SlideShare a Scribd company logo

SaaS as a Security Hazard - Google Apps Security Example

Newvewm
Newvewm

As the borderline between a web site and an application blurs, so does the division between the enterprise IT and the internet. More and more enterprises adapt core applications which are provided as a service over the Internet. Until recently those where limited to vertical applications such as salesforce.com for sales automation and monster.com for recruiting, both of which have already suffered major security issues that compromises customer data. Google software push has led to enterprise adaption of general purpose cloud services including office tools, mail and knowledge management, which presents an entirely new risk level. In this presentation we will discuss the security risks of SaaS (Software as a service) and review past incidents on such services. We will than dissect the security implications of using Google Apps as an example for a SaaS and create a checklist of things to examine in a SaaS offering before subscribing to ensure that it provides sufficient security. Lastly we will discuss the solutions offered by Google as well as 3rd party solutions.

TechnologyBusiness
1 of 21
Download to read offline
SaaS as a Security Hazard The Google Apps example Ofer Shezaf, Product Manager, Security Solutions HP ArcSight ofr@hp.cm ©2011 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice
About Myself I live in Kibbutz Yiftah, Israel I create Currently, Product Manager for Security Solutions at HP ArcSight security products Prior to that did security research and product management at Breach Security & at Fortify I am an OWASP leader and founder of the OWASP Israeli chapter application Leads the Web Application Firewall Evaluation Criteria project security veteran Wrote the ModSecurity Core Rule Set I really try to Read my blog at http://www.xiom.com learn what information Be ready to some philosophy of science and cognitive security is psychology
What are Google Apps? Gmail, Calendar, Docs, Sites & Groups Google alternative to Exchange, SharePoint, Outlook and to a lesser extent to Office. Better at sharing and in a way familiar to users Bottom up push to adapt.
If It Was Only Cloud…
Google Apps Role in the IT Environment Hybrid Delivery Traditional Private Cloud Managed Cloud Public Cloud Non-critical business services will 1 SAAS move to SaaS providers who provide some level of security Some critical business services will be deployed in 2 SAAS private clouds with customized security controls Some work-loads will move to public clouds with SAAS 3 security components provisioned in image Security will be componentized and automatically 4 deployed with work-loads, based on sensitivity of assets customization automated required provisioning Note: future availability of hybrid capabilities 5 HP Enterprise Security – HP Confidential
No, it is not about SQL injection Google is better than your So what is it programmers about? in weeding out SQL injections
Ownership
Cloud Entrance Exam: Question 1 Who Owns The Data? You? Google? Your Employee? Google’s Employee?
Cloud Entrance Exam: Question 2 Do You Compete With Google? No (are you serious?) We do, but not me I don’t know Yes (You Bet!)
Cloud Entrance Exam: Question 3 Who Authorized Access to the Data? Me Google Google, but only if the court asks Google, but only if the Chinese ask
Cloud Entrance Exam: Question 4 What About Illegal Material? I never store such data! … apart from competitive marketing and stolen images in presentations … but Google would not interfere with my data Or would they?
Regulations
It’s All About Geography • National laws Privacy • Limitation of transfer of data • PCI, SOX, So where is the data? Compliance SAS 70, ISO 27K… And who is responsible for it? Ownership • Google or I?
Back To Basics
Where and What do we Manage? Hybrid Delivery Authenticatio n Traditional Private Cloud Managed Cloud Public Cloud SAAS Authorization SAAS SAAS Audit Note: future availability of hybrid capabilities 15 HP Enterprise Security – HP Confidential
Authentication & User Management Password strength is of extreme importance in web based services. • Complexity, length, lifetime • Two factor authentication is preferred. Avoid requiring users to have multiple complex passwords • Sticky note passwords Need to make sure users are created, terminated and transferred on all services. SaaS MUST tie in to enterprise directory.
Users Permissions & Authorization Always a hazard in knowledge Tools both for sharing SaaS and self applications. hosted are not mature. Unique to SaaS solutions is the option to share externally. Both permissions management and permissions audit are crucial
Audit Public Cloud HP ArcSight On/Off-Premise Data Center remote workers
For Further Consideration
Did You Consider? Encryption: SSL Disks Administrator Two factor authentication? Access Control Only from within the organization? Administration Can your administrators access users data if needed? Capabilities Backup and Service Level Agreement (SLA) Restore Service for Accidental Deletes Disaster Recovery Way out
For Further Questions Contact: Ofer Shezaf ofr@hp.com

Recommended

Challenges in Cloud Migration & Solutions
Challenges in Cloud Migration & SolutionsChallenges in Cloud Migration & Solutions
Challenges in Cloud Migration & Solutions
Lavina Pinheiro
 
Cloud monitoring overview
Cloud monitoring overviewCloud monitoring overview
Cloud monitoring overviewDr. Ramkumar Lakshminarayanan
 
