Security Think Tank: Three key security questions on web-based apps

What are the security pitfalls of web-based applications and how are they best avoided?

Before we started to call everything “cloud”, there were desktop applications that were nicely confined to the relative safety of individual companies’ networks.

As the millennium approached, some applications emerged that allowed business processes to be operated via a web browser: the very same web browser that people mostly used to consume information. Today, millions of companies use web-based applications for their critical, or less critical, business processes.

The key question that springs to mind is this: what are the security implications of using externally hosted web-based applications in our critical processes?

Take Salesforce for example: many small and medium-sized enterprises (SMEs) have subscribed to its cloud-based customer relationship management (CRM) solution for many years. Almost everyone is now, often unconsciously, using some sort of web-based email system, such as Google mail, Office365 and many national variants.

There must be clear business benefits to using such applications, given that organisations accept very little, if any, control over the security of the infrastructure, the application and the data processing behind these web-based applications.

In general, plaudits can be offered to software as a service (SaaS) providers who successfully develop and manage those web-based applications. They typically have very good security policies and controls, and a good grasp of application security. Many end-user companies do not command similar resources. However, there are some issues that companies should be aware of before moving their data to cloud-based web applications.

The main pitfalls to consider when deciding whether to go for a specific web-based application are:

  • If I am dissatisfied with my current cloud provider, or if my partnership is coming to an end, how do I take my data elsewhere? Will the data be in a transportable format that I can use with a new provider?
  • How will my business be affected when the web-based application is not available for minutes, hours, days or even weeks?
  • Do I breach any legal or regulatory obligations by having my data, or data I am a custodian of, in a datacentre somewhere in the world? For example, should it remain within the European Union only?

These are just three key questions to ask any cloud service provider.

Of course, there are many more outstanding questions that cover network, data, identity management, log management, application and host security, and all the other cyber security mumbo jumbo! All of them have a direct influence on one or more of the three key questions outlined above.

So, before you start using web-based applications, address these fundamental questions. Less than comprehensive answers are simply not good enough! You have a responsibility to your organisation, your clients and your customers to ensure the safety and continuity of the service you provide.

Vladimir Jirasek, director of research, UK chapter Cloud Security Alliance