SaaS as a Security Hazard - Google Apps Security Example

As the borderline between a web site and an application blurs, so does the division between enterprise IT and the Internet. More and more enterprises adopt core applications which are provided as a service over the Internet. Until recently these were limited to vertical applications such as sales automation and recruiting, both of which have already suffered major security incidents that compromised customer data. Google's software push has led to enterprise adoption of general-purpose cloud services including office tools, mail and knowledge management, which presents an entirely new risk level. In this presentation we will discuss the security risks of SaaS (Software as a Service) and review past incidents on such services. We will then dissect the security implications of using Google Apps as an example of a SaaS and create a checklist of things to examine in a SaaS offering before subscribing, to ensure that it provides sufficient security. Lastly we will discuss the solutions offered by Google as well as 3rd-party solutions.

Published in: Technology, Business


  1. SaaS as a Security Hazard: The Google Apps example
     Ofer Shezaf, Product Manager, Security Solutions, HP
     ©2011 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
  2. About Myself
     • I live in Kibbutz Yiftah, Israel
     • I create security products: currently Product Manager for Security Solutions at HP ArcSight; prior to that did security research and product management at Breach Security and at Fortify
     • Application security veteran: I am an OWASP leader and founder of the OWASP Israeli chapter; lead the Web Application Firewall Evaluation Criteria project; wrote the ModSecurity Core Rule Set
     • I really try to learn what information security is: read my blog at http://www.xiom.com, and be ready for some philosophy of science and cognitive psychology
  3. What are Google Apps?
     • Gmail, Calendar, Docs, Sites & Groups
     • Google's alternative to Exchange, SharePoint, Outlook and, to a lesser extent, to Office
     • Better at sharing, and in a way familiar to users
     • Bottom-up push to adopt
  4. If It Was Only Cloud…
  5. Google Apps Role in the IT Environment
     (Diagram: Hybrid Delivery across Traditional, Private Cloud, Managed Cloud and Public Cloud, with SaaS alongside; axes: customization required vs. automated provisioning)
     1. Non-critical business services will move to SaaS providers who provide some level of security
     2. Some critical business services will be deployed in private clouds with customized security controls
     3. Some workloads will move to public clouds with security components provisioned in the image
     4. Security will be componentized and automatically deployed with workloads, based on sensitivity of assets
     5. Note: future availability of hybrid capabilities
     HP Enterprise Security – HP Confidential
  6. No, it is not about SQL injection
     • So what is it about?
     • Google is better than your programmers at weeding out SQL injections
  7. Ownership
  8. Cloud Entrance Exam: Question 1. Who Owns The Data?
     • You?
     • Google?
     • Your Employee?
     • Google's Employee?
  9. Cloud Entrance Exam: Question 2. Do You Compete With Google?
     • No (are you serious?)
     • We do, but not me
     • I don't know
     • Yes (You Bet!)
  10. Cloud Entrance Exam: Question 3. Who Authorized Access to the Data?
     • Me
     • Google
     • Google, but only if the court asks
     • Google, but only if the Chinese ask
  11. Cloud Entrance Exam: Question 4. What About Illegal Material?
     • I never store such data!
     • … apart from competitive marketing and stolen images in presentations
     • … but Google would not interfere with my data. Or would they?
  12. Regulations
  13. It's All About Geography
     • Privacy: national laws; limitation of transfer of data
     • Compliance: PCI, SOX, SAS 70, ISO 27K…
     • Ownership: Google or I?
     So where is the data? And who is responsible for it?
  14. Back To Basics
  15. Where and What do we Manage?
     (Diagram: Hybrid Delivery across Traditional, Private Cloud, Managed Cloud and Public Cloud, with SaaS alongside; note: future availability of hybrid capabilities)
     • Authentication
     • Authorization
     • Audit
  16. Authentication & User Management
     • Password strength is of extreme importance in web-based services: complexity, length, lifetime
     • Two-factor authentication is preferred
     • Avoid requiring users to have multiple complex passwords (sticky-note passwords)
     • Need to make sure users are created, terminated and transferred on all services
     • SaaS MUST tie in to the enterprise directory
  17. Users Permissions & Authorization
     • Always a hazard in knowledge-sharing applications
     • Tools, both for SaaS and self-hosted, are not mature
     • Unique to SaaS solutions is the option to share externally
     • Both permissions management and permissions audit are crucial
  18. Audit
     (Diagram: Public Cloud, HP ArcSight, On/Off-Premise Data Center, remote workers)
  19. For Further Consideration
  20. Did You Consider?
     • Encryption: SSL, disks
     • Administrator access control: two-factor authentication? Only from within the organization?
     • Administration capabilities: can your administrators access users' data if needed?
     • Backup and restore: Service Level Agreement (SLA); service for accidental deletes
     • Disaster recovery
     • Way out
  21. For Further Questions
     Contact: Ofer
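Slide 17 makes the point that external sharing is unique to SaaS and that a permissions audit is crucial. The following is an added example (not from the slides, and not a real Google Apps API) of such an audit run over a constructed sharing export: the `Share` record shape, the `example.com` domain and the sample rows are all assumptions.

```python
"""Audit of SaaS document-sharing grants for exposure outside the organisation.

Added example; the record layout is hypothetical and the data is constructed.
"""
from dataclasses import dataclass

ORG_DOMAIN = "example.com"  # assumed enterprise domain


@dataclass
class Share:
    doc: str
    owner: str
    grantee: str  # e-mail address, or "anyone" for link sharing
    role: str     # "reader", "writer" or "owner"


# Constructed sample standing in for a sharing export from the SaaS provider.
SHARES = [
    Share("Q3 budget.xls", "cfo@example.com", "alice@example.com", "writer"),
    Share("Q3 budget.xls", "cfo@example.com", "bob@gmail.com", "reader"),
    Share("Roadmap.doc", "pm@example.com", "anyone", "reader"),
    Share("Roadmap.doc", "pm@example.com", "carol@partner.net", "writer"),
    Share("Team notes", "dev@example.com", "dave@example.com", "reader"),
]

RANK = {"internal": 0, "external": 1, "public": 2}  # worse exposure is higher


def classify(share, org_domain=ORG_DOMAIN):
    """Return 'public', 'external' or 'internal' for one grant."""
    if share.grantee == "anyone":
        return "public"
    domain = share.grantee.rsplit("@", 1)[-1].lower()
    return "internal" if domain == org_domain.lower() else "external"


def audit(shares, org_domain=ORG_DOMAIN):
    """Map each document to the worst exposure level among its grants."""
    worst = {}
    for s in shares:
        level = classify(s, org_domain)
        if RANK[level] >= RANK[worst.get(s.doc, "internal")]:
            worst[s.doc] = level
    return worst


def external_writers(shares, org_domain=ORG_DOMAIN):
    """Grants outside the org that allow modification: the first items to review."""
    return [(s.doc, s.grantee) for s in shares
            if s.role in ("writer", "owner") and classify(s, org_domain) != "internal"]
```

Running `audit(SHARES)` reports the roadmap as public and the budget as externally shared; `external_writers(SHARES)` narrows that to the single external write grant.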