This document discusses security issues with Software as a Service (SaaS) and potential solutions. It outlines key security concerns like data integrity, authentication, authorization and security of data transmission. The document also mentions common vulnerabilities like injection attacks, cross-site scripting, broken authentication. Researchers are pointed out to test SaaS applications for security loopholes and help vendors strengthen mechanisms to address vulnerabilities before exploitation. Overall, while SaaS provides benefits, security must be embedded throughout architecture, applications, networks and user access to fully protect from threats.

1. A Review Of Security of SaaS

2. »
»
»
»
»
»
Introduction
Background Knowledge
Key Security Attribute
Problems with SaaS Security
Contribution of Researchers
Conclusion

3. »
»
»
»
»
»
Introduction
Cloud Computing Components
SaaS
Security Key Elements
Security Concerns
Conclusion

4. » Cloud Computing:
Cloud computing refers to both the applications
delivered as services over the Internet and the
hardware and systems software in the data
centres that provide those services.
» Cloud Computing includes
 SaaS
 PaaS
 IaaS

5. • Software
• Applications
• Infrastructure
SaaS
TaaS
• Testing of:
• Software
• Applications
IaaS
PaaS
• Platform

6. » Software as a Service (SaaS) refers to “the
ability to ‘rent’ the use of software hosted by a
third party so you don’t need to buy additional
hardware or software to support it”

7. •
•
•
•
Saas Vender •
•
SaaS User
Development
Testing
Release
Register
Maintain
Upgrade
• Subscribe
• Use

8. » Security
SaaS requires more care around security than any
of other available delivery models. SaaS
application utilize network to facilitate its
customers.
» Hackers sitting on Network can cause SaaS
Applications and users at the same time
» Security should be embedded on SaaS
architecture, Database Servers, SaaS servers,
applications, Network layers and on user side

10. » In the SaaS model, the enterprise data is stored
outside the enterprise boundary, at the SaaS
vendor end. Consequently, the SaaS vendor
must adopt additional security checks to ensure
data security .This involves the use of strong
encryption techniques for data security and
fine-grained authorization to control access to
data.

11. » In a SaaS deployment model, sensitive data is
obtained from the enterprises, processed by
the SaaS application and stored at the SaaS
vendor end. All data flow over the network
needs to be secured in order to prevent leakage
of sensitive information. This involves the use
of strong network traffic encryption techniques
such as Secure Socket Layer (SSL) and the
Transport Layer Security (TLS) for security.

12. » In a SaaS model of a cloud environment, the
consumers use the applications provided by the
SaaS and process their business data. But in this
scenario, the customer does not know where
the data is getting stored. In many a cases, this
can be an issue.

13. » Data integrity is one of the most critical
elements in any system. Data integrity is easily
achieved in a standalone system with a single
database. Data integrity in such a system is
maintained via database constraints and
transactions. Transactions should follow ACID
(atomicity, consistency, isolation and durability)
properties to ensure data integrity.

14. » In SaaS, multiple users can store their data
using the applications provided by SaaS. In such
a situation, data of various users will reside at
the same location. Intrusion of data of one user
by another becomes possible in this
environment. This intrusion can be done either
by hacking through the loop holes in the
application or by injecting client code into the
SaaS system.

15. » Data access issue is mainly related to security
policies provided to the users while accessing
the data. The security policies may entitle some
considerations wherein some of the employees
are not given access to certain amount of data.

16. » Authentication
Only Register can get access into the system. This
is accomplish by assigning usernames and
passwords to registered and trusted users.

17. » Authorization
User can access only that components or
application for which they are authorized.

18. » The SaaS application needs to ensure that
enterprises are provided with service around
the clock. This involves making architectural
changes at the application and infrastructural
levels to add scalability and high availability.
Request Service
Available

19. » Identity management (IdM) or ID management
is a broad administrative area that deals with
identifying individuals in a system (such as a
country, a network or an organization) and
controlling the access to the resources in that
system by placing restrictions on the
established identities.

20. » SaaS suffers From several security risk as it uses
internet for data transmission
» In SaaS, the client has to depend on the
provider for proper security measures. The
provider must do the work to keep multiple
users’ from seeing each other’s data. So it
becomes difficult to the user to ensure that
right security measures are in place and also
difficult to get assurance that the application
will be available when needed

21. » Injection
» Cross Site Scripting
» Broken Authentication and Session
Management
» Insecure Direct Reference Objects
» Cross Site Request Forgery
» Insecure Cryptography
» Invalid Redirects and
Forwards

22. » Any query send to the interpreter containing
unsecure data is what an injection is. The
injection caused application to execute
commands which will in turn allow hacker to
access sensitive data of the application.

23. » Improper validation of data sent to the
application from untrusted source and is
uploaded on the application cause cross
scripting Site. Due to insufficient validation of
data, attacker can miss use users information
when users session is active. Attackers access to
users session can cause hijacking of users
session,

24. Hacker

25. Access Server
Hacker

26. Access Server
Hacker

27. Access Server
Hacker
Hacker

28. Access Granted
Access Server
Hacker
Hacker tends
to be
registered user

29. Hacker using
Application
Access Granted
Access Server
Hacker
Hacker tends
to be
registered user

30. » Broken Sessions and Session management point
out the problem when session ids of users are
visible. Data Sent and received in not traveling
on SSL/TSL which can cause insecure data
transmission

31. » In this kind of attacks hackers queries insist and
force users browser to submit requests as per
hackers desire. Application receiving queries
from victims system assumes that request is
from authenticated user. Hacker can process
any command on the behalf of the victim as
application is unable to recognized hackers
activity

32. » Whenever data is sent or received over
web/Internet, it is encrypted to secure actual
content and to protect sensitive information
from stealers. When sensitive data is
notproperly
encrypted
using
efficient
encryption techniques or week encryption and
hashing is implemented, there is a chance of
hackers attack and it may lead to risk of
information lose, hacked or misused.

33. Public Key infrastructure

34. » Hashing

35. » Researchers Identify cloud computing as the
emerging and beneficial IT Invention
» SaaS is Cost Effective and Reduce efforts of user
» Researchers point out security concerns in SaaS
applications and enforce SaaS vender to apply
high security mechanisms on SaaS.
» Security Tests implication to figure out
vulnerabilities and repair before hacker
penetrate into thy system

36. » SaaS is Software-as-a-Service
» SaaS unable business organization to sell their
software and applications to users over internet
on subscription or pay-as-you-go bases.
» SaaS along with all its benefit, suffers from
uncertainty due to security concerns
» Security Issues can be resolved by emphasizing
on security configuration management