
Software as a Service as a Security Battleground

As on-demand applications proliferate, customers take extra steps to protect their data

March 24, 2008
By Maria Trombly

Salesforce.com reached a milestone last fall: 1 million people using the online software company to host their customer relationship management systems and other key business processes. Those users were at more than 1,600 financial services firms including ABN Amro, SunTrust Banks, Daiwa Securities and Bear Stearns--Merrill Lynch & Co. alone accounted for 25,000.

That amounts to a big cultural shift. As recently as 2005, financial firms kept all their customer data close, behind corporate firewalls, in steel safes. Wall Street hardly seemed ready to entrust that data to a start-up. However, Salesforce.com challenged that thinking by proving, first to Merrill Lynch and then others, that its security was as good as a bank's. With trust came respectability and customers, as well as unwanted attention from hackers.

In October, the San Francisco-based company acknowledged that it had lost data in an attack. "A Salesforce.com employee had been the victim of a phishing scam that allowed a Salesforce.com customer contact list to be copied," said technology EVP Parker Harris in a letter to customers. "To be clear, a phisher tricked someone into disclosing a password, but this intrusion did not stem from a security flaw in our application or database."

According to Harris, the contact list included full names of Salesforce.com clients, company names, e-mail addresses, telephone numbers and other "administrative information." The hackers used the data to send e-mails to Salesforce.com customers, attempting to gain access to their accounts. "A small number of our customers began receiving bogus e-mails that looked like Salesforce.com invoices, but were not--they were also phishes," said Harris. "Unfortunately, a very small number of our customers who were contacted had end users that revealed their passwords to the phisher."

SunTrust and Automatic Data Processing (ADP) were reportedly among those firms. "It has been determined that the stolen e-mail contact information in this database is being used to notify clients and others with the 'from' address spoofed to look like a valid ADP e-mail address," ADP said in a statement.

In response to the incident, Salesforce.com conducted a security analysis to find the source of the leak and contacted all of its clients, warning them about fraudulent e-mails. It also conducted an online security seminar for customers.

However, some clients complained that it took Salesforce.com several months to react, with the initial breach reportedly occurring in March. Salesforce.com officials repeatedly turned down media interview requests following the incident, and provided no additional details of what went wrong. When contacted by Securities Industry News for this article, Salesforce.com declined to comment.

Precautionary Measures

The event underscores the potential dangers of putting sensitive data in the hands of a third party. Even otherwise innocuous information can give hackers ammunition against a target's defenses. To protect against that, financial services users of Salesforce.com and other software-as-a-service (SaaS) providers are working to safeguard client access to the applications, running security audits of the providers and educating users about how to interact with them.

Messages between SaaS vendors and their users travel over the public Internet. While this may seem risky, that link is actually the most secure part of the chain: the messages are encrypted using the same techniques employed by online retailers and e-brokerages. The client computer, on the other hand, is extremely vulnerable. There might be a Trojan or a virus on it, secretly collecting passwords; it could be physically stolen; or the computer itself could be in a hacker's hands.