Security that works with, not against, your SaaS business


Enterprises that offer Software-as-a-service (SaaS) solutions are able to provide their customers with clear benefits over on-premise software - lower upfront costs, simplified IT infrastructure and painless updates.

However, security and compliance are the #1 inhibitors to enterprises building SaaS applications. Unlike the old days of selling boxed software, where securing the on-premise environment was your customer’s problem, as a SaaS provider, you now need to be responsible for the security of your entire SaaS infrastructure stack. At the same time, the vast majority of security tools at your disposal were never designed for this new agile, elastic model and are therefore inflexible and unable to cope. Ultimately, poor security choices can impact your SaaS business, slowing down sales opportunities, and hurting customer trust and company brand.

But a new breed of security architecture has now emerged. Born in the cloud and purpose-built to secure SaaS environments, these security-as-a-service solutions automate security and compliance monitoring, and are built to support the scalability, portability and depth of protection you need to secure these elastic environments.

What You Will Learn:

  • Why static security architectures break Software-as-a-Service business models
  • What a SaaS business needs to secure its infrastructure
  • Security-as-a-Service: A new security architecture for SaaS
  • How CloudPassage Halo has helped secure SaaS businesses

Published in: Technology, Business

  1. Security that works with, not against, your SaaS business
     • Dave Shackleford, Lead Faculty, IANS
     • Rand Wacker, VP Products, CloudPassage
     • 10/2/2013
  2. Who We Are
     • Dave Shackleford, Lead Faculty at IANS
     • Rand Wacker, VP of Products at CloudPassage
     Copyright © 2013 IANS. All rights reserved.
  3. Virtualization: First step to Cloud
     • Security is in upheaval
     • We must adapt to cloud disruption
     • Check out Dave’s Cloud Security classes with SANS
  4. Overview for Today
     • Business imperatives for SaaS
     • Cloud-based delivery architecture
     • Security complexity in agile cloud environments
     • Customer case studies with Halo Enterprise
     • Q&A
  5. Moving to a SaaS Business
  6. Two Sides of the SaaS Coin
     © 2013 CloudPassage Inc.
     • What Customers Fear
       – Loss of data / I.P.
       – Their brand being caught up in a compromise
       – Failing their own audits
       – Having to migrate to another provider later…
     • What You Want
       – Recurring revenue
       – Organic incremental sales
       – Nothing to ship, one codebase to support
       – Higher profit margins at scale…
     Data protection is often a new business challenge for software providers.
  7. SaaS Adoption and Fear Trends
     • SaaS is the primary cloud investment
       – 82% of companies use SaaS providers
       – 50% use SaaS for business-critical apps
     • Security, compliance still top concerns
       – 55% consider security a major issue
       – 38% view compliance as show-stopper
     Source: North Bridge Capital “Future of the Cloud” survey (June 2012)
  8. SaaS Adoption and Fear Trends
     Companies want to use SaaS but fear security issues. SaaS providers who get security right are at a massive advantage over competitors.
  9. What SaaS Customers Demand
     Maintaining compliance is more complex in dynamic cloud-based environments.
  10. Building SaaS Today
  11. Cloud Accelerates SaaS Dev
      • SaaS feature development must stay ahead of competition
      • DevOps and cloud architectures enable agile development
      • Accelerates time-to-market, but complicates security…
  12. Poll: SaaS Challenges
      • What are your biggest challenges in building/transitioning to a SaaS business model? (Select all that apply)
        – Organizational expertise in building SaaS offerings
        – Security of service/customer data
        – Transitioning customers from perpetual to subscription
        – Cannibalization of existing revenue streams
        – Other
  13. Securing Cloud Development
  14. Cloud Security Challenges
      • There are many security challenges in cloud computing
      • Some are more technical
        – Tracking data migration from abc (mobility)
        – Data/customer segmentation (Multi-tenancy)
        – Identity and Access Management
        – Incident response in multitenant environments
      • Some are more “macro” level issues:
        – Policy and Risk Assessment
        – Governance
        – Audit requirements
        – Compliance
      “If you’re a large enterprise, somebody in your organization is using cloud computing, but they’re not telling you.” --James Staten, principal analyst at Forrester Research
  15. The Role of Virtualization in the Cloud
      • Virtualization is a cloud enabler
        – Pooled resources
        – Abstracted components and applications
        – Shared infrastructure
        – Resource and data migration and replication
      • Virtualization technologies have security issues, too:
        – More complexity, more moving parts
        – New configuration controls
        – Segmentation and separation
        – Monitoring
  16. Multi-tenancy: Security Issues
      • One physical platform may host numerous distinct entities’ data and services
      • Critical needs arise for:
        – Segmentation & Isolation
        – Policy boundaries
        – Monitoring (availability/security)
        – Management
      • Needs may differ for private vs. public cloud types
  17. Visibility
      • Visibility is a challenge in cloud environments – why?
        – Customers do not have visibility into the internal security controls in place at a cloud provider facility
        – Cloud providers need controls that are flexible and dynamic across different environments
  18. Gaining Additional Visibility
      • SaaS environments will employ IaaS principles and infrastructure to host VMs and application instances
      • Monitoring these instances can be a challenge as they migrate and balance across clusters
      • Traditional tools for monitoring (IDS, for example) may have difficulty “following” systems or gaining visibility into virtual environments
      • Monitoring at the individual VM level makes more sense in a cloud infrastructure
  19. Change Management in the Cloud
      • Change management is one of the most important operational aspects of the cloud
      • Cloud computing is built on a foundation of consistency and uniformity
        – Changes can affect this dramatically
      • Issues:
        – Virtualized infrastructure increases the rate of change due to dynamic nature
