SaaS as a Security Hazard - Google Apps Security Example

21 slides

Uploaded by newvewm, posted 30-Oct-2014 (category: Technology)

DESCRIPTION

As the borderline between a web site and an application blurs, so does the division between enterprise IT and the Internet. More and more enterprises adopt core applications that are provided as a service over the Internet. Until recently those were limited to vertical applications such as salesforce.com for sales automation and monster.com for recruiting, both of which have already suffered major security incidents that compromised customer data. Google's software push has led to enterprise adoption of general-purpose cloud services including office tools, mail and knowledge management, which presents an entirely new level of risk. In this presentation we will discuss the security risks of SaaS (Software as a Service) and review past incidents on such services. We will then dissect the security implications of using Google Apps as an example of a SaaS and create a checklist of things to examine in a SaaS offering before subscribing, to ensure that it provides sufficient security. Lastly we will discuss the solutions offered by Google as well as 3rd-party solutions.

TRANSCRIPT

Page 1: SaaS as a Security Hazard - Google Apps Security Example

©2011 Hewlett-Packard Development Company, L.P.

The information contained herein is subject to change without

notice

SaaS as a Security Hazard

The Google Apps example

Ofer Shezaf,

Product Manager, Security Solutions

HP ArcSight

[email protected]

Page 2

About Myself

I live in Kibbutz Yiftah, Israel

I create security products

Currently, Product Manager for Security Solutions at HP ArcSight

Prior to that, did security research and product management at Breach Security & at Fortify

I am an application security veteran

OWASP leader and founder of the OWASP Israeli chapter

Lead the Web Application Firewall Evaluation Criteria project

Wrote the ModSecurity Core Rule Set

I really try to learn what information security is

Read my blog at http://www.xiom.com

Be ready for some philosophy of science and cognitive psychology

Page 3

What are Google Apps?

Gmail, Calendar, Docs, Sites & Groups

Google's alternative to Exchange, SharePoint, Outlook and, to a lesser extent, to Office.

Better at sharing, and in a way familiar to users

Bottom-up push to adopt.

Page 4

If It Was Only Cloud…

Page 5

Google Apps Role in the IT Environment

[Diagram: hybrid delivery across Public Cloud, Traditional, Private Cloud and Managed Cloud, with SaaS marked at three positions and the labels "customization required" and "automated provisioning"]

1. Non-critical business services will move to SaaS providers who provide some level of security.

2. Some critical business services will be deployed in private clouds with customized security controls.

3. Some workloads will move to public clouds with security components provisioned in the image.

4. Security will be componentized and automatically deployed with workloads, based on the sensitivity of assets.

Note: future availability of hybrid capabilities.

Page 6

No, it is not about SQL injection

Google is better than your programmers in weeding out SQL injections.

So what is it about?

Page 7

Ownership

Page 8

Cloud Entrance Exam: Question 1

Who Owns The Data?

You?

Google?

Your Employee?

Google’s Employee?

Page 9

Cloud Entrance Exam: Question 2

Do You Compete With Google?

No (are you serious?)

We do, but not me

I don’t know

Yes (You Bet!)

Page 10

Cloud Entrance Exam: Question 3

Who Authorized Access to the Data?

Me

Google

Google, but only if the court asks

Google, but only if the Chinese ask

Page 11

Cloud Entrance Exam: Question 4

What About Illegal Material?

I never store such data!

… apart from competitive marketing and stolen images in presentations

… but Google would not interfere with my data

Or would they?

Page 12

Regulations

Page 13

It's All About Geography

Privacy

• National laws

• Limitation of transfer of data

Compliance

• PCI, SOX, SAS 70, ISO 27K…

Ownership

• Google or I?

So where is the data?

And who is responsible for it?

Page 14

Back To Basics

Page 15

Where and What do we Manage?

[Diagram: the same hybrid delivery picture (Public Cloud, Traditional, Private Cloud, Managed Cloud, SaaS) overlaid with the three things the enterprise still has to manage: Authentication, Authorization, Audit]

Note: future availability of hybrid capabilities.

Page 16

Authentication & User Management

Password strength is of extreme importance in web-based services.

• Complexity, length, lifetime

• Two-factor authentication is preferred.

Avoid requiring users to have multiple complex passwords.

• Otherwise you get sticky-note passwords.

Need to make sure users are created, terminated and transferred on all services.

SaaS MUST tie in to the enterprise directory.
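The lifecycle and two-factor points on this slide (create, terminate and transfer users on every service; prefer two-factor authentication) are checked in practice by reconciling the enterprise directory against the SaaS user list. The script below is an added example, not code from the deck or from Google: both user lists are constructed sample data, the field names (`active`, `org_unit`, `two_factor`, `last_login`) are assumptions rather than any real directory or SaaS schema, and the 90-day staleness threshold is likewise an assumption.

```python
"""Reconcile an enterprise directory export against a SaaS user list.

Added example, not code from the deck or from Google. Both lists below are
constructed sample data, and the field names are assumptions rather than any
real directory or SaaS schema.
"""
from dataclasses import dataclass
from datetime import date

STALE_DAYS = 90  # assumption: no login for 90 days is worth a review


@dataclass(frozen=True)
class DirectoryUser:
    email: str
    active: bool        # False once the directory/HR has terminated the person
    department: str


@dataclass(frozen=True)
class SaasUser:
    email: str
    suspended: bool
    is_admin: bool
    two_factor: bool
    org_unit: str       # SaaS-side grouping, expected to mirror the department
    last_login: date


# Constructed sample data: what the enterprise directory says.
DIRECTORY = [
    DirectoryUser("alice@example.com", True, "Sales"),
    DirectoryUser("bob@example.com", False, "Engineering"),   # terminated
    DirectoryUser("carol@example.com", True, "Finance"),      # moved from Sales
    DirectoryUser("dave@example.com", True, "Engineering"),   # new joiner
    DirectoryUser("erin@example.com", True, "IT"),
]

# Constructed sample data: what the SaaS admin console exports.
SAAS = [
    SaasUser("alice@example.com", False, False, True, "Sales", date(2011, 7, 1)),
    SaasUser("bob@example.com", False, False, False, "Engineering", date(2011, 6, 1)),
    SaasUser("carol@example.com", False, False, False, "Sales", date(2011, 10, 25)),
    SaasUser("erin@example.com", False, True, False, "IT", date(2011, 11, 1)),
    SaasUser("frank@example.com", False, False, True, "Contractors", date(2011, 5, 1)),
    SaasUser("grace@example.com", True, False, False, "Sales", date(2010, 1, 10)),
]


def reconcile(directory, saas, today):
    """Return lifecycle and authentication findings, keyed by the action to take."""
    dir_by_email = {u.email.lower(): u for u in directory}
    findings = {"deprovision": [], "provision": [], "transfer": [],
                "no_2fa_admin": [], "no_2fa": [], "stale": []}
    seen = set()
    for s in saas:
        email = s.email.lower()
        seen.add(email)
        if s.suspended:
            continue                                   # already disabled on the SaaS side
        d = dir_by_email.get(email)
        if d is None or not d.active:
            findings["deprovision"].append(email)      # leaver, or never a directory user
            continue
        if d.department != s.org_unit:
            findings["transfer"].append(email)         # mover: permissions need review
        if not s.two_factor:
            findings["no_2fa_admin" if s.is_admin else "no_2fa"].append(email)
        if (today - s.last_login).days > STALE_DAYS:
            findings["stale"].append(email)
    for email, d in dir_by_email.items():
        if d.active and email not in seen:
            findings["provision"].append(email)        # joiner not yet on the SaaS
    return {action: sorted(users) for action, users in findings.items()}


def run_sample():
    """Run the reconciliation on the constructed data as of a fixed date."""
    return reconcile(DIRECTORY, SAAS, date(2011, 11, 15))


if __name__ == "__main__":
    for action, users in run_sample().items():
        print(f"{action:13s} {', '.join(users) or '-'}")
```

The SaaS list is walked first so that a terminated or never-provisioned account (bob, frank) is reported once, without also being flagged for missing two-factor or staleness; the directory is walked second to catch joiners (dave) who have no SaaS account yet. Admins without two-factor authentication are reported separately because they are the accounts an attacker would go after first.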

Page 17

Users Permissions & Authorization

Both permissions management and permissions audit are crucial.

Unique to SaaS solutions is the option to share externally.

Tools, both for SaaS and self-hosted, are not mature.

Always a hazard in knowledge-sharing applications.
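The slide's point is that sharing outside the organization is unique to SaaS and that the tooling to audit it is immature, so the permissions audit often has to be written in-house over an ACL export. The script below is an added example, not code from the deck or from Google: the five documents are constructed sample data, the ACL shape (scope / value / role) and the company domain `example.com` are assumptions rather than any vendor's sharing API, and the severity ranking is the author's own choice.

```python
"""Audit document sharing ACLs for external and public exposure.

Added example, not code from the deck or from Google. The documents below are
constructed sample data, and the ACL shape (scope / value / role) is an
assumption, not any vendor's sharing API.
"""
from dataclasses import dataclass

COMPANY_DOMAINS = {"example.com"}   # assumption: the organization's own domain(s)


@dataclass(frozen=True)
class Ace:
    scope: str   # "user", "group", "domain" or "anyone"
    value: str   # address, group address, domain name, or "" for "anyone"
    role: str    # "owner", "writer" or "reader"


@dataclass(frozen=True)
class Document:
    doc_id: str
    title: str
    owner: str
    acl: tuple


# Constructed sample data: five documents with varying sharing settings.
DOCUMENTS = [
    Document("d1", "Q3 pipeline", "alice@example.com", (
        Ace("user", "alice@example.com", "owner"),
        Ace("user", "bob@example.com", "writer"),
        Ace("domain", "example.com", "reader"))),
    Document("d2", "Board deck", "carol@example.com", (
        Ace("user", "carol@example.com", "owner"),
        Ace("anyone", "", "reader"))),                 # public link, read-only
    Document("d3", "Vendor contract", "dave@example.com", (
        Ace("user", "dave@example.com", "owner"),
        Ace("user", "legal@partner-law.example", "writer"),
        Ace("group", "finance@example.com", "reader"))),
    Document("d4", "Team wiki", "erin@example.com", (
        Ace("user", "erin@example.com", "owner"),
        Ace("domain", "example.com", "writer"))),     # anyone in the company can edit
    Document("d5", "Customer list", "frank@example.com", (
        Ace("user", "frank@example.com", "owner"),
        Ace("user", "frank.personal@gmail.com", "writer"),
        Ace("anyone", "", "writer"))),                 # public and editable
]


def domain_of(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower()


def is_external(ace: Ace) -> bool:
    """True when the grantee is outside the company's domains."""
    if ace.scope == "domain":
        return ace.value.lower() not in COMPANY_DOMAINS
    return domain_of(ace.value) not in COMPANY_DOMAINS


def severity(kind: str, role: str) -> int:
    """Rank findings so the report leads with the worst exposure."""
    if kind == "public":
        return 5 if role == "writer" else 4
    if kind.startswith("external"):
        return 3 if role == "writer" else 2
    return 1   # company-wide write access: not a leak, but worth knowing


def classify(doc: Document) -> list:
    """Return (kind, grantee, role) issues for one document's ACL."""
    issues = []
    for ace in doc.acl:
        if ace.role == "owner":
            continue
        if ace.scope == "anyone":
            issues.append(("public", "anyone", ace.role))
        elif is_external(ace):
            issues.append(("external_" + ace.scope, ace.value, ace.role))
        elif ace.scope == "domain" and ace.role == "writer":
            issues.append(("domain_writer", ace.value, ace.role))
    return issues


def audit(docs) -> list:
    """(doc_id, worst severity, issues) for every document with a finding, worst first."""
    report = []
    for doc in docs:
        issues = classify(doc)
        if issues:
            report.append((doc.doc_id, max(severity(k, r) for k, _, r in issues), issues))
    return sorted(report, key=lambda item: (-item[1], item[0]))


def external_recipients(docs) -> list:
    """Every outside address or domain that currently holds a grant."""
    return sorted({grantee for doc in docs
                   for kind, grantee, _ in classify(doc) if kind.startswith("external")})


if __name__ == "__main__":
    for doc_id, sev, issues in audit(DOCUMENTS):
        print(doc_id, sev, issues)
    print("external recipients:", external_recipients(DOCUMENTS))
```

Two design choices matter here. Grants to the company's own domain are not treated as external, but a company-wide writer grant is still reported at low severity because it turns every employee into an editor of the document. The `external_recipients` list is the output to hand to whoever owns the third-party relationship: a personal webmail address holding write access to a customer list (d5) is exactly the sharing pattern the deck warns about.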

Page 18

Audit

[Diagram: HP ArcSight collecting audit data from the on/off-premise data center, remote workers and the public cloud]

Page 19

For Further Consideration

Page 20

Did You Consider?

Encryption: SSL (in transit) and disks (at rest)

Administrator Access Control

• Two-factor authentication?

• Only from within the organization?

Administration Capabilities

• Can your administrators access users' data if needed?

Backup and Restore

• Service Level Agreement (SLA)

• Service for accidental deletes

• Disaster recovery

Way out

Page 21

For Further Questions

Contact:

Ofer Shezaf

[email protected]