Everyone is figuring out that Web-based applications are the future of software, with Software as a Service (SaaS) as the delivery model of choice. Businesses are migrating to Salesforce.com. Google Apps launched in full force to disrupt Microsoft Office dominance. And who knows how many businesses have been made possible using eBay’s marketplace. The advantages and cost savings of Web-based applications and SaaS are just too good to ignore, despite how much sensitive data is being uploaded.
Even we everyday users are taking advantage of easy-to-use Web applications. Online banking: when was the last time you went to your local branch? Heck, even the banks host their web apps elsewhere. Taxes: tens of millions were filed online this year. They host too. Hundreds of millions use Web mail instead of, or in combination with, desktop email applications. When it comes down to it, it’s hard to know who really has your data anyway; maybe a dozen or more companies. What this also means for security practitioners is that the rules and business requirements have changed dramatically yet again.
Lack of Control
Any information users upload or create (email, documents, spreadsheets, marketing information, etc.) is now publicly accessible. (Google Calendar) The data resides, publicly reachable 24/7/365, on someone else's web servers, not on your private local network, and its security is beyond your immediate control. How much do you trust or understand the security practices of the hosting company? You can’t make your data secure even if you want to.
Should a breach occur, how would you know? Would the company be legally obligated to tell you? Under what circumstances? (Turbo Tax) What is their backup and disaster recovery policy? Are you out of business during that time? These are serious business security and continuity issues should organizations rely upon these services for day-to-day operations. Downtime costs could be huge.
Anyway, I wish I had more in the way of immediate solutions beyond testing the security yourself. But that is probably not legal, and they are unlikely to hand over written consent. As more breaches occur, we’ll figure out the answers.