SaaS-ST™ (BETA)

Software as a Service Sans Target™
No customer login data or keys stored anywhere

Software as a Service
SaaS ("Software as a Service") is a recent and very successful model for software distribution and sales. With SaaS, customers do not pay for owning the software itself but rather for using it from web servers. Also known as On-Demand or hosted software, SaaS has many benefits for enterprise customers over installed solutions, including:
  • Much lower cost of deployment
  • Much lower cost of operation
  • No download, no installation, practically zero set-up time
  • Automatically updated
  • Easier integration with other applications
However, SaaS has a major vulnerability regarding the customers' data held at the servers providing the service. The vulnerability involves both technical and business issues.

SaaS Customer Data Vulnerability
Customer data in SaaS online servers is vulnerable to a wide range of attacks, with external and internal causes that may also be exploited in combination. These include hackers, automatic password crackers, viruses, worms, buffer overflows, software bugs, zero-day exploits, delayed patching, patch conflicts, security gaps, collusion, conflicting business interests, lack of legal protection for "data at rest", and the other security breach causes that plague Internet servers. These risk factors are not going away anytime soon, and are joined frequently by yet newer exploits.

SaaS ups the ante on the already large, and growing, Internet risk by using a multi-tenant architecture, where servers hold an "egg nest" of data belonging to many different customers.

Even though current best-of-breed SaaS systems may protect each customer's data in separate, encrypted areas of different servers, SaaS customers are in fact outsourcing risk into a situation that they cannot control. For example, even if the customer areas are encrypted, the keys to decrypt them are potentially available not only to anyone compromising the server but also to the organizations and people regularly involved in running and maintaining the server. Further, a compromise in one area of a SaaS system may compromise the data of more than one customer.

The importance of this vulnerability was highlighted in Q3/2007 by a phishing and spoofing attack reportedly targeting salesforce.com (a well-known SaaS provider) customers' data in Salesforce's servers.
In one case, a phishing email purporting to be from the U.S. Federal Trade Commission was sent to a salesforce.com customer. The email contained business information about a company's client that the public at large would not know, and which was available in the customer's area at the salesforce.com servers. The email asked for more information about the customer's client. In other cases, customers received bogus emails that looked like salesforce.com invoices, carrying virus and key-logging software that could completely compromise the recipient's security and privacy, including passwords typed by the user.
With conventional SaaS, the customers' data become attack targets, with mounting risks as the number of customers increases in the multi-tenant architecture.

NMA SaaS-ST™ Solution
NMA's ZSentry™ Technology was developed to solve the vulnerability of user data in online servers and can be directly applied to improve the conventional SaaS model to what we call SaaS-ST™, where "ST" stands for Sans-Target™.

With SaaS-ST, each customer's data is protected separately by NMA's "No Target" ZSentry technology, together with configurable, encrypted metadata (with keys also protected by NMA's "No Target" ZSentry technology) that provides a protected, standards-compliant, unique user experience and feature set for each customer.

The best defense against data theft is to not have the data in the first place.

SaaS-ST does not hold or access copies of customer login data and keys, so there are no customer targets to be attacked and cracked. Customer data is encrypted per user and per page, using the ZSentry-protected keys. ZSentry protects both the privacy of customer data and the keys that protect that privacy.
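To make the "no stored keys, encrypted per user and per page" idea concrete, here is an added illustration (not NMA's ZSentry code, whose internals this page does not describe). It assumes a client-side model in which the user's passphrase is stretched with scrypt into a master key that exists only in client memory, per-page keys are derived from it, and the service persists nothing but a public salt and opaque records (nonce, ciphertext, tag). The HMAC-SHA256 counter-mode keystream is an illustrative stand-in for an AEAD such as AES-GCM from a vetted library; all names, the `ServerStore` class and the sample record are constructed for this example.

```python
import hashlib
import hmac
import os

# scrypt cost parameters (constructed for this example; tune for the deployment)
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
KEY_LEN = 32


def derive_master_key(password: str, salt: bytes) -> bytes:
    """Derive the user's master key from the passphrase and a public salt.
    It lives only in client memory for the duration of a request; the
    server never sees the passphrase or this key."""
    return hashlib.scrypt(password.encode("utf-8"), salt=salt,
                          n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=KEY_LEN)


def page_keys(master: bytes, page_id: str, nonce: bytes):
    """Per-page encryption and MAC keys bound to the page id and a fresh
    nonce, so one page's key reveals nothing about another page's."""
    label = page_id.encode("utf-8") + b"|" + nonce
    enc_key = hmac.new(master, b"enc|" + label, hashlib.sha256).digest()
    mac_key = hmac.new(master, b"mac|" + label, hashlib.sha256).digest()
    return enc_key, mac_key


def _keystream_xor(key: bytes, data: bytes) -> bytes:
    """HMAC-SHA256 in counter mode as a keystream (illustrative stand-in
    for a real AEAD). XOR is its own inverse, so this both encrypts and decrypts."""
    out = bytearray()
    for counter, offset in enumerate(range(0, len(data), 32)):
        block = hmac.new(key, counter.to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[offset:offset + 32], block))
    return bytes(out)


def encrypt_page(password: str, salt: bytes, page_id: str, plaintext: bytes) -> dict:
    """Client side: build the record the server stores. It holds only public
    values (page id, nonce, ciphertext, tag): no key and no passphrase."""
    nonce = os.urandom(16)
    enc_key, mac_key = page_keys(derive_master_key(password, salt), page_id, nonce)
    ciphertext = _keystream_xor(enc_key, plaintext)
    tag = hmac.new(mac_key, page_id.encode("utf-8") + nonce + ciphertext,
                   hashlib.sha256).digest()
    return {"page_id": page_id, "nonce": nonce, "ciphertext": ciphertext, "tag": tag}


def decrypt_page(password: str, salt: bytes, record: dict) -> bytes:
    """Client side: re-derive the keys and verify the tag before decrypting.
    A wrong passphrase or a modified record fails closed."""
    enc_key, mac_key = page_keys(derive_master_key(password, salt),
                                 record["page_id"], record["nonce"])
    expected = hmac.new(mac_key, record["page_id"].encode("utf-8") + record["nonce"]
                        + record["ciphertext"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, record["tag"]):
        raise ValueError("authentication failed: wrong passphrase or tampered record")
    return _keystream_xor(enc_key, record["ciphertext"])


class ServerStore:
    """What the service keeps per user: a public salt and opaque records."""

    def __init__(self):
        self.salts = {}
        self.records = {}

    def register(self, user: str) -> bytes:
        self.salts[user] = os.urandom(16)
        self.records[user] = {}
        return self.salts[user]

    def put(self, user: str, record: dict) -> None:
        self.records[user][record["page_id"]] = record

    def get(self, user: str, page_id: str) -> dict:
        return self.records[user][page_id]

    def stored_bytes(self, user: str) -> bytes:
        """Everything an attacker with full read access to this user's data sees."""
        blob = bytearray(self.salts[user])
        for rec in self.records[user].values():
            blob += rec["nonce"] + rec["ciphertext"] + rec["tag"]
        return bytes(blob)


def demo():
    """Round-trip one page and check that a full dump of the server-side
    data does not contain the plaintext. Returns (recovered, leaked)."""
    store = ServerStore()
    salt = store.register("alice")
    secret = b"Client: Acme Corp, contract renewal due 2009-03-01"  # constructed sample
    store.put("alice", encrypt_page("correct horse battery", salt, "contacts/1", secret))
    recovered = decrypt_page("correct horse battery", salt, store.get("alice", "contacts/1"))
    leaked = secret in store.stored_bytes("alice")
    return recovered, leaked


if __name__ == "__main__":
    plaintext, leaked = demo()
    print("recovered:", plaintext.decode(), "| plaintext visible in server dump:", leaked)
```

The design point is the one the page makes: a breach of `ServerStore` yields salts, nonces, ciphertexts and tags, none of which decrypts without a secret that was never sent to or stored by the service. The cost is that a lost passphrase is unrecoverable by the provider, so any real deployment needs a user-controlled recovery path that likewise keeps keys off the server.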

ZSentry does not suffer from the server vulnerability of user data common in the conventional SaaS model. ZSentry SaaS protection is assured not by some fictitious "Fort Knox" type of security that (vainly) promises to prevent all attacks, but by NMA's "No Target" ZSentry technology, which renders such attacks pointless because there is no user data on the server to attack. In other words, when you use ZSentry in SaaS-ST, your customers' data are never in danger in the servers providing the service, from outside or inside attacks.

SaaS-ST is both a delivery and user data protection mechanism and a business model, each supporting the other. With the improved SaaS-ST model, the service is scalable to an arbitrarily large number of customers without increasing the liability associated with more user data stored in the servers. The number of servers and instances on the back end can be increased or decreased as necessary to match demand, without re-architecting the application, buying additional insurance, or living with mounting liability. Changes or fixes can still be rolled out to thousands of customers as easily as to a single customer.

Competitive Edge
With SaaS-ST, service providers give customers much more control over their secure IT environment and user data for a lot less money than competitive solutions, and without the potential headache of a data breach at the servers providing the service. ZSentry's familiar interface also provides a simple-to-use yet secure user experience, preventing spoofing, phishing, and other attacks.

On the business side, the unique features of SaaS-ST allow the service provider to avoid the operational, legal, and market risks conventionally associated with storing customer data, and also the costs that would be associated both with mitigating such risks and with any breach. As a result, the service budget should scale better with volume and over time, with lower initial and contingency costs.

For example, the California Security Breach Information Act (SB-1386), which went into effect July 1, 2003, requires all organizations that collect certain personal information to protect it against possible "identity theft." In addition, the Act stipulates that if there is a security breach of a database containing personal data, the responsible organization must notify each individual for whom it maintained personal information. Because SaaS-ST protects personal information and other sensitive information by using NMA's "No Target" ZSentry technology, which can be leveraged into standards-compliant data encryption/decryption without any stored keys, the servers store neither personal information nor personal keys, and the service is never made aware of personal information. There is, thus, no personal information that might be affected by a security breach.

Likewise, for use in the health sector regulated by the Health Insurance Portability and Accountability Act (HIPAA) safeguards, the SaaS-ST user interface can easily be designed so that the data viewed or generated for transmission constitute fully compliant standard transactions under HIPAA. Because the service is not made aware of Protected Health Information (PHI), the service provider (or a third party hosting the service) is, thus, not required to sign a Business Associate Agreement for its customers.

By eliminating the Achilles' heel of SaaS (the customer data risk at the servers) while retaining all the benefits of SaaS, NMA's "No Target" ZSentry Technology behind SaaS-ST can be used as a sustainable competitive differentiator in technical (e.g., scalability, privacy, and security), legal (e.g., liability reduction, Intellectual Property protection), and business (e.g., insurance reduction, fewer sales barriers, easier adoption) terms.

NMA's SaaS-ST model not only considerably simplifies rolling out the service and servers, but should also reduce customers' concerns arising from uncertainty about user data protection at Internet servers they do not physically control.

The competitive edge provided by NMA's SaaS-ST is particularly important for reaching new markets, for new services, for larger customers, and for customers who must follow privacy and security regulations such as HIPAA, FFIEC, GLBA, SOA, SB 1386, and ISO 17799. In short, and increasingly, for any organization.

Contents of this entire site are © Copyright, NMA Inc., 2007-2009. Titles and product names are trademarks of NMA, Inc. as described in our Legal Statement at nma.com