Cloud Circle Talk - Enterprise Architecture, Cloud Computing and Integrations
Cloud Circle Talk - Enterprise Architecture, Cloud Computing and IntegrationsCloud Circle Talk - Enterprise Architecture, Cloud Computing and Integrations
Cloud Circle Talk - Enterprise Architecture, Cloud Computing and Integrationspaulfallon
 
How to use Microsoft Graph in your applications
How to use Microsoft Graph in your applicationsHow to use Microsoft Graph in your applications
How to use Microsoft Graph in your applications
Mohamed Ashiq Faleel
 
Soa Eai Ver1 0
Soa Eai Ver1 0Soa Eai Ver1 0
Soa Eai Ver1 0
Maganathin Veeraragaloo
 
Microsoft Azure in 5 minutes
Microsoft Azure in 5 minutesMicrosoft Azure in 5 minutes
Microsoft Azure in 5 minutes
Brian Blanchard
 
Governing in the Cloud
Governing in the CloudGoverning in the Cloud
Governing in the Cloud
Rolf Frydenberg
 
What's New In Microsoft System Center 2016 & OMS
What's New In Microsoft System Center 2016 & OMSWhat's New In Microsoft System Center 2016 & OMS
What's New In Microsoft System Center 2016 & OMS
Asaf Nakash
 

Recommended

Challenges in Cloud Migration & Solutions
Challenges in Cloud Migration & SolutionsChallenges in Cloud Migration & Solutions
Challenges in Cloud Migration & Solutions
Lavina Pinheiro
 
Cloud monitoring overview
Cloud monitoring overviewCloud monitoring overview
Cloud monitoring overviewDr. Ramkumar Lakshminarayanan
 
Cloud Circle Talk - Enterprise Architecture, Cloud Computing and Integrations
Cloud Circle Talk - Enterprise Architecture, Cloud Computing and IntegrationsCloud Circle Talk - Enterprise Architecture, Cloud Computing and Integrations
Cloud Circle Talk - Enterprise Architecture, Cloud Computing and Integrationspaulfallon
 
How to use Microsoft Graph in your applications
How to use Microsoft Graph in your applicationsHow to use Microsoft Graph in your applications
How to use Microsoft Graph in your applications
Mohamed Ashiq Faleel
 
Soa Eai Ver1 0
Soa Eai Ver1 0Soa Eai Ver1 0
Soa Eai Ver1 0
Maganathin Veeraragaloo
 
Microsoft Azure in 5 minutes
Microsoft Azure in 5 minutesMicrosoft Azure in 5 minutes
Microsoft Azure in 5 minutes
Brian Blanchard
 
Governing in the Cloud
Governing in the CloudGoverning in the Cloud
Governing in the Cloud
Rolf Frydenberg
 
What's New In Microsoft System Center 2016 & OMS
What's New In Microsoft System Center 2016 & OMSWhat's New In Microsoft System Center 2016 & OMS
What's New In Microsoft System Center 2016 & OMS
Asaf Nakash
 
XaaS as a Modern Infrastructure for eGoverement Busines Model in the Republic...
XaaS as a Modern Infrastructure for eGoverement Busines Model in the Republic...XaaS as a Modern Infrastructure for eGoverement Busines Model in the Republic...
XaaS as a Modern Infrastructure for eGoverement Busines Model in the Republic...Sberbank d.d.
 
What do you need to know to scale your business to China using Microsoft Azure
What do you need to know to scale your business to China using Microsoft AzureWhat do you need to know to scale your business to China using Microsoft Azure
What do you need to know to scale your business to China using Microsoft Azure
Asaf Nakash
 
Cloud Camp: Infrastructure as a service advance workloads
Cloud Camp: Infrastructure as a service advance workloadsCloud Camp: Infrastructure as a service advance workloads
Cloud Camp: Infrastructure as a service advance workloads
Asaf Nakash
 
Microsoft Azure For Solutions Architects
Microsoft Azure For Solutions ArchitectsMicrosoft Azure For Solutions Architects
Microsoft Azure For Solutions Architects
Roy Kim
 
Saas security
Saas securitySaas security
Saas security
Sandeep Sharma IIMK Smart City,IoT,Bigdata,Cloud,BI,DW
 
Azure Operation Management Suite - security and compliance
Azure Operation Management Suite - security and complianceAzure Operation Management Suite - security and compliance
Azure Operation Management Suite - security and compliance
Asaf Nakash
 
The Three Musketeers (Authentication, Authorization, Accounting)
The Three Musketeers (Authentication, Authorization, Accounting)The Three Musketeers (Authentication, Authorization, Accounting)
The Three Musketeers (Authentication, Authorization, Accounting)
Sarah Conway
 
Modernize Java Apps on Microsoft Azure
Modernize Java Apps on Microsoft AzureModernize Java Apps on Microsoft Azure
Modernize Java Apps on Microsoft Azure
David J Rosenthal
 
