Dreamforce 2012

Securing Information Assets in SaaS Clouds

Deb Banerjee, Technical Director, Symantec

@banerjeesec

Shared Responsibility for Security in SaaS Clouds

[Diagram: enterprise responsibility for security across the IaaS, PaaS and SaaS layers]

Shared Security Model: Enterprise Responsibilities

ASSETS

Sensitive Information Assets

• Applications
  - Standard
  - Custom
• Documents
• Database Tables

Asset Discovery is a Foundational Capability.

SaaS Information Asset Classification

• PII
• PCI

Data Classification

• Context-based: DLP-Lite
• Content Inspection: Traditional DLP

Force.com Apex agents

SaaS Information Asset Classification: Context-Based

• Identifies data owners based on activity streams
• Enables data classification based on the sensitivity of owner roles
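The two classification approaches above can be illustrated side by side. The following is an added example, not code from the presentation or from Symantec or Salesforce: content-based classification inspects record text for PCI data (card numbers validated with a Luhn check) and PII markers, while context-based classification infers a record's owner from an activity stream and inherits the sensitivity of that owner's role. The sample records, the activity events, the user-to-role directory and the role sensitivity table are all constructed for the example; in practice they would come from the SaaS platform's object data, its activity logs and the enterprise identity directory.

```python
import re
from collections import Counter

# Constructed sample records: record id -> free-text content (not real data)
SAMPLE_RECORDS = {
    "rec-001": "Contact: J. Doe, card 4111 1111 1111 1111 exp 12/14",
    "rec-002": "Notes: call back re: renewal",
    "rec-003": "Patient intake form, SSN 123-45-6789, email jdoe@example.com",
}

# Constructed activity stream: (user, action, record id)
SAMPLE_ACTIVITY = [
    ("alice", "edit", "rec-001"),
    ("alice", "edit", "rec-001"),
    ("bob", "view", "rec-001"),
    ("carol", "edit", "rec-002"),
    ("dave", "edit", "rec-003"),
    ("dave", "edit", "rec-003"),
    ("carol", "view", "rec-003"),
]

# Hypothetical role directory and role sensitivity table (both constructed)
USER_ROLES = {"alice": "finance", "bob": "sales", "carol": "marketing", "dave": "hr"}
ROLE_SENSITIVITY = {"finance": "high", "hr": "high", "sales": "medium", "marketing": "low"}

# Content patterns: 14-19 digit runs with optional separators, US SSN shape, e-mail
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,18}\d\b")
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used to cut false positives on digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def classify_content(text: str) -> set:
    """Content inspection (traditional DLP): tag text with PCI / PII."""
    tags = set()
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            tags.add("PCI")
    if SSN_RE.search(text) or EMAIL_RE.search(text):
        tags.add("PII")
    return tags


def infer_owners(activity) -> dict:
    """Context: the owner of a record is taken to be the user with the most edits on it
    (a simple heuristic assumed for this example)."""
    edits = {}
    for user, action, rec in activity:
        if action == "edit":
            edits.setdefault(rec, Counter())[user] += 1
    return {rec: c.most_common(1)[0][0] for rec, c in edits.items()}


def classify_context(record_id: str, owners: dict) -> str:
    """Context-based (DLP-Lite): a record inherits the sensitivity of its owner's role."""
    owner = owners.get(record_id)
    role = USER_ROLES.get(owner)
    return ROLE_SENSITIVITY.get(role, "unknown")


def classify_all(records=SAMPLE_RECORDS, activity=SAMPLE_ACTIVITY) -> dict:
    """Run both classifiers over every record and return the combined result."""
    owners = infer_owners(activity)
    return {
        rid: {"content": sorted(classify_content(text)),
              "context": classify_context(rid, owners)}
        for rid, text in records.items()
    }


if __name__ == "__main__":
    for rid, result in classify_all().items():
        print(rid, result)
```

The two signals are complementary: rec-002 carries no sensitive content but its owner's role still yields a context classification, and rec-001 is flagged as PCI by content even though nothing about its owner says so.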

Polling Question

Which sensitive data do you have in the Cloud?

• PCI – credit card data
• PII/EU DP – privacy-related data
• HIPAA – health care
• FERPA – education
• Other company-sensitive data

VULNERABILITIES

Configuration Vulnerability: External Service Integrations

Configuration Vulnerability: Application Permissions

SaaS Asset Configuration Assessment: Sharing Rules

SaaS Asset Configuration Assessment: User Permissions

PLAYING DEFENSE: Best Practices/Solutions

Data Classification

• Content-based classification
• Context-based classification
• Multiple deployment models
  - Agents as Salesforce apps
  - Activity monitoring
  - Cloud security brokers

User Management

• User provisioning/de-provisioning
• Access control: context-aware, e.g. location-based, data-sensitivity-aware
• Strong authentication

Configuration Assessment

• Permissions: applications, users, roles/profiles
• Configuration change assessments: did someone’s permission to sensitive data increase “unusually”?
• Applications: which apps, what data, what users, what external services?

Encryption/Tokenization

• Geo-residency and privacy requirements
• Defense in depth
• Encryption key management
• Impact on the hosted application
• Network deployment model: cloud security brokers

SaaS Activity Monitoring for Insider Threat Detection

Activity Logs:

Solution Architecture: Extending Out From The Enterprise

[Architecture diagram; the component labels on the slide, grouped here for readability:]

• Salesforce (SFDC) side: SFDC API, DLP Agent (APEX), Remediation Agent (APEX)
• Collection: SFDC Collector (Content & Context), SFDC Config Checks
• Feeds: Asset Feed, Asset Metadata Feed, Activity Feed, Asset Feeds, Remediation, API Orchestration
• Cloud Security Brokers: Asset Discovery, Asset Classification, Control Assessment, Activity Log, Remediation
• Views: Asset Compliance View, Information Classification View, Activity-based Threat Detection
• Enterprise systems: DLP, SIEM/DI
• Roles: Security & Compliance, Admin, Security Ops, End User

Polling Question

Which security solutions are you using today?

• Data Classification
• User Provisioning and Access Management
• Encryption/Tokenization
• Configuration Assessment
• Activity Monitoring

Deb Banerjee

Technical Director

@banerjeesec