Building Multi-tenant Highly Secured 
Applications on .NET for any Cloud - 
Demystified 
26-Jun-2013 
www.techcello.com 
Techcello hp-arch workshop (SlideShare, 18 slides)
1. Building Multi-tenant Highly Secured Applications on .NET for any Cloud - Demystified
26-Jun-2013, www.techcello.com (A Division of Asteor Software Inc)
2. Housekeeping Instructions
• All phones are set to mute. If you have any questions, please type them in the Chat window located beside the presentation panel.
• We have already received several questions from the registrants, which will be answered by the speakers during the Q&A session.
• We will continue to collect questions during the session and will try to answer them today.
• If you do not receive an answer to your question today, you will receive one via email shortly.
• Thanks for your participation and enjoy the session!
3. Techcello Introduction
• Cloud Ready, SaaS/Multi-Tenant Application Development Framework
• Provides an end-to-end SaaS lifecycle management solution
• Redefines the way enterprise software is built and managed
• Saves anywhere between 30-50% of time and cost
4. Speaker Profiles
Jothi Rengarajan, Senior Technical Architect, TechCello
• 14+ years of experience in architecting cloud and SaaS solutions for both ISVs and enterprises
• Chief architect in designing and constructing the CelloSaaS framework
• Plays a consultative role with customers in implementing technical solutions
James McGovern, Chief Architect, Hewlett-Packard
• One of the top 10 enterprise technologists in the world
• Has authored more than 6 books on computing and dozens of published articles
• Twenty years of experience in developing, managing and deploying large-scale technology systems, business processes, and strategies
5. Security in Multi-Tenancy
Protection of information: the prevention and detection of unauthorized actions, and ensuring the confidentiality and integrity of data.
• Tenant data isolation
• RBAC – prevent unauthorized actions
• Data security
• Web-related top threats as per OWASP
• Security audit trail
6. Tenant Data Isolation
• Database routing based on tenant
• Application-layer auto tenant filter
• Tenant-based view filter
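The first two isolation layers on slide 6, database routing by tenant and an application-layer auto tenant filter, as an added example in C# with EF Core (Microsoft.EntityFrameworkCore and Microsoft.EntityFrameworkCore.SqlServer). This is not CelloSaaS code; the ITenantContext interface, the Invoice entity and the two connection strings are constructed for the example.

```csharp
using System;
using System.Collections.Generic;
using Microsoft.EntityFrameworkCore;

// Resolved once per request (from the host name, a JWT claim, the session, ...) and
// injected into the context. Assumed interface, not a CelloSaaS type.
public interface ITenantContext
{
    Guid TenantId { get; }
}

// Every tenant-owned table carries the owning tenant.
public class Invoice
{
    public int Id { get; set; }
    public Guid TenantId { get; set; }
    public decimal Amount { get; set; }
}

public class TenantDbContext : DbContext
{
    private readonly ITenantContext _tenant;

    // Constructed sample routing table; in practice it is loaded from the tenant catalog.
    private static readonly IReadOnlyDictionary<Guid, string> ConnectionByTenant = new Dictionary<Guid, string>
    {
        [Guid.Parse("11111111-1111-1111-1111-111111111111")] = "Server=sql-a;Database=Tenant_Acme;Integrated Security=true",
        [Guid.Parse("22222222-2222-2222-2222-222222222222")] = "Server=sql-b;Database=Tenant_Globex;Integrated Security=true",
    };

    public TenantDbContext(ITenantContext tenant) => _tenant = tenant;

    public DbSet<Invoice> Invoices => Set<Invoice>();

    // Database routing based on tenant: an unknown tenant fails closed instead of
    // falling back to a shared default database.
    protected override void OnConfiguring(DbContextOptionsBuilder options)
    {
        if (!ConnectionByTenant.TryGetValue(_tenant.TenantId, out var connectionString))
            throw new InvalidOperationException($"no database mapped for tenant {_tenant.TenantId}");
        options.UseSqlServer(connectionString);
    }

    // Application-layer auto tenant filter: EF Core appends "WHERE TenantId = @current"
    // to every LINQ query over Invoice, so a forgotten predicate cannot leak another
    // tenant's rows. The filter reads the context field, so it is evaluated per request.
    protected override void OnModelCreating(ModelBuilder modelBuilder)
    {
        modelBuilder.Entity<Invoice>().HasQueryFilter(i => i.TenantId == _tenant.TenantId);
    }

    // Writes get the same treatment: inserts are stamped, cross-tenant updates/deletes are refused.
    public override int SaveChanges()
    {
        foreach (var entry in ChangeTracker.Entries<Invoice>())
        {
            if (entry.State == EntityState.Added)
                entry.Entity.TenantId = _tenant.TenantId;
            else if ((entry.State == EntityState.Modified || entry.State == EntityState.Deleted)
                     && entry.Entity.TenantId != _tenant.TenantId)
                throw new UnauthorizedAccessException("cross-tenant write blocked");
        }
        return base.SaveChanges();
    }
}
```

The query filter is bypassed by an explicit IgnoreQueryFilters() call and by any raw ADO.NET query that does not go through the context, so both deserve a code-review rule. The slide's third layer, a tenant-based view filter in the database itself, catches what the application layer misses.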
7. Role Based Access Control (RBAC) – Authentication
• Kinds of authentication tokens and their source
  • Username/password
  • Multi-factor authentication
  • Claims-based authentication
• User identification information
  • Encrypted cookie
  • Session identity store
  • Custom store
• Password storage: salted hashing with a slow hash (PBKDF2, bcrypt), not reversible encryption
• Password change policy externalization
• Active Directory integration
• Identity federation
8. Role Based Access Control (RBAC) – Federation servers
• Oracle Identity Federation Server
• ADFS
• Azure Access Control Service
9. Role Based Access Control (RBAC) – Authorization
• Use privileges to define roles
• Privilege-based control for actions
• Privilege-based access for data
• Roles mapped to privileges, users mapped to roles
• Code demands the necessary privileges
• Roles should be defined by business users
• Configuration-based privilege control
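The privilege model of slides 7 to 9 in code, as an added example rather than the CelloSaaS API: roles are sets of privileges, a user holds roles per tenant, and service code demands a privilege, never a role name. PrivilegeStore, InvoiceService and the privilege names are constructed for the example.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

// Configuration-driven privilege store: roles are sets of privileges, users hold
// roles per tenant. Both tables are data a business user edits; no role name
// appears in application code. Assumed class, not a CelloSaaS API.
public sealed class PrivilegeStore
{
    private readonly Dictionary<string, HashSet<string>> _rolePrivileges =
        new(StringComparer.OrdinalIgnoreCase);
    private readonly Dictionary<(Guid Tenant, string User), HashSet<string>> _userRoles = new();

    public void DefineRole(string role, params string[] privileges) =>
        _rolePrivileges[role] = new HashSet<string>(privileges, StringComparer.OrdinalIgnoreCase);

    public void AssignRole(Guid tenant, string user, string role)
    {
        if (!_rolePrivileges.ContainsKey(role))
            throw new ArgumentException($"undefined role {role}");
        if (!_userRoles.TryGetValue((tenant, user), out var roles))
            _userRoles[(tenant, user)] = roles = new HashSet<string>(StringComparer.OrdinalIgnoreCase);
        roles.Add(role);
    }

    // Deny by default: no row for (tenant, user) means no privileges at all.
    public bool HasPrivilege(Guid tenant, string user, string privilege) =>
        _userRoles.TryGetValue((tenant, user), out var roles)
        && roles.Any(r => _rolePrivileges.TryGetValue(r, out var p) && p.Contains(privilege));
}

// Code demands the privilege it needs, never a role name. The demand is the only gate.
public sealed class InvoiceService
{
    private readonly PrivilegeStore _store;
    public InvoiceService(PrivilegeStore store) => _store = store;

    private void Demand(Guid tenant, string user, string privilege)
    {
        if (!_store.HasPrivilege(tenant, user, privilege))
            throw new UnauthorizedAccessException($"{user} lacks {privilege} in tenant {tenant}");
    }

    public string ViewInvoice(Guid tenant, string user, int invoiceId)
    {
        Demand(tenant, user, "Invoice.View");
        return $"invoice {invoiceId} (tenant {tenant})";
    }

    public void ApproveInvoice(Guid tenant, string user, int invoiceId)
    {
        Demand(tenant, user, "Invoice.Approve");
        Console.WriteLine($"invoice {invoiceId} approved by {user}");
    }
}

public static class Demo
{
    public static void Main()
    {
        var store = new PrivilegeStore();
        store.DefineRole("Finance", "Invoice.View", "Invoice.Approve");
        store.DefineRole("Clerk", "Invoice.View");

        var acme = Guid.NewGuid();
        var globex = Guid.NewGuid();
        store.AssignRole(acme, "alice", "Finance");
        store.AssignRole(globex, "alice", "Clerk");   // same identity, weaker role in another tenant

        var svc = new InvoiceService(store);
        svc.ApproveInvoice(acme, "alice", 42);        // allowed
        Console.WriteLine(svc.ViewInvoice(globex, "alice", 7));
        try { svc.ApproveInvoice(globex, "alice", 7); }   // Clerk has no Invoice.Approve
        catch (UnauthorizedAccessException e) { Console.WriteLine("denied: " + e.Message); }
        try { svc.ViewInvoice(acme, "mallory", 42); }     // no roles anywhere: denied
        catch (UnauthorizedAccessException e) { Console.WriteLine("denied: " + e.Message); }
    }
}
```

Keying the user-to-role map on (tenant, user) is what makes the same login carry different privileges in different tenants; checking a role name directly in code would defeat the "roles defined by business users" point, because renaming or splitting a role would then require a code change.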
10. OWASP – Top 10 Threats 2013
• A1 Injection
• A2 Broken Authentication and Session Management (was formerly A3)
• A3 Cross-Site Scripting (XSS) (was formerly A2)
• A4 Insecure Direct Object References
• A5 Security Misconfiguration (was formerly A6)
• A6 Sensitive Data Exposure (merged from former A7 Insecure Cryptographic Storage and former A9 Insufficient Transport Layer Protection)
• A7 Missing Function Level Access Control (renamed/broadened from former A8 Failure to Restrict URL Access)
• A8 Cross-Site Request Forgery (CSRF) (was formerly A5)
• A9 Using Known Vulnerable Components (new, but was part of former A6 Security Misconfiguration)
• A10 Unvalidated Redirects and Forwards
11. OWASP – Open Web Application Security Project
Web application top threats and their mitigations
• Man-in-the-middle attack
  • Use a secure channel – HTTPS
• SQL injection
  • Use parameterized queries
• Malicious script injection and cross-site scripting (XSS)
  • Where HTML input is expected, validate that it is safe HTML
  • URL-escape, HTML-escape and JavaScript-escape untrusted data according to the context it is rendered in
• Cross-site request forgery (CSRF)
  • Challenge-response such as CAPTCHA
  • Synchronizer token
  • Origin header check
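The two mitigations on slide 11 that live entirely in application code, parameterized queries against SQL injection and context-specific escaping against XSS, as an added C# example (not the deck's code), using Microsoft.Data.SqlClient and System.Text.Encodings.Web. The Tenant table, the tenant-code lookup and the sample payload are constructed for the example.

```csharp
using System;
using System.Data;
using System.Text.Encodings.Web;
using Microsoft.Data.SqlClient;

public static class TenantLookup
{
    // Vulnerable (A1): the tenant code is pasted into the statement text.
    // The input  x' OR '1'='1  turns the lookup into "every tenant".
    public static string VulnerableSql(string tenantCode) =>
        "SELECT Id, Name FROM Tenant WHERE Code = '" + tenantCode + "'";

    // Fixed: the value travels as a typed, length-bounded parameter; the statement text is constant.
    public static SqlCommand ParameterizedCommand(SqlConnection connection, string tenantCode)
    {
        var cmd = new SqlCommand("SELECT Id, Name FROM Tenant WHERE Code = @code", connection);
        cmd.Parameters.Add("@code", SqlDbType.NVarChar, 64).Value = tenantCode;
        return cmd;
    }
}

public static class SafeOutput
{
    // A3: escape for the context the data lands in. The same string needs a different
    // encoding in an HTML element body, inside a JavaScript string literal, and in a URL query value.
    public static string ForHtmlBody(string untrusted) => HtmlEncoder.Default.Encode(untrusted);
    public static string ForJsStringLiteral(string untrusted) => JavaScriptEncoder.Default.Encode(untrusted);
    public static string ForUrlQueryValue(string untrusted) => UrlEncoder.Default.Encode(untrusted);

    public static void Main()
    {
        const string payload = "<script>alert(document.cookie)</script>";   // constructed sample input

        Console.WriteLine(TenantLookup.VulnerableSql("x' OR '1'='1"));   // shows the injected predicate

        Console.WriteLine(ForHtmlBody(payload));
        Console.WriteLine(ForJsStringLiteral(payload));
        Console.WriteLine(ForUrlQueryValue(payload));
    }
}
```

For the CSRF row of the slide, ASP.NET MVC and ASP.NET Core ship the synchronizer token pattern as Html.AntiForgeryToken() in the form plus [ValidateAntiForgeryToken] on the action; a CAPTCHA is a usability cost that only makes sense on a handful of high-risk actions.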
12. Data Security – Data Storage
Encryption
• Prefer symmetric over asymmetric encryption for stored data because of performance
• Use strong keys
• Change keys periodically
Key storage
• Store keys in a key vault, away from the encrypted data
• Double encryption
• Dual key storage
Database encryption
• Watch for performance implications
• Encrypt only the necessary columns
13. Data Security – Sample Encryption/Decryption Approach
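Slide 13 is a diagram whose text did not survive extraction, so what follows is an added example of the points on slide 12, not the approach drawn on that slide: symmetric column-level encryption (AES-256-GCM), keys held by a key provider that stands in for the vault and never stored beside the data, a key identifier stored with each ciphertext so keys can be rotated, and the tenant id bound into the ciphertext so a value copied between tenants does not decrypt. IKeyProvider, the in-memory keys and the sample value are constructed for the example; the AesGcm constructor with an explicit tag size requires .NET 8 or later.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;

// Stand-in for the key vault on slide 12: keys live here, never in the database.
// Assumed interface and constructed keys, not the approach drawn on slide 13.
public interface IKeyProvider
{
    string CurrentKeyId { get; }
    byte[] GetKey(string keyId);
}

public sealed class InMemoryKeyProvider : IKeyProvider
{
    private readonly Dictionary<string, byte[]> _keys = new()
    {
        ["k-2013-06"] = RandomNumberGenerator.GetBytes(32),   // retired key, still needed to read old rows
        ["k-2013-07"] = RandomNumberGenerator.GetBytes(32),   // current key (AES-256)
    };
    public string CurrentKeyId => "k-2013-07";
    public byte[] GetKey(string keyId) =>
        _keys.TryGetValue(keyId, out var key) ? key : throw new KeyNotFoundException(keyId);
}

// Column-level encryption for the few columns that need it ("encrypt only necessary columns").
public sealed class ColumnCipher
{
    private const int NonceSize = 12, TagSize = 16;
    private readonly IKeyProvider _keys;
    public ColumnCipher(IKeyProvider keys) => _keys = keys;

    // Stored value: "<keyId>.<base64(nonce || tag || ciphertext)>". Tenant id and column
    // name are bound as associated data, so a ciphertext copied into another tenant's
    // row (or another column) fails authentication instead of decrypting.
    public string Encrypt(Guid tenantId, string column, string plaintext)
    {
        var keyId = _keys.CurrentKeyId;
        var nonce = RandomNumberGenerator.GetBytes(NonceSize);   // fresh per value; never reuse with the same key
        var pt = Encoding.UTF8.GetBytes(plaintext);
        var blob = new byte[NonceSize + TagSize + pt.Length];
        nonce.CopyTo(blob, 0);
        using var aes = new AesGcm(_keys.GetKey(keyId), TagSize);
        aes.Encrypt(nonce, pt, blob.AsSpan(NonceSize + TagSize), blob.AsSpan(NonceSize, TagSize), Aad(tenantId, column));
        return keyId + "." + Convert.ToBase64String(blob);
    }

    public string Decrypt(Guid tenantId, string column, string stored)
    {
        var dot = stored.IndexOf('.');
        var keyId = stored[..dot];
        var blob = Convert.FromBase64String(stored[(dot + 1)..]);
        var pt = new byte[blob.Length - NonceSize - TagSize];
        using var aes = new AesGcm(_keys.GetKey(keyId), TagSize);
        // Throws CryptographicException when the tag does not verify (tampering, wrong key, wrong tenant/column).
        aes.Decrypt(blob.AsSpan(0, NonceSize), blob.AsSpan(NonceSize + TagSize), blob.AsSpan(NonceSize, TagSize), pt, Aad(tenantId, column));
        return Encoding.UTF8.GetString(pt);
    }

    // "Change keys periodically": rows still under an older key are re-encrypted lazily on next write.
    public bool NeedsRekey(string stored) => !stored.StartsWith(_keys.CurrentKeyId + ".", StringComparison.Ordinal);

    private static byte[] Aad(Guid tenantId, string column) => Encoding.UTF8.GetBytes(tenantId + ":" + column);
}

public static class Demo
{
    public static void Main()
    {
        var cipher = new ColumnCipher(new InMemoryKeyProvider());
        var acme = Guid.NewGuid();
        var globex = Guid.NewGuid();

        var stored = cipher.Encrypt(acme, "TaxId", "123-45-6789");   // constructed sample value
        Console.WriteLine(stored);
        Console.WriteLine(cipher.Decrypt(acme, "TaxId", stored));
        Console.WriteLine("needs rekey: " + cipher.NeedsRekey(stored));

        try { cipher.Decrypt(globex, "TaxId", stored); }   // same ciphertext under another tenant's row
        catch (CryptographicException) { Console.WriteLine("rejected: authentication tag mismatch"); }
    }
}
```

Two caveats the slide's "watch for performance implications" hides: an encrypted column cannot be indexed or searched by value, so choose the columns with that in mind, and a random 96-bit GCM nonce is only safe while the number of values encrypted under one key stays well below 2^32, which is one more reason to rotate keys on a schedule.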
14. Data Security – Data Transit
Web server to application server
• SOAP web service
  • WS-Security
  • Message security
  • Transport security – HTTPS
  • Client authentication – username, certificate, claims federation
• REST
  • HTTPS
  • Custom asymmetric encryption
  • Custom authentication
End-user browser to web server
• HTTPS
• Custom encryption
Application to database
• Transport security
15. Security Audit – Event Audit
• Covers
  • Who performs the action?
  • What action is performed?
  • In what context is the operation performed?
  • When is the action performed?
• Event audit record – subject, target, context, user, date/time
• Audit details stored in a separate datastore for better performance
• Real-time audit details – audit cache server
16. Security Audit – Transaction and Change Audit
• Transaction audit
  • Snapshot: an exact copy of the row stored in history tables
  • More suitable when past data is read often
  • More data growth
• Change audit
  • Only the delta of the state change is captured in change tables
  • More suitable when changes must be reported and past data is rarely needed
  • Used more for security tracking purposes
  • Easier to implement with facilities the RDBMS provides out of the box, such as Change Data Capture (CDC) in SQL Server
• Asynchronous mode: for better performance, and when an audit failure must not roll back the business transaction, write the audit on an asynchronous thread (accepting that events still queued at a crash can be lost)
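The event-audit record of slide 15 written in the asynchronous mode slide 16 recommends, as an added C# example (not CelloSaaS code): request threads enqueue onto a bounded System.Threading.Channels queue and a single background writer drains it to the audit store, so a slow or failing store never delays or rolls back the business transaction. AuditEvent, AsyncAuditLog and the printing sink are constructed for the example.

```csharp
using System;
using System.Threading.Channels;
using System.Threading.Tasks;

// One event-audit record: who (user), what (action on subject/target), in what
// context, when. Assumed shape, following slide 15.
public sealed record AuditEvent(
    DateTimeOffset At, Guid TenantId, string User, string Subject, string Action, string Target, string Context);

// Request threads enqueue; one background writer drains to the audit store, so a slow
// or failing audit store neither delays nor rolls back the business transaction.
public sealed class AsyncAuditLog : IAsyncDisposable
{
    private readonly Channel<AuditEvent> _queue;
    private readonly Func<AuditEvent, Task> _sink;
    private readonly Task _writer;

    public AsyncAuditLog(Func<AuditEvent, Task> sink, int capacity = 10_000)
    {
        _sink = sink;
        // Wait (back-pressure) rather than DropOldest: silently discarding audit events
        // is the wrong failure mode for a security trail.
        _queue = Channel.CreateBounded<AuditEvent>(new BoundedChannelOptions(capacity)
        {
            FullMode = BoundedChannelFullMode.Wait,
            SingleReader = true,
        });
        _writer = Task.Run(DrainAsync);
    }

    // Called from the request path: returns as soon as the event is queued.
    public ValueTask RecordAsync(Guid tenant, string user, string subject, string action, string target, string context) =>
        _queue.Writer.WriteAsync(new AuditEvent(DateTimeOffset.UtcNow, tenant, user, subject, action, target, context));

    private async Task DrainAsync()
    {
        await foreach (var e in _queue.Reader.ReadAllAsync())
        {
            try { await _sink(e); }
            catch (Exception ex)
            {
                // A real writer retries or spools to local disk; the failure must not reach the request.
                Console.Error.WriteLine($"audit sink failed for {e.Action} {e.Subject}: {ex.Message}");
            }
        }
    }

    // Flush on shutdown so the tail of the trail is written. Events still queued at a
    // crash are lost, which is the price of the asynchronous mode.
    public async ValueTask DisposeAsync()
    {
        _queue.Writer.Complete();
        await _writer;
    }
}

public static class Demo
{
    public static async Task Main()
    {
        // Constructed sink: prints instead of writing to the separate audit datastore.
        await using var audit = new AsyncAuditLog(e =>
        {
            Console.WriteLine($"{e.At:o} tenant={e.TenantId} user={e.User} {e.Action} {e.Subject}->{e.Target} ctx={e.Context}");
            return Task.CompletedTask;
        });

        var tenant = Guid.NewGuid();
        await audit.RecordAsync(tenant, "alice", "Invoice", "Approve", "Invoice#42", "InvoiceController.Approve");
        await audit.RecordAsync(tenant, "alice", "User", "AssignRole", "bob->Finance", "RoleController.Assign");
    }
}
```

The sink is where the slide's "separate datastore" goes; because the writer is the only thing touching it, batching inserts there is straightforward and keeps the audit store off the request path entirely.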
17. Cello Stack – At a Glance
How does it work? (architecture diagram of the Cloud Ready, Multi-Tenant Application Development Framework)
Module groups shown: Administrative Modules, Security Modules, Enterprise Engines, Integration Modules, Configurability Modules, Code Productivity Boosters, Cello Cloud Adapters.
Components shown: Tenant Management, Licensing, Metering, Billing, Data Backup, Provisioning, User Management, Role/Privilege Management, Auditing, Single Sign-on, Dynamic Data Scope, Business Rules, Workflow, Dynamic Forms, Custom Fields, Custom LoV, Ad-hoc Builders, Settings Template, Events, Notification Templates, Query/Chart/Reports, Templates, Master Data Management, Forms Generation, Application Multi-Tenancy & Tenant Data Isolation, Themes & Logo, Pre & Post Processors.
18. Contact Details
Jothi Rengarajan (jothi.r@techcello.com)
James McGovern (james.mcgovern@hp.com)
Reference URLs
Web: http://www.techcello.com
ROI Calculator: http://www.techcello.com/techcello-roi-calculator
Demo Videos: http://www.techcello.com/techcello-resources/techcello-product-demo
SaaS e-Book: http://www.techcello.com/techcello-resources/techcello-resources-white-papers
Thank You