© Techcello www.techcello.com
Housekeeping Instructions
All phones are set to mute. If you have any questions, please type them in the Chat window located beside the presentation panel.
We have already received several questions from the registrants, which will be answered by the speakers during the Q & A session.
We will continue to collect questions as we receive them during the session and will try to answer them today.
If you do not receive an answer to your question today, you will certainly receive one via email shortly.
Thanks for your participation and enjoy the session!
TechCello Introduction
Cloud Ready, SaaS/Multi-Tenant SaaS Application Development Framework
Provides an end-to-end SaaS Lifecycle Management Solution
Redefines the way SaaS products are built and managed
Saves anywhere between 30%-50% of time and cost
Speaker Profiles
Vittal Raj
International VP, ISACA
Founder, Pristine Consulting
Two decades in Consulting, Assurance & Training in IS Security, IT Compliance/Governance, Enterprise Risk Management, Risk-based Internal Audit and Digital Forensics.
Directed and managed projects in the areas of IS Security Implementation, Cyber Crime Forensics & Cyber Law Consulting, and Network & Web Application Vulnerability Assessments.
Specialist trainer in IT Risk Management and Information Security.
Jothi Rengarajan
Chief Technical Architect
TechCello
14+ years of experience in architecting cloud and SaaS solutions for both ISVs and Enterprises
Chief architect in designing and constructing the TechCello framework
Plays a consultative role with customers in implementing technical solutions
Gartner forecasts on SaaS
• SaaS market set to top $22 billion by 2015
• Surge in software spend by 2015; stratification of SaaS
• CRM, ERP and office & productivity SaaS in the lead
• Multi-tenancy is the way to go, supported by innovative technology
• Customer concerns: Continuity, Security & Contractual
What’s slowing down SaaS adoption?
• Application Control & Security Governance
• Contractual Transparency & SLA Assurance
• Business Continuity & Resilience
• Security Management
  – Security of Data in a multi-tenancy model
  – Risk-driven Security management
  – Identity and access management (IAM) – Adequacy, Sustainability
• Privacy and Regulatory concerns
  – Data location, Privacy Compliance, IAM, Licensing, legal & electronic discovery
• Customisation & Transitioning out
• Continual Independent Assurance
• Pricing Indemnity
Key Control Drivers
Application & Interfaces
Business Continuity & Operational Resilience
Change Control & Configuration Management
Data Security & Information Life Cycle Management
Data Centre Security
Encryption & Key Management
Governance & Risk Management
Identity & Access Management
Infrastructure & Virtualisation Security
SCM, Transparency & Accountability
Human Resources
Audit, Assurance & Compliance
Source: CCSA – CCS Matrix
Managing Operational Risks in SaaS Services
• SaaS Governance Framework - Client
  – Risk Assessment & Management
  – Service Level Management
  – Performance Management (Metrics & Mechanisms)
  – Auditability and Audits
• Risk Management & Assurance
• Standards & Certification
• Assurance by CSP
• Insurance
• Contract Governance
• Security Management
  – Security Framework – Encryption, Data Exchange Controls
• Transition Management
• Monitoring Capabilities
• Billing Control
• Litigation Clauses
• Regulatory Compliance
International Standards
• COBIT 5 – Controls and Assurance in the Cloud
• CSA Guides
• AICPA Service Organization Control (SOC) 1 Report
• AICPA/CICA Trust Services (SysTrust and WebTrust)
• ISO 2700x – Information security management system (ISMS)
• Cloud Security Matrix – by Cloud Security Alliance
• NIST SP 800-53 – the NIST IT security controls standards
• Health Information Trust Alliance (HITRUST)
• BITS – the BITS Shared Assessment Program
  – contains the Standardized Information Gathering (SIG) questionnaire and Agreed Upon Procedures (AUP).
• European Network and Information Security Agency (ENISA)
  – Cloud Computing – Benefits, Risks and Recommendations for Information Security.
Feel free to contact me with your questions, comments & feedback:
R Vittal [email protected]
LinkedIn: rvittalraj
SaaS Customer Concerns
Data Storage and Segregation
• Is it a dedicated or a shared environment?
• If it is a shared environment, how is the data segregated from other shared environments?
• How is security managed in the shared environment? What controls are in place?
ACL
• What type of identity management solution is provided?
• Is Single Sign-On (SSO) provided? What types of SSO options are available: SAML, OAuth, etc.?
• What type of user store is available? Can this user store be integrated with Active Directory or any other user store database?
• What type of user security, authentication and authorization options are available?
SaaS Customer Concerns
Data Security
• How is the primary data encrypted? What encryption schemes are used? Who has access to the decryption keys? How often is this tested?
Audits
• What application & data access audit logs are available? How often can you get them?
• What type of investigative support is provided in case of a breach?
SaaS Security Architecture Goals
Protection of information: the prevention and detection of unauthorized actions, ensuring the confidentiality and integrity of data.
Robust Tenant data isolation
Flexible RBAC – Prevent unauthorized actions
Proven Data security
Prevention of top web-related threats as per OWASP
Strong Security Audit Logs
Tenant Data Isolation
Database Routing Based On Tenant
Application Layer Auto Tenant Filter
Tenant Based View Filter
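The "application layer auto tenant filter" from the slide, as an added example rather than TechCello's own code: a repository that refuses to run without a tenant context and binds the tenant predicate in front of every query, so a missing WHERE clause or a guessed row id from another tenant returns nothing. Table names, columns and the sample rows are constructed for the demonstration.

```python
# Added example, not TechCello code: an application-layer "auto tenant filter".
# Every query issued through TenantScopedRepository carries the tenant_id taken
# from the request context, so a forgotten WHERE clause cannot return another
# tenant's rows. Table and column names are assumptions for this demonstration.
import sqlite3

# Shared-schema table with constructed sample rows for two tenants.
SAMPLE_ROWS = [
    (1, "acme", "Invoice 1001"),
    (2, "acme", "Invoice 1002"),
    (3, "globex", "Invoice 2001"),
]
ALLOWED_TABLES = {"invoices"}  # table names come from code, never from callers


def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE invoices("
                 "id INTEGER PRIMARY KEY, tenant_id TEXT NOT NULL, title TEXT)")
    conn.executemany("INSERT INTO invoices VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


class TenantScopedRepository:
    """Data access object that refuses to exist without a tenant context and
    prepends the tenant predicate to every statement it executes."""

    def __init__(self, conn, tenant_id):
        if not tenant_id:
            raise ValueError("tenant context is required before any data access")
        self.conn = conn
        self.tenant_id = tenant_id

    def select(self, table, where="1=1", params=()):
        if table not in ALLOWED_TABLES:
            raise ValueError(f"unknown table {table!r}")
        # The tenant predicate is bound as a parameter and ANDed in front of
        # whatever filter the caller supplied; the caller cannot remove it.
        sql = f"SELECT id, title FROM {table} WHERE tenant_id = ? AND ({where})"
        return self.conn.execute(sql, (self.tenant_id, *params)).fetchall()

    def get_by_id(self, table, row_id):
        # A row id that belongs to another tenant simply looks like "not found",
        # which is the defence against insecure direct object references (OWASP A4).
        rows = self.select(table, "id = ?", (row_id,))
        return rows[0] if rows else None
```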
Role Based Access Control (RBAC)
Authentication
• Separate Common Identity Provider
• Identity Provider Support Options
  – Custom Username Password Authentication
  – AD Integrated SSO
  – Open ID Authentication
  – Multi factor authentication
  – Hybrid Authentication Support
Role Based Access Control (RBAC)
Authorization
• ACL Metadata
  – Use privileges
  – Map with roles
  – Roles should be defined by business users
  – Role mapped to privileges and user mapped to roles
• Access Check Services
  – Control at URL, Action, Data and Field level
  – Configuration based privilege control
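The role-to-privilege and user-to-role mapping with checks at URL/action, data and field level, as an added example (not TechCello's access check service): the ACL metadata is plain configuration, unmapped routes are denied by default, and field-level filtering strips columns the caller has no privilege for. Roles, routes, privilege names and users are constructed.

```python
# Added example, not TechCello code: a configuration-driven access check service.
# ACL metadata maps roles to privileges and users to roles; the checks answer
# "may this user hit this URL/action?", "is this record in the caller's tenant?"
# and "which fields may the caller see?". All roles, routes and names are constructed.
from dataclasses import dataclass, field

# Role -> privileges, as it might be loaded from configuration (constructed).
ROLE_PRIVILEGES = {
    "tenant_admin": {"invoice.read", "invoice.write", "invoice.read_amount", "user.manage"},
    "clerk": {"invoice.read", "invoice.write"},
    "auditor": {"invoice.read", "invoice.read_amount"},
}
# URL/action level: the privilege each route requires. Unmapped routes are denied.
URL_PRIVILEGE = {
    ("GET", "/invoices"): "invoice.read",
    ("POST", "/invoices"): "invoice.write",
    ("GET", "/users"): "user.manage",
}
# Field level: columns that need an extra privilege to be returned at all.
FIELD_PRIVILEGE = {"amount": "invoice.read_amount"}

@dataclass
class User:
    name: str
    tenant_id: str
    roles: set = field(default_factory=set)

def privileges_of(user):
    privs = set()
    for role in user.roles:
        privs |= ROLE_PRIVILEGES.get(role, set())  # an unknown role grants nothing
    return privs

def may_access_url(user, method, path):
    """URL/action-level check with deny-by-default for routes not in the map."""
    needed = URL_PRIVILEGE.get((method, path))
    return needed is not None and needed in privileges_of(user)

def may_access_record(user, record):
    """Data-level check: the record must belong to the caller's own tenant."""
    return record.get("tenant_id") == user.tenant_id

def filter_fields(user, record):
    """Field-level check: strip columns whose privilege the caller lacks."""
    privs = privileges_of(user)
    return {k: v for k, v in record.items()
            if k not in FIELD_PRIVILEGE or FIELD_PRIVILEGE[k] in privs}
```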
Role Based Access Control (RBAC)
Authorization
• REST API Implementation
• External Application Integration
  – OAuth 2.0
  – HMAC
• Internal Application Integration
  – Session Token
  – Cookie
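The HMAC option for external application integration, as an added example rather than TechCello's implementation: the client signs method, path, timestamp and a body hash with a shared secret; the server looks the secret up by key id, rejects stale timestamps and compares signatures in constant time. The key id, secret and header names are constructed.

```python
# Added example, not TechCello code: HMAC request signing for the external
# (server-to-server) REST API integration the slide lists beside OAuth 2.0.
# The client signs method, path, timestamp and a body hash with a shared secret;
# the server looks the secret up by key id, rejects stale timestamps and compares
# signatures in constant time. Key ids, secrets and header names are constructed.
import hashlib
import hmac

API_KEYS = {"partner-app": b"constructed-demo-secret-replace-in-real-use"}
MAX_SKEW_SECONDS = 300  # window outside which a captured request is useless


def canonical_string(method, path, body, timestamp):
    # Everything that must not be tampered with goes into the signed string.
    body_hash = hashlib.sha256(body).hexdigest()
    return f"{method.upper()}\n{path}\n{timestamp}\n{body_hash}".encode()


def sign_request(key_id, method, path, body, timestamp):
    """Client side: returns the headers to attach to the request."""
    mac = hmac.new(API_KEYS[key_id], canonical_string(method, path, body, timestamp),
                   hashlib.sha256).hexdigest()
    return {"X-Key-Id": key_id, "X-Timestamp": str(timestamp), "X-Signature": mac}


def verify_request(headers, method, path, body, now):
    """Server side: True only if the request is fresh and its signature matches."""
    secret = API_KEYS.get(headers.get("X-Key-Id", ""))
    if secret is None:
        return False  # unknown client; do not reveal which check failed
    try:
        ts = int(headers.get("X-Timestamp", ""))
    except ValueError:
        return False
    if abs(now - ts) > MAX_SKEW_SECONDS:
        return False  # stale: limits replay of a captured request
    expected = hmac.new(secret, canonical_string(method, path, body, ts),
                        hashlib.sha256).hexdigest()
    # compare_digest avoids leaking the position of the first mismatching byte.
    return hmac.compare_digest(expected, headers.get("X-Signature", ""))
```

The timestamp window bounds replay but does not eliminate it inside the window; a server-side cache of recently seen (key id, timestamp, signature) tuples closes that gap.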
OWASP – Top 10 Threats 2013
A1 Injection
A2 Broken Authentication and Session Management (was formerly A3)
A3 Cross-Site Scripting (XSS) (was formerly A2)
A4 Insecure Direct Object References
A5 Security Misconfiguration (was formerly A6)
A6 Sensitive Data Exposure (merged from former A7 Insecure Cryptographic Storage and former A9 Insufficient Transport Layer Protection)
A7 Missing Function Level Access Control (renamed/broadened from former A8 Failure to Restrict URL Access)
A8 Cross-Site Request Forgery (CSRF) (was formerly A5)
A9 Using Known Vulnerable Components (new, but was part of former A6 – Security Misconfiguration)
A10 Unvalidated Redirects and Forwards
Security Audit
Event Audit
• Audit positive events; more importantly, audit negative events
• Should cover:
  – Who performs the action?
  – What action is performed?
  – What is the context in which the operation is performed?
  – At what time is the action performed?
• Audit details stored in a separate datastore for better performance
• Real-time audit details – audit cache server
Security Audit
Transaction and Change Audit
• Transaction Audit
  – Snapshot: exact copy of the row stored in history tables
  – More suitable if requests to access past data are frequent
  – More data growth
• Change Audit
  – Only the delta of the state change is captured in change tables
  – More suitable when changes need to be reported and past data is rarely required
  – Used more for security tracking purposes
  – Easier to implement using methods available out of the box in the RDBMS, such as CDC for SQL Server
• Asynchronous mode: for better performance, and if the audit should not be able to roll back the transaction, it is advisable to audit in an asynchronous thread.
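The two audit styles from this slide side by side, as an added example (not TechCello's auditing module): a snapshot audit stores the full row, a change audit stores only the delta, tagged with the who/when fields the event-audit slide asks for, and replay() shows the cost of rebuilding past state from deltas. Row shape and field names are constructed.

```python
# Added example, not TechCello code: the two audit styles from the slide side by
# side. snapshot_audit stores a full copy of the row (transaction audit);
# change_audit stores only the delta (change audit) together with the who/when
# fields the event-audit slide asks for. Row shape and field names are constructed.
from copy import deepcopy


def snapshot_audit(history, row, who, when):
    """Transaction audit: exact copy of the row; reads of past state are cheap,
    storage grows with every update."""
    history.append({"who": who, "when": when, "row": deepcopy(row)})


def compute_delta(old, new):
    """Change audit: only the columns whose value changed, as (before, after)."""
    keys = set(old) | set(new)
    return {k: (old.get(k), new.get(k)) for k in sorted(keys) if old.get(k) != new.get(k)}


def change_audit(changes, old, new, who, when):
    """Records the delta; a no-op update leaves no audit row. Returns the delta
    so the caller (or an asynchronous worker) can log it without blocking."""
    delta = compute_delta(old, new)
    if delta:
        changes.append({"who": who, "when": when, "key": new["id"], "delta": delta})
    return delta


def replay(base, changes):
    """Rebuild a past state from the change table: this is the expensive path
    that makes snapshots preferable when past data is read often."""
    state = deepcopy(base)
    for entry in changes:
        for column, (_, after) in entry["delta"].items():
            state[column] = after
    return state
```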
Security Audit
User Action Audit
• Audit all user actions
• Capture the entry URL, time, location details, browser details, response status and any exceptions
• Provide analysis on the user actions
• Can be customized at the application layer, or the web server logs can be used
How does it work?
Cello Stack – At a Glance
Cloud Ready, Multi-Tenant Application Development Framework
Administrative Modules: Tenant Provisioning, Licensing, Metering, Billing, Data Backup
Security Modules: User Management, Role/Privilege Mgmt., Single Sign-on, Dynamic Data Scope, Auditing
Enterprise Engines: Business Rules, Workflow, Dynamic Forms
Integration Modules: Events, Notification, Templates
Productivity Boosters: Query, Chart & Report Ad-hoc Builders, Code Templates, Master Data Mgmt., Forms Generation
Configurability Modules: Custom Fields, Custom LoV, Settings Template, Themes & Logo, Pre & Post Processors
Application Multi-Tenancy & Tenant Data Isolation
Cello Cloud Adapters
Contact Details
Jothi Rengarajan ([email protected])
Vittal Raj ([email protected])
Reference URLs
Web : http://www.techcello.com
ROI Calculator : http://www.techcello.com/techcello-roi-calculator
Demo Videos : http://www.techcello.com/techcello-resources/techcello-product-demo
SaaS e-Book: http://www.techcello.com/techcello-resources/techcello-resources-white-papers
Thank You