Developing a security approach to your cloud and SaaS applications





Roughly 47 percent of organizations are using software-as-a-service (SaaS) applications. These applications usually contain sensitive data such as customer data and sales records. Companies often ignore the security risk and the compliance and privacy issues that come with using a SaaS application. In this session we will clarify the differences between cloud and SaaS, and then we’ll address some of the misconceptions about security that some SaaS vendors perpetuate. Next we will share some practical guidance on addressing application security whether your applications fall into the cloud or SaaS category. You’ll walk away with a strong understanding of how to address application security in both cloud and SaaS applications.



Presentation Transcript

  • Developing a security approach to your cloud and SaaS applications – Katherine Lam, HP SaaS; Ryan English, HP Professional Services. ©2010 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
  • Agenda – Introductions – Defining Cloud Security / SaaS / ASP – Security Concerns for Cloud Vendors – What to Ask Your Cloud Provider and Misconceptions – Compliance Issues – Application Security 101
  • Defining Cloud/SaaS: What is the cloud?
  • Why Companies Are Using the Cloud (comparison across four delivery models, listed here in the order In-house / Outsourced / Hosted/ASP / Cloud; uncertainty increases from left to right):
    – Who manages performance and availability? Customer / Customer and Provider / Customer and Provider / Provider
    – Who manages security? Customer / Customer & Provider / Provider / Provider
    – How is software priced? License and maintenance fee / License and maintenance fee / Subscription / Subscription (pay-as-you-go), new business value
    – Customer owns license? Yes / Yes / No / No
    – Multi-tenant architecture? Single tenant / Single tenant / Single tenant / Multi-tenant
    – Who has responsibility for operating and maintaining app and infrastructure? Customer / Provider / Provider / Provider
    Source: Adapted from Software-as-a-Service Market Update, Liz Herbert, Forrester, March 16, 2008
  • View of the Cloud (diagram): the customer site and intranet connected to the cloud, shown as SaaS, PaaS and IaaS layers with the example providers Salesforce, Microsoft Exchange, SharePoint Online, Google, SAP, Amazon and RackSpace.
  • The Business of IT Is to Deliver Services That Result in Outcomes That Matter (diagram): the IT organization acts as an internal service provider; sourced services (cloud services, hosted and managed services, internal services) feed a service portfolio, services are delivered to the business, and the business outcomes are to accelerate growth, lower costs and mitigate risk.
  • Security Concerns for the Cloud: This is an evolution, not a rip-and-replace. Characteristics and their benefits:
    – Service-centric environment: measure outcomes that matter
    – Standardized, shared services: improved cost management
    – Service level agreements: better quality control
    – Scalable and elastic: rapid response to business change
    – Automated: reduce errors and outages
    – Self service, pay per use: agility and transparency
    – Using internet technologies: ease of access and maintenance
  • Traditionally IT Has Delivered Build-to-order Services That Are Expensive to Build and Manage (diagram): the IT organization delivers each service to the business (Web site service, Blade provisioning service, Sales Forecasting service) from its own dedicated stack of people, data, servers, apps, network and storage.
  • A private/internal cloud is essentially a shared delivery model for existing IT workloads (diagram): private business services versus public business services; native cloud systems and software design; a "private cloud" shares resources across workloads, whereas dedicated delivery dedicates resources to each workload; on premises (customer-owned data center) versus off premises (service provider’s data center); the slide also shows a 75% figure.
  • Private/internal Cloud Requires a Service-centric Delivery and Consumption Model (diagram): the IT organization delivers services (business services, application services, platform services, infrastructure services) and the business consumes them through a service portfolio (Blade provisioning service, Web site service, Sales Forecasting service).
  • Getting the Benefit at All 3 Levels
    – 1. Make your services shareable: provisioning time goes from weeks to days to hours
    – 2. Make your services consumable: improve quality of service and better align to business requirements
    – 3. Make your services more valuable: calibrate the value of every service to a business outcome
  • HP Is Your Partner in Bringing All of the Pieces Together – Service portfolio and catalog – Sourcing and governance – Shared services and service management – Utility-based services, metering and reporting – Training and professional services – Support strategy
  • Cloud Computing Security Assessment
    Description:
    – Identifies potential exposures and vulnerabilities within an organization’s cloud subscriber infrastructure as well as the security governance of their cloud service providers
    – Reviews the security of the infrastructure, platforms, and applications comprising an organization’s cloud
    – Uses the Cloud Security Alliance’s Critical Areas of Focus defined within the 15 domains of cloud security emphasis
    Timeframe: 3 weeks. Availability: Initially U.S.; worldwide rollout in 2010.
    Service components and overview:
    – Cloud Computing Security Assessment Questionnaire / Survey: interview and review compliance/security personnel, policies, procedures, products, and proof using HP’s P5 Model; perform on-site review of cloud security controls and practices; complete sensitive data flow diagram and matrix
    – Cloud Computing Security Assessment Report: complete analysis of the 15 domains of cloud security emphasis; determine cloud security control maturity and compliance state; research and analyze cloud computing protection technologies and controls
    – Cloud Computing Security Findings & Recommendations Briefing: produce cloud computing security and compliance remediation roadmap; conduct management briefing and presentation of findings and recommendations
  • Cloud Assure for Security
    Description: HP Cloud Assure offers an end-to-end solution for performing security risk assessments to detect and correct security vulnerabilities. It provides common security policy definitions, automated security tests, centralized permissions control, and web access to security information.
    Availability: Available worldwide.
    Cloud components and service overview:
    – Cloud Assure for SaaS Applications: web application scans & penetration testing
    – Cloud Assure for PaaS: ensure that operating systems on the virtual image are hardened; middleware & operating system is configured; web application scans & penetration testing
    – Cloud Assure for IaaS: network scans; operating system hardening scans; web application scans & penetration testing
  • Processes: What We Test and When (Enterprise Application Security Assurance matrix): across the lifecycle phases Plan, Requirements, Architecture & Design, Build, Test and Production, the slide places Security Requirements, Threat Analysis, Secure Coding, QAInspect, ASC, WebInspect and AMP/WebInspect (the Plan phase is marked TBD), with a training track of Intro to App Sec, Secure Coding Guidelines/Library, Defect Validation and CBT/ILT New Hire Training.
  • Q&A
  • To learn more on this topic, and to connect with your peers after the conference, visit the HP Software Solutions Community: