Security Architecture Best Practices for SaaS Applications

Gartner has predicted 18-20% growth in SaaS market, and expects it to hit US $22.1 billion by the year 2015. They have also measured that SaaS adoption rate has increased many fold in the last few years (almost 71% of enterprises use SaaS solutions).

Published in: Technology
  • Custom Store
    Password encryption/ hashing
    Password change policy externalization
    Active Directory Integration
    Identity Federation
  • Transcript

    • 1. Security Architecture Best Practices for SaaS Applications 22-May-2014
    • 2. © Techcello Housekeeping Instructions
      • All phones are set to mute. If you have any questions, please type them in the Chat window located beside the presentation panel.
      • We have already received several questions from the registrants, which will be answered by the speakers during the Q & A session.
      • We will continue to collect more questions during the session as we receive them and will try to answer them during today's session.
      • If you do not receive answers to your question today, you will certainly receive answers via email shortly.
      • Thanks for your participation and enjoy the session!
    • 3. © Techcello TechCello Introduction
      • Cloud Ready, SaaS/Multi-Tenant SaaS Application Development Framework
      • Provides an end-to-end SaaS Lifecycle Management Solution
      • Redefines the way SaaS products are built and managed
      • Saves anywhere between 30%-50% of time and cost
    • 4. © Techcello Speaker Profiles
      • Vittal Raj, International VP, ISACA; Founder, Pristine Consulting
        – Last two decades in Consulting, Assurance & Training in IS Security, IT Compliance/Governance, Enterprise Risk Management, Risk-based Internal Audit and Digital Forensics.
        – Directed and managed projects in the areas of IS Security Implementation, Cyber Crime Forensics & Cyber Law Consulting, Network & Web Application Vulnerability Assessments
        – Specialist trainer in IT Risk Management and Information Security
      • Jothi Rengarajan, Chief Technical Architect, TechCello
        – 14+ years of experience in architecting cloud and SaaS solutions for both ISVs and Enterprises
        – Chief architect in designing and constructing the TechCello framework
        – Plays a consultative role with customers in implementing technical solutions
    • 5. Gartner forecasts on SaaS
      • SaaS market set to top $22 b by 2015
      • Surge in software spends by 2015, stratification of SaaS
      • CRM, ERP and office & productivity SaaS in the lead
      • Multi-tenancy is the way to go, supported by innovative tech
      • Customer concerns: Continuity, Security & Contractual
    • 6. What's slowing down SaaS adoption?
      • Application Control & Security Governance
      • Contractual Transparency & SLA Assurance
      • Business Continuity & Resilience
      • Security Management
        – Security of data in a multi-tenancy model
        – Risk-driven security management
        – Identity and access management (IAM)
        – Adequacy, Sustainability
      • Privacy and Regulatory concerns
        – Data location, Privacy Compliance, IAM, Licensing, legal & electronic discovery
      • Customisation & Transitioning out
      • Continual Independent Assurance
      • Pricing Indemnity
    • 7. Goals to Results Framework based approach driven on Stakeholder Expectations Source: COBIT 5®, ITGI
    • 8. Key Control Drivers (Source: CCSA – CCS Matrix)
      • Application & Interfaces
      • Business Continuity & Operational Resilience
      • Change Control & Configuration Management
      • Data Security & Information Life Cycle Mngt
      • Data Centre Security
      • Encryption & Key Management
      • Governance & Risk Management
      • Identity & Access Management
      • Infrastructure & Virtualisation Security
      • SCM, Transparency & Accountability
      • Human Resources
      • Audit, Assurance & Compliance
    • 9. Holistic approach for sustainable governance Source: COBIT 5®, ITGI
    • 10. Managing Operational Risks in SaaS Services
      • SaaS Governance Framework - Client
        – Risk Assessment & Management
        – Service Level Management
        – Performance Management (Metrics & Mechanisms)
        – Auditability and Audits
      • Risk Management & Assurance
      • Standards & Certification
      • Assurance by CSP
      • Insurance
      • Contract Governance
      • Security Management
        – Security Framework
        – Encryption, Data Exchange Controls
      • Transition Management
      • Monitoring Capabilities
      • Billing Control
      • Litigation Clauses
      • Regulatory Compliance
    • 11. International Standards
      • COBIT 5 – Controls and Assurance in the Cloud
      • CSA Guides
      • AICPA Service Organization Control (SOC) 1 Report
      • AICPA/CICA Trust Services (SysTrust and WebTrust)
      • ISO 2700x: Information security management system (ISMS)
      • Cloud Security Matrix, by the Cloud Security Alliance
      • NIST SP 800-53: the NIST IT security controls standards; Health Information Trust Alliance (HITRUST)
      • BITS: the BITS Shared Assessment Program, which contains the Standardized Information Gathering (SIG) questionnaire and Agreed Upon Procedures (AUP)
      • European Network and Information Security Agency (ENISA): Cloud Computing – Benefits, Risks and Recommendations for Information Security
    • 12. ‘Trustworthy’ SaaS key to customer acquisition & loyalty
    • 13. Feel free to contact me with your questions, comments & feedback: R Vittal Raj Linkedin: rvittalraj
    • 14. © Techcello SaaS Customer Concerns
      • Data Storage and Segregation
        – Is it a dedicated or a shared environment?
        – If it is a shared environment, how is the data segregated from other tenants in that environment?
        – How is security managed in the shared environment? What controls are in place?
      • ACL
        – What type of identity management solution is provided?
        – Is Single Sign-On (SSO) provided? What types of SSO options are available? SAML, OAuth etc.?
        – What type of user store is available? Can this user store be integrated with Active Directory or any other user store database?
        – What type of user security, authentication and authorization options are available?
    • 15. © Techcello SaaS Customer Concerns
      • Data Security
        – How is the primary data encrypted? What encryption schemes are used? Who has access to the decryption keys? How often is this tested?
      • Audits
        – What application & data access audit logs are available? How often can you get them?
        – What type of investigative support is provided in case of a breach?
    • 16. © Techcello SaaS Security Architecture Goals
      Protection of information: the prevention and detection of unauthorized actions, and ensuring the confidentiality and integrity of data.
      • Robust tenant data isolation
      • Flexible RBAC – prevent unauthorized actions
      • Proven data security
      • Prevention of the top web-related threats as per OWASP
      • Strong security audit logs
    • 17. © Techcello Tenant Data Isolation Design for a Hybrid Approach
    • 18. © Techcello Tenant Data Isolation
      • Database Routing Based On Tenant
      • Application Layer Auto Tenant Filter
      • Tenant Based View Filter
    • 19. © Techcello ACL Architecture
    • 20. © Techcello Role Based Access Control (RBAC): Authentication
      • Separate Common Identity Provider
      • Identity Provider Support Options
      • Custom Username Password Authentication
      • AD Integrated SSO
      • Open ID Authentication
      • Multi factor authentication
      • Hybrid Authentication Support
    • 21. © Techcello Role Based Access Control (RBAC): Authorization
      • ACL Metadata
        – Use privileges
        – Map with roles
        – Roles should be defined by business users
        – Role mapped to privileges and user mapped to roles
      • Access Check Services
        – Control at a URL, Action, Data and Field level
        – Configuration based privilege control
    • 22. © Techcello Role Based Access Control (RBAC): Authorization
      • REST API Implementation
        – External Application Integration: OAuth 2.0, HMAC
        – Internal Application Integration: Session Token, Cookie
    • 23. © Techcello OWASP – Top 10 Threats 2013
      • A1 Injection
      • A2 Broken Authentication and Session Management (was formerly A3)
      • A3 Cross-Site Scripting (XSS) (was formerly A2)
      • A4 Insecure Direct Object References
      • A5 Security Misconfiguration (was formerly A6)
      • A6 Sensitive Data Exposure (merged from former A7 Insecure Cryptographic Storage and former A9 Insufficient Transport Layer Protection)
      • A7 Missing Function Level Access Control (renamed/broadened from former A8 Failure to Restrict URL Access)
      • A8 Cross-Site Request Forgery (CSRF) (was formerly A5)
      • A9 Using Known Vulnerable Components (new, but was part of former A6 – Security Misconfiguration)
      • A10 Unvalidated Redirects and Forwards
    • 24. © Techcello Security Testing: Dynamic Testing, Static Testing, Security Verification
    • 25. © Techcello Security Audit: Event Audit
      • Audit positive events and, more importantly, audit negative events
      • Should cover:
        – Who does the action?
        – What action is performed?
        – What is the context in which the operation is performed?
        – What time is the action performed?
      • Audit details stored in a separate datastore for better performance
      • Real-time audit details – audit cache server
    • 26. © Techcello Security Audit: Transaction and Change Audit
      • Transaction Audit
        – Snapshot: an exact copy of the row stored in history tables
        – More suitable if requests to access past data are frequent
        – More data growth
      • Change Audit
        – Only the delta of the state change is captured in change tables
        – More suitable when changes need to be reported and past data is rarely required
        – Used more for security tracking purposes
        – Easier to implement by using methods available out of the box in an RDBMS, such as CDC for SQL Server
      • Asynchronous Mode: for better performance, and so that auditing does not roll back the business transaction, it is advisable to audit in an asynchronous thread.
    • 27. © Techcello Security Audit: User Action Audit
      • Audit all user actions
      • Capture the entry URL, time, location details, browser details, response status and any exceptions
      • Provide analysis on the user actions
      • Can be customized at the application layer, or can use the web server logs
    • 28. © Techcello Security Audit
    • 29. How does it work? Cello Stack – At a Glance
      Cloud Ready, Multi-Tenant Application Development Framework
      • Administrative Modules: Tenant Provisioning, Licensing, Metering, Billing, Data Backup
      • Security Modules: User Management, Role/Privilege Mgmt., Single Sign-on, Dynamic Data Scope, Auditing
      • Enterprise Engines: Business Rules, Workflow, Dynamic Forms
      • Integration Modules: Events, Notification, Templates
      • Productivity Boosters: Query, Chart, Reports, Ad-hoc Builders, Code Templates, Master Data Mgmt., Forms Generation
      • Configurability Modules: Application Multi-Tenancy & Tenant Data Isolation, Custom Fields, Custom LoV, Settings Template, Themes & Logo, Pre & Post Processors
      • Cello Cloud Adapters
    • 30. © Techcello Contact Details Jothi Rengarajan ( Vittal Raj ( Reference URLs Web : ROI Calculator : Demo Videos : product-demo SaaS e-Book: resources-white-papers Thank You
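Slide 18 lists "Database Routing Based On Tenant" and "Application Layer Auto Tenant Filter" as the tenant-isolation building blocks. The following is an added example (not TechCello's code) of both: a router that hands dedicated tenants their own connection and everyone else the shared database, and a repository that injects the tenant predicate into every query so a caller cannot reach another tenant's rows by id. Table and tenant names, the `invoice` table and the sample rows are constructed for the demonstration.

```python
import sqlite3

# Constructed sample data: one shared database holding rows of two tenants.
SAMPLE_ROWS = [(1, "acme", 100), (2, "acme", 250), (3, "globex", 999)]

def build_shared_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE invoice (id INTEGER, tenant_id TEXT, amount INTEGER)")
    conn.executemany("INSERT INTO invoice VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn

# Database routing based on tenant: tenants on a dedicated database get their
# own connection; all others share the pooled database (hybrid approach).
DEDICATED = {}                # tenant_id -> connection; empty in this demo
SHARED = build_shared_db()

def connection_for(tenant_id):
    return DEDICATED.get(tenant_id, SHARED)

ALLOWED_TABLES = {"invoice"}  # table names are never taken from user input

class TenantScope:
    """Application-layer auto tenant filter: every query is built with a
    tenant_id predicate that the calling code cannot leave out."""

    def __init__(self, tenant_id):
        self.tenant_id = tenant_id
        self.conn = connection_for(tenant_id)

    def query(self, table, where="", params=()):
        if table not in ALLOWED_TABLES:
            raise ValueError("unknown table")
        sql = f"SELECT id, tenant_id, amount FROM {table} WHERE tenant_id = ?"
        if where:
            sql += f" AND ({where})"   # caller's predicate is AND-ed, never replaces the tenant one
        sql += " ORDER BY id"
        return self.conn.execute(sql, (self.tenant_id, *params)).fetchall()

    def get(self, table, row_id):
        # An id that belongs to another tenant resolves to None, not to the
        # other tenant's row (the insecure direct object reference case, A4).
        rows = self.query(table, "id = ?", (row_id,))
        return rows[0] if rows else None
```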
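Slide 21 describes the authorization model: roles defined by business users, roles mapped to privileges, users mapped to roles, and access checks driven by configuration at URL, action and field level. This added example (not TechCello's code) implements that model at the URL/action and field levels; the role, privilege, endpoint and field names are constructed for the demonstration.

```python
# Constructed configuration: privileges granted per role, the privilege each
# method+URL requires, and the privilege each sensitive field requires.
# Handlers never hard-code role names; they consult this configuration.
ROLE_PRIVILEGES = {
    "billing_clerk": {"invoice.view", "invoice.create"},
    "finance_manager": {"invoice.view", "invoice.create",
                        "invoice.approve", "invoice.view_margin"},
}
URL_PRIVILEGES = {
    ("GET", "/invoices"): "invoice.view",
    ("POST", "/invoices"): "invoice.create",
    ("POST", "/invoices/approve"): "invoice.approve",
}
FIELD_PRIVILEGES = {"invoice": {"margin": "invoice.view_margin"}}
USER_ROLES = {"alice": {"billing_clerk"}, "bob": {"finance_manager"}}

def privileges_of(user):
    """Users map to roles, roles map to privileges; the union is effective."""
    privs = set()
    for role in USER_ROLES.get(user, ()):
        privs |= ROLE_PRIVILEGES.get(role, set())
    return privs

def check_url(user, method, path):
    """URL/action-level check. Unmapped endpoints are denied by default so a
    forgotten mapping fails closed (OWASP A7, missing function-level control)."""
    needed = URL_PRIVILEGES.get((method.upper(), path))
    if needed is None:
        return False
    return needed in privileges_of(user)

def filter_fields(user, entity, record):
    """Field-level check: drop the fields whose privilege the user lacks
    before the record leaves the service."""
    rules = FIELD_PRIVILEGES.get(entity, {})
    privs = privileges_of(user)
    return {k: v for k, v in record.items() if k not in rules or rules[k] in privs}
```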
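Slide 22 names HMAC as one of the options for authenticating external applications against the REST API. This added example (not TechCello's code) shows both sides of such a scheme: the external application signs the method, path, timestamp and body hash with a per-application shared secret, and the server verifies the key id, rejects stale timestamps and compares the signature in constant time. The header names, key id, secret and skew window are constructed assumptions.

```python
import hashlib
import hmac
import time

# Constructed: shared secrets issued per external application (key id -> secret).
APP_SECRETS = {"app-123": b"constructed-demo-secret"}
MAX_SKEW = 300  # seconds a signed request remains acceptable

def canonical(method, path, timestamp, body):
    """The exact bytes both sides sign; hashing the body keeps it bounded."""
    body_hash = hashlib.sha256(body).hexdigest()
    return "\n".join([method.upper(), path, str(timestamp), body_hash]).encode()

def sign_request(key_id, method, path, body, timestamp=None):
    """Client side: the headers an external application attaches."""
    ts = int(timestamp if timestamp is not None else time.time())
    mac = hmac.new(APP_SECRETS[key_id], canonical(method, path, ts, body), hashlib.sha256)
    return {"X-Key-Id": key_id, "X-Timestamp": str(ts), "X-Signature": mac.hexdigest()}

def verify_request(headers, method, path, body, now=None):
    """Server side: unknown key, bad timestamp, stale request or wrong
    signature all fail; the signature comparison is constant time."""
    secret = APP_SECRETS.get(headers.get("X-Key-Id"))
    if secret is None:
        return False
    try:
        ts = int(headers.get("X-Timestamp", ""))
    except ValueError:
        return False
    now = int(now if now is not None else time.time())
    if abs(now - ts) > MAX_SKEW:
        return False  # outside the window: stale or replayed much later
    expected = hmac.new(secret, canonical(method, path, ts, body), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, headers.get("X-Signature", ""))
```

Within the skew window a captured request could still be replayed; pairing the timestamp with a server-side cache of recently seen signatures closes that gap.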