SaaS and Cloud Computing change the CIA paradigm

Although cloud computing and Software as a Service (SaaS) offer tremendous opportunities for business innovation and return on investment, they also present unique challenges that companies developing new technologies, looking to take advantage of new services, or investors looking for new opportunities must understand.

Security, especially integrity of the service and confidentiality of the information, is critical to the market success of companies offering cloud computing and SaaS solutions. Traditionally security has lagged behind technology innovation, from the dawn of the Internet, to mobility, to virtualization, security is for the most part an afterthought. When security has become important it has generally been driven from the perspective of availability, whether it is the impact of SPAM on email flow or worm attacks that consumed network bandwidth, most organizations have prioritized security concerns once it has impacted availability.  Right or wrong, for traditional enterprise software it is easy to understand the importance of service availability over data integrity or confidentiality.

However when we introduce a 3rd party, which is responsible for data integrity and data confidentiality, then these are perceived as and become much more important than data availability. Mashups, offsite data storage, delivery of critical information from a 3rd party, the heavy use of web-based technologies, all introduce opportunities for significant security incidents, especially since SaaS and cloud computing are so reliant on open Internet protocols, many of which are fundamentally insecure. Recently we have seen a dramatic increase in high-profile vulnerabilities against the core routing infrastructure of the Internet, such as DNS and BGP, these impact everyone, but they are especially devastating to organizations highly reliant on Internet stability.

A major security incident against a company offering SaaS or cloud computing is inevitable, the question will become how resilient is the company in responding to the incident and what impact will the incident have on the companies reputation. Salesforce.com experienced a major security incident in 2007, in which a phising attack resulted in the disclosure of customer data, this was then used to phish for more data from salesforce.com customers. In this case the extent of damage was limited, but it could of been worse. Recently a couple of young hackers were able to redirect all Comcast customers to their own website, luckily this was more of a prank but the results could of been much more devastating. In the long run SaaS and cloud computing will thrive, regardless of issues of security, but there will be a lot of companies that will not be able to withstand the damage to their brand reputation if they experience a high-profile security incident.

Against the backdrop of an orgy of breach disclosures, the fundamental weaknesses of the core Internet protocols, and a dramatic increase in financially motivated cyber crime it is imperative that companies offering SaaS or cloud computing implement effective security controls.  Companies looking to take advantage of these new services or investors looking for opportunities for growth should investigate and understand the security models implemented by SaaS and cloud computing companies.