injection attacks, dynamically generated strings in Web applications are manipulated by attackers to send malicious SQL commands to the back-end database.
“We’re seeing more SQL injection attacks, and it’s very worrying. You can have a firewall in place, and people can still do whatever they want,” Howard said in Redmond, Wash.
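The defect Howard describes, as an added example that is not from the article: a lookup that splices a user-supplied value into the SQL text, beside the same lookup with the value bound as a parameter. Python with sqlite3; the table, rows and inputs are constructed here for illustration, and the firewall never sees anything but an ordinary HTTP request in either case.

```python
import sqlite3

# Constructed sample data for the demonstration (not from any real system).
ROWS = [("alice", "alice@example.com"), ("bob", "bob@example.com")]


def _db():
    """Fresh in-memory database holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", ROWS)
    return conn


def lookup_concat(name):
    """Vulnerable: the input becomes part of the statement text, so a quote
    character in it changes the structure of the query the database parses."""
    conn = _db()
    sql = "SELECT name, email FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_param(name):
    """Hardened: the statement text is fixed and the input travels as a bound
    parameter, so the database treats it as data whatever it contains."""
    conn = _db()
    sql = "SELECT name, email FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def demo():
    """Run both lookups on a benign and a quote-breaking input."""
    benign = "alice"
    hostile = "x' OR 'a'='a"  # textbook quote-breaking input, for illustration
    return {
        "concat_benign": lookup_concat(benign),    # the one matching row
        "concat_hostile": lookup_concat(hostile),  # every row in the table
        "param_benign": lookup_param(benign),      # the one matching row
        "param_hostile": lookup_param(hostile),    # no rows: nobody has that name
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label}: {rows}")
```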
Technologies such as JavaScript, XML and AJAX (Asynchronous JavaScript and XML) have also introduced new avenues for attack and exploitation, said Caleb Sima, co-founder and chief technology officer at SPI Dynamics, in Atlanta.
In January, Forum Systems, of Sandy, Utah, warned customers that AJAX-enabled applications were transforming Web browsers into Web services portals, exposing users to potentially corrupted data that can cause the browser to crash, slow servers or cause widespread disruptions by consuming network bandwidth.
An XSS (cross-site scripting) worm that downed popular social networking site MySpace.com in October could be a harbinger of things to come as companies move to Web-based services, Sima said.
The worm was written by a MySpace user named “Samy” and used a combination of JavaScript and AJAX code and took advantage of lax Web-browser security to silently inject a small piece of malicious code into the MySpace profiles of those users who viewed a page set up by the attacker. The code added Samy to the victims’ lists of friends and also spread to their MySpace profiles. Within 24 hours, the XSS worm had netted Samy over a million new “friends” and prompted MySpace.com to shut down the service to remove the infection.
In a world in which Web-based services such as Salesforce.com are used to connect critical applications across company lines, a hack in one part of the Web services chain could quickly spread, MySpace-like, and affect other organizations in the chain, Sima said.
“Companies have to ask: If my partner goes down or gets hacked, how will that appear on my site?” said Sima.
Development Worries
Security experts agree that lax development practices are responsible for many of the vulnerabilities in software today and that the move to deploy applications on the Internet—especially those that were originally written to run on individual PCs—may be outpacing education on the security risks that go along with that move.
“The age of Internet software is here. The vendors need to get over it and design it all [to be used] that way,” said Gary McGraw, CTO of Cigital, in Dulles, Va., and a well-known expert on writing secure software. “Everybody should be writing code as if it’s going to be exposed on the Internet. Developers have to understand that.
Locking Down Windows Live
“Eighty percent of the problems we find [in code reviews], we tell the development team, and they say, ‘You’re not supposed to do that.’ They have to overcome that kind of natural optimism. Most developers believe software security is security software,” McGraw said.
Microsoft’s new on-demand products such as Windows Live and Office Live will undergo the same security reviews as the company’s traditional client and server software. However, Microsoft is also planning changes to its Security Development Lifecycle program that address security issues in Web-based deployments, Howard said.
However, improving developer education is only one part of the solution. On-demand companies also need to secure the networks of ASPs (application service providers) that deliver the applications to customers. For companies such as Microsoft, that means qualifying hosting service providers and even third-party device makers whose products might run services such as Windows Live, said Peter Boden, director of security risk management at Microsoft.
“[On demand] means a big shift in control,” said Samir Kapuria, principal security strategist at Symantec, in Cupertino, Calif. “Enterprises have to rely on third parties to manage and maintain controls and privileges that were [previously] managed by in-house security.”
You’re the First Defense
Despite that shift to more secure development, on-demand customers are still on the hook to comply with regulations regarding the handling of data, even though they do not control the information, Kapuria said.
Microsoft hasn’t decided where data for its Windows Live and Office Live services will reside. The answer to that question ultimately may hinge on the value of the data, Howard said.
The company is currently vetting third-party hosting service providers for the Windows Live and Office Live services. Those providers will have to adhere to Microsoft’s standards for network and physical security. That includes everything from locks and cameras to properly trained administrative staff and well-established business continuity planning, Howard said.
Microsoft also plans to use teams of “white hat” hackers to do penetration testing of hosting partners’ infrastructure before allowing the hosting partners to host Windows Live or Office Live, Howard said.
Client machines are also a major security risk, adding to the difficulty of securing on-demand deployments, experts said.
“Attacks on the client really worry me,” said Howard. “Regardless of the [operating system], if you push [code] down to people’s desktops, bad guys can take advantage of that.”
Even low-tech hacks such as shoulder surfing are a threat to companies that keep reams of sensitive data on servers operated by companies such as Salesforce.com or PeopleSoft, said Cliff Bell, CIO of Phoenix Technologies, in Milpitas, Calif.
Phoenix has developed and is testing a product that will use a Web services API with single-sign-on capabilities to allow companies that use Phoenix’s secure BIOS software to generate trusted certificates for securely logging in to Salesforce.com. The software would require on-demand users to use an authorized laptop and provide a valid user identity and password to access Salesforce.com, Bell said.
In the end, the biggest challenge for companies such as Microsoft that see their future in on-demand software may be getting customers to understand and be comfortable with the model.
And, the current state of network and application security at most companies is poor enough to make it hard to imagine on-demand deployments being any worse, experts agree.
“Eventually, your entire desktop will be on Google’s servers, and you’ll just pay to use it on a monthly basis,” said Sima. “All the security people scream and jump about that, saying that all your data is in one location … but is that any worse than what we have today? Hell, no!”
Senior Writer Ryan Naraine contributed to this report.