Industry Perspective
A conversation with Samir Kapuria
- By Security Products Staff
- Jun 01, 2006
SOFTWARE is quickly becoming an integral part of the security industry. Just in case you haven't heard it before, there is a convergence taking place between IT security and physical security. Symantec Global Security Consulting experts have been in the business for decades. Call it software as a service, but what it truly means is that there is a new model for delivering security.
We took the opportunity to sit down with Samir Kapuria, principal security strategist with Symantec Global Security Consulting, to ask a few questions about how software as a service differs from traditional software.
Q. How does software as a service differ from traditional software?
A. Software as a service, sometimes referred to as SaaS, is a new model for delivering software. The traditional licensed software delivery model has required users to purchase an application and either install or download it onto their system. In contrast, the SaaS model eliminates these requirements; the application is hosted on the server of a third party and users access it on an as-needed basis over the Internet, paying on a per-usage basis. Each model has its benefits and drawbacks, and each will likely continue to persist into the future.
Q. What benefits might a user expect from using SaaS offerings?
A. Using a SaaS offering obviates the need for a user to have the technology infrastructure in place to support an application. SaaS eliminates the space and memory requirements associated with software that uses the traditional licensed software delivery model. In many cases, using a SaaS offering also can dramatically reduce the expense of buying and using a new application. With SaaS, customers pay only for what they use.
Q. Are there security concerns associated with SaaS?
A. The SaaS model introduces security concerns for SaaS providers, as well as for enterprises and consumers who use a SaaS offering.
The SaaS model provides a more direct path to the expansive pools of information customers save on the provider's site. These information stores are an attractive target for hackers because they enable an attacker to get to large amounts of sensitive information in one centralized location with less effort than if the information were stored on customers' own individual hard drives.
What's more, because SaaS offerings rely on a Web browser to access the application over the Internet, a SaaS offering is susceptible to hackers who exploit Web browser vulnerabilities in order to propagate spyware or adware, or to circumvent perimeter security devices and reach sensitive data.
Vulnerabilities in Web-based applications, such as SaaS offerings, also represent a security concern. Advances in Web-based application development provide a rich set of capabilities, allowing more people to develop such programs in a shorter period of time. But, application developers may not be adequately trained to incorporate security into the programs they develop. Cross-site scripting attacks may exploit these vulnerabilities, thereby enabling hackers to hijack user accounts and access confidential information. Inadequate security checks in Web-based applications also may make associated databases susceptible to unauthorized access.
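As an added illustration of the two defects named in the answer above (not code from the interview, from Symantec or from any real SaaS product): a constructed Python fragment showing a Web-application handler that echoes a request parameter into HTML unencoded and splices it into SQL, beside the hardened form of each. The in-memory SQLite table and the probe values are constructed stand-ins.

```python
import html
import sqlite3

# Constructed stand-in for the "associated database" of a hosted Web application.
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, email TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("alice", "alice@example.test"), ("bob", "bob@example.test")])
    return db

# Cross-site scripting defect: a request parameter is copied into the HTML page
# verbatim, so any markup the client supplies is interpreted by the browser.
def render_greeting_vulnerable(name):
    return "<p>Hello, " + name + "</p>"

# Hardened form: encode the value for the HTML text context it is inserted into.
def render_greeting_hardened(name):
    return "<p>Hello, " + html.escape(name, quote=True) + "</p>"

# Inadequate check before the database: the parameter is spliced into the SQL
# text, so the database parser sees user data as part of the statement.
def lookup_email_vulnerable(db, name):
    sql = "SELECT email FROM users WHERE name = '" + name + "'"
    return [row[0] for row in db.execute(sql).fetchall()]

# Hardened form: bind the value; it can never change the statement's structure.
def lookup_email_hardened(db, name):
    sql = "SELECT email FROM users WHERE name = ?"
    return [row[0] for row in db.execute(sql, (name,)).fetchall()]

def demo():
    """Run both pairs against constructed inputs and return the observations."""
    db = make_db()
    markup_name = "<i>Mallory</i>"   # constructed: harmless markup probe
    quoted_name = "O'Brien"          # constructed: a plain apostrophe is enough
    try:
        lookup_email_vulnerable(db, quoted_name)
        vuln_parse_error = False
    except sqlite3.Error:            # the apostrophe reached the SQL parser
        vuln_parse_error = True
    return {
        "xss_vulnerable": render_greeting_vulnerable(markup_name),
        "xss_hardened": render_greeting_hardened(markup_name),
        "sql_vulnerable_parse_error": vuln_parse_error,
        "sql_hardened_rows": lookup_email_hardened(db, quoted_name),
    }
```

The vulnerable lookup fails on an ordinary apostrophe because user data is being parsed as SQL; the same root cause is what lets crafted input alter the statement, while the bound parameter in the hardened form treats the name as data only.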
Q. Are certain types of SaaS offerings more vulnerable than others?
A. No, although some SaaS applications are more attractive targets than others. Information-rich applications are likely at the greatest risk. These include applications such as accounting, hosted messaging, enterprise resource planning, human resources and customer relationship management.
Q. Does current Internet threat activity indicate that SaaS offerings might be at risk?
A. Yes, according to the latest Symantec Internet Security Threat Report, which provides a six-month update of Internet threat activity. The most recent report covers the six-month period from July 1 to Dec. 31, 2005.
The report confirmed that hackers are currently motivated more by profit than by notoriety, as evidenced in part by the large percentage of malicious code samples that threatened confidential information. Attackers often attempt to perpetrate criminal acts such as identity theft, extortion and fraud for financial gain. As mentioned before, the large volumes of sensitive customer data that SaaS providers store represent a potentially lucrative target of attack.
There also are more software vulnerabilities than ever before. During 2005, a total of 3,767 vulnerabilities were documented, compared to 2,691 in 2004. The growth in the number of vulnerabilities over the past year has been driven primarily by an increase in the discovery and disclosure of vulnerabilities in Web applications.
Sixty-nine percent of the vulnerabilities documented by Symantec in the second half of 2005 affected Web applications. This increase reflects the shift toward the Internet as a platform for applications. Many applications that were once standalone software suites or client-server solutions are now being implemented as Web applications. This has opened the door to new classes of attacks against these new implementations.
Vulnerabilities in Web browsers also have become more prominent. Between July and December 2005, Symantec documented 24 new vendor-confirmed and non-vendor-confirmed vulnerabilities that affected at least one version of Microsoft Internet Explorer. The average Internet Explorer vulnerability also was rated highly severe. During the same period, Symantec documented 17 new vendor-confirmed and non-vendor-confirmed vulnerabilities affecting the Mozilla Firefox browser; the average Firefox vulnerability also was rated highly severe. A high-severity vulnerability is defined as a vulnerability that, if exploited successfully, could result in a compromise of an entire system. In almost all cases, successful exploitation can result in a complete loss of confidentiality, integrity and availability of data stored on or transmitted across the system.
Q. Does perimeter protection make SaaS more secure?
A. Protecting the network perimeter through firewalls, intrusion detection systems and monitoring systems is effective in a traditional IT network environment. But applications that rely on the Internet deliberately allow all Internet users to access the application, making firewalls and other perimeter protection tactics ineffective.
Q. How can SaaS providers, enterprises and consumers make SaaS activity more secure?
A. SaaS providers must ensure that security is an integral part of the entire application development lifecycle. Enterprises must audit their systems to ensure that no vulnerable Web applications are being hosted in their SaaS environment and keep patch levels of applicable software up to date. They also must enforce strong identification, authentication, authorization, accountability and privacy controls. Enterprises that host their own SaaS offering also can leverage virtual private networks, encryption, network security tools and other mechanisms to address security concerns.
Even though the security of consumers' information in a SaaS model is dependent upon the SaaS provider rather than the customer, consumers can help protect their SaaS activity by keeping their Web browser software and their operating systems up to date with the latest patches.