RSA Conference 2009 is currently underway in San Francisco, and information security experts from all over the world are converging on the event to discuss all things security. A number of them are talking about cloud security during this event. In fact, a new initiative called the Cloud Security Alliance is going to be launched during the RSA Conference. You can read Cloud Avenue’s coverage of the Cloud Security Alliance here.
I thought I would take this moment to voice my concern about the security of SaaS applications. No, I am not going to discuss application security or any security issues that might be present in the underlying cloud architecture. I am going to discuss a more mundane issue: user password security. When thinking about how we use SaaS, I am worried about the risks associated with password reuse by most users. This is a major concern as we move into a SaaS-based world. Sooner rather than later, we are going to see multiple schemes to grab the passwords of SaaS applications, causing havoc on a scale that we haven’t yet seen in this web era.
There are many ways for attackers to grab users’ passwords. They could use malicious emails to trick users, use a key logger to grab them from remote machines, or use one of the many available techniques to capture passwords sent over unsecured Wi-Fi networks, including the ones provided at many conferences. Once a password is snatched from a user, the attacker could gain access to more than one SaaS application. This can happen for various reasons, and I will list two of the widely accepted ones here.
- Many users indulge in password reuse, and if the password for one application is grabbed by an attacker, they could then gain access to a wide variety of applications.
- Many SaaS vendors integrate their apps to give users a seamless experience. For example, Google Docs and the Zoho Suite (disclaimer: Zoho is the sole sponsor of this blog, but it has nothing to do with the mention here) use a Single Sign-On approach to offer a seamless experience across the apps in their suite. If an attacker gains access to a user’s password, he or she can access all the applications and the associated data of that user.
These are just two examples of how users could get into trouble due to the current approach to authentication taken by many SaaS vendors. Once SaaS reaches mainstream users, this is definitely going to cause havoc, and it is time for SaaS vendors to address this issue sooner rather than later.
I wrote this post today because I will be talking to a vendor that addresses a similar issue in the traditional IT world. I am planning to ask them if they have any solutions to tackle this issue in the SaaS-based world. If they have anything interesting to offer on this topic, I will write about them in this space in the near future. Many people might dismiss this danger as a non-problem, but my gut feeling tells me that this is going to come back and bite many SaaS vendors. If you have any insight to offer in this regard, please feel free to share it in the comments section below.
Update 1: As pointed out by Eric in the comments section, the Cloud Security Alliance will be speaking at Gluecon, and vendors like Ping Identity (Glue sponsor) will be addressing the whole “seamless experience” aspect of this as well. You can listen to them by registering for the conference with the discount code spkr09. We also have three tickets to give away later in the day. Watch this space for the post.
Update 2: I spoke to the company I mentioned above. They are doing some interesting work on solving this problem. I will do a post next week about the company and their product. Right now, they are making the rounds at the RSA Conference in SFO.
Just as an FYI — the Cloud Security Alliance will be speaking at Gluecon, and vendors like Ping Identity (Glue sponsor) will be addressing the whole “seamless experience” aspect of this as well.
Thanks Eric. I will update the post with the information.
Customers who want a single-sign on experience with SaaS services (i.e. identity federation) are well-advised to use multi-factor authentication.
I’m surprised you didn’t mention MFA in your post.
Kayvaan,
Yes, multi-factor authentication can work, but it is at the other end of the spectrum from ease of use. The product I am planning to talk about is in the middle, giving the ease of use of single-password identification while offering security closer to that of multi-factor identification. I am going to talk a bit about multi-factor authentication in that post.