Phishing incident shows need for safeguards in SaaS licensing

CIOL Bureau

DALLAS, USA: Software as a Service (SaaS) shows promise to revolutionize the way businesses purchase software products. SaaS turns software into a service that is leased over the Internet, instead of a product bought and installed on company computers.

“The SaaS leasing model permits companies to avoid the expense and headache of installing complex software packages that typically require huge outlays of cash for hardware and software upgrades,” explains William H. Venema, a member of the Business Law practice and administrative partner at the Dallas office of Epstein, Becker Green Wickliff & Hall, P.C.

“Theoretically, SaaS frees users from having to hook up another computer in a remote data center to yet another database to an additional application server to one more security server. The challenge with such an open system is that security can be easily compromised unless the proper protections are in place,” he adds.

One of the best known SaaS providers, SalesForce.com, offers customer tracking and client relationship management services to nearly one million users.

Unfortunately, the company recently experienced one of the weaknesses of the SaaS model, when one of its employees was tricked by an online phishing scam artist into divulging an internal system password that gave access to the company’s customer contact list. This exposed subscribers to spam emails containing fake invoices, computer viruses, and other security problems.

The SalesForce.com phishing incident represented a deficiency in both the technology and the process. The continued lack of Internet standards to authenticate senders or to notify servers of an email recipient’s blocking preferences leaves the door open to phishing attacks.

Just as important, user gullibility is often the cause of phishing security breaches. Enhanced employee training for SaaS providers is essential to the prevention of breaches.

“Proper structuring of software licensing arrangements can help protect users against security breaches such as those that occurred at SalesForce.com,” adds Venema. “At a minimum, licenses should include provisions that address server and technician security. Unfortunately, too many companies fail to include such provisions and thereby increase their vulnerability to such attacks.”