Security Architecture Best Practices for SaaS Applications

24-March-2014

Instructions

US | UK | BENELUX | ME | IND©1996-2015 Aspire Systems, Inc.

If you have any questions, please type them in the question tab located at the top.

We will provide answers during the Q&A session towards the end of the webinar.

Thanks for your participation and enjoy the session.

We request everyone to take part in the survey that pops up.

If you do not receive answers to your questions today, you will certainly receive them via email shortly.

Speakers

Janaki Jayachandran, Cloud Solutions Architect, Aspire Systems

Jothi Rengarajan, Principal Architect – SaaS Solutions, Aspire Systems

About Aspire

• Global technology services firm with core DNA of software engineering
• Specific areas of expertise around Software Engineering, Enterprise Solutions, Testing and Infrastructure & Application Support
• Vertical focus among Independent Software Vendors and Retail, Distribution & Consumer Products
• 1400+ employees; 100+ active customers
• ISO 9001:2008 and ISO 27001:2005 certified
• Presence across US, UK, Benelux, Middle East and India
• Recognized five consecutive times as “Best Place to Work for” by GPW Institute

Agenda

• Shared Responsibility Model
• Infrastructure and network related security risks and solutions
• Security considerations in each of the architecture layers
• Data isolation risks and mitigation plans
• Overview of OWASP Security threats

“…sometimes risk is compensated with opportunity…”

The Ever-growing Security Threat

[Chart: Unsafe websites detected per week, Jan 2007 – Mar 2015]

[Chart: Sites hosting malware detected per week, Jan 2007 – Mar 2015]

Notorious Nine Cloud Threats

Source: CSA Notorious Nine Top Threats

• Data Breaches
• Data loss
• Account/Service traffic hijacking
• Insecure APIs
• Denial of Service
• Malicious Insiders
• Abuse of cloud services
• Insufficient Due Diligence
• Shared Technology

Major Data Breach Incidents on Cloud

2015
• In February 2015, Anthem suffered a data breach of nearly 80 million records.

2014
• In August 2014, nearly 200 photographs of celebrities were posted to the image board website 4chan.
• In September 2014, Home Depot suffered a data breach of 56 million credit card numbers.
• In October 2014, Staples suffered a data breach of 1.16 million customer payment cards.

2013
• In October 2013, Adobe Systems revealed that their corporate database was hacked and some 130 million user records were stolen.
• In late November to early December 2013, Target Corporation announced that data from around 40 million credit and debit cards was stolen.

Shared Responsibility Model

SaaS ISVs most commonly use IaaS services to deliver their solution.

SaaS Provider - ISV
• Compliance with customer privacy and data protection laws
• Management of passwords/private keys
• IDM Management and access control
• Application authentication mechanism
• Management of OS, Security patches, etc.

Cloud/Infra Provider
• Physical support of infrastructure
• Physical infrastructure security and availability
• OS Patch management and hardening procedures
• Security platform configuration, maintenance and monitoring
• Increased ownership on managed services

How Safe Is Your Data?

[Figure: United States, United Kingdom, Canada, Australia, Germany]

Source: Hogan Lovells White Paper on Governmental Access

Hardware Level Risks

• Virtualization software used
• Implement encryption best practices at all layers/services
• Logically group environments and restrict access within them
• Leverage Dedicated Tenancy level groupings to minimize risks
• Define the protocol for accessing keys

OS Security and Access

• Patch management
• Operating System
• Anti-Virus and Anti-malware
• OS Monitoring
• Penetration testing and vulnerability scanning
• Data Redundancy

Network Security and Access

• Compliance standards – PCI, HIPAA, etc.
• Network firewall
• Virtual Private Network
• Single Sign On
• Inter region and intra region transfer of data
• Backup data storage location and access control

International Security Standards

• COBIT 5 – Controls and Assurance in the Cloud
• CSA Guides
• AICPA Service Organization Control (SOC) 1 Report
• AICPA/CICA Trust Services (SysTrust and WebTrust)
• ISO 2700x — Information security management system (ISMS)
• Cloud Security Matrix — By Cloud Security Alliance
• NIST SP 800-53 — The NIST IT security controls standards
• Health Information Trust Alliance (HITRUST)
• BITS — The BITS Shared Assessment Program contains the Standardized Information Gathering (SIG) questionnaire and Agreed Upon Procedures (AUP).
• European Network and Information Security Agency (ENISA) — Cloud Computing: Benefits, Risks and Recommendations for Information Security.

Poll

SaaS Security Architecture Goals

Protection of information: the prevention and detection of unauthorized actions, and ensuring the confidentiality and integrity of data.

SaaS Application Security Areas
• Database access control
• SaaS application access control
• Access control for third party applications and the mobile layer integrated with your SaaS application
• Data in transit security
• Data at rest security
• Audits

Tenant Data Isolation

Design for a Hybrid Approach

• DB Interceptor
• Service Security Scanner
• Tenant Based View Filter
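The DB Interceptor and Tenant Based View Filter are the controls that take tenant isolation out of the hands of individual developers. The following Python example is added here and is not code from the deck or from Aspire Systems: it assumes a constructed sqlite schema in which every tenant-scoped table carries a tenant_id column, and shows an interceptor class (TenantScopedConnection, a constructed name) that adds the tenant predicate to every statement, forbids changing tenant_id, and builds a per-tenant view for reporting code.

```python
"""Tenant-scoped database interceptor (added example, not from the deck)."""
import sqlite3
from typing import Sequence

# Constructed schema: every tenant-scoped table carries a tenant_id column.
TENANT_SCOPED_TABLES = {"customers", "invoices"}


class TenantViolation(Exception):
    """Raised when a statement would read or write outside the caller's tenant."""


def _ident(name: str) -> str:
    # Only bare identifiers may be interpolated into SQL text; values go via placeholders.
    if not name.isidentifier():
        raise ValueError(f"bad identifier: {name!r}")
    return name


class TenantScopedConnection:
    """Interceptor between application code and the database.

    Every statement against a tenant-scoped table gets the tenant predicate added
    here, so isolation does not depend on each developer remembering it.
    """

    def __init__(self, conn: sqlite3.Connection, tenant_id: int) -> None:
        self._conn = conn
        self.tenant_id = int(tenant_id)

    def _scoped(self, table: str) -> str:
        table = _ident(table)
        if table not in TENANT_SCOPED_TABLES:
            raise TenantViolation(f"{table} is not registered as tenant-scoped")
        return table

    def select(self, table: str, columns: Sequence[str],
               where: str = "1=1", params: Sequence = ()) -> list[tuple]:
        table = self._scoped(table)
        cols = ", ".join(_ident(c) for c in columns)
        # The developer's WHERE clause is AND-ed with the tenant filter; it cannot widen it.
        sql = f"SELECT {cols} FROM {table} WHERE tenant_id = ? AND ({where})"
        return self._conn.execute(sql, (self.tenant_id, *params)).fetchall()

    def insert(self, table: str, row: dict) -> None:
        table = self._scoped(table)
        if row.get("tenant_id", self.tenant_id) != self.tenant_id:
            raise TenantViolation("row tenant_id does not match the session tenant")
        row = {**row, "tenant_id": self.tenant_id}  # the session, not the caller, sets the tenant
        cols = ", ".join(_ident(c) for c in row)
        marks = ", ".join("?" for _ in row)
        self._conn.execute(f"INSERT INTO {table} ({cols}) VALUES ({marks})", tuple(row.values()))

    def update(self, table: str, changes: dict, where: str, params: Sequence = ()) -> int:
        table = self._scoped(table)
        if "tenant_id" in changes:
            raise TenantViolation("tenant_id is immutable")
        sets = ", ".join(f"{_ident(c)} = ?" for c in changes)
        sql = f"UPDATE {table} SET {sets} WHERE tenant_id = ? AND ({where})"
        cur = self._conn.execute(sql, (*changes.values(), self.tenant_id, *params))
        return cur.rowcount

    def tenant_view(self, table: str) -> str:
        """Tenant-based view filter: a view exposing only this tenant's rows, for
        reporting code that is handed a view name instead of the raw table."""
        table = self._scoped(table)
        name = f"v_{table}_t{self.tenant_id}"
        # View definitions cannot take bind parameters, so the (int-cast) tenant id is inlined.
        self._conn.execute(f"CREATE VIEW IF NOT EXISTS {name} AS "
                           f"SELECT * FROM {table} WHERE tenant_id = {self.tenant_id}")
        return name


def demo_isolation() -> dict:
    """Populate two constructed tenants and show that each session sees only its own rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE invoices (id INTEGER PRIMARY KEY, "
                 "tenant_id INTEGER NOT NULL, amount INTEGER)")
    acme, globex = TenantScopedConnection(conn, 1), TenantScopedConnection(conn, 2)
    acme.insert("invoices", {"amount": 100})
    acme.insert("invoices", {"amount": 250})
    globex.insert("invoices", {"amount": 999})

    # A caller-supplied predicate that is always true still cannot cross tenants.
    acme_rows = acme.select("invoices", ["amount"], "amount >= ?", (0,))
    globex_rows = globex.select("invoices", ["amount"], "1=1")
    # An update from tenant 2 aimed at tenant 1's invoice id touches zero rows.
    touched = globex.update("invoices", {"amount": 0}, "id = ?", (1,))
    view_rows = conn.execute(f"SELECT amount FROM {acme.tenant_view('invoices')}").fetchall()
    return {
        "acme": sorted(r[0] for r in acme_rows),
        "globex": sorted(r[0] for r in globex_rows),
        "cross_tenant_update_rows": touched,
        "acme_view": sorted(r[0] for r in view_rows),
    }


if __name__ == "__main__":
    print(demo_isolation())
```

The interceptor is the only path application code gets to the tenant-scoped tables; handing out the raw connection would reintroduce the anti-pattern of relying on developers to remember the tenant filter.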

ACL Architecture

Role Based Access Control (RBAC) - Authentication

• Custom Username/Password Authentication
• AD Integrated SSO
• Open ID Authentication
• Multi factor authentication
• Hybrid Authentication Support

Role Based Access Control (RBAC)

ACL For Resources
• Web Endpoints
• Rest Endpoints
• Actions
• Data Fields

• Identity Management
• ACL Metadata/Definition service
• Decision Service
• Enforcement Service
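The split into an ACL definition service, a decision service and an enforcement service, with ACLs attached to web endpoints, REST endpoints, actions and data fields, is shown in the following added Python example; it is not code from the deck or from Aspire Systems. The class names, the billing roles and the invoice privileges are constructed. Roles only bundle privileges and every resource is checked against a privilege, which is the alternative to the anti-pattern of tying access control rigidly to roles; unknown resources are denied by default, so a handler cannot be reached without an ACL entry.

```python
"""Privilege-based ACL with separate definition, decision and enforcement services
(added example, not from the deck)."""
from dataclasses import dataclass
from functools import wraps
from typing import Callable, Iterable


class AccessDenied(Exception):
    pass


@dataclass(frozen=True)
class Subject:
    user: str
    tenant_id: int
    roles: frozenset


class AclDefinitionService:
    """ACL metadata: which privileges each role grants, and which privilege each
    resource (endpoint, action or data field) requires."""

    def __init__(self) -> None:
        self.role_privileges: dict[str, set[str]] = {}
        self.resource_requirements: dict[str, str] = {}

    def grant(self, role: str, *privileges: str) -> None:
        self.role_privileges.setdefault(role, set()).update(privileges)

    def require(self, resource: str, privilege: str) -> None:
        self.resource_requirements[resource] = privilege

    def privileges_of(self, subject: Subject) -> set[str]:
        return set().union(*(self.role_privileges.get(r, set()) for r in subject.roles))

    def requirement_for(self, resource: str) -> str:
        if resource not in self.resource_requirements:
            raise AccessDenied(f"no ACL entry for {resource}")  # deny by default
        return self.resource_requirements[resource]


class AclDecisionService:
    """Answers allow/deny questions and has no side effects on the request."""

    def __init__(self, definitions: AclDefinitionService) -> None:
        self.defs = definitions

    def is_allowed(self, subject: Subject, resource: str) -> bool:
        try:
            needed = self.defs.requirement_for(resource)
        except AccessDenied:
            return False
        return needed in self.defs.privileges_of(subject)

    def visible_fields(self, subject: Subject, entity: str, fields: Iterable[str]) -> list[str]:
        return [f for f in fields if self.is_allowed(subject, f"field:{entity}.{f}")]


class AclEnforcementService:
    """Applies decisions at the service layer so handlers cannot forget the check."""

    def __init__(self, decisions: AclDecisionService) -> None:
        self.decide = decisions

    def protect(self, resource: str) -> Callable:
        def decorator(handler: Callable) -> Callable:
            @wraps(handler)
            def wrapper(subject: Subject, *args, **kwargs):
                if not self.decide.is_allowed(subject, resource):
                    raise AccessDenied(f"{subject.user} lacks access to {resource}")
                return handler(subject, *args, **kwargs)
            return wrapper
        return decorator

    def filter_record(self, subject: Subject, entity: str, record: dict) -> dict:
        allowed = self.decide.visible_fields(subject, entity, record)
        return {k: v for k, v in record.items() if k in allowed}


# Constructed ACL metadata for a billing module.
defs = AclDefinitionService()
defs.grant("billing_clerk", "invoice:read")
defs.grant("billing_manager", "invoice:read", "invoice:approve", "invoice:read_margin")
defs.require("GET /api/invoices", "invoice:read")          # REST endpoint
defs.require("action:invoice.approve", "invoice:approve")  # action
defs.require("field:invoice.id", "invoice:read")           # data fields
defs.require("field:invoice.amount", "invoice:read")
defs.require("field:invoice.margin", "invoice:read_margin")

enforce = AclEnforcementService(AclDecisionService(defs))


@enforce.protect("GET /api/invoices")
def list_invoices(subject: Subject) -> list[dict]:
    # Constructed rows; field-level filtering is applied to every row returned.
    rows = [{"id": 1, "amount": 100, "margin": 30}, {"id": 2, "amount": 250, "margin": 90}]
    return [enforce.filter_record(subject, "invoice", r) for r in rows]


@enforce.protect("action:invoice.approve")
def approve_invoice(subject: Subject, invoice_id: int) -> str:
    return f"invoice {invoice_id} approved by {subject.user}"


if __name__ == "__main__":
    clerk = Subject("alice", 1, frozenset({"billing_clerk"}))
    print(list_invoices(clerk))
```

Because the enforcement decorator and the field filter both consult the decision service, adding a new endpoint or field without an ACL entry fails closed rather than open.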

REST API Access Control

Identity
• Common identity for an application
• Granular User Identity

Sources
• External Applications
• Mobile Applications

Mechanisms
• Access Keys
• OAUTH 2.0
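Access keys give an external or mobile application a common identity when it calls REST endpoints. The added Python example below (not code from the deck or from Aspire Systems) shows the server-side check of an HMAC-signed request: the key id identifies the calling application, the signature binds method, path, timestamp and body hash, stale timestamps are rejected, and an optional replay cache rejects a signature seen before within the window. The key table, header names, secrets and the 300-second window are constructed.

```python
"""Access-key request authentication for a REST API (added example, not from the deck)."""
import hashlib
import hmac
import time
from typing import Optional

# Constructed key store: access key id -> secret and the application it identifies.
# In a real deployment this lives in a key store, never in source control.
ACCESS_KEYS = {
    "AK_MOBILE_APP": {"secret": b"constructed-secret-1", "app": "mobile-app"},
    "AK_PARTNER_ERP": {"secret": b"constructed-secret-2", "app": "partner-erp"},
}
MAX_SKEW_SECONDS = 300  # constructed tolerance for clock drift


class AuthError(Exception):
    pass


def canonical_string(method: str, path: str, timestamp: str, body: bytes) -> bytes:
    """Everything the signature covers; hashing the body keeps the string small."""
    body_hash = hashlib.sha256(body).hexdigest()
    return "\n".join([method.upper(), path, timestamp, body_hash]).encode()


def sign_request(key_id: str, secret: bytes, method: str, path: str, body: bytes,
                 now: Optional[float] = None) -> dict:
    """Client side: produce the headers that accompany the request."""
    ts = str(int(time.time() if now is None else now))
    mac = hmac.new(secret, canonical_string(method, path, ts, body), hashlib.sha256).hexdigest()
    return {"X-Key-Id": key_id, "X-Timestamp": ts, "X-Signature": mac}


def authenticate(headers: dict, method: str, path: str, body: bytes,
                 now: Optional[float] = None, seen_signatures: Optional[set] = None) -> str:
    """Server side: verify the request and return the application identity it was signed by."""
    entry = ACCESS_KEYS.get(headers.get("X-Key-Id", ""))
    if entry is None:
        raise AuthError("unknown access key")
    ts = headers.get("X-Timestamp", "")
    current = time.time() if now is None else now
    if not ts.isdigit() or abs(current - int(ts)) > MAX_SKEW_SECONDS:
        raise AuthError("timestamp outside the allowed window")
    expected = hmac.new(entry["secret"], canonical_string(method, path, ts, body),
                        hashlib.sha256).hexdigest()
    provided = headers.get("X-Signature", "")
    if not hmac.compare_digest(expected, provided):  # constant-time comparison
        raise AuthError("bad signature")
    if seen_signatures is not None:  # replay cache; entries only need to live for the window
        if provided in seen_signatures:
            raise AuthError("replayed request")
        seen_signatures.add(provided)
    return entry["app"]


if __name__ == "__main__":
    hdrs = sign_request("AK_MOBILE_APP", ACCESS_KEYS["AK_MOBILE_APP"]["secret"],
                        "POST", "/api/invoices", b'{"amount":100}')
    print(authenticate(hdrs, "POST", "/api/invoices", b'{"amount":100}'))
```

The application identity returned here is the "common identity"; a granular user identity for the same request would be carried as a separately verified claim (for example an OAuth 2.0 access token) rather than derived from the access key.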

OWASP – Top Threats

A1 Injection
A2 Broken Authentication and Session Management (was formerly A3)
A3 Cross-Site Scripting (XSS) (was formerly A2)
A4 Insecure Direct Object References
A5 Security Misconfiguration (was formerly A6)
A6 Sensitive Data Exposure (merged from former A7 Insecure Cryptographic Storage and former A9 Insufficient Transport Layer Protection)
A7 Missing Function Level Access Control (renamed/broadened from former A8 Failure to Restrict URL Access)
A8 Cross-Site Request Forgery (CSRF) (was formerly A5)
A9 Using Known Vulnerable Components (new, but was part of former A6 – Security Misconfiguration)
A10 Unvalidated Redirects and Forwards

Security Testing

• Dynamic Testing
• Static Testing
• Security Verification

Data at Transit and Rest

Data at Rest
• Adopt Symmetric Key encryption
• Use Strong Keys
• Encrypt Your Encryption key
• Use Strong Key Stores
• Keep the Key Away From Data
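The five data-at-rest points above describe envelope encryption: a per-record data key encrypts the data, a key-encryption key held in a separate key store encrypts the data key, and the data store never sees the key-encryption key. The following Python example is added here and is not code from the deck or from Aspire Systems. To run on the standard library alone it builds its cipher from HMAC-SHA256 in counter mode with an encrypt-then-MAC tag; in production the same structure would use a vetted AEAD such as AES-GCM from a crypto library. KeyStore, DataStore and the sample record are constructed.

```python
"""Envelope encryption for data at rest (added example, not from the deck)."""
import hashlib
import hmac
import secrets

NONCE_LEN = 16
TAG_LEN = 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 as a PRF in counter mode: keystream = HMAC(key, nonce || counter)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC with domain-separated subkeys. Output: nonce || ciphertext || tag."""
    enc_key = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()
    nonce = secrets.token_bytes(NONCE_LEN)  # fresh per message, never reused with a key
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_(key: bytes, blob: bytes) -> bytes:
    """Verify the tag before decrypting; a wrong key or tampered blob fails here."""
    enc_key = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(hmac.new(mac_key, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("integrity check failed")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


class KeyStore:
    """Holds the key-encryption key (KEK) and lives apart from the data store;
    stands in for an HSM or managed key service."""

    def __init__(self) -> None:
        self._kek = secrets.token_bytes(32)  # "use strong keys": 256 bits from the CSPRNG

    def wrap(self, dek: bytes) -> bytes:      # "encrypt your encryption key"
        return seal(self._kek, dek)

    def unwrap(self, wrapped: bytes) -> bytes:
        return open_(self._kek, wrapped)


class DataStore:
    """Stores only ciphertext plus the wrapped data key; never sees the KEK."""

    def __init__(self) -> None:
        self.rows: dict[str, dict] = {}

    def put(self, key_store: KeyStore, record_id: str, plaintext: bytes) -> None:
        dek = secrets.token_bytes(32)  # fresh data-encryption key per record
        self.rows[record_id] = {"wrapped_dek": key_store.wrap(dek), "blob": seal(dek, plaintext)}

    def get(self, key_store: KeyStore, record_id: str) -> bytes:
        row = self.rows[record_id]
        return open_(key_store.unwrap(row["wrapped_dek"]), row["blob"])

    def contains_plaintext(self, needle: bytes) -> bool:
        """Sanity check that neither the data nor the data key is stored in the clear."""
        return any(needle in r["blob"] or needle in r["wrapped_dek"] for r in self.rows.values())


if __name__ == "__main__":
    ks, ds = KeyStore(), DataStore()
    ds.put(ks, "card-1", b"4111111111111111")  # constructed sample value
    print(ds.get(ks, "card-1"))
```

Rotating the KEK only requires re-wrapping the small data keys, not re-encrypting every record, which is the practical payoff of the "encrypt your encryption key" layer.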

Data at Transit
• Browser to web: this can be secured via HTTPS.
• Between web and services: this can also be secured using HTTPS in the case of REST services.
• Direct access to application services: secured via HTTPS, or you could use message encoding. If the services are SOAP based, use the WS-* security protocols.
• Application to database: servers such as Oracle and MSSQL Server support
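"Secured via HTTPS" between web and services only holds if the calling side actually verifies the server. The added Python example below (not code from the deck or from Aspire Systems) puts the weak client setting next to the hardened one using the standard ssl module: certificate verification and hostname checking on, and a TLS 1.2 floor. The check function is a constructed helper for a startup self-test.

```python
"""Weak versus hardened TLS client settings for service-to-service HTTPS
(added example, not from the deck)."""
import ssl


def weak_client_context() -> ssl.SSLContext:
    """Anti-pattern often found in internal service clients: no certificate validation,
    so any intermediary can terminate the connection and read the traffic."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False      # must be cleared before verify_mode can be CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_client_context() -> ssl.SSLContext:
    """Verify the server certificate against the system CA store, check the hostname,
    and refuse protocol versions below TLS 1.2."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED and check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def context_is_acceptable(ctx: ssl.SSLContext) -> bool:
    """Startup self-test: reject a context that would silently accept an unverified peer."""
    return (ctx.verify_mode == ssl.CERT_REQUIRED
            and bool(ctx.check_hostname)
            and ctx.minimum_version >= ssl.TLSVersion.TLSv1_2)


if __name__ == "__main__":
    print("weak:", context_is_acceptable(weak_client_context()))
    print("hardened:", context_is_acceptable(hardened_client_context()))
```

The same two settings are the ones to inspect in any HTTP client library configuration: a "verify=False" style switch is the weak context above under another name.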

Security Audit

User Action Audit
• Audit all user actions
• Capture the entry URL, time, location details, browser details, response status and any exceptions
• Provide analysis on the user actions
• Can be customized at the application layer, or can use the web server logs


Event Audit
• Audit positive events, and more importantly audit negative events
• Should cover:
  • Who does the action?
  • What action is performed?
  • What is the context in which the operation is performed?
  • What time is the action performed?
• Audit details stored in a separate datastore for better performance
• Real-time audit details – audit cache server


Transaction and Change Audit
• Transaction Audit
  • Snapshot: an exact copy of the row stored in history tables
  • More suitable if requests to access past data are frequent
  • More data growth
• Change Audit
  • Only the delta of the state change is captured in change tables
  • More suitable when changes need to be reported and past data is not required much
  • Used more for security tracking purposes
  • Easier to implement by using methods available out of the box in an RDBMS, such as CDC for SQL Server
• Asynchronous Mode: for better performance, and so that the audit does not roll back the transaction, it is advisable to audit in an asynchronous thread.
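The user action audit, the event audit (who, what, context, when, negative events included) and the asynchronous change audit described in the three slides above are combined in the following added Python example; it is not code from the deck or from Aspire Systems. AuditStore is a constructed stand-in for the separate audit datastore: records are queued and written by a background thread so the business operation never waits on the audit write, and row_delta captures only the changed fields in the change-audit style. The invoice operation, request details and user names are constructed.

```python
"""Asynchronous event and change audit written to a separate store
(added example, not from the deck)."""
import json
import queue
import sqlite3
import threading
import time
from typing import Optional


class AuditStore:
    """Separate datastore for audit rows, fed by a background writer thread so the
    business transaction neither waits on nor rolls back because of the audit write."""

    def __init__(self) -> None:
        self._db = sqlite3.connect(":memory:", check_same_thread=False)
        self._db.execute("CREATE TABLE audit (ts REAL, who TEXT, tenant INTEGER, what TEXT, "
                         "context TEXT, outcome TEXT, detail TEXT)")
        self._q: queue.Queue = queue.Queue()
        threading.Thread(target=self._writer, daemon=True).start()

    def _writer(self) -> None:
        while True:
            row = self._q.get()
            try:
                self._db.execute("INSERT INTO audit VALUES (?,?,?,?,?,?,?)", row)
                self._db.commit()
            finally:
                self._q.task_done()

    def record(self, who: str, tenant: int, what: str, context: dict,
               outcome: str, detail: Optional[dict] = None) -> None:
        # who / what / context / when, plus the outcome so negative events are kept too.
        self._q.put((time.time(), who, tenant, what, json.dumps(context), outcome,
                     json.dumps(detail)))

    def flush(self) -> None:
        """Wait until every queued record has been written (used by tests and shutdown)."""
        self._q.join()

    def query(self, outcome: Optional[str] = None) -> list[tuple]:
        sql, params = "SELECT who, what, outcome, detail FROM audit", ()
        if outcome:
            sql, params = sql + " WHERE outcome = ?", (outcome,)
        return self._db.execute(sql + " ORDER BY ts", params).fetchall()


def row_delta(before: dict, after: dict) -> dict:
    """Change audit: only the fields whose value changed, as {field: [old, new]}."""
    keys = set(before) | set(after)
    return {k: [before.get(k), after.get(k)] for k in sorted(keys)
            if before.get(k) != after.get(k)}


def update_invoice(audit: AuditStore, who: str, tenant: int, request: dict,
                   before: dict, changes: dict) -> dict:
    """Business operation with user-action and change audit; a rejected request is
    audited as a negative event before the error is raised."""
    ctx = {"url": request["url"], "client": request["client"], "ip": request["ip"]}
    if changes.get("amount", 0) < 0:
        audit.record(who, tenant, "invoice.update", ctx, "denied",
                     {"reason": "negative amount", "invoice": before["id"]})
        raise ValueError("negative amount")
    after = {**before, **changes}
    audit.record(who, tenant, "invoice.update", ctx, "ok",
                 {"invoice": before["id"], "delta": row_delta(before, after)})
    return after


def demo() -> dict:
    """Constructed scenario: one accepted update and one rejected update."""
    audit = AuditStore()
    req = {"url": "/api/invoices/7", "client": "Mozilla/5.0 (constructed)", "ip": "203.0.113.10"}
    inv = {"id": 7, "amount": 100, "status": "open"}
    inv = update_invoice(audit, "alice", 1, req, inv, {"amount": 120, "status": "approved"})
    try:
        update_invoice(audit, "mallory", 1, req, inv, {"amount": -5})
    except ValueError:
        pass
    audit.flush()
    ok, denied = audit.query("ok"), audit.query("denied")
    return {"total": len(audit.query()), "denied_by": denied[0][0],
            "delta": json.loads(ok[0][3])["delta"], "after": inv}


if __name__ == "__main__":
    print(demo())
```

The writer thread here is the simplest form of the asynchronous mode; a production version would hand the queue to a durable broker so that audit records survive a process crash, but the contract is the same: the business transaction commits regardless of the audit write.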

Anti-Patterns

Let me summarize some of the anti-patterns in the security of a SaaS application. Unfortunately we also find them a lot in practice.

• Opening the DB access to tenants directly
• Depending on the developers to handle tenant isolation
• Storing keys for encryption loosely
• Storing connection strings without encryption
• Encrypting unnecessary data
• Loose physical access policy for the production database
• Rigid access control tied to roles instead of privileges
• Depending on developers to handle authorization checks
• Loose authentication mechanism for REST service calls or other gateways
• Lack of access control enforcement at the service layer
• Lack of audits

Q & A

Thank You