TechBrief: Every cloud has a silver lining

Hosted applications, cloud computing, Software as a Service ... what's in the name? The concept is definitely hyped. SaaS comes in many forms but the basic concept is very straightforward. Compared to traditional IT environments, software is no longer purchased and locally installed on a PC or server. SaaS customers buy a license for a software service hosted on the server of the SaaS vendor and available through a monthly, quarterly or yearly subscription fee.

The concept is quite popular, especially in times of economic downturn. According to Forrester, the adoption of SaaS in enterprises will grow by 33% on an annual basis. Many already see the benefits of hosted applications: upfront costs are significantly lower, deployment is faster and cheaper, no additional server hardware investment is required, it is extremely scalable and upgradeable, no dedicated staff is required and thus ROI is guaranteed.

As a result computer users in both leisure and business environments are increasingly using these online applications. Newspaper subscriptions, CRM, HRM, ERP, e-learning services, legal, marketing and real estate services, online gaming and gambling are all types of hosted applications that are increasingly consumed online.

All seem to agree on the many benefits of the hosted model, but SaaS also has a downside for both the user and the vendor.

The decision to use hosted applications often is a business decision: marketers, accountants and HR staff are often the decision-makers when it comes down to choosing a SaaS application (CRM, ERP, payroll and accountancy software) over a proprietary solution or software-in-a-box. Often they are confronted with some scepticism from IT departments. The IT staff usually worries about integration, customisation and above all about security.

IT departments have genuine concerns about security when implementing SaaS: how secure are these hosted applications? After all, your data resides somewhere on a server hosted by the vendor. What measures does the vendor take to make sure that the infrastructure is sufficiently stable and redundant? How do they secure access to the infrastructure and data? You use a simple log-in and password to access the business critical data. Does this provide sufficient protection against data theft through phishing and key logging attempts? Are you really sure that only your staff can access the data and not the competition, which is most likely using the same SaaS application? What do you do if an employee leaves the company, joins the competition and still uses an old password to access your business critical details?

Authentication is the answer

Strong authentication is already common practice in online banking, protecting banks and customers against transaction fraud. Each individual user is provided with an authentication device. The user knows something, usually a PIN to activate the device, and has something, the authentication device. The device generates one-time passwords (OTP) or dynamic passwords that are valid for only a limited amount of time and can only be used once. Thanks to the use of the OTP when logging onto the banking application, the bank is sure that a legitimate user is logging on. The same principle can be applied to SaaS applications, solving the many security concerns IT departments have related to the legitimacy of the users. Not only can they ensure that only authorised users, those equipped with an authentication device, can log on and access the business critical data, they also ensure that data are protected against theft. Since OTPs are only valid for a short time period and cannot be reproduced, they become useless to phishers and keyloggers, desperately trying to intercept passwords to steal data.
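The server-side check behind such a one-time password, as an added example that is not code from the article or from Vasco. It assumes the time-based scheme of RFC 6238 (HMAC-SHA1, 30-second step, six digits), which the article does not specify; `OtpVerifier` and the other names are hypothetical.

```python
import hashlib
import hmac
import struct

STEP = 30    # seconds an OTP stays valid (assumed; RFC 6238 default)
DIGITS = 6   # OTP length (assumed)
SKEW = 1     # time steps tolerated either side for device clock drift (assumed)

# Constructed sample: the published RFC 4226/6238 test key, not a real secret.
SAMPLE_SECRET = b"12345678901234567890"


def totp(secret: bytes, counter: int) -> str:
    """HMAC-SHA1 over the time-step counter, then RFC 4226 dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** DIGITS).zfill(DIGITS)


class OtpVerifier:
    """One device secret per user; each time step is accepted at most once."""

    def __init__(self, secrets: dict[str, bytes]):
        self._secrets = secrets
        self._last_used: dict[str, int] = {}  # user -> newest step consumed

    def verify(self, user: str, otp: str, now: float) -> bool:
        secret = self._secrets.get(user)
        if secret is None:
            return False
        current = int(now) // STEP
        for counter in range(current - SKEW, current + SKEW + 1):
            if counter <= self._last_used.get(user, -1):
                continue  # this step or a later one was already used: replay
            expected = totp(secret, counter).encode()
            if hmac.compare_digest(expected, otp.encode()):
                self._last_used[user] = counter  # burn the code on success
                return True
        return False
```

A code captured by a keylogger fails the `_last_used` check once the legitimate login has consumed it, and falls outside the accepted window a step or two later.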

The vendor perspective

With authentication added as an extra security layer to hosted applications, SaaS vendors are in a good position to make the growth story reality. However, they are facing a number of challenges themselves to make it a true success story.

What do SaaS vendors do to ensure their revenue streams? Surely the subscription model they use ensures a year-on-year revenue stream. With software-in-a-box, the customer pays the full 100% fee the first year and renewal rates, which are significantly lower, the following years. With the SaaS subscription model the year-on-year revenue is 100% guaranteed. But what is the vendor doing against license fraud?

License fraud is common practice among the many users of hosted applications: they buy a limited number of licenses which are shared by a large number of employees. With most hosted applications accessible through a static password, passwords are often shared among employees. This not only opens doors for unauthorised staff to access the data, it also reduces the number of licenses sold. The SaaS vendor definitely misses out on revenue.

Here again, strong authentication offers the solution. Authentication links one user to one license. This way the vendors can assure themselves that only licensed users gain access to accounts that they are licensed for. Additionally, the vendor can protect their revenue stream while differentiating themselves from the competition: offering a solution that complies with the growing regulatory obligations for online security and protects end-users from online transaction fraud or data theft.

Jan Valke is president and chief operating officer at Vasco Data Security

Vasco is exhibiting at Infosecurity Europe 2010, held on 27-29 April at Earl's Court, London. The event provides a free education programme, with exhibitors showcasing new and emerging technologies and offering practical and professional expertise. For further information please visit www.infosec.co.uk
