Cloud // Software as a Service
Commentary
9/7/2011
01:05 PM
Kurt Marko
Kurt Marko
Commentary
Connect Directly
Facebook
LinkedIn
Twitter
RSS
E-Mail
50%
50%
Repost This

Protecting SaaS Users From Identity Exploits

A variety of attacks can be used to gain access to SaaS apps. Here's how to protect user accounts from exploit.

InformationWeek SMB - Sept. 12, 2011 InformationWeek Green
Download the entire InformationWeek SMB, distributed in an all-digital format as part of our Green Initiative
(Registration required.)
We will plant a tree for each of the first 5,000 downloads.

Kurt Marko: Saas ID Security

Data security is a perennial concern for cloud customers. But one issue many SMBs overlook is identity protection. The risks are real when it comes to Office-like productivity suites because one login grants access to email, contacts, calendar, documents, and more. And in this era of browser-based applications, it's easier than you think to hijack credentials.

The easiest way to compromise Web application identities is via session hijacking, a.k.a. sidejacking. This exploit, made popular by the Firesheep Firefox extension, takes advantage of the common practice of websites using an unencrypted cookie to store state information in a session key. While the initial site login is SSL-encrypted, subsequent transactions between the client and various Web pages within a site's ecosystem are authenticated via an unencrypted token. Anyone who intercepts the cookie--and that's easy to do on public Wi-Fi networks--can impersonate the user. While Gmail on a PC isn't vulnerable to this particular exploit, Facebook and Twitter are, as were Google services on Android until Google rushed out a patch a few months ago. Microsoft says Office 365 uses SSL for all application connections.

Another technique is a variant of a cross-site scripting attack that exploits privileges granted to extensions in Google's Chrome browser to access credentials and inject code into other browser sessions. In a recent demo at the Black Hat conference, researchers developed a "malicious extension" that could do everything from scan ports on the local network to access a user's Google credentials and email contacts and chat with friends. It could even inject a JavaScript keylogger onto another Web page, say a bank or credit card account, open in another tab. This exploit is particularly pernicious because Google doesn't vet browser extensions.

Another way to compromise Web logins is through the combination of weak password-recovery processes and clever social engineering that makes it easy for attackers to impersonate legitimate users and steal their identities. This technique was made famous when a hacker reset the password to a Twitter executive's public Gmail account, combed through emails to discover the executive's Google Apps account name (which used the same password), and then stole documents from Twitter's internal email system.

Now, while none of these attacks is unique to SaaS applications, when you run your business on the Web, you open up your users to these threats. Nevertheless, these exploits shouldn't be a SaaS showstopper if you employee prudent security practices. For instance, use SSL wherever possible (Google Apps has a domain-wide setting to enforce this). Monitor accounts for unusual activity. Use VPN tunnels (making sure all traffic traverses the VPN with split tunneling turned off) on public Wi-Fi networks. Mobile users of Google Apps who access their accounts from untrusted networks should strongly consider enabling Google's two-step verification, which augments the basic user name and password login with a security token sent to a smartphone. Domain admins may have to set this up for their users, and probably should.

Comment  | 
Print  | 
More Insights
The next wave in APM
The next wave in APM
Find out how to get the benefits of application monitoring while avoiding the complexity and performance headaches.
Register for InformationWeek Newsletters
White Papers
Current Issue
InformationWeek Elite 100 - 2014
Our InformationWeek Elite 100 issue -- our 26th ranking of technology innovators -- shines a spotlight on businesses that are succeeding because of their digital strategies. We take a close at look at the top five companies in this year's ranking and the eight winners of our Business Innovation awards, and offer 20 great ideas that you can use in your company. We also provide a ranked list of our Elite 100 innovators.
Video
Slideshows
Twitter Feed
Audio Interviews
Archived Audio Interviews
GE is a leader in combining connected devices and advanced analytics in pursuit of practical goals like less downtime, lower operating costs, and higher throughput. At GIO Power & Water, CIO Jim Fowler is part of the team exploring how to apply these techniques to some of the world's essential infrastructure, from power plants to water treatment systems. Join us, and bring your questions, as we talk about what's ahead.