SaaS as a Security Hazard - Google Apps Security Example
DESCRIPTION
As the borderline between a web site and an application blurs, so does the division between enterprise IT and the Internet. More and more enterprises adopt core applications that are provided as a service over the Internet. Until recently those were limited to vertical applications such as salesforce.com for sales automation and monster.com for recruiting, both of which have already suffered major security incidents that compromised customer data. Google's software push has led to enterprise adoption of general-purpose cloud services including office tools, mail and knowledge management, which presents an entirely new level of risk. In this presentation we will discuss the security risks of SaaS (Software as a Service) and review past incidents on such services. We will then dissect the security implications of using Google Apps as an example of a SaaS and create a checklist of things to examine in a SaaS offering before subscribing, to ensure that it provides sufficient security. Lastly we will discuss the solutions offered by Google as well as 3rd-party solutions.
TRANSCRIPT
©2011 Hewlett-Packard Development Company, L.P.
The information contained herein is subject to change without
notice
SaaS as a Security Hazard
The Google Apps example
Ofer Shezaf,
Product Manager, Security Solutions
HP ArcSight
About Myself
I live in Kibbutz Yiftah, Israel
I create security products
Currently, Product Manager for Security Solutions at HP ArcSight
Prior to that, I did security research and product management at Breach Security and at Fortify
I am an application security veteran
OWASP leader and founder of the OWASP Israeli chapter
Leads the Web Application Firewall Evaluation Criteria project
Wrote the ModSecurity Core Rule Set
I really try to learn what information security is
Read my blog at http://www.xiom.com
Be ready for some philosophy of science and cognitive psychology
What are Google Apps?
Gmail, Calendar, Docs, Sites & Groups
Google's alternative to Exchange, SharePoint, Outlook and, to a lesser extent, to Office.
Better at sharing, and in a way familiar to users
Bottom-up push to adopt.
If It Was Only Cloud…
Google Apps Role in the IT Environment
5 HP Enterprise Security – HP Confidential
(Diagram: Hybrid Delivery across Public Cloud, Traditional, Private Cloud and Managed Cloud; SaaS appears in each delivery model, labelled "customization required" and "automated provisioning")
1. Non-critical business services will move to SaaS providers who provide some level of security
2. Some critical business services will be deployed in private clouds with customized security controls
3. Some work-loads will move to public clouds with security components provisioned in image
4. Security will be componentized and automatically deployed with work-loads, based on sensitivity of assets
Note: future availability of hybrid capabilities
No, it is not about SQL injection
Google is better than your programmers at weeding out SQL injections
So what is it about?
Ownership
Cloud Entrance Exam: Question 1
Who Owns The Data?
You?
Google?
Your Employee?
Google’s Employee?
Cloud Entrance Exam: Question 2
Do You Compete With Google?
No (are you serious?)
We do, but not me
I don’t know
Yes (You Bet!)
Cloud Entrance Exam: Question 3
Who Authorized Access to the Data?
Me
Google, but only if the court asks
Google, but only if the Chinese ask
Cloud Entrance Exam: Question 4
What About Illegal Material?
I never store such data!
… apart from competitive marketing and stolen images in presentations
… but Google would not interfere with my data
Or would they?
Regulations
It’s All About Geography
Privacy
• National laws
• Limitation of transfer of data
Compliance
• PCI, SOX, SAS 70, ISO 27K…
Ownership
• Google or I?
So where is the data?
And who is responsible for it?
Back To Basics
Where and What do we Manage?
(Diagram, as before: Hybrid Delivery across Public Cloud, Traditional, Private Cloud and Managed Cloud, with SaaS in each; note: future availability of hybrid capabilities)
The three things to manage:
• Authentication
• Authorization
• Audit
Authentication & User Management
Password strength is of extreme importance in web-based services.
• Complexity, length, lifetime
• Two factor authentication is preferred.
Avoid requiring users to have multiple complex passwords
• Sticky note passwords
Need to make sure users are created, terminated and transferred on all services.
SaaS MUST tie in to enterprise directory.
Users Permissions & Authorization
Both permissions management and permissions audit are crucial.
Unique to SaaS solutions is the option to share externally.
Tools, both for SaaS and for self-hosted applications, are not mature.
Always a hazard in knowledge-sharing applications.
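A worked example of the permissions audit the slide calls for, added here and not part of the presentation or of any Google tooling: a small Python audit over a constructed export of document sharing records that flags anything reachable from outside the enterprise domain, including link sharing and look-alike domains. The record shape, the domain example.com and the sample documents are assumptions.

```python
from dataclasses import dataclass, field
INTERNAL_DOMAIN = "example.com"  # the enterprise's own domain (assumed)

@dataclass
class Permission:
    kind: str         # "user", "group", "domain" or "anyone" (link sharing)
    target: str = ""  # email address or domain name; empty for "anyone"
    role: str = "reader"

@dataclass
class Document:
    doc_id: str
    owner: str
    permissions: list = field(default_factory=list)

def is_internal_address(addr: str) -> bool:
    # Exact domain match only: a subdomain or a look-alike such as
    # example.com.evil.example is external unless explicitly allow-listed.
    return addr.lower().rsplit("@", 1)[-1] == INTERNAL_DOMAIN

def classify_permission(p: Permission) -> str:
    """Return 'internal', 'external' or 'public' for one sharing entry."""
    if p.kind == "anyone":
        return "public"
    if p.kind == "domain":
        return "internal" if p.target.lower() == INTERNAL_DOMAIN else "external"
    return "internal" if is_internal_address(p.target) else "external"

def audit_sharing(docs):
    """List documents reachable from outside the enterprise and the grants that cause it."""
    findings = []
    for d in docs:
        leaks = [(classify_permission(p), p) for p in d.permissions]
        leaks = [(c, p) for c, p in leaks if c != "internal"]
        if not leaks:
            continue
        severity = "high" if any(c == "public" for c, _ in leaks) else "medium"
        findings.append({"doc_id": d.doc_id, "owner": d.owner, "severity": severity,
                         "grants": [f"{p.kind}:{p.target or '*'}:{p.role}" for _, p in leaks]})
    return findings

# Constructed sample export; the record shape is an assumption, not a real API format.
SAMPLE_DOCS = [
    Document("d1", "cfo@example.com", [Permission("user", "CEO@Example.com", "writer"),
                                       Permission("group", "finance@example.com")]),
    Document("d2", "sales@example.com", [Permission("user", "partner@partner.example"),
                                         Permission("anyone", role="reader")]),
    Document("d3", "bob@example.com", [Permission("domain", "example.com")]),
    Document("d4", "legal@example.com", [Permission("domain", "example.com.evil.example")]),
]
```

Running `audit_sharing(SAMPLE_DOCS)` reports d2 (public link plus an external user) as high and d4 (look-alike domain) as medium, while the domain-wide and mixed-case internal grants on d1 and d3 are left alone.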
Audit
(Diagram: HP ArcSight alongside the On/Off-Premise Data Center, remote workers and the Public Cloud)
For Further Consideration
Did You Consider?
Encryption: SSL, disks
Administrator Access Control
Two factor authentication?
Only from within the organization?
Administration Capabilities
Can your administrators access users data if needed?
Backup and Restore
Service Level Agreement (SLA)
Service for Accidental Deletes
Disaster Recovery
Way out