Dropping ACID - Building Scalable Systems That Work
Dropping ACID - Building Scalable Systems That WorkDropping ACID - Building Scalable Systems That Work
Dropping ACID - Building Scalable Systems That Work
Chris Patterson
 
Ead pertemuan-12
Ead pertemuan-12Ead pertemuan-12
Ead pertemuan-12Yudha Arif Budiman
 
Windows Azure in Qatar
Windows Azure in QatarWindows Azure in Qatar
Windows Azure in Qatar
guestb9112
 
Azure Hybrid Integration Options
Azure Hybrid Integration OptionsAzure Hybrid Integration Options
Azure Hybrid Integration Options
Alessandro Moura
 
Moonshot Brainstorming Strawman
Moonshot Brainstorming StrawmanMoonshot Brainstorming Strawman
Moonshot Brainstorming StrawmanChris Phillips
 
Introduction to Azure Blueprints
Introduction to Azure BlueprintsIntroduction to Azure Blueprints
Introduction to Azure Blueprints
Cheah Eng Soon
 
Event Driven Architecture
Event Driven ArchitectureEvent Driven Architecture
Event Driven Architecture
Chris Patterson
 
Windows Azure Platform
Windows Azure PlatformWindows Azure Platform
Windows Azure Platform
David Chou
 
Massive Lift & Shift Migrations to Microsoft Azure with the Microsoft Migrati...
Massive Lift & Shift Migrations to Microsoft Azure with the Microsoft Migrati...Massive Lift & Shift Migrations to Microsoft Azure with the Microsoft Migrati...
Massive Lift & Shift Migrations to Microsoft Azure with the Microsoft Migrati...
Morgan Simonsen
 
Implementing Cisco AAA
Implementing Cisco AAAImplementing Cisco AAA
Implementing Cisco AAA
dkaya
 
Ibm cloud forum managing heterogenousclouds_final
Ibm cloud forum managing heterogenousclouds_finalIbm cloud forum managing heterogenousclouds_final
Ibm cloud forum managing heterogenousclouds_finalMauricio Godoy
 
The security of SAAS and private cloud
The security of SAAS and private cloudThe security of SAAS and private cloud
The security of SAAS and private cloud
Azure Group
 
Df2012 securing information_assets_in_saa_s_clouds_3_0
Df2012 securing information_assets_in_saa_s_clouds_3_0Df2012 securing information_assets_in_saa_s_clouds_3_0
Df2012 securing information_assets_in_saa_s_clouds_3_0debbanerjee
 
Moving To SaaS
Moving To SaaSMoving To SaaS
Moving To SaaS
Alistair Croll
 

More Related Content

What's hot

XaaS as a Modern Infrastructure for eGoverement Busines Model in the Republic...
XaaS as a Modern Infrastructure for eGoverement Busines Model in the Republic...XaaS as a Modern Infrastructure for eGoverement Busines Model in the Republic...
XaaS as a Modern Infrastructure for eGoverement Busines Model in the Republic...Sberbank d.d.
 
What do you need to know to scale your business to China using Microsoft Azure
What do you need to know to scale your business to China using Microsoft AzureWhat do you need to know to scale your business to China using Microsoft Azure
What do you need to know to scale your business to China using Microsoft Azure
Asaf Nakash
 
Cloud Camp: Infrastructure as a service advance workloads
Cloud Camp: Infrastructure as a service advance workloadsCloud Camp: Infrastructure as a service advance workloads
Cloud Camp: Infrastructure as a service advance workloads
Asaf Nakash
 
Microsoft Azure For Solutions Architects
Microsoft Azure For Solutions ArchitectsMicrosoft Azure For Solutions Architects
Microsoft Azure For Solutions Architects
Roy Kim
 
Azure Operation Management Suite - security and compliance
Azure Operation Management Suite - security and complianceAzure Operation Management Suite - security and compliance
Azure Operation Management Suite - security and compliance
Asaf Nakash
 
The Three Musketeers (Authentication, Authorization, Accounting)
The Three Musketeers (Authentication, Authorization, Accounting)The Three Musketeers (Authentication, Authorization, Accounting)
The Three Musketeers (Authentication, Authorization, Accounting)
Sarah Conway
 
Modernize Java Apps on Microsoft Azure
Modernize Java Apps on Microsoft AzureModernize Java Apps on Microsoft Azure
Modernize Java Apps on Microsoft Azure
David J Rosenthal
 
Dropping ACID - Building Scalable Systems That Work
Dropping ACID - Building Scalable Systems That WorkDropping ACID - Building Scalable Systems That Work
Dropping ACID - Building Scalable Systems That Work
Chris Patterson
 
Windows Azure in Qatar
Windows Azure in QatarWindows Azure in Qatar
Windows Azure in Qatar
guestb9112
 
Azure Hybrid Integration Options
Azure Hybrid Integration OptionsAzure Hybrid Integration Options
Azure Hybrid Integration Options
Alessandro Moura
 
Moonshot Brainstorming Strawman
Moonshot Brainstorming StrawmanMoonshot Brainstorming Strawman
Moonshot Brainstorming StrawmanChris Phillips
 
