Security Architecture Best Practices for SaaS Applications 22-May-2014 www.techcello.com


© Techcello www.techcello.com

Housekeeping Instructions

All phones are set to mute. If you have any questions, please type them in the Chat window located beside the presentation panel.

We have already received several questions from the registrants, which will be answered by the speakers during the Q & A session.

We will continue to collect more questions during the session as we receive them and will try to answer them during today’s session.

In case you do not receive answers to your question today, you will certainly receive answers via email shortly.

Thanks for your participation and enjoy the session!


TechCello Introduction

Cloud-Ready, Multi-Tenant SaaS Application Development Framework

Provides an end-to-end SaaS Lifecycle Management Solution

Redefines the way SaaS products are built and managed

Saves anywhere between 30%-50% of time and cost


Speaker Profiles

Vittal Raj

International VP, ISACA

Founder, Pristine Consulting

Last two decades in Consulting, Assurance & Training in IS Security, IT Compliance/Governance, Enterprise Risk Management, Risk-based Internal Audit and Digital Forensics.

Directed and managed projects in the areas of IS Security Implementation, Cyber Crime Forensics & Cyber Law Consulting, Network & Web Application Vulnerability Assessments.

Specialist trainer in IT Risk Management and Information Security.

Jothi Rengarajan

Chief Technical Architect

TechCello

14+ years of experience in architecting cloud and SaaS solutions for both ISVs and Enterprises

Chief architect in designing and constructing the TechCello framework

Plays a consultative role with customers in implementing technical solutions

Gartner forecasts on SaaS……

• SaaS market set to top $22 billion by 2015

• Surge in software spend by 2015; stratification of SaaS

• CRM, ERP and office & productivity SaaS in the lead

• Multi-tenancy is the way to go, supported by innovative technology

• Customer concerns: Continuity, Security & Contractual

What’s slowing down SaaS adoption?

• Application Control & Security Governance
• Contractual Transparency & SLA Assurance
• Business Continuity & Resilience
• Security Management
– Security of Data in a multi-tenancy model
– Risk driven Security management
– Identity and access management (IAM) – Adequacy, Sustainability
• Privacy and Regulatory concerns
– Data location, Privacy Compliance, IAM, Licensing, legal & electronic discovery
• Customisation & Transitioning out
• Continual Independent Assurance
• Pricing Indemnity

Goals to Results

Framework-based approach driven by Stakeholder Expectations

Source: COBIT 5®, ITGI

Key Control Drivers

Application & Interfaces
Business Continuity & Operational Resilience
Change Control & Configuration Management
Data Security & Information Life Cycle Mgmt
Data Centre Security
Encryption & Key Management
Governance & Risk Management
Identity & Access Management
Infrastructure & Virtualisation Security
SCM, Transparency & Accountability
Human Resources
Audit, Assurance & Compliance

Source: CCSA – CCS Matrix

Holistic approach for sustainable governance

Source: COBIT 5®, ITGI

Managing Operational Risks in SaaS Services

• SaaS Governance Framework - Client
– Risk Assessment & Management
– Service Level Management
– Performance Management (Metrics & Mechanisms)
– Auditability and Audits
• Risk Management & Assurance
• Standards & Certification
• Assurance by CSP
• Insurance
• Contract Governance
• Security Management
– Security Framework – Encryption, Data Exchange Controls
• Transition Management
• Monitoring Capabilities
• Billing Control
• Litigation Clauses
• Regulatory Compliance

International Standards

• COBIT 5 – Controls and Assurance in the Cloud
• CSA Guides
• AICPA Service Organization Control (SOC) 1 Report
• AICPA/CICA Trust Services (SysTrust and WebTrust)
• ISO 2700x — Information security management system (ISMS)
• Cloud Security Matrix — By Cloud Security Alliance
• NIST SP 800-53 — The NIST IT security controls standards
• Health Information Trust Alliance (HITRUST)
• BITS — The BITS Shared Assessment Program
– contains the Standardized Information Gathering (SIG) questionnaire and Agreed Upon Procedures (AUP).
• European Network and Information Security Agency (ENISA)
– Cloud Computing — Benefits, Risks and Recommendations for Information Security.

‘Trustworthy’ SaaS

key to customer acquisition & loyalty

Feel free to contact me with your questions, comments & feedback:

R Vittal [email protected]

Linkedin: rvittalraj


SaaS Customer Concerns

Data Storage and Segregation

• Is it a dedicated or a shared environment?

• If it is a shared environment, how is the data segregated from other shared environments?

• How is security managed in the shared environment? What controls are in place?

ACL

• What type of identity management solution is provided?

• Is Single Sign-On (SSO) provided? What types of SSO options are available? SAML, OAuth etc.?

• What type of user store is available? Can this user store be integrated with Active Directory or any other user store database?

• What type of user security, authentication and authorization options are available?

Data Security

• How is the primary data encrypted? What encryption schemes are used? Who has access to the decryption keys? How often is this tested?

Audits

• What application & data access audit logs are available? How often can you get them?

• What type of investigative support is provided in case of a breach?

SaaS Security Architecture Goals

Protection of information: the prevention and detection of unauthorized actions, and ensuring the confidentiality and integrity of data.

Robust Tenant Data Isolation

Flexible RBAC – Prevent unauthorized actions

Proven Data Security

Prevention of the top web-related threats as per OWASP

Strong Security Audit Logs

Tenant Data Isolation

Design for a Hybrid Approach


Database Routing Based On Tenant

Application Layer Auto Tenant Filter

Tenant Based View Filter
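The hybrid approach listed above, database routing per tenant plus an application-layer filter that is never left to the caller, as an added example that is not part of the original deck or of the Cello framework. The tenant catalogue, schema and invoice amounts are constructed values, and SQLite in-memory databases stand in for real database servers.

```python
import sqlite3

# Constructed tenant catalogue (example values, not Cello's own schema): "dedicated"
# tenants get their own database, "shared" tenants share one database and are kept
# apart by a tenant_id column plus the application-layer filter below.
TENANT_CATALOG = {
    "acme":    {"db": "db_acme_dedicated", "isolation": "dedicated"},
    "globex":  {"db": "db_shared_pool_1",  "isolation": "shared"},
    "initech": {"db": "db_shared_pool_1",  "isolation": "shared"},
}
SCHEMA = "CREATE TABLE invoices (id INTEGER PRIMARY KEY, tenant_id TEXT NOT NULL, amount REAL NOT NULL)"

class TenantRouter:
    """Database routing based on tenant: resolve a tenant to its database connection."""
    def __init__(self):
        self._conns = {}

    def connection(self, tenant_id):
        # An unknown tenant raises KeyError: fail closed, never fall back to a default DB.
        db_name = TENANT_CATALOG[tenant_id]["db"]
        if db_name not in self._conns:
            conn = sqlite3.connect(":memory:")  # in-memory stand-in for a real DB server
            conn.execute(SCHEMA)
            self._conns[db_name] = conn
        return self._conns[db_name]

class TenantScopedRepo:
    """Application-layer auto tenant filter: the repo adds tenant_id, the caller never does."""
    def __init__(self, router, tenant_id):
        self.tenant_id = tenant_id
        self.conn = router.connection(tenant_id)

    def add_invoice(self, amount):
        self.conn.execute("INSERT INTO invoices (tenant_id, amount) VALUES (?, ?)", (self.tenant_id, amount))

    def list_amounts(self):
        query = "SELECT amount FROM invoices WHERE tenant_id = ? ORDER BY id"
        return [row[0] for row in self.conn.execute(query, (self.tenant_id,))]

def demo():
    """Three tenants on two databases: each tenant sees only its own rows."""
    router = TenantRouter()
    TenantScopedRepo(router, "globex").add_invoice(100.0)
    TenantScopedRepo(router, "initech").add_invoice(250.0)
    TenantScopedRepo(router, "acme").add_invoice(999.0)
    result = {t: TenantScopedRepo(router, t).list_amounts() for t in TENANT_CATALOG}
    result["shared_db_rows"] = router.connection("globex").execute(  # rows of both shared tenants
        "SELECT COUNT(*) FROM invoices").fetchone()[0]
    return result
```

The shared database holds rows for both shared tenants, yet each repo instance can only read its own; the tenant-based view filter from the slide is the same predicate pushed into a database view.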


ACL Architecture

Authentication

• Separate Common Identity Provider
• Identity Provider Support Options
– Custom Username Password Authentication
– AD Integrated SSO
– OpenID Authentication
– Multi-factor Authentication
– Hybrid Authentication Support

Role Based Access Control (RBAC)

Authorization

• ACL Metadata
– Use privileges
– Map with roles
– Roles should be defined by business users
– Role mapped to privileges and user mapped to roles
• Access Check Services
– Control at a URL, Action, Data and Field level
– Configuration based privilege control
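The user-to-role-to-privilege mapping and the URL, action, data and field level checks described above, as an added example (not the deck's or Cello's code). ACL_CONFIG, the user, role and privilege names and the invoice record are constructed for illustration.

```python
import re

# Constructed ACL metadata (an example configuration, not Cello's own format).
# Privileges are atomic permissions bound to a URL pattern + HTTP action or to a
# protected field; roles bundle privileges; users are mapped only to roles.
ACL_CONFIG = {
    "privileges": {
        "invoice.view":        {"url": r"^/invoices(/\d+)?$",     "actions": {"GET"}},
        "invoice.approve":     {"url": r"^/invoices/\d+/approve$", "actions": {"POST"}},
        "invoice.view_amount": {"fields": {"amount"}},
    },
    "roles": {
        "clerk":   {"invoice.view"},
        "manager": {"invoice.view", "invoice.approve", "invoice.view_amount"},
    },
    "users": {"alice": {"manager"}, "bob": {"clerk"}},
}

def privileges_for(user):
    """Resolve user -> roles -> privileges; unknown users hold no privileges."""
    roles = ACL_CONFIG["users"].get(user, set())
    return set().union(*(ACL_CONFIG["roles"].get(r, set()) for r in roles))

def check_url_action(user, method, path):
    """URL and action level: deny by default unless a held privilege matches both."""
    for priv in privileges_for(user):
        spec = ACL_CONFIG["privileges"].get(priv, {})
        if "url" in spec and re.match(spec["url"], path) and method.upper() in spec["actions"]:
            return True
    return False

def check_data(record, tenant_id):
    """Data level: a record is visible only inside the caller's own tenant."""
    return record.get("tenant_id") == tenant_id

def filter_fields(user, record):
    """Field level: drop fields whose guarding privilege the user does not hold."""
    held = privileges_for(user)
    guarded = {f: p for p, spec in ACL_CONFIG["privileges"].items() for f in spec.get("fields", ())}
    return {k: v for k, v in record.items() if k not in guarded or guarded[k] in held}

def authorize_read(user, tenant_id, method, path, record):
    """Combined access check: URL/action, then data, then field filtering; None means denied."""
    if not check_url_action(user, method, path) or not check_data(record, tenant_id):
        return None
    return filter_fields(user, record)
```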


• REST API Implementation
• External Application Integration
– OAuth 2.0
– HMAC
• Internal Application Integration
– Session Token
– Cookie
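HMAC-based request authentication for the external application integration listed above, as an added example that is neither the deck's nor Cello's implementation. The client registry, the shared secret, the header names and the canonical string layout are constructed assumptions.

```python
import hashlib
import hmac
import time

# Constructed client registry: API client id -> shared secret (example values only).
CLIENT_SECRETS = {"partner-app": b"constructed-example-secret-rotate-me"}
MAX_SKEW_SECONDS = 300  # reject requests whose timestamp is too old or too far ahead

def canonical_string(method, path, timestamp, body):
    """Bind method, path, time and body hash into the string that gets signed."""
    body_hash = hashlib.sha256(body).hexdigest()
    return "\n".join([method.upper(), path, str(timestamp), body_hash])

def sign_request(client_id, method, path, body, timestamp=None):
    """Client side: produce the headers that accompany an API call."""
    ts = int(time.time() if timestamp is None else timestamp)
    msg = canonical_string(method, path, ts, body).encode()
    sig = hmac.new(CLIENT_SECRETS[client_id], msg, hashlib.sha256).hexdigest()
    return {"X-Client-Id": client_id, "X-Timestamp": str(ts), "X-Signature": sig}

def verify_request(headers, method, path, body, now=None):
    """Server side: recompute the HMAC over what was actually received and compare in constant time."""
    secret = CLIENT_SECRETS.get(headers.get("X-Client-Id"))
    if secret is None:
        return False  # unknown client
    try:
        ts = int(headers.get("X-Timestamp", ""))
    except ValueError:
        return False  # malformed timestamp
    current = int(time.time() if now is None else now)
    if abs(current - ts) > MAX_SKEW_SECONDS:
        return False  # stale request: bounds the replay window (a nonce cache would close it)
    expected = hmac.new(secret, canonical_string(method, path, ts, body).encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, headers.get("X-Signature", ""))
```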


OWASP – TOP 10 Threats 2013

A1 Injection
A2 Broken Authentication and Session Management (was formerly A3)
A3 Cross-Site Scripting (XSS) (was formerly A2)
A4 Insecure Direct Object References
A5 Security Misconfiguration (was formerly A6)
A6 Sensitive Data Exposure (merged from former A7 Insecure Cryptographic Storage and former A9 Insufficient Transport Layer Protection)
A7 Missing Function Level Access Control (renamed/broadened from former A8 Failure to Restrict URL Access)
A8 Cross-Site Request Forgery (CSRF) (was formerly A5)
A9 Using Known Vulnerable Components (new but was part of former A6 – Security Misconfiguration)
A10 Unvalidated Redirects and Forwards

Security Testing

Dynamic Testing

Static Testing

Security Verification

Event Audit

• Audit positive events, and more importantly audit negative events
• Should cover:
– Who performs the action?
– What action is performed?
– What is the context in which the operation is performed?
– What time is the action performed?
• Audit details stored in a separate datastore for better performance
• Real-time audit details – audit cache server

Security Audit

Transaction and Change Audit

• Transaction Audit
– Snapshot: exact copy of the row stored in history tables
– More suitable if requests to access past data are frequent
– More data growth
• Change Audit
– Only the delta of the state change is captured in change tables
– More suitable when changes need to be reported and past data is not required much
– Used more for security tracking purposes
– Easier to implement using methods available out of the box in an RDBMS, such as CDC for SQL Server
• Asynchronous Mode: for better performance, and so that the audit cannot roll back the business transaction, it is advisable to audit in an asynchronous thread.
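The event audit fields from the previous slide (who, what, context, when, with the outcome recorded so that denied and failed actions are captured) together with the change-audit delta and asynchronous writing described here, as an added example that is not taken from the deck or from Cello. AuditEvent, AsyncAuditStore and the sample events are constructed for illustration; the in-memory list stands in for the separate audit datastore.

```python
import queue
import threading
from dataclasses import asdict, dataclass, field
from datetime import datetime, timezone

@dataclass
class AuditEvent:
    who: str          # acting user
    what: str         # action performed
    context: dict     # tenant, object id, request id and similar
    when: str         # UTC timestamp of the action
    outcome: str      # "success", or a negative outcome such as "denied" or "failure"
    delta: dict = field(default_factory=dict)  # change audit: only the fields that changed

def compute_delta(before, after):
    """Change audit: keep the old/new pair for fields whose value changed, nothing else."""
    keys = set(before) | set(after)
    return {k: {"old": before.get(k), "new": after.get(k)}
            for k in sorted(keys) if before.get(k) != after.get(k)}

class AsyncAuditStore:
    """Audit records travel through a queue to a separate store, so a slow or failing
    audit write never blocks or rolls back the business transaction."""
    def __init__(self):
        self.records = []          # stand-in for the separate audit datastore
        self._q = queue.Queue()
        threading.Thread(target=self._worker, daemon=True).start()

    def _worker(self):
        while True:
            event = self._q.get()
            try:
                self.records.append(asdict(event))  # here a real insert into the audit DB
            finally:
                self._q.task_done()

    def record(self, who, what, context, outcome, before=None, after=None):
        """Called from the business code path; returns immediately."""
        event = AuditEvent(who, what, context, datetime.now(timezone.utc).isoformat(),
                           outcome, compute_delta(before or {}, after or {}))
        self._q.put(event)

    def flush(self):
        """Wait until every queued event has been written; returns the records written."""
        self._q.join()
        return list(self.records)
```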


User Action Audit

• Audit all user actions
• Capture the entry URL, time, location details, browser details, response status and any exceptions
• Provide analysis of the user actions
• Can be customized at the application layer, or the web server logs can be used

Security Audit

How does it work?

Cello Stack – At a Glance

Cloud Ready, Multi-Tenant Application Development Framework

Administrative Modules: Tenant Provisioning, Licensing, Metering, Billing, Data Backup

Security Modules: User Management, Role/Privilege Mgmt., Single Sign-on, Dynamic Data Scope, Auditing

Enterprise Engines: Business Rules, Workflow, Dynamic Forms

Integration Modules: Events, Notification, Templates

Productivity Boosters: Query, Chart, Reports, Ad-hoc Builders, Code Templates, Master Data Mgmt., Forms Generation

Application Multi-Tenancy & Tenant Data Isolation

Configurability Modules: Custom Fields, Custom LoV, Settings Template, Themes & Logo, Pre & Post Processors

Cello Cloud Adapters