Comment: Security doubts about the cloud

Security concerns swirl around cloud computing and SaaS
Security concerns swirl around cloud computing and SaaS
Jan Valcke, VASCO Data Security
Jan Valcke, VASCO Data Security

Hosted applications, cloud computing, software as a service (SaaS)…these are buzz words used all over the IT landscape at the moment. SaaS comes in many flavours, but the overall concept remains the same: software is no longer purchased and installed on local PCs and servers. Nowadays, organizations buy a license for a software service hosted on the server of the SaaS vendor. Licenses are available through a monthly, quarterly or yearly subscription fees.

The model is very popular, especially in the current economic downturn. SaaS’ promise of flexible pricing has made it attractive to companies that need to reduce their IT costs without compromising the performance of services and applications that are essential to their business.

Furthermore, upfront costs tend be lower, deployment is faster and cheaper, and Saas does not require additional server hardware investments or dedicated staff. As the SaaS model can be extended across the whole enterprise, it is becoming the licensing model of choice across many departments, such as marketing, helpdesk support and human resources.

As a result, computer users both in private or business environments leverage these online applications. Newspaper subscriptions, CRM, HRM, ERP, e-learning services, legal, marketing and real estate services, and online gaming and gambling are all types of hosted applications that are consumed in the notorious cloud.

SaaS applications raise security concerns

For all the added value and cost savings that hosted applications deliver, SaaS has also a downside both for user and vendor. Decision makers choosing SaaS applications over proprietary software or software-in-a-box are often confronted with some resistance from the IT department. IT staff not only see the benefits that SaaS yields, they are mainly occupied with concerns such as integration, customization and – above all – security.

SaaS raises serious questions regarding security issues. How secure are these hosted applications? Is data integrity of business-critical information ensured? And how can you securely access data on an external server while preventing unauthorized access at the same time?

By default, hosted applications offer simple log-on procedures using single-factor authentication. Users log-on using a username and static password, such as the name of their favourite pet. Such passwords, however, are very vulnerable, as they are easy to obtain or intercept and don’t provide sufficient protection against data theft via phishing and key logging attempts.

And what if an employee leaves the company for a job with a competitor and uses his old password to access his previous organizations business critical data? Moreover, static passwords can easily be shared between colleagues, resulting in revenue loss for SaaS providers.

Two-factor authentication solves legitimacy issues

Protecting hosted applications doesn’t necessarily need to be complicated. Strong two-factor authentication overcomes many of the aforementioned objections.

Strong authentication is already commonplace in online banking. End-users generally possess an authentication device that generates one-time passwords. These dynamic passwords can only be used once and expire after a limited amount of time. Two-factor authentication gives application providers the guarantee that the user requesting access is actually who he or she claims to be. The same principle can be applied to SaaS applications, solving security issues related to the legitimacy of users.

Preventing revenue loss

By adding strong user authentication as an extra security layer, SaaS vendors are able to sidestep security issues and turn the concept into a potential success story. However, there still remain some challenges that need to be faced.

How can SaaS vendors ensure their revenue streams? It may seem a superfluous question at first, as they work according to a subscription model that should guarantee a year-on-year revenue stream. But, as previously mentioned, what if subscribers start sharing passwords? How can SaaS vendors prevent their high-praised licensing model from becoming their own revenue trap?

License fraud is common practice by users of hosted applications: they buy a limited number of licenses, which are then shared by a large number of employees. SaaS providers are at risk of lost revenue caused by licensed subscribers sharing their credentials with unlicensed users, minimizing the effectiveness of the application and impacting the number of licenses sold. Simply put: SaaS vendors stand to lose revenue.

Strong authentication offers the golden solution. Authentication enables vendors to link one user to one license. This way the vendor can ensure themselves that only licensed users gain access to accounts that they are licensed to access. Additionally, the vendor can protect its revenue stream while differentiating them from the competition. For example, the vendor offers a solution that complies with the growing regulatory obligations for online security and it is protecting end-users from online transaction fraud or data theft.

Hence, strong authentication addresses the growing requirement for online applications and software-as-a service (SaaS) providers to protect their investment and service.

Jan Valcke is the president and COO of VASCO Data Security. He was co-founder and member of the board of directors of Digiline, the company that developed and marketed the first Digipass strong authentication tokens, back in 1991. From 1992 until joining VASCO in 1996, Valcke served as VP of sales and marketing for Digipass NV/SA, a member of the Digiline International group. In this position, Valcke dramatically strengthened the position of Digipass as the strong authentication solution for financial institutions.

When Digiline/Digipass was acquired in 1996 by VASCO, Valcke took responsibility for the worldwide sales of the new company. In 2000, he became VASCO’s executive VP for sales & marketing, and by the end of 2002, Valcke was appointed VASCO’s president and COO.

VASCO is exhibiting at Infosecurity Europe 2010, the No. 1 industry event in Europe held on 27th – 29th April in its new venue Earl’s Court, London. The event provides an unrivalled free education programme, exhibitors showcasing new and emerging technologies and offering practical and professional expertise. For further information please visit

What’s hot on Infosecurity Magazine?