Cloud Implications on Software Network Structure and Security Risks
Terrence August, Rady School of Management, UC San Diego
Joint with Marius Florin Niculescu and Hyoduk Shin (Georgia Tech & UC San Diego)
NSF Grant:
Software Liability
Loss liability is a strictly dominated policy for most software security environments
On-Premises and SaaS Software
On-premises
  Browsers: IE, Firefox, Chrome
  A/V: Sophos, Avira, Symantec
  Webservers: IIS, Apache HTTP Server
  Doc Readers: Acrobat Reader, YAP
  App Servers: Websphere, JBoss, etc.
SaaS
  Enterprise: Salesforce CRM, Netsuite ERP, CRM
  Productivity: Google Docs
  Rev. Mgmt: IBM DemandTec
  Social: LinkedIn, Facebook
On-premises and SaaS
  Microsoft Office and Office 365
  Microsoft Dynamics CRM On-premises / Online
  SAP Business All-in-One / SAP Business One OnDemand
  Oracle Siebel CRM / Oracle CRM OnDemand
Where are we heading??
Diverse Consumer Preferences
When to use On-Premises
  Require a solution that meets the unique needs of your company (extensive customization)
  Require a certain level of security and control over data
  Have a dedicated IT staff
  Do not want access to data to depend on Internet availability and speed
  On-site hardware maintenance
When to use SaaS
  Want to get up and running as quickly as possible
  Require minimal customization (less integrated solution)
  Have limited IT support and resources
  Do not want to invest in hardware or pay upfront licensing fees
SAP
Cloud Computing Market
Gartner estimates the cloud computing industry will grow to $149 billion by 2015
U.S. Government championing the Federal Cloud Computing Initiative
  Encourages agencies to use cloud computing solutions
  $80 billion federal IT budget
SaaS applications will play an increasing role in firms’ IT strategies
Security Attacks
Security risk comes in two forms:
Undirected: self-replicating attack such as a worm
  Intent is to spread and distribute payload
  Examples: Code Red, Slammer, Sasser, Stuxnet, AutoCad worm
Undirected Risk
Worm       Lag after vulnerability notice
Code Red   month
Slammer    months
Blaster    month
Sasser     weeks
Zotob      days
Security Attacks
Security risk comes in two forms:
Undirected: self-replicating attack such as a worm
  Intent is to spread and distribute payload
  Examples: Code Red, Slammer, Sasser, Stuxnet, AutoCad worm
Directed: targeted attack such as a hacker infiltration
  Intent is to penetrate a particular organization for either an economic or political objective
  Examples: distribute.IT, Office 365 token management vulnerability
Targeted Attack
Sony PlayStation Network Outage (April 2011)
  77 million user accounts compromised, including date of birth, address, and password information
  Outage lasted 3 weeks
Risk Profile: On-Premises vs. SaaS
Both variants are affected by undirected and directed security attacks
On-Premises
  Characterized by a large network of servers, each running distinct instances of the software
  Heterogeneous users make independent patching decisions
  Undirected risk
SaaS
  Characterized by a centralized server or bank of servers
  Acts more like a single, large node
  Directed risk
Research questions
1. What are the benefits of developing SaaS versions of on-premises software products, focusing on how the joint offering affects the security risk properties of the software?
2. How does the effect on security of having both on-premises and SaaS variants relate to the classic information good versioning problem? Who should the firm target to use SaaS versions?
3. Compared to benchmark levels of vendor profits and social welfare, what is the impact of jointly offering SaaS versions?
4. How will the security risk faced by users be affected?
Literature Review
Software Patching: Beattie et al. (2002); August and Tunca (2006); Arora et al. (2006); Choi et al. (2007)
Software Diversification: Deswarte et al. (1999); Schneider and Birman (2009); Jackson et al. (2011); Chen et al. (2011)
SaaS: Choudhary (2007); Ma and Seidmann (2008); Zhang and Seidmann (2010); Xin (2011)
Versioning: Bhargava and Choudhary (2001, 2008); Wei and Nault (2011); Jones and Mendelson (2011); Chellappa and Jia (2011); Chellappa and Mehra (2013)
Model
Consumer valuation space:
Cost of patching: money and effort exerted to verify, test, and roll out patched versions of existing systems
                    Valuation   Security Losses   Price
On-premises
SaaS (On-demand)
Model
Consumer Strategy
  Buy On-premises: Patch / Not Patch
  Buy SaaS / Not Buy
On-premises Model
Population of potential users
On-premises Model
Population of potential users
  Non-users: don’t contribute to undirected risk
  Unpatched users: contribute to undirected risk
  Patched users: protect the network from undirected risk
On-premises and SaaS Models
  SaaS users: contribute to directed risk
Model
Security Costs
where:
Consumer Market Equilibrium Structure
Threshold structure (2 possible orderings)
Segments: Non-users, SaaS Users, Unpatched On-premises Users, Patched On-premises Users
Equilibrium Equations
Segments: Non-users, SaaS Users, Unpatched On-premises Users, Patched On-premises Users
Consumer Market Equilibrium Structure
Other ordering
Segments: Non-users, SaaS Users, Unpatched On-premises Users, Patched On-premises Users
Vendor’s Problem
Security Losses
Social Welfare
High Security-Loss Environments
Proposition
In equilibrium, there are always some on-premises users who remain unpatched
  They cause a large externality under high security risk
  Under SaaS, they will face directed risk
Segmenting usage across on-premises and SaaS diversifies this security risk
Where should SaaS be targeted?
Proposition
Low patching costs → strong incentives to patch
  Vendor can charge a high price because of the relatively small unpatched population
  Set a low SaaS price to version at the low end while limiting cannibalization
Security Loss Factor: Optimal pricing and the consumer market
Where should SaaS be targeted?
Proposition
High patching costs → still strong incentives to patch
Patching populations fall → overall usage declines in the face of high security risk
  Reduce the price of on-premises to increase purchasing and patching populations
  Strategically target SaaS at the middle tier to reduce security risk
Security Loss Factor: Optimal pricing and the consumer market
Proposition Welfare Implications
Benchmark Case
Only an on-premises offering (or can set )
In a high security-loss environment, patched and unpatched populations exist in equilibrium under the optimal price
Use measures of profit, security losses, consumer surplus, and social welfare as benchmarks
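The threshold structure of the consumer market equilibrium (the two orderings of non-users, SaaS users, unpatched and patched on-premises users), the benchmark with only an on-premises offering, and the claim that segmenting usage across on-premises and SaaS diversifies security risk can all be illustrated with a constructed toy model. This is an added example, not the authors' model or code. It assumes valuations uniform on [0,1], security losses proportional to valuation (unpatched on-premises users lose pi_u·U·v where U is the unpatched share, SaaS users lose pi_d·v, patched users lose nothing), and the parameter sets LOW_END and MIDDLE are chosen here only to produce the two orderings; the names Params, equilibrium, segments and benchmark_no_saas are hypothetical.

```python
from dataclasses import dataclass, replace
from typing import Dict, List, Optional, Tuple

# Constructed toy model (not the paper's): valuations v are uniform on [0,1] and
# security losses scale with v, so the four options are straight lines in v.
NONE, SAAS, UNPATCHED, PATCHED = "non-user", "saas", "unpatched", "patched"


@dataclass(frozen=True)
class Params:
    p: float      # on-premises price
    c: float      # patching cost (money/effort to verify, test and roll out patches)
    p_s: float    # SaaS price
    pi_u: float   # undirected loss factor: unpatched loss = pi_u * U * v (externality)
    pi_d: float   # directed loss factor: SaaS loss = pi_d * v (one large targeted node)


def utilities(v: float, U: float, prm: Params) -> Dict[str, float]:
    """Utility of each option for a consumer with valuation v, given unpatched share U."""
    return {
        NONE: 0.0,
        SAAS: v - prm.p_s - prm.pi_d * v,
        UNPATCHED: v - prm.p - prm.pi_u * U * v,
        PATCHED: v - prm.p - prm.c,
    }


def best_response(U: float, prm: Params, n: int = 4001) -> List[str]:
    """Each consumer on a grid over [0,1] picks the option with the highest utility."""
    choices = []
    for i in range(n):
        u = utilities(i / (n - 1), U, prm)
        choices.append(max(u, key=u.get))
    return choices


def unpatched_share(U: float, prm: Params, n: int = 4001) -> float:
    return best_response(U, prm, n).count(UNPATCHED) / n


def equilibrium(prm: Params, n: int = 4001, iters: int = 60) -> Tuple[float, List[str]]:
    """Fixed point U* of U -> unpatched_share(U). The map is weakly decreasing (a larger
    unpatched population raises undirected risk, so fewer consumers stay unpatched),
    hence unpatched_share(U) - U changes sign once and bisection finds U*."""
    lo, hi = 0.0, 1.0
    for _ in range(iters):
        mid = (lo + hi) / 2
        if unpatched_share(mid, prm, n) > mid:
            lo = mid
        else:
            hi = mid
    U = (lo + hi) / 2
    return U, best_response(U, prm, n)


def benchmark_no_saas(prm: Params, n: int = 4001) -> Tuple[float, List[str]]:
    """Benchmark case: only an on-premises offering (SaaS priced out of the market)."""
    return equilibrium(replace(prm, p_s=float("inf")), n)


def segments(choices: List[str]) -> Dict[str, Optional[Tuple[float, float]]]:
    """Valuation interval [lowest v, highest v] occupied by each option, None if unused."""
    n = len(choices)
    out: Dict[str, Optional[Tuple[float, float]]] = {}
    for opt in (NONE, SAAS, UNPATCHED, PATCHED):
        idx = [i for i, ch in enumerate(choices) if ch == opt]
        out[opt] = (idx[0] / (n - 1), idx[-1] / (n - 1)) if idx else None
    return out


def ordering(choices: List[str]) -> List[str]:
    """Options in increasing order of valuation: the threshold structure."""
    present = [(rng[0], opt) for opt, rng in segments(choices).items() if rng is not None]
    return [opt for _, opt in sorted(present)]


def security_losses(U: float, choices: List[str], prm: Params) -> float:
    """Expected security loss per potential user (losses integrated over the grid)."""
    n = len(choices)
    total = 0.0
    for i, ch in enumerate(choices):
        v = i / (n - 1)
        if ch == UNPATCHED:
            total += prm.pi_u * U * v
        elif ch == SAAS:
            total += prm.pi_d * v
    return total / n


# Constructed parameter sets: cheap patching with a low SaaS price puts SaaS at the
# low end; a stronger undirected externality puts SaaS in the middle tier.
LOW_END = Params(p=0.3, c=0.1, p_s=0.1, pi_u=1.0, pi_d=0.5)
MIDDLE = Params(p=0.1, c=0.15, p_s=0.15, pi_u=2.0, pi_d=0.2)

if __name__ == "__main__":
    for name, prm in (("SaaS at low end", LOW_END), ("SaaS in middle tier", MIDDLE)):
        U, ch = equilibrium(prm)
        print(name, "U* = %.3f" % U, ordering(ch), segments(ch),
              "losses = %.4f" % security_losses(U, ch, prm))
    Ub, chb = benchmark_no_saas(LOW_END)
    print("benchmark (no SaaS)", "U* = %.3f" % Ub, ordering(chb))
```

With LOW_END the ordering is non-users, SaaS, unpatched, patched; with MIDDLE it is non-users, unpatched, SaaS, patched. Comparing LOW_END against its benchmark shows the two effects the deck separates: offering SaaS pulls users out of the unpatched population (smaller U*, less undirected externality) while the SaaS node itself now carries directed risk, and under these low-patching-cost parameters the total expected loss per user is higher with SaaS than in the benchmark.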
Proposition Comparison to Benchmarks
Proposition Comparison to Benchmarks
Low Security-Loss Environments
Proposition
Uniform valuations and no security externality → don’t version
Uniform valuations and idiosyncratic risk → version, even if the strength of the losses becomes small
Proposition Comparison to Benchmarks
Relative Profit Improvement
Proposition Low Security-Loss Environments
Summary Table
Security Investment
Invest to reduce attack likelihood
                  Undirected   Directed
Effort
Cost of Effort
Likelihood
Investment Comparative Statics
Proposition
Low security-loss environment: security investments in on-premises and SaaS both increase as the loss factor increases
High security-loss environment: security investment in on-premises can increase while it can decrease in SaaS as the loss factor increases
Security Investment
Summary
Model of security risk that includes:
  On-premises and SaaS versions of software
  Security externalities stemming from usage and patching
Software vendor always versions
SaaS can be geared to either the middle or lower tiers, sometimes splitting on-premises user populations
Average per-user security losses can increase when patching costs are low
Targeting SaaS at the middle tier is maintained under security investment