Cloud Implications on Software
Network Structure and Security Risks
Terrence August
Rady School of Management, UC San Diego
Joint with Marius Florin Niculescu and Hyoduk Shin
(Georgia Tech & UC San Diego)
NSF Grant: 0954234
I nfor m at i on Secur i t y R i sk ( I SR )
U
U ser s
S1
S2
G2
Soft war e
Fir ms
G over nm ent
G1
Legend
G1: Soft ware liabilit y, open source development subsidies, regulat ions on soft ware development securit y
pract ices, and t ax penalt ies on soft ware wit h poor securit y
G2: Soft ware liabilit y, t axes on soft ware usage, incent ive rebat es for pat ching, and subsidies for usage of
open source soft ware and/ or SaaS offerings
S1: Design of soft ware offering (on-premises vs. SaaS), and invest ment in soft ware product securit y
S2: Design of soft ware offering, source code st rat egy (open source or propriet ary), incent ive rebat es for
pat ching, invest ment in soft ware product securit y, and product pricing
U: Consumer usage and pat ching behavior
I SR: Measured by t he likelihood of successful securit y at t acks and expect ed aggregat e securit y losses
Software Liability
Loss liability is a strictly dominated policy for most
software security environments
On-Premises and SaaS Software
On-premises
• Browsers: IE, Firefox, Chrome
• A/V: Sophos, Avira, Symantec
• Webservers: IIS, Apache HTTP Server
• Doc Readers: Acrobat Reader, YAP
• App Servers: Websphere, JBoss, etc.
SaaS
• Enterprise: Salesforce CRM, Netsuite
ERP, CRM
• Productivity: Google Docs
• Rev. Mgmt: IBM DemandTec
• Social: LinkedIn, Facebook
On-premises and SaaS
• Microsoft Office and Office 365
• Microsoft Dynamics CRM On-premises / Online
• SAP Business All-in-One / SAP Business One OnDemand
• Oracle Siebel CRM / Oracle CRM OnDemand
Where are
we heading??
Diverse Consumer Preferences
When to use On-Premises
• Require solution that meets the unique needs of your company (extensive
customization)
• Require certain level of security and control over data
• Have a dedicated IT staff
• Do not want access to data to depend on Internet availability and speed
• On-site hardware maintenance
When to use SaaS
• Want to get up and running as quickly as possible
• Require minimal customization (less integrated solution)
• Have limited IT support and resources
• Do not want to invest in hardware or pay upfront licensing fees
SAP
Cloud Computing Market
 Gartner estimates the cloud computing industry will grow
to $149 Billion by 2015
 U.S. Government championing the Federal Cloud
Computing Initiative
• Encourage agencies to use cloud computing solutions
• $80 Billion federal IT budget
 SaaS applications will play an increasing role in firms’ IT
strategies
Security Attacks
 Security Risk comes in two forms:
 Undirected:
 Self-replicating attack such as a worm
 Intent is to spread and distribute payload
 Examples: Code Red, Slammer, Sasser, Stuxnet,
AutoCad worm
Undirected Risk
Worm
Date
Vulnerability
Notice
Code Red
7.19.2001
1 month
Slammer
1.25.2003
6 months
Blaster
8.11.2003
1 month
Sasser
5.1.2004
2 weeks
Zotob
8.13.2005
4 days
Security Attacks
 Security Risk comes in two forms:
 Undirected:
 Self-replicating attack such as a worm
 Intent is to spread and distribute payload
 Examples: Code Red, Slammer, Sasser, Stuxnet,
AutoCad worm
 Directed:
 Targeted attack such as a hacker infiltration
 Intent is to penetrate a particular organization for
either an economic or political objective
 Examples: distribute.IT, Office 365 token
management vulnerability
Targeted Attack
Sony PlayStation Network Outage (April, 2011)
 77 million user accounts compromised including date
of birth, address, password information
 Outage lasted 3 weeks
Risk Profile: On-Premises vs. SaaS
 Both variants are affected by undirected and directed security
attacks
 On-Premises
 Characterized by a large network of servers, each running
distinct instances of the software
 Heterogeneous users make independent patching decisions
 Undirected risk
 SaaS
 Characterized by a centralized server or bank of servers
 Acts more a single, large node
 Directed risk
Research questions
1. What are the benefits of developing SaaS versions of on-premises
software products, focusing on how the joint offering affects the
security risk properties of the software?
2. How does the effect on security of having both on-premises and
SaaS variants relate to the classic information good versioning
problem? Who should the firm target to use SaaS versions?
3. Compared to benchmark levels of vendor profits and social
welfare, what is the impact of jointly offering SaaS versions?
