An interesting comment has been posted on a blog article I wrote last September about Salesforce.com, suggesting that my opinions at the time supposedly leave me with “egg on face” following the security breach they recently suffered.
The blog article in question is here.
I stand by what I wrote. For instance:
There are certainly some barriers to the adoption of PaaS: security, compliance and privacy concerns will, I’m sure, hold growth in check to some degree while the “followers” learn the mistakes of the “early adopters”.
Early adopters of new technologies have to acknowledge high risk and, where data is concerned, the risk of it being compromised through methods that may not have been fully taken into account. The fact that SFDC suffered an incident where accounts were accessed without authorisation as a result of phished authentication credentials is more bad luck than bad security.
However, targeted phishing attacks against SaaS services are probably going to become the norm rather than the exception, so strong authentication (one-time passwords, tokens, IP address restrictions) is essential. I would also expect to see companies such as Salesforce deploying fraud monitoring and phishing detection services.
I don’t see phishing attacks as being any reason to avoid SaaS providers, although there will always be those who will doubtless fall victim. SaaS providers need to be seen, and required, to up their game and make strong authentication mandatory.