Posts Tagged ‘Twitter’

2010: SaaS, Google Apps continue rapid uptake

Wednesday, December 30th, 2009

It’s the time of the year to make predictions and top 10 lists for the coming year. So, we’re going to make an easy one – SaaS will continue to gain widespread adoption from businesses of all sizes. And Google Apps in particular will continue to make headway – although we suspect that a bevy of innovative competitors will make themselves known as well.

We’re not really sticking our necks out here. Gartner put Cloud Computing at the top of its ‘Top 10 Strategic Technologies for 2010’ list. Everyone is calling for 2010 to be the year of SaaS and cloud computing – except for those who particularly enjoy being naysayers.

In talking to customers, we are finding that one major obstacle in the road to SaaS is the concern about security. In general, we think that companies like Google and Salesforce can probably do a better job securing and protecting their data than the average organization. They have resources to apply to the problem, and their businesses depend on their ability to secure customer data.

So most of the security concerns are probably overstated. However, access security is something that falls outside of the SaaS solution, and is in general the weakest point. 2009 saw several password-based attacks. Twitter was the target of several high-profile attacks – most recently, someone apparently exploited poor password procedures for the service hosting Twitter’s DNS to redirect users to a malicious site. Ouch.

So, if 2010 is the year SaaS becomes mainstream, it must also be the year that businesses everywhere get serious about protecting SaaS access with strong authentication. We hope that’s true – that this year we start shutting down the password-based attacks against businesses and everyone can feel a little more secure using SaaS applications to run their businesses.

Happy New Year to all.

Are social networks eroding business security?

Friday, November 13th, 2009

As businesses grapple with how to handle social media, they are also asking questions about security. Are social networking sites like Facebook and Twitter actually eroding security for business applications?

In and of themselves, social networking sites typically are pretty secure. But they are inherently more susceptible to phishing attacks than other types of sites. This is due to the layer of trust built into social networks. If you get a direct message that seems to be from a trusted friend, you are more likely to believe it and click on its link than if it is from a Nigerian prince. That’s just human nature.

However, the question remains whether social networks affect security beyond their own applications. The answer is a qualified yes – not because they are inherently insecure but because they help attackers exploit a major weakness in our standard operating procedures today: sharing passwords between accounts.

Faced with dozens of accounts and passwords to remember, we tend to use the same ones across many accounts. That’s the reason that attackers are targeting Twitter and Facebook accounts.

Says Suzanne Choney in the MSNBC article on the topic, “It’s not so much that a crook wants to read why you’ve written on Twitter, or start posting your tweets. Rather, criminals are looking to see if your account information is the same for other accounts, including those for banks, where the reward for such phishing is more lucrative.”

So the fault lies not with social networks themselves, but with the plethora of accounts that we’re asking people to remember (and perhaps the limitations of human memory and patience). That’s why secure single sign-on is increasingly a business necessity.

Like it or not, your business users today are on social networks. According to the Forrester Report “The Broad Reach of Social Technologies”, half of US adults online participate in social networks like Facebook. Yep, your business users are there already. So don’t make them share credentials with the web accounts they use for your business – give them secure single sign-on instead.

Attackers hide behind password resets

Thursday, October 29th, 2009

Cute neighborhood children aren’t the only ones dressing up in disguises this October – attackers are finding new ways to hide behind password resets or faked login screens. The news on October 28th had two particularly scary stories:

  • A new Twitter phishing attack sends direct messages with links to a fake Twitter login page. (See the Cnet posting.)

I’m not sure what’s more frightening – that these attacks are happening, or that so many people are still susceptible to them.

In the Facebook article, many users reported that they pulled the malicious mail with the zipped executable OUT of their junk mail filters because they thought it was legitimate. Yikes.

In another password-related article, the Wall Street Journal profiled a small business where all users shared a single password to access important applications. Better yet, the password was ‘password’ – now that’s a frightening story.

We can keep shouting from the rooftops about changing passwords and using strong passwords – but it is better, from a business risk perspective, to just stop relying on passwords for our application access. Instead, use federation strengthened with multifactor authentication. Then all of these scary stories won’t keep us up at night.

Photo: http://www.flickr.com/photos/orangeacid/ / CC BY 2.0