4. How will the security risk faced by users be affected?
Literature Review
Versioning
• Bhargava and Choudhary (2001, 2008)
• Wei and Nault (2011)
• Jones and Medelson (2011)
• Chellappa and Jia (2011)
• Chellappa and Mehra (2013)
SaaS
• Choudhary (2007)
• Ma and Seidmann (2008)
• Zhang and Seidmann (2010)
• Xin (2011)
Software Patching
• Beattie et al. (2002)
• August and Tunca (2006)
• Arora et al. (2006)
• Choi et al. (2007)
Software Diversification
• Deswarte et al. (1999)
• Schneider and Birman (2009)
• Jackson et al. (2011)
• Chen et al. (2011)
Model
 Consumer valuation space:
On-premises
SaaS
(On-demand)
Valuation
Security Losses
Price
 Cost of patching:
 Money and effort exerted to verify, test, and roll-out
patched versions of existing systems
Model
 Consumer Strategy
Buy On-premises
Patch / Not Patch
Buy SaaS /
Not Buy
On-premises Model
Population of
potential users
On-premises Model
Population of
potential users
Non-users
Patched users
Protect network from
Unpatched users
undirected risk
Don’t contribute to
undirected risk
Contribute to
undirected risk
On-premises and SaaS Models
On-premises and SaaS Models
Contribute to
directed risk
Model
Security Costs
where:
Consumer Market Equilibrium Structure
 Threshold structure (2 possible orderings)
Non-users
SaaS
Users
Unpatched
On-premises
Users
Patched
On-premises
Users
Equilibrium Equations
Non-users
SaaS
Users
Unpatched
On-premises
Users
Patched
On-premises
Users
Consumer Market Equilibrium Structure
 Other ordering
Non-users
Unpatched
On-premises
Users
SaaS
Users
Patched
On-premises
Users
Vendor’s Problem
Security
Losses
Social
Welfare
High Security-Loss Environments
Proposition
 In equilibrium, there are always some on-premises users who
remain unpatched
 Cause a large externality under high security risk
 Under SaaS, they will face directed risk
 Segmenting usage across on-premises and SaaS diversifies
this security risk
Where should SaaS be targeted?
Proposition
 Low patching costs  strong incentives to patch
 Vendor can charge high price because relatively small
unpatched population  set low SaaS price to version at
low end while limiting cannibalization
Optimal pricing and the consumer market
 Security Loss Factor:
Opt im al P r ices
0.5
0.9
Consum er T hr eshold Valuat ions
0.85
0.45
0.8
0.4
vd ; vu ; vp
p¤ ; p¤s
0.75
pL
0.35
pM
s
vu
0.7
vp
0.65
0.3
0.25
vd
0.6
pM
pLs
0.55
0.2
0.1
0.2
0.3
cp
0.4
0.5
0.6
0.5
0.1
0.2
0.3
cp
0.4
0.5
0.6
Where should SaaS be targeted?
Proposition
 High patching costs  still strong incentives to patch
 Patching populations fall  overall usage declines in the
face of high security risk
 Reduce price of on-premises to increase purchasing and
patching populations
 Strategically target SaaS at middle tier to reduce security
risk
Optimal pricing and the consumer market
 Security Loss Factor:
Opt im al P r ices
Consum er T hr eshold Valuat ions
0.5
1
0.95
0.45
0.9
L
p
0.85
0.35
SaaS
0.8
pM
s
vd ; vu ; vp
p¤ ; p¤s
0.4
pLs
vp
0.75
vu
0.7
pM
0.3
0.65
SaaS
0.6
0.25
vd
0.55
0.2
0.1
0.2
0.3
cp
0.4
0.5
0.6
0.5
0.1
0.2
0.3
cp
0.4
0.5
0.6
Welfare Implications
Proposition
Benchmark Case
 Only an on-premises offering (or can set
)
 In a high security-loss environment, patched and unpatched
populations exist in equilibrium under optimal price
 Use measures of profit, security losses, consumer surplus,
and social welfare as benchmarks
Comparison to Benchmarks
Proposition
Comparison to Benchmarks
Proposition
Low Security-Loss Environments
Proposition
 Uniform valuations and no security externality
 Don’t version
 Uniform valuations and idiosyncratic risk
 Version
 Even if the strength of the losses becomes small
Comparison to Benchmarks
Proposition
Relative Profit Improvement
P er cent age I ncr ease in Vendor P r o¯t abilit y
60
50
40
30
¦
C: cp = 0:30; ¼0u = 0:55
20
³
¦
¤
¡ ¦
BM
BM
´
£ 100 %
B: c0p = 0:50; ¼u = 0:23
10
0
A: cp = 0:30; ¼u = 0:23
0
5
10
15
®
20
25
30
Low Security-Loss Environments
Proposition
Summary Table
Security Investment
Invest to reduce attack likelihood
Undirected
Effort
Cost of Effort
Likelihood
Directed
Investment Comparative Statics
Proposition
 Low security-loss environment
 Security investments in on-premises and SaaS both
increase as the loss factor increases
 High security-loss environment
 Security investment in on-premises can increase while it
can decrease in SaaS as the loss factor increases
Security Investment
(a) Consumer Threshold Valuat ions
(b) Opt imal E®ort Levels
0.06
1
vp
0.95
(A)
(A )
(B)
(B)
0.05
0.9
0.04
SaaS
0.8
vu
² ¤u , ² ¤d
vd ; vu ; vp
0.85
0.75
0.03
¤
²u
0.7
SaaS
0.02
0.65
0.6
vd
0.01
¤
²d
0.55
0
5
10
15
®
20
25
30
0
5
10
15
®
20
25
30
Summary
 Model of security risk that includes:
 On-premises and SaaS versions of software
 Security externalities stemming from usage and patching
 Software vendor always versions
 SaaS can be geared to either the middle or lower tiers
sometimes splitting on-premises user populations
 Average per-user security losses can increase when patching
costs are low
 SaaS targeted to middle tier maintains under security
investment