The rise of robust, affordable networks has made it easier and cheaper for software vendors to deliver some of their applications across the Internet as third-party hosted or outsourced services, and most people agree that the number and variety of these services will only increase.
But Symantec's Global Security Consulting division has recently spent much of its time cautioning its clients about the security risks of third-party services. The group's message isn't meant to discourage adoption, but to educate companies about how to adopt such services safely.
"As we're seeing this shift toward on-demand services delivered over the Internet, it creates different security implications and threat profiles," says Samir Kapuria, principal security strategist for Symantec's consulting wing. "Traditional applications in a corporate environment could be handled with a traditional security approach, but SOAs have changed that paradigm quite a bit."
Bringing a third party into the mix to deliver, manage and maintain the services makes that provider a more attractive target for would-be attackers, so it's incumbent on customers to make sure their service provider has a sound security profile.
"Companies should conduct security due diligence on these third-party providers in order to understand the impact a third-party relationship may have on the company’s risk posture," Kapuria says.
He says the majority of Symantec Consulting's clients use some kind of hosted service for applications such as CRM, ERP, human resources or accounting. But the rise in such usage has been met with a corresponding rise in the threats against them. In Symantec's most recently released Internet threat report, about 69 percent of the new vulnerabilities the company identified affected Web applications. The problem is exacerbated when users access these applications from public computers, in Internet cafes or airports, for example.
When evaluating a third-party provider, companies should make sure the provider has a defined set of security criteria that it follows closely, and that the applications it offers as a service were actually designed for Web-based delivery rather than being repurposed PC applications. It also doesn't hurt to drill down further and examine the provider's own infrastructure security and hiring practices.
"Some third parties that target the SMB space might not have such strict security requirements, and you want to make sure their security practices map to their clients' business models," Kapuria says. "Customers should make sure that, in adopting a third-party provider, the third party doesn't become the weakest link in their security program."