Software as a Service as a Security Battleground
By admin • Mar 24th, 2008 • Category: Feature, Financial Services, ITWorld, Securities Industry News, Technology

Salesforce.com reached a milestone last fall: 1 million people using the online software company to host their customer relationship management systems and other key business processes. Those users were at more than 1,600 financial services firms including ABN Amro, SunTrust Banks, Daiwa Securities and Bear Stearns. Merrill Lynch & Co. alone accounted for 25,000.
That amounts to a big cultural shift. As recently as 2005, financial firms kept all their customer data close, behind corporate firewalls, in steel safes. Wall Street hardly seemed ready to entrust that data to a start-up. However, Salesforce.com challenged that thinking by proving, first to Merrill Lynch and then others, that its security was as good as a bank’s. With trust came respectability and customers, as well as unwanted attention from hackers.
In October, the San Francisco-based company acknowledged that it had lost data in an attack. “A Salesforce.com employee had been the victim of a phishing scam that allowed a Salesforce.com customer contact list to be copied,” said technology EVP Parker Harris in a letter to customers. “To be clear, a phisher tricked someone into disclosing a password, but this intrusion did not stem from a security flaw in our application or database.”
According to Harris, the contact list included full names of Salesforce.com clients, company names, e-mail addresses, telephone numbers and other “administrative information.” The hackers used the data to send e-mails to Salesforce.com customers, attempting to gain access to their accounts. “A small number of our customers began receiving bogus e-mails that looked like Salesforce.com invoices, but were not; they were also phishes,” said Harris. “Unfortunately, a very small number of our customers who were contacted had end users that revealed their passwords to the phisher.”
SunTrust and Automatic Data Processing (ADP) were reportedly among those firms. “It has been determined that the stolen e-mail contact information in this database is being used to notify clients and others with the ‘from’ address spoofed to look like a valid ADP e-mail address,” ADP said in a statement.
In response to the incident, Salesforce.com conducted a security analysis to find the source of the leak and contacted all of its clients, warning them about fraudulent e-mails. It also conducted an online security seminar for customers.
However, some clients complained that it took Salesforce.com several months to react, with the initial breach reportedly occurring in March. Salesforce.com officials repeatedly turned down media interview requests following the incident, and provided no additional details of what went wrong. When contacted by Securities Industry News for this article, Salesforce.com declined to comment.
Precautionary Measures
The event underscores the potential dangers of putting sensitive data in the hands of a third party. Even otherwise innocuous information can give hackers ammunition against a target’s defenses. To protect against that, financial services users of Salesforce.com and other software-as-a-service (SaaS) providers are working to safeguard client access to the applications, running security audits of the providers and educating users about how to interact with them.
Messages between SaaS vendors and their users are sent over the public Internet. While this may seem risky, it is actually the most secure step in the chain: the messages are encrypted using the same techniques employed by online retailers and e-brokerages. The client computer, on the other hand, is extremely vulnerable. There might be a Trojan or a virus on it, secretly collecting passwords; it could be physically stolen; or the person operating the computer could be the attacker.
To bolster the client side of the SaaS relationship, some firms are requiring users to first sign in to the corporate network, running regular security checks on client machines, and using tokens or other two-factor authentication techniques.
But as on-demand applications proliferate, users can get lax about following correct procedures and keeping track of the different passwords and log-ins. Some companies are offering single-sign-on solutions, and vendors like Salesforce.com are working to integrate easier log-in procedures with individual firms’ policies.
Solutions are also available from vendors such as Los Gatos, Calif.-based TriCipher, which on Feb. 25 introduced a product, myOneLogin–also an SaaS offering–that can act as a gateway to multiple online applications. The service is compatible with Salesforce.com, Cisco Systems’ online meeting platform WebEx, and Google Apps, which lets firms share online documents, spreadsheets and presentations. It also works with other vendors and even internally developed Web applications that use standards-based access and authentication controls.
Another approach is to limit customers’ access to information. For example, Forex Capital Markets (FXCM), a Salesforce.com client, enforces tight controls over security permissions and privileges. “The flexibility that Salesforce allows us to have is paramount to our success,” said Sharifa Shafi, a business analyst at New York-based FXCM, in a statement.
Loss of Control
For financial firms using SaaS, the biggest problem may be the loss of control. “Even with service-level agreements in place, at the end of the day that’s not going to save you if everything is lost or stolen,” said David Boissonneault, IT infrastructure manager at Manitoba, Canada-based brokerage firm Wellington West Capital.
Boissonneault said that his number-one concern is a vendor’s systems being compromised along with his company’s data. “Not managing the infrastructure around this application, we would have no way of knowing for ourselves if this even happened unless we were told or found out the hard way,” he said. “I prefer to host data relating to clients internally since the risk associated with this is far too great to have a third party take responsibility for.”
However, Boissonneault said he does use SaaS vendors for applications that are not mission-critical: “it won’t make or break the firm if something unfortunate were to happen.”
One security advantage that SaaS vendors might have is easier management of patches and other security fixes, he noted, since they all take place in a centralized location. “I do believe that eventually there might be some [other] real security advantages, they just aren’t apparent yet,” added Boissonneault. He recommends that firms carefully screen their vendors, matching the sensitivity of the data to their level of trust in the provider.
“We get scrutinized against various reference models,” said Steve McCalmont, CEO of Nashua, N.H.-based risk assessment software provider Avior Computing Corp. Avior offers an online service that guides companies through the process of evaluating their vendors. Most customers are large financial institutions, according to McCalmont, and the evaluation models include those from the Financial Services Roundtable’s Bits division and the Gramm-Leach-Bliley Act standards, among others.
The risk analysis tools that Avior uses to rate third-party providers are the same ones it turns on its own hosting services, he added.
Vendors like Avior actually have an advantage when it comes to security, claimed McCalmont. “The total resources of our company are dedicated to making sure our application is safe, secure and fireproof, whereas if we go to any of our major customers, their IT department may be supporting 2,000 or 3,000 different applications. It’s a different model of security and threat analysis.”
Human Fallibility
But as the Salesforce.com phishing incident illustrates, even the best security can’t protect against human error–though it can help reduce the consequences. One of the biggest security problems that firms have faced over the past few years has been the human propensity to lose things.
“A lot of times what happens is that a third-party vendor has information on a laptop and then leaves the laptop in a taxi cab,” said Bill Jensen, product marketing manager of Redwood City, Calif.- and Tel Aviv-based Check Point Software Technologies, which makes security gateways used at many top global financial institutions.
To prepare for such mishaps, said Jensen, firms should insist that any data that leaves the vendor’s secure location be encrypted.
And users need to be educated, experts say, on telling the difference between legitimate e-mails and phishing attempts, keeping their protections up to date, and guarding their passwords. Proper oversight can help here too. Check Point, for example, offers a product called Integrity Clientless Security that can scan a user’s machine to ensure that there’s a working antivirus program, a firewall, and no Trojans, spy programs or key-loggers running in the background.
“That does create a level of confidence in the end user,” Jensen said. “It makes sure he has a good clean machine.”
According to research firm Gartner, the SaaS industry will see a compound annual growth rate of 22.1 percent through 2011, twice the rate of software in general. At Salesforce.com, the phishing problems have not been a barrier to growth: 2,900 customers signed up for the service in the quarter ending Jan. 31, helping to propel the vendor to record-high earnings.
Article first appeared in Securities Industry News. (Paid subscription required.)