Meeting the SaaS Security Challenge

2007 enterprise software budgets are showing a 10 percent year-over-year increase, according to a recent Forrester Research survey, with software-related spending expected to account for 30 percent of the total.

Companies are looking to spend that money on improving integration between applications, upgrading security environments and adopting service-oriented architecture (SOA).

In addition to SOA, Software as a Service (SaaS) and other forms of on-demand applications are becoming more prevalent within enterprises, according to the report. As the use of on-demand applications increases, so does the likelihood of attacks by cybercriminals.

The nature of on-demand applications poses particular security challenges. In order to detect and prevent attacks, enterprise IT managers are increasing their use of message encryption, as well as implementing multifactor authentication and multilayered security environments.

Increasingly, they’re building security considerations into company business processes and compliance procedures, in order to reduce the ever-present security threats that start with acts of so-called “social engineering.”

Cybercriminals are motivated to keep pace with corporate antihacker measures, finding loopholes to poke through enterprise system architectures and software. Why do they do it? As notorious bank robber Willie Sutton said when asked why he robbed banks, “Cause that’s where the money is.”

An IT Arms Race

“The most significant changes in the threat landscape over the past few years have been the motivation for attack and the ubiquitous nature of online information,” ESET’s Randy Abrams told CRM Buyer.

“The fact that so much information of value is stored on Internet-accessible servers has made the situation financially irresistible for organized crime. On-demand applications regularly require information from individuals that can be used for financial fraud and identity theft. Following a predictable trend dating back to the invention of the spear, the bad guys have used every new technology to further their quest for profit,” Abrams said.

It’s not that the nature of threats to on-demand applications has changed significantly, of late, Abrams continued. Rather, the frequency of attacks — and their complexity — has risen with the growing use of on-demand applications. Hackers have come to the realization that the potential for financial gain is high for anyone who can successfully evade and penetrate the security systems that protect these applications.

“Remediation efforts, such as two-factor authentication, have resulted in more complex attacks,” said Abrams.

Historically, attacks have become more elaborate as solutions increase in complexity. That said, simple social engineering is still able to defeat a number of security defenses without the need for any real sophistication, he added.

Distributed Apps

As distributed software and systems become more prevalent, the challenge of securing on-demand applications intensifies.

“There are two major categories of changes which are already occurring but will be accelerated by the use of SOA and on-demand applications,” BEA Systems Principal Engineering Technologist Hal Lockhart told CRM Buyer. Lockhart is also cochair of the OASIS (Organization for the Advancement of Structured Information Standards) technical advisory board and cochair of the OASIS XACML and security services technical committees.

“The first is that enterprise applications will have more of the characteristics of the Internet. They will be very large scale, subject to continuous change, operated by multiple organizations and based on open standards,” Lockhart explained.

“The other category is that completely standalone applications will disappear in favor of services, which will be composed together,” he added. “Applications will include services both inside and outside the firewall. Security will need to be more fine-grained, flexible in its application and federated across organizational boundaries.”

In terms of addressing the security issues for distributed systems and software applications, Lockhart added, “Much of what is needed is not necessarily stronger mechanisms, such as cryptographic algorithms or authentication protocols, but standards … so that what we have becomes more practical to use and more dynamic and tolerant of change.”

Distributed Identities

The challenges of managing and securing user identities across a distributed systems architecture — such as those used for on-demand applications — come with their own set of security needs and challenges.

“Distributed identity management remains the challenge,” commented Ray Wang, a principal analyst at Forrester Research. “Basically, you need the infrastructure to federate identity across a number of integration points. You don’t want to set up users one at a time.

“Another approach is to enforce consistent access security with LDAP (Lightweight Directory Access Protocol), which would be easier. However, most providers use … published APIs (application programming interfaces) to connect into identity systems. Often, the on-demand APIs lack the necessary scalability and performance. When they do, the other challenges are making sure [a Web Services addressing standard] and SAML (Security Assertion Markup Language) are followed across all apps,” explained Wang.

“Federation is one of the key technologies here — but, for now, organizations are dealing with this far more tactically, addressing security and identity in a poorly scalable manner. We see a lot of one-off administration rather than flexible frameworks, and also a lot of perimeter-based security. We expect adoption of federation to grow rapidly in the next 24 months,” added Jonathan Penn, a vice president and research director at Forrester.

“We advise organizations to start small on these projects — a few partners and a few applications,” Penn added. “Also, they need to focus on a particular specification first, but will quickly have to adopt the others as well since they’ll likely have little say in the specifications selected by partners.

“Thus, a key feature of the federation products is not just checkbox support for multiple protocols, but how well they actually translate and route among them,” he said.

To Protect and Detect

Enterprises and other organizations with particularly valuable and sensitive data have been building multilayered security environments. They include online systems for authenticating users, and for detecting and foiling attacks from a continually shifting variety of malware — as well as from the relatively straightforward incursions that result from surreptitiously obtaining key access and systems information from insiders and other users.

“No single layer of defense will do the job,” said ESET’s Abrams. “Policy can become quickly outdated. If there is no compliance, the policy has no effect. Patching, while critical, is usually a response to an exploitable vulnerability. It may be too late by the time one patches.

“Antimalware defenses are also generally reactive. Even solutions such as ESET’s NOD32 that use advanced heuristics are defeated by determined hackers with targeted attacks. Access control is still easily defeated by simple social engineering attacks. This does not mean that the solutions are useless or ineffective; rather, you are going to need a clip of ammunition because there is no silver bullet,” asserted Abrams.

Across Multiple Fronts

Organizations need to protect a range of IT systems in order to secure on-demand applications, and it isn’t uncommon for developers to miss one or more critical aspects of comprehensive security, Abrams pointed out.

“The first mistake developers often make is requiring users to install other software, not included in the actual application. This may be Flash or other additional software that may contain vulnerabilities. The end result is that the user’s attack surface has been expanded,” he explained.

“Windows Vista ships with Windows Defender. Although Vista is not an ‘on-demand’ application, the principle applies. Vista comes with Windows Defender automatically installed. Microsoft recently issued a patch to address a critical vulnerability in Windows Defender.

“Banking applications that require ActiveX controls may introduce … vulnerabilities that can then be exploited from completely unrelated Web sites,” continued Abrams. “A secure on-demand application will introduce as little extraneous software as is possible.”

Because organizations and developers commonly make use of confidential information that is stored or transmitted as plain text, he explained, on-demand applications must secure data in the best way possible. “In most cases, SSL is required at the least. Cookies should be strongly encrypted.”
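The transport and cookie advice above, as an added example that is not from the article or from ESET: a Python helper that issues a session cookie with the Secure, HttpOnly and SameSite attributes (so it only travels over TLS and is not readable by page scripts) and binds the cookie value to an expiry with an HMAC tag, so a tampered or replayed-after-expiry cookie is rejected. The function names (seal, unseal, set_cookie_header, read_cookie_header) and the key handling are assumptions. The standard library has no authenticated cipher, so confidentiality of the payload, which the quote also asks for, would additionally need an AEAD such as AES-GCM from a vetted library; the integrity and attribute hardening shown here is the part that can be demonstrated offline.

```python
import base64
import hashlib
import hmac
import time
from http.cookies import SimpleCookie

# Layout of a sealed value: "<expiry unix time>.<base64 payload>.<base64 HMAC tag>"
# Assumed design for this example; it is not a standard format.


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def seal(payload: bytes, key: bytes, now=None, ttl: int = 900) -> str:
    """Bind payload to an expiry and authenticate both with HMAC-SHA256."""
    exp = (now if now is not None else int(time.time())) + ttl
    body = f"{exp}.{_b64(payload)}"
    tag = hmac.new(key, body.encode("ascii"), hashlib.sha256).digest()
    return f"{body}.{_b64(tag)}"


def unseal(token: str, key: bytes, now=None):
    """Return the payload, or None if the tag is wrong, malformed or expired."""
    try:
        exp_s, payload_b64, tag_b64 = token.split(".")
        exp = int(exp_s)
        tag = _unb64(tag_b64)
        payload = _unb64(payload_b64)
    except ValueError:          # covers bad splits, bad ints and bad base64
        return None
    body = f"{exp_s}.{payload_b64}"
    expected = hmac.new(key, body.encode("ascii"), hashlib.sha256).digest()
    # Constant-time comparison so tag checking does not leak timing.
    if not hmac.compare_digest(expected, tag):
        return None
    current = now if now is not None else int(time.time())
    if current >= exp:
        return None
    return payload


def set_cookie_header(name: str, payload: bytes, key: bytes, now=None) -> str:
    """Build the Set-Cookie header value with hardened attributes."""
    jar = SimpleCookie()
    jar[name] = seal(payload, key, now)
    jar[name]["secure"] = True        # only sent over TLS
    jar[name]["httponly"] = True      # not exposed to document.cookie
    jar[name]["samesite"] = "Strict"  # not attached to cross-site requests
    jar[name]["path"] = "/"
    return jar.output(header="").strip()


def read_cookie_header(name: str, cookie_header: str, key: bytes, now=None):
    """Parse an incoming Cookie header and verify the named cookie."""
    jar = SimpleCookie()
    jar.load(cookie_header)
    if name not in jar:
        return None
    return unseal(jar[name].value, key, now)


if __name__ == "__main__":
    # Constructed demo key; a real service loads it from a secret store.
    demo_key = b"\x01" * 32
    header = set_cookie_header("session", b"uid=42", demo_key)
    print("Set-Cookie:", header)
    token = header.split(";")[0].split("=", 1)[1]
    print("verified payload:", read_cookie_header("session", "session=" + token, demo_key))
    print("tampered:", unseal(token.replace("uid", "uie"), demo_key))
```

The server never trusts the cookie body on its own: every read goes through the HMAC check and the expiry check, and a cookie that fails either is treated as absent rather than partially honoured.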

Setting Standards

OASIS is one of the IT industry organizations working to address such issues through an open, collaborative standards development process. In terms of the current state of security technology for distributed applications, Lockhart said that “in many cases, we already have highly effective mechanisms available, but they are insufficiently dynamic, federated, flexible, interoperable or scalable.

“WS-Security, WS-SecureConversation, WS-Trust [and] WS-SecurityPolicy primarily address attacks like interception, impersonation, message modification and spoofing. XACML (eXtensible Access Control Markup Language) addresses unauthorized access. SAML (Security Assertion Markup Language) is concerned with federating information used to prevent impersonation and abuse of privilege,” Lockhart said.