Introduction to Azure Blueprints
Introduction to Azure BlueprintsIntroduction to Azure Blueprints
Introduction to Azure Blueprints
Cheah Eng Soon
 
Event Driven Architecture
Event Driven ArchitectureEvent Driven Architecture
Event Driven Architecture
Chris Patterson
 
Windows Azure Platform
Windows Azure PlatformWindows Azure Platform
Windows Azure Platform
David Chou
 
Massive Lift & Shift Migrations to Microsoft Azure with the Microsoft Migrati...
Massive Lift & Shift Migrations to Microsoft Azure with the Microsoft Migrati...Massive Lift & Shift Migrations to Microsoft Azure with the Microsoft Migrati...
Massive Lift & Shift Migrations to Microsoft Azure with the Microsoft Migrati...
Morgan Simonsen
 
Implementing Cisco AAA
Implementing Cisco AAAImplementing Cisco AAA
Implementing Cisco AAA
dkaya
 
Ibm cloud forum managing heterogenousclouds_final
Ibm cloud forum managing heterogenousclouds_finalIbm cloud forum managing heterogenousclouds_final
Ibm cloud forum managing heterogenousclouds_finalMauricio Godoy
 
The security of SAAS and private cloud
The security of SAAS and private cloudThe security of SAAS and private cloud
The security of SAAS and private cloud
Azure Group
 

What's hot (20)

XaaS as a Modern Infrastructure for eGoverement Busines Model in the Republic...
XaaS as a Modern Infrastructure for eGoverement Busines Model in the Republic...XaaS as a Modern Infrastructure for eGoverement Busines Model in the Republic...
XaaS as a Modern Infrastructure for eGoverement Busines Model in the Republic...
 
What do you need to know to scale your business to China using Microsoft Azure
What do you need to know to scale your business to China using Microsoft AzureWhat do you need to know to scale your business to China using Microsoft Azure
What do you need to know to scale your business to China using Microsoft Azure
 
Cloud Camp: Infrastructure as a service advance workloads
Cloud Camp: Infrastructure as a service advance workloadsCloud Camp: Infrastructure as a service advance workloads
Cloud Camp: Infrastructure as a service advance workloads
 
Microsoft Azure For Solutions Architects
Microsoft Azure For Solutions ArchitectsMicrosoft Azure For Solutions Architects
Microsoft Azure For Solutions Architects
 
Saas security
Saas securitySaas security
Saas security
 
Azure Operation Management Suite - security and compliance
Azure Operation Management Suite - security and complianceAzure Operation Management Suite - security and compliance
Azure Operation Management Suite - security and compliance
 
The Three Musketeers (Authentication, Authorization, Accounting)
The Three Musketeers (Authentication, Authorization, Accounting)The Three Musketeers (Authentication, Authorization, Accounting)
The Three Musketeers (Authentication, Authorization, Accounting)
 
Modernize Java Apps on Microsoft Azure
Modernize Java Apps on Microsoft AzureModernize Java Apps on Microsoft Azure
Modernize Java Apps on Microsoft Azure
 
Dropping ACID - Building Scalable Systems That Work
Dropping ACID - Building Scalable Systems That WorkDropping ACID - Building Scalable Systems That Work
Dropping ACID - Building Scalable Systems That Work
 
Ead pertemuan-12
Ead pertemuan-12Ead pertemuan-12
Ead pertemuan-12
 
Windows Azure in Qatar
Windows Azure in QatarWindows Azure in Qatar
Windows Azure in Qatar
 
Azure Hybrid Integration Options
Azure Hybrid Integration OptionsAzure Hybrid Integration Options
Azure Hybrid Integration Options
 
Moonshot Brainstorming Strawman
Moonshot Brainstorming StrawmanMoonshot Brainstorming Strawman
Moonshot Brainstorming Strawman
 
Introduction to Azure Blueprints
Introduction to Azure BlueprintsIntroduction to Azure Blueprints
Introduction to Azure Blueprints
 
Event Driven Architecture
Event Driven ArchitectureEvent Driven Architecture
Event Driven Architecture
 
Windows Azure Platform
Windows Azure PlatformWindows Azure Platform
Windows Azure Platform
 
Massive Lift & Shift Migrations to Microsoft Azure with the Microsoft Migrati...
Massive Lift & Shift Migrations to Microsoft Azure with the Microsoft Migrati...Massive Lift & Shift Migrations to Microsoft Azure with the Microsoft Migrati...
Massive Lift & Shift Migrations to Microsoft Azure with the Microsoft Migrati...
 