        – Virtualization and multi-tenancy add new levels of complexity
      [Diagram labels: App / Virtual OS / Virtual Hardware / Storage / Hypervisor Platform / Physical Hardware]
  20. Automation and DevOps
      • In many SaaS cloud environments today, numerous small/rapid code pushes are becoming necessary
        – Automating this process with proper test and risk assessment is key
      • DevOps strives for a number of goals and focal areas:
        – Automated provisioning
        – No-downtime deployments
        – Monitoring
        – “Fail fast and often”
        – Automated builds and testing
  21. Traditional Security Breaks Cloud Ops
      • Many traditional security tools and controls are not well-suited to dynamic cloud operational environments
      • In general, many network-focused and larger architectural controls can be slow to change/adapt
        – Orchestration tools can help, but API support is required
  22. Host-Based Security in Cloud Environments
      • For truly dynamic SaaS deployments, security architecture will be a balance of network and host controls
        – Many are leaning more toward local system security controls, though
      • Some of the challenges include:
        – Resource utilization
        – Integration with virtualization platforms
        – Testing with SaaS application instances
        – Manageability
  23. Host-based Security Agents
      • The biggest issue with host-based security agents is resource consumption
        – Too much RAM, CPU, etc.
        – This is a serious issue in virtualized environments
      • A lightweight, specially-adapted agent is needed
      • Tight integration with the OS kernel and components is also key
        – Local scans and monitoring need to be as low-impact as possible
        – Scalability and centralized control are critical
  24. Introducing Halo Enterprise
  25. Halo Enterprise automates security for large, complex private, public & hybrid clouds
      • Visibility & control across any infrastructure
      • Less time demanded from DevOps & Security
      • More competitive SaaS offerings
      • Meet compliance needs, remove sales barriers
  26. Security and Compliance Automation
      Protect servers and applications in any private, public, or hybrid cloud environment
      Broad set of security controls, critical for securing cloud-hosted applications:
      • Server Account Management
      • Security Event Alerting
      • File Integrity Monitoring
      • REST API Integrations
      • Firewall Automation
      • System & Application Config Security
      • Multi-Factor Authentication
      • Vulnerability & Patch Scanning
      Confidential NDA material. Do not distribute.
  27. [Architecture diagram]
      • Private cloud & SDDC
      • Virtualized & bare-metal datacenter
      • Public cloud IaaS
      • Halo security analytics engine
      • Halo administration web portal
      • Halo REST API gateway
      HALO SECURITY MODULES
      • Firewall policy orchestration
      • Multi-factor authentication
      • File integrity monitoring
      • Configuration security monitoring
      • Software vulnerability scanning
      • System access management
  28. [Diagram: Workload VM Instance]
      Components: Operating System, Application Code, System Administration Services, Application Engine, App Storage Volume, System Storage Volume, Halo Daemon
      Callouts:
      1. Halo activates firewall on boot, applies latest policies, and orchestrates ongoing policy updates.
      2. Halo secures privileged access via dynamic firewall rules triggered by multi-factor user authentication.
      3. Halo scans O.S. configurations for vulnerabilities and continuously monitors O.S. state and activity.
      4. Application configurations are scanned for vulnerabilities and are continuously monitored.
      5. Cryptographic integrity monitoring ensures app code and binaries are not compromised.
      6. Halo monitors system binary and config files for correct ACLs, file integrity, and vulnerabilities.
      7. Application data stores are monitored for access; outbound firewall rules prevent data extrusion.
  29. Solving Cloud Security Challenges
      • Cloud Complications
        – Virtualization and multi-tenancy
        – Maintaining visibility
        – Taming change management
        – Supporting automation & DevOps
      • CloudPassage Approach
        – Build security into cloud stack
        – Design for automation, portability, and scalability
        – Broad range of security controls
        – Simplify compliance management
  30. Cloud Security Case Studies
  31. Poll: SaaS Offerings
      • Today, what percentage of your business is from a SaaS offering (vs boxed product or other)?
        – All
        – More than half
        – Less than half
        – None
        – Not applicable to our organization
  32. Case Study: Enabling SaaSification
      • Top 10 Fortune’s software list
      • Corporate imperative: move boxed product to SaaS
      • Security is paramount; customers demand SOC2, HIPAA, etc.
      • Running across mix of AWS, VMware, and others
  33. Case Study: Enabling SaaSification
      [Diagram: Product Line 1, Product Line 2, Product Line 3; SaaS Product 1, SaaS Product 2, SaaS Product 3; Halo security platform]
      Halo automates security and compliance for each BU running in cloud
      Halo Benefits
      • Enable fast and agile DevOps model
      • Security built into stack for portability
      • Ensures consistency of servers, visibility, and enables rapid response
  34. Case Study: Securing Acquisitions
      • B2B SaaS pioneer
      • Core product in virtualized datacenters, traditional security practices
      • 20+ acquisitions for growth: most built in public cloud
      • Must extend security and compliance across any infrastructure
  35. Case Study: Securing Acquisitions
      [Diagram labels: Core Product Datacenter & IT Security Operations; Acquisitions built in public & private clouds]
      Halo provides security and compliance across all environments
      Halo Benefits
      • Easily installs into any cloud architecture
      • No disruption to development pace
      • Extends existing security operations to cloud
  36. Wrap Up
  37. Summary
      • SaaS businesses require strong security
      • Cloud-based development complicates traditional security
      • Security and compliance must enhance, not slow down, agile SaaS development
      • Focus security architecture on automation, portability, and visibility
  38. Q&A and Additional Information
      • Dave Shackleford, Lead Faculty, IANS, @ians_security
      • Rand Wacker, VP, Products, @cloudpassage
      • Securing SaaS whitepaper
      • Request a Halo demo or free trial
  39. Thank You!