How safe is Software-as-a-service? My thoughts…

It seems that every five minutes I hear the words SaaS (Software as a Service), almost as if it were some new phenomenon sweeping the business world. I think what has made it more of a buzzword is that many of the bigger software players, like Microsoft and Adobe, now offer many of their products on a subscription model.

Hosting software in the cloud and making it accessible to clients via web browsers is a great service. Whilst this sounds incredible and very handy for business, nobody seems to have questioned how safe it is.

When we started E-Tale, security was a top priority as we were handling data for so many tier 1 brands. However, for the general consumer, it sometimes seems that this is swept under the carpet.

Only last week there was panic over WhatsApp security after the Electronic Frontier Foundation (EFF) rated WhatsApp the worst for security out of 24 companies, giving it only one star in its fifth annual ‘Who Has Your Back’ report.

It’s not just WhatsApp: Facebook is scrutinised every day for its information-sharing policies, which are deemed equally bad. The truth is that all cloud storage presents a security risk. You only have to look at the hacks at eBay, LinkedIn and Sony to realise that the risk is very real.

Sony, for example: hackers obtained over 100 terabytes of data, ranging from employee passwords and credit card details to medical histories and executive salary details, and the company also lost revenue from leaked, unreleased films. eBay suffered just as badly: hackers stole personal details, including addresses, phone numbers and dates of birth, belonging to all 145 million customers.

Even if your software has been thoroughly tested, there are numerous security threats you need to be able to identify and deal with should a security crisis arise. We only need to look at the cloud scandal a few years ago where celebrity photos were leaked: these crises never end well!

With this all in mind, I thought I would share my top tips for both consumers and startups when handling sensitive data. I have broken this down into tips for the end user, and tips for the company making the software.

My top tips for the SaaS user:

  • Minimise the personal information you share. For example, is it essential that you give third parties permission to use your contact information? No, of course not. Be vigilant about what you’re sharing and give as little information about yourself as possible. For any service you sign up to, make a note of its contact details so that in an emergency you can cancel your account.

  • Change your password periodically; any subscription service should be telling you the importance of changing your password anyway. If you use names and numbers in your password, e.g. ‘Wife2015’, and this password gets leaked, hackers will normally assume it is used across all your social networks too, so try not to reuse the same password! Whilst you’re changing passwords, you might as well back up your data, so that if it’s ever lost you can get it back from somewhere.

  • Think about your past internet history: remember that subscription service you signed up to 5 years ago that you now don’t use? They’re still storing your credit card information. If you’re no longer using services or accounts on specific websites, the best advice I can give is to delete your profiles on all of them. It’s the safest option and you’ll thank me later for it!

  • Once you’ve looked at your past internet history, you will come across some services and accounts you need to keep. Prioritise which of these NEED your data, and think about updating the passwords and setting reminders to change them often as well. After all, if someone hacked you, it could go as far as stealing your identity without you even knowing it’s happened. Create stronger passwords and harder security questions, and link your mobile or e-mail to these accounts so you are alerted if anyone tries to gain access to your account.

  • ALWAYS read the small print. We have all skipped through those pesky terms and conditions when signing up for things, happily clicking the ‘accept’ button. When signing up for a subscription online, my biggest tip is to read the fine print: you don’t want to be signing up for more than you bargained for. You should also check that your computer’s security software is running correctly so it can minimise threats further.

My top tips for start-ups providing SaaS: (This is where it gets a bit more technical…)

  • Be clear on your privacy policy. What data do you store and why? Where is it stored? If it is stored in Europe, say so. If the service is based in the UK, for example, register the service with the ICO.org (Information Commissioner) and reference this within the policy. This will give the consumer clear evidence and confidence that you have considered the governance of their data.

  • Secure the communication between consumer and service – really simple: use SSL/TLS certificates so that information in transit between the consumer and your service is encrypted. The certificate will also confirm that the service end-point is valid and belongs to your organisation.

  • Ensure the development team understand what it means to hold customer data. I know a company that was hacked and held to a 24-hour ransom because a developer left the company’s root Amazon authentication keys in a script that they then published as open source to help other developers. A case where developers are trying to innovate and a simple slip exposes the entire solution to a threat. The developer was mortified when the CIO received the ransom demand.

  • A simple tip, but most users will be accessing the software from a public computer: set up a reminder for them to log out if they try to leave the page or shut down the browser. Use Cache-Control headers to make sure this works reliably; whilst it may annoy users, it’s the safest option. Also consider the autocomplete attribute on the login form (and keep session cookies short-lived): browsers offer to store passwords, and if you set autocomplete to ‘off’ for use on public computers, users aren’t at risk of saving their passwords where anybody could use them.

  • If your users are using private computers then I would recommend allowing saved passwords, simply because users often pick difficult passwords with lots of numbers or hard-to-spell words. It will also sound alarm bells for your consumer if they’re ever prompted to enter their password: if it’s already saved there should be no need, so they can differentiate the real site from a scam phishing site!

  • Be wary of JavaScript files! Don’t put any private user data or restricted-access files in your JavaScript files; surprisingly, the URLs can be guessed very easily and the data will be exposed. HTML files containing scripts need to be loaded through hidden iframes rather than as naked scripts; it’s the same principle as not loading a site in a frame if you don’t trust it. And if you use Internet Explorer? Don’t use frames at all.

  • Cross-site request forgery (CSRF) is when a malicious site causes a visitor’s browser to make a request to your server which potentially changes something on it. These requests can range from logging the visitor out and writing comments from the visitor’s account to changing their preferences, which could mean gaining access to their credit card information too! These attacks usually happen through JavaScript, so ensure your software is safe from this sort of attack!

  • Lastly, cross-site scripting (XSS) is when an attacker can inject scripts into a page sent by your server. If a malicious site links to a URL on your software, it can do multiple things: steal cookies from that site, steal passwords, see user data and ultimately let the hacker control the user’s account. My best advice would be not to allow JavaScript or similar in user-submitted HTML, and to specify the character set of every page, so that hackers cannot exploit the browser having to guess the character set.
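
As an added example (written for this edit, not code from the post), the in-transit tip, the cache-control tip and the "specify the character set" tip above can all be enforced in one place at the HTTP layer. The Python WSGI middleware below redirects plain-HTTP requests to HTTPS, adds an HSTS header, declares an explicit charset on HTML responses, and marks account and login pages `no-store` so the browser does not keep a copy after logout. The `SecureTransport` name, the `/account` and `/login` prefixes, the `saas.example` host and the demo app are assumptions of this example.

```python
"""Added example: WSGI middleware for HTTPS-only, HSTS, explicit charset and
no-store caching on private pages. Names, prefixes and host are assumed."""
from urllib.parse import urlunsplit

# One year, covering subdomains; adjust once you are sure every host supports TLS.
HSTS = "max-age=31536000; includeSubDomains"


def is_https(environ):
    """True if the request arrived over TLS, directly or via a TLS-terminating proxy."""
    if environ.get("wsgi.url_scheme") == "https":
        return True
    return environ.get("HTTP_X_FORWARDED_PROTO", "").lower() == "https"


def https_url(environ):
    """Rebuild the requested URL with an https scheme for the redirect."""
    host = environ.get("HTTP_HOST") or environ["SERVER_NAME"]
    path = environ.get("PATH_INFO", "") or "/"
    return urlunsplit(("https", host, path, environ.get("QUERY_STRING", ""), ""))


def secure_headers(headers, no_store):
    """Return the app's headers with HSTS, explicit charset and optional no-store caching."""
    out = []
    for name, value in headers:
        lname = name.lower()
        if lname in ("cache-control", "pragma", "expires", "strict-transport-security"):
            continue  # the middleware owns these headers
        if lname == "content-type" and value.startswith("text/html") and "charset" not in value.lower():
            value += "; charset=utf-8"  # never let the browser guess the charset
        out.append((name, value))
    out.append(("Strict-Transport-Security", HSTS))
    if no_store:
        out.append(("Cache-Control", "no-store, no-cache, must-revalidate, max-age=0"))
        out.append(("Pragma", "no-cache"))
    return out


class SecureTransport:
    """Wrap any WSGI app; private_prefixes are paths that must not be cached."""

    def __init__(self, app, private_prefixes=("/account", "/login")):
        self.app = app
        self.private_prefixes = tuple(private_prefixes)

    def __call__(self, environ, start_response):
        if not is_https(environ):
            start_response("301 Moved Permanently",
                           [("Location", https_url(environ)),
                            ("Content-Type", "text/plain; charset=utf-8")])
            return [b"Redirecting to HTTPS"]
        no_store = environ.get("PATH_INFO", "").startswith(self.private_prefixes)

        def wrapped_start(status, headers, exc_info=None):
            return start_response(status, secure_headers(headers, no_store), exc_info)

        return self.app(environ, wrapped_start)


def demo_app(environ, start_response):
    """Constructed stand-in for the real application."""
    start_response("200 OK", [("Content-Type", "text/html")])
    return [b"<p>hello</p>"]


def run_request(path, scheme="https", host="saas.example"):
    """Drive the stack with a constructed WSGI environ; returns (status, headers dict, body)."""
    environ = {"wsgi.url_scheme": scheme, "HTTP_HOST": host, "SERVER_NAME": host,
               "PATH_INFO": path, "QUERY_STRING": "", "REQUEST_METHOD": "GET"}
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = dict(headers)

    body = b"".join(SecureTransport(demo_app)(environ, start_response))
    return captured["status"], captured["headers"], body


if __name__ == "__main__":
    for req in (("/account/profile",), ("/public",), ("/account", "http")):
        print(req, run_request(*req)[:2])
```

Only trust `X-Forwarded-Proto` when the app sits behind a proxy you control; otherwise a client can spoof it and skip the redirect.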
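
The "root Amazon authentication keys left in a script" story above is the kind of slip a pre-commit check catches before anything is published. The following scanner is an added example (not from the post or any particular project): it looks for AWS access key IDs (AWS's documented shape is `AKIA` or `ASIA` followed by 16 upper-case alphanumerics), a secret-access-key assignment, and generic hard-coded `password`/`secret`/`token` literals, and reports file, line and kind. The sample script is constructed for this example and uses AWS's public documentation example credentials, not live ones; the `pragma: allowlist secret` marker is an assumed convention for suppressing known-safe lines.

```python
"""Added example: scan source text for credentials before it is pushed or
open-sourced. Regexes and the allowlist pragma are assumptions of this example."""
import re
import sys

PATTERNS = {
    # Long-term (AKIA) and temporary (ASIA) AWS access key IDs.
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    # A 40-character base64-like secret assigned to aws_secret_access_key.
    "aws_secret_access_key": re.compile(
        r"(?i)aws_secret_access_key\s*[=:]\s*['\"]?([A-Za-z0-9/+=]{40})"),
    # Generic quoted literal of 8+ chars assigned to a secret-looking name.
    "hardcoded_secret": re.compile(
        r"(?i)\b(?:password|passwd|secret|api_key|token)\b\s*[=:]\s*['\"]([^'\"]{8,})['\"]"),
}
ALLOWLIST_MARK = "pragma: allowlist secret"


def scan_text(text, filename="<stdin>"):
    """Return a list of {'file', 'line', 'kind'} findings; the matched value is
    deliberately not included so the report itself does not leak it."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if ALLOWLIST_MARK in line:
            continue
        for kind, pattern in PATTERNS.items():
            if pattern.search(line):
                findings.append({"file": filename, "line": lineno, "kind": kind})
    return findings


def scan_paths(paths):
    """Scan files on disk (e.g. the staged files in a pre-commit hook)."""
    findings = []
    for path in paths:
        with open(path, encoding="utf-8", errors="ignore") as fh:
            findings.extend(scan_text(fh.read(), path))
    return findings


# Constructed sample: AWS's documentation example key pair, not a real credential.
SAMPLE_SCRIPT = """#!/usr/bin/env python
import boto3
aws_access_key_id = "AKIAIOSFODNN7EXAMPLE"
aws_secret_access_key = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
password = "correct-horse-battery"
region = "eu-west-1"
"""


def main(argv):
    findings = scan_paths(argv[1:]) if argv[1:] else scan_text(SAMPLE_SCRIPT, "deploy.py")
    for f in findings:
        print(f"{f['file']}:{f['line']}: possible {f['kind']}")
    return 1 if findings else 0  # non-zero exit blocks the commit


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Wire `main` into a pre-commit hook and the commit is refused while a finding exists; keys that do slip out should still be rotated, since the scanner only reduces how often that happens.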
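
For the CSRF tip, the standard defence is a synchronizer token: the server stores a random token in the user's session, embeds it in every state-changing form, and rejects any POST whose token does not match. The example below is added here and is not from the post; the dict-based `session`, the `/account/email` action, the `SITE_ORIGIN` value and the `handle_post` endpoint are constructed for illustration. It also checks the browser-supplied `Origin` header as a second layer.

```python
"""Added example: synchronizer-token CSRF protection for a form endpoint.
Session storage, endpoint and origin are assumptions of this example."""
import hmac
import secrets
from html import escape

TOKEN_KEY = "csrf_token"
SITE_ORIGIN = "https://saas.example"  # constructed value for the example


def issue_csrf_token(session):
    """Create one unguessable token per session on first use and return it."""
    token = session.get(TOKEN_KEY)
    if not token:
        token = secrets.token_urlsafe(32)
        session[TOKEN_KEY] = token
    return token


def render_form(session, action="/account/email"):
    """Embed the session's token as a hidden field in a state-changing form."""
    token = issue_csrf_token(session)
    return (f'<form method="post" action="{escape(action)}">'
            f'<input type="hidden" name="{TOKEN_KEY}" value="{escape(token)}">'
            '<input name="email"><button>Save</button></form>')


def csrf_valid(session, form, headers):
    """True only if the submitted token matches the session token and the
    Origin header (when the browser sends one) is our own site."""
    expected = session.get(TOKEN_KEY)
    submitted = form.get(TOKEN_KEY, "")
    if not expected or not submitted:
        return False
    # Constant-time comparison; bytes so non-ASCII input cannot raise TypeError.
    if not hmac.compare_digest(expected.encode(), submitted.encode()):
        return False
    origin = headers.get("Origin")
    if origin is not None and origin != SITE_ORIGIN:
        return False  # cross-site POSTs carry the attacker's origin
    return True


def handle_post(session, form, headers):
    """Simulated state-changing endpoint; returns (status, message)."""
    if not csrf_valid(session, form, headers):
        return 403, "CSRF check failed"
    session["email"] = form["email"]
    return 200, "email updated"


if __name__ == "__main__":
    sess = {}
    print(render_form(sess))
    tok = sess[TOKEN_KEY]
    print(handle_post(sess, {TOKEN_KEY: tok, "email": "a@example"}, {"Origin": SITE_ORIGIN}))
    print(handle_post(sess, {"email": "x@example"}, {"Origin": "https://evil.example"}))
```

Pair this with session cookies marked `SameSite=Lax` (or `Strict`) and `Secure`; the token check is what still holds when an older browser ignores SameSite.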
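
The XSS tip says not to allow JavaScript in user-submitted HTML. Rather than trying to spot bad input, the robust approach is an allowlist: keep only a few known-safe tags and attributes, drop everything else (including every `on*` handler and any `javascript:` link), and escape all text. The sanitizer below is an added example built on Python's standard `html.parser`; it is not code from the post, and the chosen tag set is an assumption you would tune for your own service.

```python
"""Added example: allowlist HTML sanitizer for user-submitted fragments.
The ALLOWED tag/attribute set is an assumption of this example."""
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

ALLOWED = {"b": set(), "i": set(), "em": set(), "strong": set(),
           "p": set(), "br": set(), "a": {"href"}}
VOID = {"br"}
SAFE_SCHEMES = {"http", "https", ""}  # "" = relative URL


class Sanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.skip_depth = 0  # >0 while inside <script>/<style>; their text is dropped

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self.skip_depth += 1
            return
        if tag not in ALLOWED:
            return  # unknown tag: drop the tag, keep its (escaped) text content
        kept = []
        for name, value in attrs:
            if name not in ALLOWED[tag] or value is None:
                continue  # removes on* handlers, style, id, etc.
            if name == "href" and urlsplit(value.strip()).scheme not in SAFE_SCHEMES:
                continue  # removes javascript:, data:, vbscript: links
            kept.append(f' {name}="{escape(value, quote=True)}"')
        if tag == "a" and kept:
            kept.append(' rel="noopener noreferrer"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self.skip_depth = max(0, self.skip_depth - 1)
            return
        if tag in ALLOWED and tag not in VOID:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if self.skip_depth == 0:
            self.out.append(escape(data, quote=False))

    # Comments, doctype and processing instructions are silently dropped.


def sanitize_html(fragment):
    """Return a version of fragment containing only allowlisted markup."""
    parser = Sanitizer()
    parser.feed(fragment)
    parser.close()
    return "".join(parser.out)


if __name__ == "__main__":
    # Constructed inputs of the kind a comment box might receive.
    for sample in ('<p onclick="x()">hi <b>there</b></p>',
                   '<script>steal()</script>ok',
                   '<a href="javascript:alert(1)">x</a>',
                   '<img src=x onerror=alert(1)>'):
        print(repr(sample), "->", repr(sanitize_html(sample)))
```

Run the sanitizer on the server at render time as well as on submission, and send the page with an explicit `charset=utf-8` so the browser never has to infer the encoding of the sanitized output.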

I hope these tips have helped; I would love to hear others’ thoughts on the subject!