Implementing Cisco AAA
Implementing Cisco AAAImplementing Cisco AAA
Implementing Cisco AAA
 
Ibm cloud forum managing heterogenousclouds_final
Ibm cloud forum managing heterogenousclouds_finalIbm cloud forum managing heterogenousclouds_final
Ibm cloud forum managing heterogenousclouds_final
 
The security of SAAS and private cloud
The security of SAAS and private cloudThe security of SAAS and private cloud
The security of SAAS and private cloud
 

Viewers also liked

Df2012 securing information_assets_in_saa_s_clouds_3_0
Df2012 securing information_assets_in_saa_s_clouds_3_0Df2012 securing information_assets_in_saa_s_clouds_3_0
Df2012 securing information_assets_in_saa_s_clouds_3_0debbanerjee
 
Moving To SaaS
Moving To SaaSMoving To SaaS
Moving To SaaS
Alistair Croll
 
Why Software as a Service (SaaS) requires a new approach to Application Manag...
Why Software as a Service (SaaS) requires a new approach to Application Manag...Why Software as a Service (SaaS) requires a new approach to Application Manag...
Why Software as a Service (SaaS) requires a new approach to Application Manag...
Accenture Technology
 
9 Worst Practices in SaaS Metrics
9 Worst Practices in SaaS Metrics9 Worst Practices in SaaS Metrics
9 Worst Practices in SaaS Metrics
Christoph Janz
 
Google Accel Report - SaaS India, Global SMB Market, $50B in 2025 #SaaSinIndi...
Google Accel Report - SaaS India, Global SMB Market, $50B in 2025 #SaaSinIndi...Google Accel Report - SaaS India, Global SMB Market, $50B in 2025 #SaaSinIndi...
Google Accel Report - SaaS India, Global SMB Market, $50B in 2025 #SaaSinIndi...
Accel Partners India
 
Best Practices for Managing SaaS Applications
Best Practices for Managing SaaS ApplicationsBest Practices for Managing SaaS Applications
Best Practices for Managing SaaS Applications
Correlsense
 

Viewers also liked (6)

Df2012 securing information_assets_in_saa_s_clouds_3_0
Df2012 securing information_assets_in_saa_s_clouds_3_0Df2012 securing information_assets_in_saa_s_clouds_3_0
Df2012 securing information_assets_in_saa_s_clouds_3_0
 
Moving To SaaS
Moving To SaaSMoving To SaaS
Moving To SaaS
 
Why Software as a Service (SaaS) requires a new approach to Application Manag...
Why Software as a Service (SaaS) requires a new approach to Application Manag...Why Software as a Service (SaaS) requires a new approach to Application Manag...
Why Software as a Service (SaaS) requires a new approach to Application Manag...
 
9 Worst Practices in SaaS Metrics
9 Worst Practices in SaaS Metrics9 Worst Practices in SaaS Metrics
9 Worst Practices in SaaS Metrics
 
Google Accel Report - SaaS India, Global SMB Market, $50B in 2025 #SaaSinIndi...
Google Accel Report - SaaS India, Global SMB Market, $50B in 2025 #SaaSinIndi...Google Accel Report - SaaS India, Global SMB Market, $50B in 2025 #SaaSinIndi...
Google Accel Report - SaaS India, Global SMB Market, $50B in 2025 #SaaSinIndi...
 
Best Practices for Managing SaaS Applications
Best Practices for Managing SaaS ApplicationsBest Practices for Managing SaaS Applications
Best Practices for Managing SaaS Applications
 

Similar to SaaS as a Security Hazard - Google Apps Security Example

A Practical Approach to Delivering Cloud Platforms Using Novell Solutions: Ho...
A Practical Approach to Delivering Cloud Platforms Using Novell Solutions: Ho...A Practical Approach to Delivering Cloud Platforms Using Novell Solutions: Ho...
A Practical Approach to Delivering Cloud Platforms Using Novell Solutions: Ho...
Novell
 
Securing Your Cloud Applications with Novell Cloud Security Service
Securing Your Cloud Applications with Novell Cloud Security ServiceSecuring Your Cloud Applications with Novell Cloud Security Service
Securing Your Cloud Applications with Novell Cloud Security Service
Novell
 
The Cloud and Next Gen IT Gordon Haff - p camp-boston2012
The Cloud and Next Gen IT Gordon Haff - p camp-boston2012The Cloud and Next Gen IT Gordon Haff - p camp-boston2012
The Cloud and Next Gen IT Gordon Haff - p camp-boston2012
ProductCamp Boston
 
Security in a Cloudy Architecture
Security in a Cloudy ArchitectureSecurity in a Cloudy Architecture
Security in a Cloudy Architecture
Bob Rhubart
 
Going to the Cloud
Going to the Cloud Going to the Cloud
Going to the Cloud
José Ferreiro
 
PCI and the Cloud
PCI and the CloudPCI and the Cloud
PCI and the Cloud
CloudPassage
 
null Bangalore meet - Cloud Computing and Security
null Bangalore meet - Cloud Computing and Securitynull Bangalore meet - Cloud Computing and Security
null Bangalore meet - Cloud Computing and Security
n|u - The Open Security Community
 
