SAAS – SECURITY & CHALLENGES, by Kannan Subbiah, Knowledge Universe Technologies India Pvt Ltd

SaaS Challenges & Security Concerns


This presentation was made for the Chartered Accountants community at Chennai in the last week of January 2011. Comments and feedback are welcome.

Page 1: SaaS Challenges & Security Concerns

SAAS – SECURITY & CHALLENGES

Kannan Subbiah, Knowledge Universe Technologies India Pvt Ltd

Page 2

Services in real life

- Own a house vs. rent a house
- Own a car vs. engage a call taxi

Page 3

SaaS – What is it?

Software + Services

Business Model
- Chargeable unit
- Geographical boundary
- Business Domain
- Implementation Partners
- …

Operating Model
- On-boarding / Exit
- Customer Support
- Service Level
- Contract terms
- …

Application Architecture
- Hosting infrastructure
- Support Multi-tenancy
- Scalability
- Internationalization
- …

Page 4

SaaS - Evolution

- In-house: H/W and S/W owned and managed.
- Hosted: software owned and managed, infrastructure rented.
- Hosted (ASP): software rented, but not designed to scale.
- Subscribed: self-subscribe to the software or parts of the software; customizable by tenants to an extent.

(Chart axes: Time, Affordability)

Page 5

Characteristics of SaaS

- Multi Tenancy
- Subscription based service
- Scalability
- Manageability
- Self Service Sign-up
- Tenant specific customization

Page 6

How does it differ

Attribute                 Traditional                     SaaS
Application Delivery      Installed                       Hosted
Updates / Release Cycle   Larger / Longer                 Smaller / Shorter
Pricing                   One Time + Maintenance          Subscription
Accounting                CAP-EX                          OP-EX
Implementation            Engage Partners / consultants   Simple, end user configurable
Operating Platform        Multiple                        Single
Value proposition         Once at the time of selling     Continuous

Page 7

Benefits for Consumers

- Pay per use
- Anywhere access
- Subscription to service, not software
- Least or no investment on infrastructure

Page 8

Benefits to Vendors

- Stronger protection for IPR
- Operational control of the environment
- Recurring revenue stream
- Shared Infrastructure – PaaS / IaaS

Page 9

SaaS Maturity Levels

- Microsoft – 4 levels: Scalability, Multi-Tenancy and Configuration
- Forrester – 6 levels
- SEI – for assessing the organization and not the application
- Euro Cloud Star Audit
- None of them are popular

Page 10

SaaS Maturity Levels by Forrester

- Level 0 – Outsourcing
- Level 1 – Manual ASP
- Level 2 – Industrial ASP
- Level 3 – Single-app SaaS
- Level 4 – Business Domain SaaS
- Level 5 – Dynamic Business Apps

Page 11

SAAS – CHALLENGES

Page 12

Design & Development

Solution Design to address:
- Internationalization
- Cloud Infrastructure
- Support business & operating model
- Multi-tenancy
- Extensibility
- Security and Audit
- Wider scope - cover industry needs

Page 13

Support & Maintenance

Must Support:
- Larger impact
- SLA driven
- Disclaimers

Increased Focus on:
- Reliability
- Availability
- Extensibility
- Scalability
- Quality, etc.

Page 14

Customer On-boarding

- Migration from existing software
- Application Integration
- Data Integration
- Data Mining
- Authentication, Single Sign-on
- Network infrastructure

Page 15

Customer Service

Areas of support to include:
- Hosting infrastructure
- Data center operations
- Systems and network monitoring
- Billing
- Customer education

Longer customer retention for better RoI

Page 16

Research & Product Improvement

- Agile approach
- Rapid releases and upgrades
- Primary focus on:
  - Rapid action on feedback
  - Usage statistics
  - Predict industry trends
  - Platform and tools used
  - Automated testing
  - Service aggregation

Page 17

Legal

- Driving Contracts online
- Termination and Migration
- Security, Privacy and related risks
- Country specific regulations
- SLAs

Page 18

Security Concerns

SaaS Security covers:
- Data Security
- IdM & SSO
- Data Segregation
- Deployment Model
- Deployment Environment
- Network Security
- Regulatory Compliance
- Availability
- Back up & Recovery

Page 19

Data Security

- Data Location
- Data Encryption
- Data Integration APIs
- Access Logs
- Return / destruction of data upon exit

Page 20

Data Segregation

- Understand the Data & Application Architecture
- Separate Physical / Virtual Server(s)
- Separate Instance on shared hardware
- Separate Database
- Shared Database
- Authentication and Authorization
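The "Shared Database" option on this slide is the cheapest to operate and the one where segregation depends entirely on the application: every tenant's rows sit in the same tables, so the data layer must add the tenant predicate to every statement and must record each access for the "Access Logs" item on the Data Security slide. The following is an added example written for this page, not code from the presentation or its author; the tenant names, user names, roles and the invoices table are all constructed for the demonstration.

```python
import datetime
import sqlite3
from dataclasses import dataclass


@dataclass(frozen=True)
class Principal:
    """The authenticated caller. tenant_id comes from the login/session, never from the request."""
    user: str
    tenant_id: str
    role: str  # "reader" or "admin" (hypothetical roles for this example)


class TenantScopedStore:
    """Shared-database tenant segregation: one table holds every tenant's rows,
    so isolation rests entirely on the tenant_id predicate the data layer adds
    to every statement. Every access attempt, allowed or denied, is logged."""

    def __init__(self) -> None:
        self.db = sqlite3.connect(":memory:")
        self.db.execute(
            "CREATE TABLE invoices (id INTEGER PRIMARY KEY, tenant_id TEXT NOT NULL, amount REAL NOT NULL)"
        )
        self.db.execute(
            "CREATE TABLE access_log (ts TEXT, user TEXT, tenant_id TEXT, action TEXT, target TEXT, allowed INTEGER)"
        )

    def _log(self, p: Principal, action: str, target: str, allowed: bool) -> None:
        ts = datetime.datetime.now(datetime.timezone.utc).isoformat()
        self.db.execute(
            "INSERT INTO access_log VALUES (?, ?, ?, ?, ?, ?)",
            (ts, p.user, p.tenant_id, action, target, int(allowed)),
        )

    def add_invoice(self, p: Principal, amount: float) -> int:
        if p.role != "admin":
            self._log(p, "add_invoice", "-", False)
            raise PermissionError("admin role required")
        cur = self.db.execute(
            "INSERT INTO invoices (tenant_id, amount) VALUES (?, ?)", (p.tenant_id, amount)
        )
        self._log(p, "add_invoice", str(cur.lastrowid), True)
        return cur.lastrowid

    def get_invoice(self, p: Principal, invoice_id: int) -> dict:
        # The tenant predicate is part of the query, not a check done after
        # fetching, so a guessed id belonging to another tenant returns nothing.
        row = self.db.execute(
            "SELECT id, tenant_id, amount FROM invoices WHERE id = ? AND tenant_id = ?",
            (invoice_id, p.tenant_id),
        ).fetchone()
        self._log(p, "get_invoice", str(invoice_id), row is not None)
        if row is None:
            raise LookupError("no such invoice for this tenant")
        return {"id": row[0], "tenant_id": row[1], "amount": row[2]}

    def list_invoices(self, p: Principal) -> list:
        rows = self.db.execute(
            "SELECT id, amount FROM invoices WHERE tenant_id = ? ORDER BY id", (p.tenant_id,)
        ).fetchall()
        self._log(p, "list_invoices", "*", True)
        return rows

    def denied_attempts(self) -> list:
        """What an auditor or a detection rule would read: every refused access."""
        return self.db.execute(
            "SELECT user, tenant_id, action, target FROM access_log WHERE allowed = 0 ORDER BY rowid"
        ).fetchall()


def demo() -> dict:
    """Constructed scenario: two tenants ('acme', 'globex') sharing one database."""
    store = TenantScopedStore()
    acme_admin = Principal("alice", "acme", "admin")
    globex_reader = Principal("bob", "globex", "reader")

    invoice_id = store.add_invoice(acme_admin, 1200.0)

    # Cross-tenant read: bob knows the id but belongs to a different tenant.
    try:
        store.get_invoice(globex_reader, invoice_id)
        leaked = True
    except LookupError:
        leaked = False

    # Privilege check within a tenant: a reader may not create invoices.
    try:
        store.add_invoice(globex_reader, 5.0)
        escalated = True
    except PermissionError:
        escalated = False

    return {
        "invoice_id": invoice_id,
        "cross_tenant_leak": leaked,
        "reader_could_write": escalated,
        "acme_invoices": store.list_invoices(acme_admin),
        "denied": store.denied_attempts(),
    }


if __name__ == "__main__":
    print(demo())
```

The design point is that the tenant identifier is bound to the authenticated principal and injected by the data layer, so no request parameter can widen the scope, and the denied rows in access_log are exactly the events a monitoring rule on cross-tenant access attempts would consume.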

Page 21

Development Model

- Security aware developers
- Application Design
  - Application / Data Partitioning
  - Information Sensitivity
  - Design for Performance & Scalability
- Configuration Management
- Security Testing
- Threat Remediation
- Build & Release Cycles

Page 22

Deployment Environment

- Boundary Protection
- Resource Priority
- Configuration Management
- Cloud Infrastructure
- Certification / accreditation
- Continuous Monitoring
- Audit

Page 23

Network Security

- Transmission Integrity
- Secure Data in transit (SSL)
- Intrusion Detection & Prevention
- Other standard security measures

Threats:
- Man-in-the-middle
- IP Spoofing
- Port Scanning
- Packet Sniffing

Page 24

Regulatory Compliance

- Global Legal compliance: SAS 70, SOX, HIPAA, …
- Contractual obligations
- Need for Logs and Audit Trails
- Data Retention needs

Page 25

Availability

Application Design and Architecture:
- Design for performance
- Graceful exits
- Instance Isolation
- Custom Code Modules

SLA:
- Uptime Guarantees
- Maintenance / Outage Notifications
- Documented BC & DRP plans

Code Escrow

Page 26

Back up & Recovery

Infrastructure:
- Protection of back up location
- Encryption
- Access control to Backup location

Recovery:
- Documented process
- Drills

Page 27

Identity Management

- Who manages it?
- Checks & Controls
  - Id provisioning
  - Secure storage
  - Password Policies
- Federated IdM
  - Trust relationships with tenants
  - Secure federation of user identities
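The "Secure storage" and "Password Policies" items under Checks & Controls are the part of identity management a SaaS customer can ask the vendor to demonstrate. The following is an added example written for this page, not code from the presentation or its author: a password policy check, salted and iterated hashing with a constant-time comparison, and a small in-memory credential store that never keeps plaintext. The iteration count, minimum length and the deny-list of common passwords are constructed values for the example and would be tuned for production.

```python
import hashlib
import hmac
import re
import secrets
from typing import Dict, List, Optional

MIN_LENGTH = 12
PBKDF2_ITERATIONS = 200_000  # constructed value for this example; raise it to current guidance in production
# Constructed deny-list of well-known passwords; a real one would be much larger.
COMMON_PASSWORDS = {"password1234", "welcome12345", "qwerty123456"}


def check_password_policy(password: str) -> List[str]:
    """Return the list of policy rules the password breaks (empty means it passes)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not re.search(r"[A-Z]", password):
        problems.append("no upper-case letter")
    if not re.search(r"[a-z]", password):
        problems.append("no lower-case letter")
    if not re.search(r"[0-9]", password):
        problems.append("no digit")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("commonly used password")
    return problems


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salted, iterated PBKDF2-HMAC-SHA256. The salt and cost are stored alongside
    the digest so they can be raised later without a schema change."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    # Constant-time comparison: a plain == would leak how many leading bytes matched.
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


class CredentialStore:
    """Provisioning and authentication against stored hashes; no plaintext is kept."""

    def __init__(self) -> None:
        self._records: Dict[str, str] = {}

    def provision(self, user_id: str, password: str) -> None:
        problems = check_password_policy(password)
        if problems:
            raise ValueError("password rejected: " + "; ".join(problems))
        self._records[user_id] = hash_password(password)

    def authenticate(self, user_id: str, password: str) -> bool:
        stored = self._records.get(user_id)
        if stored is None:
            # Spend the same effort for unknown ids so timing does not reveal which ids exist.
            hash_password(password)
            return False
        return verify_password(password, stored)


if __name__ == "__main__":
    store = CredentialStore()
    store.provision("user-1", "Correct-Horse-Battery-9")
    print(store.authenticate("user-1", "Correct-Horse-Battery-9"))
    print(check_password_policy("password1234"))
```

Two hashes of the same password differ because each call draws a fresh salt, which is what stops a leaked table from being attacked with one precomputed list; the per-user cost parameter stored in the record is what lets the "Who manages it?" question be answered with a documented, upgradable policy rather than a fixed secret.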

Page 28

Thank You

Follow Me
Email: [email protected]
Facebook: http://www.facebook.com/kannan.subbiah
LinkedIn: http://in.linkedin.com/in/ksubbiah
Blog: http://www.kannan-subbiah.com