New Enterprise Security Threats: SaaS
It has always been hard for the enterprise to address emerging information security issues proactively; usually these things end up dealt with by the majority of companies once a loss has hit close to home or regulatory attention has been brought to bear. I was lucky to be able to work with some very smart companies during the transition to the Internet-connected enterprise and ecommerce, as these companies recognized that dealing with new information security risks proactively enabled them to aggressively go after new revenue or cost savings.
I think this is the kind of thing that CIOs and CISOs will need to be thinking about as emerging technologies reshape the organizational and physical footprint of IT and add an order of magnitude more interconnections between applications and systems.
My good friend and long time co-conspirator Stephen Cobb recently asked what I thought were the emerging threats to enterprise security. There are a few threats that I’ve been giving some thought to lately that I haven’t seen addressed effectively; I’ll tackle one of these in this post and leave the others for later.
Security of Software as a Service
There is a lot of momentum behind the software as a service model; Salesforce.com is the poster child, but a big set of products that used to be delivered from inside the corporate datacenter are now bought as services and delivered from shared vendor resources outside. Some dismiss security concerns about SaaS as cynical, but I think there is a lot more to this story. The enterprise security issues can be broken down into a few sections:
Product security
The concerns about product security are much the same for SaaS as they are for traditional enterprise software purchases. Architecture, security features, and underlying implementation are all key factors in the overall security of the product.
There are a couple of distinctions between the two that come into play: the evaluation of SaaS offerings is feature driven and does not typically include implementation detail, and the lack of an in-house integration phase (a key benefit of the SaaS approach) means that vendor claims are never put to the test in the way that happens during the real-world integration of software products in the enterprise.
Among the risk elements that come from these distinctions is the lack of visibility into, and control over, the scope of compromise and the consequences of component failure. Essentially, without visibility into implementation detail and real-world verification of vendor claims, it is very difficult for the enterprise to understand the security impact of the failure of any part of the system.
Multi-tenancy
A set of security issues unfamiliar to the enterprise is introduced by a key component of the SaaS model: the hosting of multiple customers on shared infrastructure. Multi-tenancy takes a variety of forms:
- application level divisions between customers
- logical separation between customers
- physical or pseudo-physical separation between customers
The most basic form of multi-tenancy is implemented by SaaS vendors as an application construct. This means that the divisions between customers are unique to the application, and are not subject to outside scrutiny. A bug at the application level can result in a failure of separation, meaning that other customers or even the general public may have access to enterprise data.
This option requires custom development by SaaS vendors, typically provides for the most attractive customer density and scalability profiles, and presents the most difficult security challenges for the enterprise.
Separation implemented below the application level relies on integration mechanics to keep the divisions between customers intact. For example, individual web server instances (running on shared hardware) mapped to different hostnames might provide a front-end separation. This can be continued through routing of requests to similarly configured middleware instances and database servers. Often some components will still be fully shared, such as front-end load balancing / caching and back-end storage networks.
Since this option depends on features of 3rd party components, and implements multi-tenancy through integration and component configuration rather than software development, it is both easier to validate from a security perspective and involves less up-front cost to the SaaS vendor. Customer density and scalability, as well as complexity of new customer deployment, can be impacted.
Security issues can sometimes be severe in this case as well, when the failure of an infrastructure component threatens a key assumption about logical separation. Failure of VLAN separation due to a bug in Cisco’s switching software, for example, could compromise logical separation between customers if those protections are not implemented in a layered way.
An extreme case of the integration-level separation described above is the use of virtual OS instances or physically separate systems to provide independent instances of applications and supporting infrastructure such as database servers. This case provides the most easily validated architectural security; as OS virtualization matures and server hardware is designed for these workloads, the scalability, density, and deployment cost/complexity challenges of physical separation will likely improve.
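The application-level separation failure described above (a tenant boundary that exists only as a column the application must remember to check), together with the point that separation should be implemented in a layered way, can be made concrete with a small constructed example. This is added illustration, not code from the original post or from any SaaS vendor; the tenant names, record ids and the `PartitionedStore` class are assumptions made up for the demonstration. It shows a lookup that authenticates the caller as a tenant but never uses that tenant when fetching data, the scoped version of the same lookup, and a storage layer partitioned per tenant so that a single forgotten filter in the application does not hand one customer another customer's records.

```python
"""Application-level multi-tenancy: a separation bug, its fix, and a second layer.

Constructed example (not from the original post): an in-memory table shared by
several tenants, a lookup that forgets to scope by tenant, a hardened lookup,
and a per-tenant partitioned store that enforces the same boundary below the
application so one missed check is not enough to expose another tenant's data.
"""
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass(frozen=True)
class Record:
    record_id: int
    tenant: str
    body: str


class TenantIsolationError(PermissionError):
    """Raised when the storage layer hands back a record for the wrong tenant."""


# One flat table where the tenant is just a column: the "application construct"
# form of multi-tenancy. Sample data is constructed for this example.
SHARED_TABLE: Dict[int, Record] = {
    1: Record(1, "acme", "acme Q1 forecast"),
    2: Record(2, "globex", "globex customer list"),
    3: Record(3, "acme", "acme payroll"),
}


def lookup_unscoped(tenant: str, record_id: int) -> Optional[Record]:
    """Buggy lookup: the caller is authenticated as `tenant`, but the tenant is
    never consulted, so a record id alone is enough to read any row. This is
    the separation failure the post describes."""
    return SHARED_TABLE.get(record_id)


def lookup_scoped(tenant: str, record_id: int) -> Optional[Record]:
    """Hardened lookup: tenant is part of the key, not an afterthought. A row
    belonging to someone else is indistinguishable from a missing row, so
    guessing ids reveals nothing across the boundary."""
    rec = SHARED_TABLE.get(record_id)
    if rec is None or rec.tenant != tenant:
        return None
    return rec


class PartitionedStore:
    """Storage layer holding each tenant's records in its own partition. Even an
    application query that forgets the tenant filter can only be handed the
    partition of the tenant it asked for (hypothetical layered design)."""

    def __init__(self) -> None:
        self._partitions: Dict[str, Dict[int, Record]] = {}

    def put(self, rec: Record) -> None:
        self._partitions.setdefault(rec.tenant, {})[rec.record_id] = rec

    def partition_for(self, tenant: str) -> Dict[int, Record]:
        # A copy, so a caller cannot mutate the store through the result.
        return dict(self._partitions.get(tenant, {}))


def lookup_layered(store: PartitionedStore, tenant: str, record_id: int) -> Optional[Record]:
    """Lookup that relies on the storage partition for isolation and still
    re-checks the tenant label, so a mis-partitioned write is caught rather
    than silently served to the wrong customer."""
    rec = store.partition_for(tenant).get(record_id)
    if rec is not None and rec.tenant != tenant:
        raise TenantIsolationError(f"record {record_id} mislabelled for tenant {tenant}")
    return rec


def build_store() -> PartitionedStore:
    """Load the constructed sample rows into a partitioned store."""
    store = PartitionedStore()
    for rec in SHARED_TABLE.values():
        store.put(rec)
    return store


if __name__ == "__main__":
    # globex asks for record 1, which belongs to acme.
    print("unscoped:", lookup_unscoped("globex", 1))              # acme's row leaks
    print("scoped:  ", lookup_scoped("globex", 1))                # None
    print("layered: ", lookup_layered(build_store(), "globex", 1))  # None
```

The scoped lookup returns the same "not found" answer for a foreign record as for a nonexistent one; that is deliberate, because distinguishing the two would itself tell a caller which ids belong to other customers. The partitioned store is the kind of below-the-application boundary the post recommends layering on top of the application check: neither layer has to be perfect on its own for the separation to hold.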
The security impact of multi-tenancy, along with core product security, comprise the directly technical part of the challenge for the enterprise.
Operations
The operational issues stemming from the use of SaaS are not particularly technical, but can be difficult to manage and control. At the heart of the issue is the fact that critical enterprise data must exist, for an extended time, on systems controlled by a third party.
- Direct Operational Issues
- Organizational Issues
The employees of the SaaS vendor manage its systems; they have access, ultimately, to the data of their enterprise customers. While not unmanageable, the potential for access by employees not subject to direct monitoring and control by the enterprise presents a significant risk.
Custody of enterprise data by a third party presents some broader challenges as well. Since the third party has access, it could be faced with subpoenas or other challenges that might be handled differently by the enterprise directly. Business relationships, changes of control, or even acquisition of directly competitive customers can create real or perceived misalignments of interest.
Essentially, the law recognizes certain providers of business services, such as legal counsel or accounting services, as having a special or protected relationship with their clients. It remains to be seen how the law evolves to handle these new types of service provider whose access is no less sensitive.
SaaS isn’t going anywhere, but the fact that there haven’t been any front-page losses yet isn’t a reason to put off thinking about these security issues. I think that there are probably some opportunities for technical solutions to control some of this risk, and make the process of ensuring and validating security of SaaS deployments much more manageable for the enterprise.
In the meantime, I think an exploration of these issues by the enterprise when looking at SaaS deployments will lead to more sophisticated requirements and vendor selection, and better understanding and control of risk today.
Toby DiPasquale wrote:
Flickr apparently is recently experiencing some multi-tenancy data security issues.
Posted 17 Feb 2007 at 9:37 pm
Philip Moyer wrote:
Good description of the issues. I would add to this security soup the problem of directory/domain level integration with the business partners that are using multi-tenant systems (i.e. just using application level directory services).
Posted 23 Feb 2007 at 3:04 am
Tony Y. wrote:
Yes, these are the new issues brought by SaaS. But for most small businesses, SaaS should be a safer solution compared to traditional software infrastructure. Small businesses have no IT for their computer software and hardware, which could be critical when there is a common virus infection, hacker attack … I have heard lots of stories about this.
Posted 26 Mar 2007 at 1:13 pm
David Brussin wrote:
Tony,
Great point. There is probably an inflection point below which organizations generally improve their security posture by moving from internal systems to SaaS, especially in terms of business continuity.
It is worth keeping in mind, though, that an exploited vulnerability on a multi-tenant architecture means trouble for all customers. A SaaS platform is a big, high value target, whereas the individual customer, regardless of their security posture, might not have been more than a target of opportunity alone.
Posted 26 Mar 2007 at 6:49 pm
Free Hard Drive Eraser Guy wrote:
This is my first comment over here. I like this blog a lot.
I liked this blog entry the most though, the way you said it was just amazing!
See ya Later
P.S. - CSS update?
Posted 12 Apr 2007 at 3:50 pm
Alex wrote:
Thank You
Posted 25 Apr 2007 at 9:40 pm