Understanding the security risk of SaaS
Software as a Service (SaaS) is one of the current trends in information technology. "SaaS" is the name given to the model in which applications run on the service provider's infrastructure and the service is delivered to the customer over the network.
The SaaS architecture promises a lower cost of ownership, better scalability, and easier maintenance. There are other advantages, and a few limitations as well. One of the key concerns about SaaS is security. Corporate security officers argue that storing corporate data off-site creates a security risk. This is probably true, but to assess that risk accurately, the stakeholder needs to understand exactly what the risk is and where most of it comes from. The following is my take on this.
At a high level, the risk stems from the application provider's ability to get at the corporate data and use or sell it. SaaS proponents claim that this risk applies just as much to locally installed applications: any software provider can plant malicious code in its product that leaks data out as soon as interesting data is fed into the application, SaaS or no SaaS. By this argument, the added security risk of SaaS is minor. You had to trust your software providers before, and you have to trust them now.
However, I think SaaS does increase the risk; not so much because the potential damage is greater, but mainly because the barrier to carrying out an attack is lower, and so is the risk the attacker takes on.
Risk is a function of both the magnitude of the possible damage and the probability of its occurrence (the chance that it actually takes place). That probability is linked to the complexity of mounting the attack, the attacker's incentive, the risk the attacker runs, and other factors. Compared with local applications, the risk of using SaaS is higher not because the possible damage is greater but because an attack is more likely to take place. The likelihood is raised by the lower complexity of the attack, and by the fact that the attacker never has to commit to an intent.
How secure is a fence made of thin glass, compared to no fence at all? The right answer is: "much more secure (at least against some crimes)." It is not as secure as a concrete wall, but it is significantly more secure than no fence, despite being made of thin glass. The reason is that breaking in (and breaking the glass in the process) requires the offender to commit to an intent. By breaking the glass, he marks himself as a trespasser: not wandering around, not strolling in by mistake, but a criminal.
If the provider of a locally installed application wanted to get at the data the application processes, it had to build spying capability into the software. Beyond the effort involved, this put the provider at notable risk. If the malicious code were ever discovered, the provider would likely be out of business, probably with its executives in jail as well. No provider would take this risk unless it had a strong interest in the data involved.
With SaaS, the barrier to mounting an attack is significantly lower, not only in terms of complexity but also in terms of the risk to the offender. To get hold of the corporate data, there is no need to commit to a malicious intent, and no need to plant anything that could later be discovered. All the provider needs to do is run one extra query against the database it hosts anyway, and keep the results to itself. Almost no effort, almost no risk of ever facing hard evidence, and no trace in the product at all; the only trace it can leave is in the provider's own database audit logs, if the provider keeps any.
Since an attack on customer data becomes as simple as running a query, one side effect to cope with is the explosion in the number of potential attackers. Planting malicious code in shipped software typically takes the collusion of several people. Stealing data from a database, by contrast, can be done by anyone with sufficient access privileges at the provider's site. Combine this with the lower chance of being caught, and corporate data is exposed not just to high-grade espionage but also to a casual employee who wants to help a friend out with some data.
Corporate data has always been under threat from malevolent software providers, but never has this threat been so likely to materialize.
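The "one extra query" attack above leaves no trace in the application, but it can leave one at the database layer if the provider logs queries. The following is an added illustration, not code from the original post: it runs a simple detection over a constructed, simplified audit-log format (the timestamp/user/db/rows/stmt layout, the account names `app_svc`, `dba_alice` and `support_bob`, the table names and the row threshold are all assumptions) and flags reads of sensitive tables by anything other than the application's service account. Note that the one-row lookup by a support engineer is flagged too, because the casual "help a friend" scenario described above is exactly that.

```python
"""Flag suspicious reads of customer data in a constructed database audit log.

Added illustration for the insider-query scenario; not the article's own code.
The log format, account names, table names and threshold are assumptions.
"""
import re
from dataclasses import dataclass

# Constructed sample log: the application's service account doing normal work,
# plus two human accounts running ad-hoc reads against customer tables.
SAMPLE_AUDIT_LOG = """\
2024-05-01T09:00:01Z user=app_svc db=tenant_42 rows=1 stmt=SELECT id,name FROM customers WHERE id = $1
2024-05-01T09:00:02Z user=app_svc db=tenant_42 rows=1 stmt=UPDATE customers SET last_login = now() WHERE id = $1
2024-05-01T09:15:10Z user=dba_alice db=tenant_42 rows=0 stmt=SELECT pg_size_pretty(pg_database_size(current_database()))
2024-05-01T10:02:33Z user=dba_alice db=tenant_42 rows=48213 stmt=SELECT * FROM customers
2024-05-01T10:03:01Z user=support_bob db=tenant_07 rows=1 stmt=SELECT email FROM customers WHERE id = 10091
2024-05-01T10:05:45Z user=support_bob db=tenant_07 rows=3200 stmt=COPY (SELECT email, phone FROM contacts) TO STDOUT
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) db=(?P<db>\S+) rows=(?P<rows>\d+) stmt=(?P<stmt>.*)$"
)

# Assumed policy: only the application's service account may touch these tables,
# and any read above the threshold is treated as a bulk export.
SERVICE_ACCOUNTS = {"app_svc"}
SENSITIVE_TABLES = {"customers", "contacts"}
BULK_ROW_THRESHOLD = 100


@dataclass(frozen=True)
class Finding:
    ts: str
    user: str
    db: str
    rows: int
    reason: str
    stmt: str


def tables_referenced(stmt: str) -> set[str]:
    """Crude table extraction: the identifier following FROM/JOIN/INTO/UPDATE."""
    names = re.findall(r"\b(?:FROM|JOIN|INTO|UPDATE)\s+([A-Za-z_][\w.]*)", stmt, re.I)
    return {n.lower() for n in names}


def analyze(log_text: str) -> list[Finding]:
    """Return one Finding per audit line that violates the assumed policy."""
    findings: list[Finding] = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # a real parser should count and alert on unparsable lines
        user, db, rows, stmt = m["user"], m["db"], int(m["rows"]), m["stmt"]
        touched = tables_referenced(stmt) & SENSITIVE_TABLES
        if not touched:
            continue
        if user not in SERVICE_ACCOUNTS:
            reason = "human account touched sensitive table(s): " + ", ".join(sorted(touched))
            if rows >= BULK_ROW_THRESHOLD:
                reason += f"; bulk read of {rows} rows"
            findings.append(Finding(m["ts"], user, db, rows, reason, stmt))
        elif rows >= BULK_ROW_THRESHOLD:
            # The service account is allowed in, but not to export whole tables.
            findings.append(Finding(m["ts"], user, db, rows, f"service account bulk read of {rows} rows", stmt))
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_AUDIT_LOG):
        print(f"{f.ts} {f.user}@{f.db}: {f.reason}\n    {f.stmt}")
```

The caveat that matters for the argument above: the audit log is itself under the provider's control. A check like this constrains the casual insider with a database login, which is the new class of attacker SaaS introduces, but it does nothing against the provider acting as an organization, which is the threat that existed with local software as well.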