RSA Conference 2009 is currently underway in San Francisco, and information security experts from all over the world are converging at this event to discuss all things security. A number of people are talking about cloud security during this event. In fact, a new initiative called the Cloud Security Alliance is going to be launched during the RSA conference. You can read Cloud Avenue’s coverage of the Cloud Security Alliance here.

I thought I would take this moment to voice my concern about the security of SaaS applications. No, I am not going to discuss application security or any security issues that might be present in the underlying cloud architecture. I am going to discuss a more mundane issue: user password security. When thinking about how we use SaaS, I am worried about the risks associated with password reuse by most users. This is a major concern as we move into a SaaS-based world. Sooner rather than later, we are going to see multiple schemes to grab the passwords of SaaS applications, causing havoc on a scale that we haven’t yet seen in this web era.

There are many ways for crackers to grab users’ passwords. They could use malicious emails to trick users, use a key logger to grab passwords from remote machines, or use one of the many available techniques to grab the passwords that users type on unsecured Wi-Fi networks, including the ones provided at many conferences. Once a password is snatched away from a user, the attackers could gain access to more than one SaaS application. This could happen due to various factors, and I will list two of the widely accepted reasons here.

  • Many users indulge in password reuse, and if the password for one application is grabbed by an attacker, they could then gain access to a wide variety of applications.
  • Many SaaS vendors integrate their apps to give a seamless experience to users. For example, Google Docs and the Zoho Suite (disclaimer: Zoho is the sole sponsor of this blog, but it has nothing to do with the mention here) use the Single Sign-On approach to offer a seamless experience while using the apps available in their suites. If an attacker gains access to a user’s password, he/she can access all the applications and the associated data of that user.

These are just two examples of how users could get into trouble due to the current approach to authentication taken by many SaaS vendors. Once SaaS reaches mainstream users, this is definitely going to cause havoc, and it is time for SaaS vendors to address this issue sooner rather than later.

I wrote this post today because I will be talking to a vendor who addresses a similar issue in the traditional IT world. I am planning to ask them if they have any solutions to tackle this issue in the SaaS-based world. If they have anything interesting to offer on this topic, I will talk about it in this space in the near future. Many people might dismiss this danger as a non-problem, but my gut feeling tells me that this is going to come back and bite many SaaS vendors. If you have any insight to offer in this regard, please feel free to share it in the comments section below.

Update 1: As pointed out by Eric in the comments section, the Cloud Security Alliance will be speaking at Gluecon, and vendors like Ping Identity (Glue sponsor) will be addressing the whole "seamless experience" aspect of this as well. You can listen to them by registering for the conference with the discount code spkr09. We also have three tickets to give away later in the day. Watch this space for the post.

Update 2: I spoke to the company I mentioned above. They are doing some interesting stuff to solve this problem. I will do a post next week about the company and their product. Right now, they are making the rounds at the RSA conference in San Francisco.
