SaaS as a Security Hazard - Google Apps Security Example

As the borderline between a web site and an application blurs, so does the division between enterprise IT and the Internet. More and more enterprises adopt core applications which are provided as a service over the Internet. Until recently those were limited to vertical applications such as salesforce.com for sales automation and monster.com for recruiting, both of which have already suffered major security issues that compromised customer data. Google's software push has led to enterprise adoption of general purpose cloud services including office tools, mail and knowledge management, which presents an entirely new risk level. In this presentation we will discuss the security risks of SaaS (Software as a Service) and review past incidents on such services. We will then dissect the security implications of using Google Apps as an example of a SaaS and create a checklist of things to examine in a SaaS offering before subscribing, to ensure that it provides sufficient security. Lastly we will discuss the solutions offered by Google as well as 3rd party solutions.

Published in: Technology, Business
Transcript

  • 1. SaaS as a Security Hazard: The Google Apps example. Ofer Shezaf, Product Manager, Security Solutions, HP ArcSight, ofr@hp.com. ©2011 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
  • 2. About Myself. I live in Kibbutz Yiftah, Israel. I create security products: currently Product Manager for Security Solutions at HP ArcSight; prior to that did security research and product management at Breach Security and at Fortify. I am an application security veteran: OWASP leader and founder of the OWASP Israeli chapter; lead the Web Application Firewall Evaluation Criteria project; wrote the ModSecurity Core Rule Set. I really try to learn what information security is: read my blog at http://www.xiom.com; be ready for some philosophy of science and cognitive psychology.
  • 3. What are Google Apps? Gmail, Calendar, Docs, Sites & Groups. Google's alternative to Exchange, SharePoint, Outlook and, to a lesser extent, to Office. Better at sharing, and in a way familiar to users. Bottom-up push to adopt.
  • 4. If It Was Only Cloud…
  • 5. Google Apps Role in the IT Environment. [Diagram: Hybrid Delivery, from "customization required" to "automated provisioning", across Traditional, Private Cloud, Managed Cloud and Public Cloud.] 1. Non-critical business services will move to SaaS providers who provide some level of security. 2. Some critical business services will be deployed in private clouds with customized security controls. 3. Some workloads will move to public clouds with security components provisioned in image. 4. Security will be componentized and automatically deployed with workloads, based on sensitivity of assets. 5. Note: future availability of hybrid capabilities. HP Enterprise Security – HP Confidential
  • 6. No, it is not about SQL injection. Google is better than your programmers in weeding out SQL injections. So what is it about?
  • 7. Ownership
  • 8. Cloud Entrance Exam: Question 1. Who Owns The Data? You? Google? Your Employee? Google’s Employee?
  • 9. Cloud Entrance Exam: Question 2. Do You Compete With Google? No (are you serious?) We do, but not me. I don’t know. Yes (You Bet!)
  • 10. Cloud Entrance Exam: Question 3. Who Authorized Access to the Data? Me. Google. Google, but only if the court asks. Google, but only if the Chinese ask.
  • 11. Cloud Entrance Exam: Question 4. What About Illegal Material? I never store such data! … apart from competitive marketing and stolen images in presentations … but Google would not interfere with my data. Or would they?
  • 12. Regulations
  • 13. It’s All About Geography. Privacy: national laws; limitation of transfer of data. Compliance: PCI, SOX, SAS 70, ISO 27K… Ownership: Google or I? So where is the data? And who is responsible for it?
  • 14. Back To Basics
  • 15. Where and What do we Manage? [Diagram: the Hybrid Delivery chart from slide 5 (Traditional, Private Cloud, Managed Cloud, Public Cloud, SaaS) overlaid with three control areas: Authentication, Authorization, Audit.] Note: future availability of hybrid capabilities. HP Enterprise Security – HP Confidential
  • 16. Authentication & User Management. Password strength is of extreme importance in web based services: complexity, length, lifetime; two factor authentication is preferred. Avoid requiring users to have multiple complex passwords (sticky note passwords). Need to make sure users are created, terminated and transferred on all services. SaaS MUST tie in to enterprise directory.
  • 17. Users Permissions & Authorization. Always a hazard in knowledge sharing applications. Tools, both for SaaS and self hosted, are not mature. Unique to SaaS solutions is the option to share externally. Both permissions management and permissions audit are crucial.
  • 18. Audit. [Diagram with elements: Public Cloud, HP ArcSight, On/Off-Premise Data Center, remote workers.]
  • 19. For Further Consideration
  • 20. Did You Consider? Encryption: SSL, disks. Administrator access control: two factor authentication? Only from within the organization? Administration capabilities: can your administrators access users' data if needed? Backup and restore: Service Level Agreement (SLA), service for accidental deletes. Disaster recovery. Way out.
  • 21. For Further Questions. Contact: Ofer Shezaf, ofr@hp.com
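Slides 16 and 17 make two operational points: SaaS accounts must track the enterprise directory (joiners, leavers, movers), and external sharing must be audited, not just managed. The script below is an added example, not part of the presentation or any Google or HP tool. It reconciles a constructed directory export against a constructed SaaS account list, then walks constructed document ACLs and flags anything shared outside the enterprise domain or left owned by a terminated user. The record shapes, the ACL entry conventions (`domain:<d>`, `anyone_with_link`) and the domain `example.com` are assumptions for illustration, not any real export format.

```python
"""Audit a SaaS tenant against the enterprise directory and flag risky sharing.

Added example; all data below is constructed. Record shapes and ACL
conventions are assumptions, not a real SaaS export format.
"""
from dataclasses import dataclass
from typing import Dict, List

ENTERPRISE_DOMAIN = "example.com"  # assumed enterprise domain (constructed)


@dataclass(frozen=True)
class DirectoryUser:
    email: str
    active: bool  # False once HR has terminated the person


@dataclass(frozen=True)
class SaasAccount:
    email: str
    suspended: bool
    two_factor: bool  # slide 16: two factor authentication is preferred


@dataclass(frozen=True)
class SharedDoc:
    doc_id: str
    owner: str
    acl: List[str]  # entries: user email, "domain:<d>", or "anyone_with_link"


# Constructed sample data: one leaver still active, one account with no
# directory record, one active employee never provisioned.
DIRECTORY = [
    DirectoryUser("alice@example.com", True),
    DirectoryUser("bob@example.com", False),  # terminated in HR
    DirectoryUser("carol@example.com", True),
]
SAAS_ACCOUNTS = [
    SaasAccount("alice@example.com", False, True),
    SaasAccount("bob@example.com", False, False),  # never deprovisioned
    SaasAccount("dave@example.com", False, False),  # unknown to the directory
]
DOCS = [
    SharedDoc("doc-1", "alice@example.com", ["carol@example.com"]),
    SharedDoc("doc-2", "alice@example.com", ["partner@contoso.example", "carol@example.com"]),
    SharedDoc("doc-3", "carol@example.com", ["anyone_with_link"]),
    SharedDoc("doc-4", "bob@example.com", ["domain:example.com"]),
]


def account_findings(directory: List[DirectoryUser],
                     accounts: List[SaasAccount]) -> Dict[str, List[str]]:
    """Reconcile SaaS accounts with the directory of record (slide 16)."""
    known = {u.email for u in directory}
    active = {u.email for u in directory if u.active}
    findings: Dict[str, List[str]] = {"orphaned": [], "unknown": [], "no_2fa": []}
    for a in accounts:
        if a.suspended:
            continue  # already deprovisioned on the service
        if a.email in known and a.email not in active:
            findings["orphaned"].append(a.email)  # leaver still has access
        elif a.email not in known:
            findings["unknown"].append(a.email)  # account created outside the directory
        if not a.two_factor:
            findings["no_2fa"].append(a.email)
    live = {a.email for a in accounts if not a.suspended}
    findings["missing"] = sorted(active - live)  # joiner never provisioned
    return findings


def is_external(entry: str, domain: str) -> bool:
    """True when an ACL entry grants access outside the enterprise domain."""
    if entry == "anyone_with_link":
        return True
    if entry.startswith("domain:"):
        return entry[len("domain:"):].lower() != domain
    return entry.rsplit("@", 1)[-1].lower() != domain


def sharing_findings(docs: List[SharedDoc], domain: str) -> List[dict]:
    """Flag documents exposed beyond the enterprise domain (slide 17)."""
    out = []
    for d in docs:
        external = [e for e in d.acl if is_external(e, domain)]
        if external:
            out.append({"doc_id": d.doc_id, "owner": d.owner,
                        "public": "anyone_with_link" in d.acl, "external": external})
    return out


def orphaned_owner_docs(docs: List[SharedDoc], findings: Dict[str, List[str]]) -> List[str]:
    """Documents still owned by leavers: data that was never transferred."""
    leavers = set(findings["orphaned"])
    return [d.doc_id for d in docs if d.owner in leavers]


if __name__ == "__main__":
    acct = account_findings(DIRECTORY, SAAS_ACCOUNTS)
    print("accounts:", acct)
    print("sharing:", sharing_findings(DOCS, ENTERPRISE_DOMAIN))
    print("owned by leavers:", orphaned_owner_docs(DOCS, acct))
```

The same three checks map directly onto the "checklist before subscribing" the abstract promises: if a SaaS offering cannot export its account list and its sharing ACLs, none of these audits can be run, and that is itself a finding.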