Security for SAAS

Pj Murray
Ranch Hand

Joined: Sep 24, 2004
Posts: 194
Hi,

Does anyone know of a good resource for best security practices for delivering Software as a Service (SaaS), the delivery model used by salesforce.com, etc.?

In particular, protecting user records is the top priority.


PJ Murray -
Ulf Dittmer
Marshal

Joined: Mar 22, 2005
Posts: 39547
Assuming that you are talking about a web app, what are you looking for beyond the usual web app security measures?


Pj Murray
Ranch Hand

Joined: Sep 24, 2004
Posts: 194
A Google search reveals lots of articles about the problems of SaaS security.


For example:

http://www.cxotoday.com/cxo/jsp/article.jsp?article_id=73540&cat_id=908

But there's really not a lot out there regarding solutions. What I'm really looking for is a comprehensive checklist of security items:

-best practices for login passwords, etc
-how to ensure that SaaS provider employees can't see customer data
-how to choose a hosting provider

etc
Ulf Dittmer
Marshal

Joined: Mar 22, 2005
Posts: 39547

That article didn't have much meat to it. As I said above, all the principles of web app security apply.

-how to ensure that SaaS provider employees can't see customer data
-how to choose a hosting provider

The provider employees (at least some of them) will be able to see the data. Anything they absolutely must not see should be encrypted. If you distrust the provider, you should ask yourself if a different service provider might be a better choice.

You don't generally have a choice of hosting provider. The service provider hosts the app, or with a specific hosting provider, but the customer does not get to choose.
Pj Murray
Ranch Hand

Joined: Sep 24, 2004
Posts: 194
I agree that the article 'does not have much meat to it'.

That's why I'm looking for something more substantial.

I've found a good blog (but again, it's high level).

Here's the reason why we're looking at the SaaS model:


http://blogs.zdnet.com/SAAS/?p=288
Ulf Dittmer
Marshal

Joined: Mar 22, 2005
Posts: 39547
That article argues that it can be problematic to have data on the desktop, or rather, that it's dangerous to allow people to let them take the data with them (a social problem as much as a technical one). It's not really about traditional web apps vs. ASP/SaaS. It also doesn't address the fact that most ASP/SaaS applications have capabilities to export data to CSV/PDF/text files, which, again, puts the data on the desktop.

I'd say looking at ASP/SaaS because of security implications is the wrong way to go about it, and likely will not even address the issues.
Pj Murray
Ranch Hand

Joined: Sep 24, 2004
Posts: 194
Originally posted by Ulf Dittmer:
That article argues that it can be problematic to have data on the desktop, or rather, that it's dangerous to allow people to let them take the data with them (a social problem as much as a technical one). It's not really about traditional web apps vs. ASP/SaaS. It also doesn't address the fact that most ASP/SaaS applications have capabilities to export data to CSV/PDF/text files, which, again, puts the data on the desktop.

I'd say looking at ASP/SaaS because of security implications is the wrong way to go about it, and likely will not even address the issues.


Thanks - you've identified another security feature - users should only be allowed to back up/download data in exceptional circumstances (like stopping the subscription), and there should be no built-in feature to do it (i.e. it's a manual operation by the service provider).

One of the key benefits of SaaS is that internal IT/IS staff cannot modify the database of the hosted service. That's sometimes a major security hole in internally hosted packaged software.


You've also identified a security issue with SaaS that applies to all applications - hosted externally or installed on desktops - it's difficult to prevent end users from doing stupid things like writing down their passwords.
Ulf Dittmer
Marshal

Joined: Mar 22, 2005
Posts: 39547
One of the key benefits of SaaS is that internal IT/IS staff cannot modify the database of the hosted service. That's sometimes a major security hole in internally hosted packaged software.

Well, that's a tricky issue. You're trading away reliance on an internal team for reliance on an external team. While the external team has different motivations (e.g., less interest in your company's internals, and more interest in doing a professional job hosting), you are giving away something. It's a legitimate choice, but not one that has a "correct" decision by default.

As an aside, if the internal team is perceived as a security hole, surely that is cause for action of some kind or other.