Cloud Computing : Security and Forensics
Cloud Computing : Security and ForensicsCloud Computing : Security and Forensics
Cloud Computing : Security and Forensics
Govind Maheswaran
 
Deadly Sins Bcs Elite
Deadly Sins Bcs EliteDeadly Sins Bcs Elite
Deadly Sins Bcs Elite
Jon G. Hall
 
considering the cloud? From IaaS to SaaS and Beyond - Find Your Path to the C...
considering the cloud? From IaaS to SaaS and Beyond - Find Your Path to the C...considering the cloud? From IaaS to SaaS and Beyond - Find Your Path to the C...
considering the cloud? From IaaS to SaaS and Beyond - Find Your Path to the C...
Web2Present
 
Gartner Catalyst Savvis Cloud API Case Study
Gartner Catalyst Savvis Cloud API Case StudyGartner Catalyst Savvis Cloud API Case Study
Gartner Catalyst Savvis Cloud API Case Study
CA API Management
 
Cloud computing identity management summary
Cloud computing identity management summaryCloud computing identity management summary
Cloud computing identity management summary
Brandon Dunlap
 
Cloud Migration Strategy - IT Transformation with Cloud
Cloud Migration Strategy - IT Transformation with CloudCloud Migration Strategy - IT Transformation with Cloud
Cloud Migration Strategy - IT Transformation with Cloud
Blazeclan Technologies Private Limited
 
SaaS Testing Overview - Foundation
SaaS Testing Overview - FoundationSaaS Testing Overview - Foundation
SaaS Testing Overview - Foundation
Ram Garg
 
Risk Factory: PCI Compliance in the Cloud
Risk Factory: PCI Compliance in the CloudRisk Factory: PCI Compliance in the Cloud
Risk Factory: PCI Compliance in the Cloud
Risk Crew
 
NIC 2013 - Configure and Deploy Private Cloud
NIC 2013 - Configure and Deploy Private CloudNIC 2013 - Configure and Deploy Private Cloud
NIC 2013 - Configure and Deploy Private CloudKristian Nese
 
Securing and Governing Cloud APIs
Securing and Governing Cloud APIsSecuring and Governing Cloud APIs
Securing and Governing Cloud APIs
CA API Management
 
CloudPassage Overview
CloudPassage OverviewCloudPassage Overview
CloudPassage OverviewCloudPassage
 

Similar to SaaS as a Security Hazard - Google Apps Security Example (20)

A Practical Approach to Delivering Cloud Platforms Using Novell Solutions: Ho...
A Practical Approach to Delivering Cloud Platforms Using Novell Solutions: Ho...A Practical Approach to Delivering Cloud Platforms Using Novell Solutions: Ho...
A Practical Approach to Delivering Cloud Platforms Using Novell Solutions: Ho...
 
Securing Your Cloud Applications with Novell Cloud Security Service
Securing Your Cloud Applications with Novell Cloud Security ServiceSecuring Your Cloud Applications with Novell Cloud Security Service
Securing Your Cloud Applications with Novell Cloud Security Service
 
The Cloud and Next Gen IT Gordon Haff - p camp-boston2012
The Cloud and Next Gen IT Gordon Haff - p camp-boston2012The Cloud and Next Gen IT Gordon Haff - p camp-boston2012
The Cloud and Next Gen IT Gordon Haff - p camp-boston2012
 
17h30 aws enterprise_app_jvaria
17h30 aws enterprise_app_jvaria17h30 aws enterprise_app_jvaria
17h30 aws enterprise_app_jvaria
 
Security in a Cloudy Architecture
Security in a Cloudy ArchitectureSecurity in a Cloudy Architecture
Security in a Cloudy Architecture
 
Going to the Cloud
Going to the Cloud Going to the Cloud
Going to the Cloud
 
Enterprise Applications on AWS
Enterprise Applications on AWSEnterprise Applications on AWS
Enterprise Applications on AWS
 
PCI and the Cloud
PCI and the CloudPCI and the Cloud
PCI and the Cloud
 
null Bangalore meet - Cloud Computing and Security
null Bangalore meet - Cloud Computing and Securitynull Bangalore meet - Cloud Computing and Security
null Bangalore meet - Cloud Computing and Security
 
Cloud Computing : Security and Forensics
Cloud Computing : Security and ForensicsCloud Computing : Security and Forensics
Cloud Computing : Security and Forensics
 
Deadly Sins Bcs Elite
Deadly Sins Bcs EliteDeadly Sins Bcs Elite
Deadly Sins Bcs Elite
 
considering the cloud? From IaaS to SaaS and Beyond - Find Your Path to the C...
considering the cloud? From IaaS to SaaS and Beyond - Find Your Path to the C...considering the cloud? From IaaS to SaaS and Beyond - Find Your Path to the C...
considering the cloud? From IaaS to SaaS and Beyond - Find Your Path to the C...
 
