1. Securing Information Assets in SaaS
Clouds
Deb Banerjee
Technical Director, Symantec
@banerjeesec
Dreamforce 2012 1

2. Shared Responsibility for Security in SaaS Clouds
SAAS
Enterprise
Responsibility
PAAS
IAAS
Dreamforce 2012 2

3. Dreamforce 2012 3

4. Shared Security Model: Enterprise Responsibilities
Dreamforce 2012 4

5. ASSETS
Dreamforce 2012 5

6. Sensitive Information Assets
•Applications
-Standard
•Documents -Custom
• Database Tables
Asset Discovery is a Foundational Capability.
Dreamforce 2012 6

7. SaaS Information Asset Classification
• PII
• PCI
Data Classification
Force.com Apex agents
• Context-based: DLP-Lite
• Content Inspection: Traditional DLP
Dreamforce 2012 7

8. SaaS Information Asset Classification: Context-
Based
Identifies data owners based on activity streams
Enables Data Classification based on sensitivity of owner roles
Dreamforce 2012 8

9. Polling Question
Which sensitive data do you have in the Cloud?
•PCI – Credit card data
•PII/EU DP privacy-related
•HIPAA – Health Care
•FERPA - Education
•Other Company Sensitive
Dreamforce 2012 9

10. VULNERABILITIES
Dreamforce 2012 1

11. Configuration Vulnerability: External Service
Integrations
External Service Integration
Dreamforce 2012 1

12. Configuration Vulnerability: Application Permissions
Application Permissions
Presentation Identifier Goes Here 1

13. SaaS Asset Configuration Assessment: Sharing
Rules
Dreamforce 2012 1

14. SaaS Asset Configuration Assessment: User
Permissions
Dreamforce 2012 1

15. SaaS Asset Configuration Assessment: User
Permissions
Presentation Identifier Goes Here 1

16. PLAYING DEFENSE
Best Practices/Solutions
Presentation Identifier Goes Here 1

17. Data Classification
Content-Based Classification
Context-based Classification
Multiple Deployment Models
 Agents as Salesforce Apps
 Activity Monitoring
 Cloud Security Brokers
Presentation Identifier Goes Here 1

18. User Management
User Provisioning/De-Provisioning
Access Control
 Context-aware e.g. location-based, data sensitvity-aware
 Strong Authentication
Presentation Identifier Goes Here 1

19. Configuration Assessment
Permissions
 Applications, Users, Roles/Profiles
Configuration Change Assessments
 Did someone’s permission to sensitive data increase “unusually”?
Applications
 Which apps, What data, What users, What external services?
Presentation Identifier Goes Here 1

20. Encryption/Tokenization
Geo-Residency and Privacy Requirements
Defense in Depth
Encryption
 Key Management
 Impact on hosted application
Network Deployment Model
 Cloud Security Brokers
Dreamforce 2012 2

21. SaaS Activity Monitoring for Insider Threat Detection
Activity Logs:
Activity Logs:
Dreamforce 2012 2

22. Solution Architecture: Extending Out From The Security Ops
Cloud
Enterprise Security
End User
Brokers
Control Asset Compliance
Assessment View
SFDC Config
Checks
Information
DLP Classification View Security &
Remediation DLP Agent Content & Compliance
Agent(APEX) (APEX) Context Admin
SFDC SFDC
API API
Activity-based
Remediation Asset Feed Asset Metadata FeedActivity Feed SIEM/DI Threat detection
SFDC Security Ops
Asset Asset Activity Asset Feeds Collector
Remediation
Discovery Classification Log
API Orchestration
Dreamforce 2012 2

23. Polling Question
Which Security Solutions are you using today?
•Data Classification
•User Provisioning and Access Management
•Encryption/Tokenization
•Configuration Assessment
•Activity Monitoring
Dreamforce 2012 2

24. Deb Banerjee
Technical Director
@banerjeesec