Security Architecture Best Practices for SaaS Applications 22-May-2014 www.techcello.com
Housekeeping Instructions
• All phones are set to mute. If you have any questions, please type them in the Chat window located beside the presentation panel.
• We have already received several questions from the registrants, which will be answered by the speakers during the Q & A session.
• We will continue to collect questions during the session and will try to answer them today.
• If you do not receive answers to your questions today, you will certainly receive answers via email shortly.
• Thanks for your participation and enjoy the session!
TechCello Introduction
• Cloud-ready, multi-tenant SaaS application development framework
• Provides an end-to-end SaaS lifecycle management solution
• Redefines the way SaaS products are built and managed
• Saves anywhere between 30%-50% of time and cost
Speaker Profiles
• Last two decades in Consulting, Assurance & Training in IS Security, IT Compliance/Governance, Enterprise Risk Management, Risk-based Internal Audit and Digital Forensics
• Directed and managed projects in the areas of IS Security Implementation, Cyber Crime Forensics & Cyber Law Consulting, Network & Web Application Vulnerability Assessments
• Specialist trainer in IT Risk Management and Information Security
• 14+ years of experience in architecting cloud and SaaS solutions for both ISVs and Enterprises
• Chief architect in designing and constructing the TechCello framework
• Plays a consultative role with customers in implementing technical solutions
Gartner forecasts on SaaS
• SaaS market set to top $22 b by 2015
• Surge in software spend by 2015; stratification of SaaS
• CRM, ERP and office & productivity SaaS in the lead
• Multi-tenancy is the way to go, supported by innovative tech
• Customer concerns: Continuity, Security & Contractual
What’s slowing down SaaS adoption?
• Application Control & Security Governance
• Contractual Transparency & SLA Assurance
• Business Continuity & Resilience
• Security Management
• Security of Data in a multi-tenancy model
• Risk-driven Security Management
• Identity and Access Management (IAM) – Adequacy, Sustainability
• Privacy and Regulatory concerns
• Data location, Privacy Compliance, IAM, Licensing, Legal & Electronic Discovery
• Customisation & Transitioning out
• Continual Independent Assurance
• Pricing Indemnity
Framework-based approach driven by Stakeholder Expectations (goals cascade: Stakeholder Expectations, Goals, Results). Source: COBIT 5®, ITGI
Key Control Drivers (control domains from the CSA Cloud Controls Matrix)
• Application & Interface Security
• Data Security & Information Life Cycle Management
• Encryption & Key Management
• Infrastructure & Virtualisation Security
• Data Centre Security
• Identity & Access Management
• Change Control & Configuration Management
• Supply Chain Management, Transparency & Accountability
• Human Resources
• Business Continuity & Operational Resilience
• Audit, Assurance & Compliance
• Governance & Risk Management
Source: CCSA – CCS Matrix
Holistic approach for sustainable governance Source: COBIT 5®, ITGI
Managing Operational Risks in SaaS Services
• Security Management
• Security Framework – Encryption, Data Exchange Controls
• Transition Management
• Monitoring Capabilities
• Billing Control
• Litigation Clauses
• Regulatory Compliance
SaaS Governance Framework – Client
• Risk Assessment & Management
• Service Level Management
• Performance Management (Metrics & Mechanisms)
• Auditability and Audits
• Risk Management & Assurance
• Standards & Certification
• Assurance by CSP
• Insurance
• Contract Governance
International Standards
• COBIT 5 – Controls and Assurance in the Cloud
• CSA Guides
• AICPA Service Organization Control (SOC) 1 Report
• AICPA/CICA Trust Services (SysTrust and WebTrust)
• ISO 2700x – Information Security Management System (ISMS)
• Cloud Controls Matrix – by the Cloud Security Alliance
• NIST SP 800-53 – the NIST IT security controls standard; Health Information Trust Alliance (HITRUST)
• BITS – the BITS Shared Assessment Program, which contains the Standardized Information Gathering (SIG) questionnaire and Agreed Upon Procedures (AUP)
• European Network and Information Security Agency (ENISA) – Cloud Computing: Benefits, Risks and Recommendations for Information Security
Feel free to contact me with your questions, comments & feedback:
R Vittal Raj
firstname.lastname@example.org
LinkedIn: rvittalraj
SaaS Customer Concerns
• Data Storage and Segregation
  • Is it a dedicated or a shared environment?
  • If it is a shared environment, how is the data segregated from other tenants sharing that environment?
  • How is security managed in the shared environment? What controls are in place?
• Access Control (ACL)
  • What type of identity management solution is provided?
  • Is Single Sign-On (SSO) provided? What types of SSO options are available: SAML, OAuth, etc.?
  • What type of user store is available? Can this user store be integrated with Active Directory or any other user store database?
  • What type of user security, authentication and authorization options are available?
SaaS Customer Concerns
• Data Security
  • How is the primary data encrypted? What encryption schemes are used? Who has access to the decryption keys? How often is this tested?
• Audits
  • What application and data access audit logs are available? How often can you get them?
  • What type of investigative support is provided in case of a breach?
SaaS Security Architecture Goals
Protection of information: the prevention and detection of unauthorized actions, and ensuring the confidentiality and integrity of data.
• Robust tenant data isolation
• Flexible RBAC – prevent unauthorized actions
• Proven data security
• Prevention of the top web-related threats as per OWASP
• Strong security audit logs
Tenant Data Isolation Design for a Hybrid Approach
Tenant Data Isolation
• Database Routing Based On Tenant
• Application Layer Auto Tenant Filter
• Tenant Based View Filter
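The three isolation mechanisms above combined in one tenant-scoped data access layer, as an added illustration in Python with SQLite (not TechCello's own code); the tenant names, routing table and invoices table are constructed for the example.

```python
import sqlite3

# Constructed sample deployment (not TechCello's code): tenants "acme" and
# "globex" share one database with row-level isolation, tenant "initech" has a
# dedicated database. Both are in-memory SQLite so the example runs offline.
_shared = sqlite3.connect(":memory:")
_dedicated = sqlite3.connect(":memory:")
TENANT_ROUTING = {"acme": _shared, "globex": _shared, "initech": _dedicated}

for _db in (_shared, _dedicated):
    _db.execute("CREATE TABLE invoices (id INTEGER PRIMARY KEY, "
                "tenant_id TEXT NOT NULL, amount INTEGER NOT NULL)")
_shared.executemany("INSERT INTO invoices (tenant_id, amount) VALUES (?, ?)",
                    [("acme", 100), ("acme", 250), ("globex", 75)])
_dedicated.execute("INSERT INTO invoices (tenant_id, amount) VALUES (?, ?)",
                   ("initech", 999))


class TenantRepository:
    """Data access bound to one tenant taken from the authenticated session,
    never from request parameters, so a caller cannot ask for another tenant."""

    def __init__(self, tenant_id):
        if tenant_id not in TENANT_ROUTING or not tenant_id.isidentifier():
            raise PermissionError(f"no database routed for tenant {tenant_id!r}")
        self.tenant_id = tenant_id
        # 1. Database routing based on tenant: dedicated or shared instance.
        self.db = TENANT_ROUTING[tenant_id]

    def invoices(self, min_amount=0):
        # 2. Application-layer auto tenant filter: the tenant predicate is
        #    appended by the repository, so no query can omit it.
        rows = self.db.execute(
            "SELECT id, tenant_id, amount FROM invoices "
            "WHERE tenant_id = ? AND amount >= ? ORDER BY id",
            (self.tenant_id, min_amount)).fetchall()
        return [{"id": r[0], "tenant_id": r[1], "amount": r[2]} for r in rows]

    def tenant_view(self):
        # 3. Tenant-based view filter: a per-tenant view inside the database,
        #    for reporting tools that issue raw SQL. View DDL cannot take bind
        #    parameters, so the tenant id was restricted to a plain identifier.
        name = f"invoices_{self.tenant_id}"
        self.db.execute(f"CREATE VIEW IF NOT EXISTS {name} AS SELECT id, amount "
                        f"FROM invoices WHERE tenant_id = '{self.tenant_id}'")
        return name

    def count_via_view(self):
        # Reads through the view only, which shows the filter holding.
        return self.db.execute(f"SELECT count(*) FROM {self.tenant_view()}").fetchone()[0]
```

In the shared database the filter, not the connection, is what keeps acme and globex apart, which is why the predicate is added centrally rather than left to each query.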
Cello Stack – At a Glance: How does it work?
• Administrative Modules: Tenant Provisioning, Licensing, Metering, Billing, Data Backup
• Security Modules: User Management, Role/Privilege Mgmt., Single Sign-on, Dynamic Data Scope, Auditing
• Configurability Modules: Custom Fields, Custom LoV, Settings Template, Themes & Logo, Pre & Post Processors
• Enterprise Engines / Integration Modules: Business Rules, Workflow, Dynamic Forms, Events, Notification Templates
• Ad-hoc Builders / Productivity Boosters: Query, Chart, Reports, Code Templates, Master Data Mgmt., Forms Generation
• Application Multi-Tenancy & Tenant Data Isolation
• Cello Cloud Adapters
Cloud Ready, Multi-Tenant Application Development Framework
Thank You
Contact Details
Jothi Rengarajan (email@example.com)
Vittal Raj (firstname.lastname@example.org)
Reference URLs
Web: http://www.techcello.com
ROI Calculator: http://www.techcello.com/techcello-roi-calculator
Demo Videos: http://www.techcello.com/techcello-resources/techcello-product-demo
SaaS e-Book: http://www.techcello.com/techcello-resources/techcello-resources-white-papers