Gartner Catalyst Savvis Cloud API Case Study
Gartner Catalyst Savvis Cloud API Case StudyGartner Catalyst Savvis Cloud API Case Study
Gartner Catalyst Savvis Cloud API Case Study
 
Cloud computing identity management summary
Cloud computing identity management summaryCloud computing identity management summary
Cloud computing identity management summary
 
Cloud Migration Strategy - IT Transformation with Cloud
Cloud Migration Strategy - IT Transformation with CloudCloud Migration Strategy - IT Transformation with Cloud
Cloud Migration Strategy - IT Transformation with Cloud
 
SaaS Testing Overview - Foundation
SaaS Testing Overview - FoundationSaaS Testing Overview - Foundation
SaaS Testing Overview - Foundation
 
Risk Factory: PCI Compliance in the Cloud
Risk Factory: PCI Compliance in the CloudRisk Factory: PCI Compliance in the Cloud
Risk Factory: PCI Compliance in the Cloud
 
NIC 2013 - Configure and Deploy Private Cloud
NIC 2013 - Configure and Deploy Private CloudNIC 2013 - Configure and Deploy Private Cloud
NIC 2013 - Configure and Deploy Private Cloud
 
Securing and Governing Cloud APIs
Securing and Governing Cloud APIsSecuring and Governing Cloud APIs
Securing and Governing Cloud APIs
 
CloudPassage Overview
CloudPassage OverviewCloudPassage Overview
CloudPassage Overview
 

More from Newvewm

Entrepreneur un slideshow v6
Entrepreneur un slideshow v6Entrepreneur un slideshow v6
Entrepreneur un slideshow v6
Newvewm
 
The Inevitable Cloud Outage
The Inevitable Cloud OutageThe Inevitable Cloud Outage
The Inevitable Cloud Outage
Newvewm
 
Newvem's Utilization Heat Map
Newvem's Utilization Heat MapNewvem's Utilization Heat Map
Newvem's Utilization Heat Map
Newvewm
 
Hitting Your Cloud’s Usage Sweet Spot
Hitting Your Cloud’s Usage Sweet SpotHitting Your Cloud’s Usage Sweet Spot
Hitting Your Cloud’s Usage Sweet Spot
Newvewm
 
Cloudpreneurs - McKinsey Reveals Fast Growth of Cloud Adoption
Cloudpreneurs - McKinsey Reveals Fast Growth of Cloud AdoptionCloudpreneurs - McKinsey Reveals Fast Growth of Cloud Adoption
Cloudpreneurs - McKinsey Reveals Fast Growth of Cloud Adoption
Newvewm
 
Onavo aws summit 2012
Onavo aws summit 2012Onavo aws summit 2012
Onavo aws summit 2012
Newvewm
 
ClickSoftware AWS Customer Case
ClickSoftware AWS Customer CaseClickSoftware AWS Customer Case
ClickSoftware AWS Customer Case
Newvewm
 
Cloud security management by newvem
Cloud security management by newvemCloud security management by newvem
Cloud security management by newvem
Newvewm
 
Hadoop & MapReduce
Hadoop & MapReduceHadoop & MapReduce
Hadoop & MapReduce
Newvewm
 
Monitoring Your AWS Cloud Infrastructure
Monitoring Your AWS Cloud InfrastructureMonitoring Your AWS Cloud Infrastructure
Monitoring Your AWS Cloud Infrastructure
Newvewm
 
OneHourTranslation - AWS Cloud Case Study
OneHourTranslation - AWS Cloud Case StudyOneHourTranslation - AWS Cloud Case Study
OneHourTranslation - AWS Cloud Case Study
Newvewm
 
Secure Your AWS Cloud Data by Porticor
Secure Your AWS Cloud Data by PorticorSecure Your AWS Cloud Data by Porticor
Secure Your AWS Cloud Data by Porticor
Newvewm
 

More from Newvewm (12)

Entrepreneur un slideshow v6
Entrepreneur un slideshow v6Entrepreneur un slideshow v6
Entrepreneur un slideshow v6
 
The Inevitable Cloud Outage
The Inevitable Cloud OutageThe Inevitable Cloud Outage
The Inevitable Cloud Outage
 
Newvem's Utilization Heat Map
Newvem's Utilization Heat MapNewvem's Utilization Heat Map
Newvem's Utilization Heat Map
 
Hitting Your Cloud’s Usage Sweet Spot
Hitting Your Cloud’s Usage Sweet SpotHitting Your Cloud’s Usage Sweet Spot
Hitting Your Cloud’s Usage Sweet Spot
 
Cloudpreneurs - McKinsey Reveals Fast Growth of Cloud Adoption
Cloudpreneurs - McKinsey Reveals Fast Growth of Cloud AdoptionCloudpreneurs - McKinsey Reveals Fast Growth of Cloud Adoption
Cloudpreneurs - McKinsey Reveals Fast Growth of Cloud Adoption
 
Onavo aws summit 2012
Onavo aws summit 2012Onavo aws summit 2012
Onavo aws summit 2012
 
