CIO

Zendesk hack a reminder of SaaS risk

The recent Zendesk hack that compromised user data from Twitter, Tumblr and Pinterest reflects the risks in using third-party service providers.

Zendesk sells cloud-based customer service software for storing, organizing and answering email sent to clients' support staff. On Thursday, the company reported that a hacker had breached its systems this week and siphoned the email addresses and subject lines of support email belonging to three customers, which Wired identified as Tumblr, Pinterest and Twitter. Wired also reported that some phone numbers were taken.

Zendesk provided no details of the break-in beyond saying that the vulnerability had been patched and that the hacker no longer had access to its systems.

"We're incredibly disappointed that this happened and are committed to doing everything we can to make certain it never happens again," the company said. "We've already taken steps to improve our procedures and will continue to build even more robust security systems."

While the data taken is less valuable than credit card or bank account numbers, email addresses paired with the subject lines of real support requests give attackers convincing material for spam and targeted phishing. The break-in also reflects the security risk in using software-as-a-service (SaaS) vendors, which can be less expensive than on-premises applications but place customer data in infrastructure the customer does not control.

"Third-party risk is consistently one of the biggest concerns my CISO (chief information security officer) clients have," Rick Holland, analyst for Forrester Research, said in an email Friday.

The basic steps in reducing risk with a SaaS provider are to secure a contractual right to audit, so that the customer can verify that data protection matches what the service level agreement promises, and to require that the provider be certified against the relevant International Organization for Standardization (ISO) standards (www.iso.org/iso/home.htm), such as ISO/IEC 27001 for information security management, and document its operational controls under the Statements on Standards for Attestation Engagements (SSAE), which are set by the American Institute of CPAs (http://www.aicpa.org/Research/Standards/AuditAttest/Pages/SSAE.aspx).

Beyond these basics, Holland recommends using the Collective Intelligence Framework (CIF) to check whether the SaaS provider's domains or addresses appear in any of the many open-source feeds that track hosts compromised by spammers or hackers. CIF (http://code.google.com/p/collective-intelligence-framework/) is an open source cyber threat intelligence management system that aggregates such feeds so they can be queried in one place.

"This gives you a general idea of the third party's ability to detect and remediate compromised hosts," Holland said. "If they have a high number, then it would not indicate a particularly mature security capability."
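The check Holland describes, matching a provider's known hosts against aggregated threat-intelligence feeds and counting how many are listed and how recently, can be scripted. The following is an added illustration written for this article, not code from Zendesk, Forrester or the CIF project, and it does not reproduce CIF's own output format or API: it reads a constructed CSV feed and a constructed asset inventory (all names and addresses are documentation ranges and placeholder domains), matches IP addresses against CIDR indicators and hostnames against exact or parent-domain indicators, and reports hit counts, recent hits and the age of the latest listing per provider.

```python
"""Score third-party SaaS providers against threat-intel feed indicators.

Added example: the feed format below is a constructed, simplified CSV and is
NOT the real Collective Intelligence Framework output format.
"""
import csv
import io
import ipaddress
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed sample feed (not real data): indicator, type, tag, last-seen time.
SAMPLE_FEED = """\
indicator,itype,tag,lastseen
203.0.113.10,ipv4,phishing,2013-02-20T10:00:00Z
203.0.113.0/24,ipv4,spam,2013-01-05T09:30:00Z
support.example-saas.test,fqdn,malware,2013-02-21T08:15:00Z
198.51.100.7,ipv4,botnet,2012-11-01T00:00:00Z
mail.other-vendor.test,fqdn,phishing,2013-02-18T12:00:00Z
"""

# Constructed asset inventory per provider, as you would assemble it from
# DNS, WHOIS and ASN lookups of the vendor's public footprint (placeholder names).
PROVIDER_ASSETS = {
    "example-saas": [
        "203.0.113.10",
        "203.0.113.44",
        "support.example-saas.test",
        "www.example-saas.test",
    ],
    "other-vendor": ["198.51.100.7", "mail.other-vendor.test"],
}

# Fixed "now" so the example is reproducible offline (assumed evaluation date).
NOW = datetime(2013, 2, 22, tzinfo=timezone.utc)


def parse_feed(text):
    """Parse the CSV feed into dicts, converting lastseen to aware datetimes."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["lastseen"] = datetime.strptime(
            row["lastseen"], "%Y-%m-%dT%H:%M:%SZ"
        ).replace(tzinfo=timezone.utc)
        rows.append(row)
    return rows


def indicator_matches(indicator, itype, asset):
    """True if the asset falls under the indicator.

    ipv4 indicators may be single addresses or CIDR blocks; fqdn indicators
    match the exact host or any host below that domain.
    """
    if itype == "ipv4":
        try:
            addr = ipaddress.ip_address(asset)
        except ValueError:
            return False  # a hostname never matches an IP indicator
        return addr in ipaddress.ip_network(indicator, strict=False)
    if itype == "fqdn":
        asset = asset.lower().rstrip(".")
        indicator = indicator.lower().rstrip(".")
        return asset == indicator or asset.endswith("." + indicator)
    return False


def assess_provider(assets, feed, now=NOW, window_days=30):
    """Count feed hits for one provider and how fresh they are."""
    hits = [(a, e) for a in assets for e in feed
            if indicator_matches(e["indicator"], e["itype"], a)]
    window = timedelta(days=window_days)
    recent = [h for h in hits if now - h[1]["lastseen"] <= window]
    last = min(((now - e["lastseen"]).days for _, e in hits), default=None)
    return {
        "hits": len(hits),
        "recent_hits": len(recent),
        "tags": Counter(e["tag"] for _, e in hits),
        "days_since_last_hit": last,
    }


def assess_all(now=NOW):
    """Assess every provider in the inventory against the sample feed."""
    feed = parse_feed(SAMPLE_FEED)
    return {name: assess_provider(assets, feed, now)
            for name, assets in PROVIDER_ASSETS.items()}


if __name__ == "__main__":
    for name, report in assess_all().items():
        print(name, report)
```

A high number of hits on its own says little; a provider with a large footprint will pick up listings. The useful signals for the conversation Holland describes are the recent-hit count and the age of the latest listing, which show whether the provider notices and cleans up compromised hosts quickly, and the tag breakdown, which separates a spam-relay listing from a malware host serving the customer-facing domain.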

Read more about cloud security in CSOonline's Cloud Security section.