ClickSoftware AWS Customer Case
ClickSoftware AWS Customer CaseClickSoftware AWS Customer Case
ClickSoftware AWS Customer Case
 
Cloud security management by newvem
Cloud security management by newvemCloud security management by newvem
Cloud security management by newvem
 
Hadoop & MapReduce
Hadoop & MapReduceHadoop & MapReduce
Hadoop & MapReduce
 
Monitoring Your AWS Cloud Infrastructure
Monitoring Your AWS Cloud InfrastructureMonitoring Your AWS Cloud Infrastructure
Monitoring Your AWS Cloud Infrastructure
 
OneHourTranslation - AWS Cloud Case Study
OneHourTranslation - AWS Cloud Case StudyOneHourTranslation - AWS Cloud Case Study
OneHourTranslation - AWS Cloud Case Study
 
Secure Your AWS Cloud Data by Porticor
Secure Your AWS Cloud Data by PorticorSecure Your AWS Cloud Data by Porticor
Secure Your AWS Cloud Data by Porticor
 

Recently uploaded

De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
Product School
 
Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !
KatiaHIMEUR1
 
Transcript: Selling digital books in 2024: Insights from industry leaders - T...
Transcript: Selling digital books in 2024: Insights from industry leaders - T...Transcript: Selling digital books in 2024: Insights from industry leaders - T...
Transcript: Selling digital books in 2024: Insights from industry leaders - T...
BookNet Canada
 
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
James Anderson
 
The Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and SalesThe Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and Sales
Laura Byrne
 
Epistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI supportEpistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI support
Alan Dix
 
The Future of Platform Engineering
The Future of Platform EngineeringThe Future of Platform Engineering
The Future of Platform Engineering
Jemma Hussein Allen
 
Leading Change strategies and insights for effective change management pdf 1.pdf
Leading Change strategies and insights for effective change management pdf 1.pdfLeading Change strategies and insights for effective change management pdf 1.pdf
Leading Change strategies and insights for effective change management pdf 1.pdf
OnBoard
 
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdfFIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance
 
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdfFIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance
 
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
DanBrown980551
 
JMeter webinar - integration with InfluxDB and Grafana
JMeter webinar - integration with InfluxDB and GrafanaJMeter webinar - integration with InfluxDB and Grafana
JMeter webinar - integration with InfluxDB and Grafana
RTTS
 
Generating a custom Ruby SDK for your web service or Rails API using Smithy
Generating a custom Ruby SDK for your web service or Rails API using SmithyGenerating a custom Ruby SDK for your web service or Rails API using Smithy
Generating a custom Ruby SDK for your web service or Rails API using Smithy
g2nightmarescribd
 
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered QualitySoftware Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Inflectra
 
How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...
Product School
 
Essentials of Automations: Optimizing FME Workflows with Parameters
Essentials of Automations: Optimizing FME Workflows with ParametersEssentials of Automations: Optimizing FME Workflows with Parameters
Essentials of Automations: Optimizing FME Workflows with Parameters
Safe Software
 
Knowledge engineering: from people to machines and back
Knowledge engineering: from people to machines and backKnowledge engineering: from people to machines and back
Knowledge engineering: from people to machines and back
Elena Simperl
 
UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4
DianaGray10
 
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdfSmart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
91mobiles
 
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdfFIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance
 

Recently uploaded (20)

De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
 
Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !
 
Transcript: Selling digital books in 2024: Insights from industry leaders - T...
Transcript: Selling digital books in 2024: Insights from industry leaders - T...Transcript: Selling digital books in 2024: Insights from industry leaders - T...
Transcript: Selling digital books in 2024: Insights from industry leaders - T...
 
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
 
The Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and SalesThe Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and Sales
 
Epistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI supportEpistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI support
 
The Future of Platform Engineering
The Future of Platform EngineeringThe Future of Platform Engineering
The Future of Platform Engineering
 
Leading Change strategies and insights for effective change management pdf 1.pdf
Leading Change strategies and insights for effective change management pdf 1.pdfLeading Change strategies and insights for effective change management pdf 1.pdf
Leading Change strategies and insights for effective change management pdf 1.pdf
 
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdfFIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
 
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdfFIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
 
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
 
JMeter webinar - integration with InfluxDB and Grafana
JMeter webinar - integration with InfluxDB and GrafanaJMeter webinar - integration with InfluxDB and Grafana
JMeter webinar - integration with InfluxDB and Grafana
 
Generating a custom Ruby SDK for your web service or Rails API using Smithy
Generating a custom Ruby SDK for your web service or Rails API using SmithyGenerating a custom Ruby SDK for your web service or Rails API using Smithy
Generating a custom Ruby SDK for your web service or Rails API using Smithy
 
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered QualitySoftware Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
 
How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...
 
Essentials of Automations: Optimizing FME Workflows with Parameters
Essentials of Automations: Optimizing FME Workflows with ParametersEssentials of Automations: Optimizing FME Workflows with Parameters
Essentials of Automations: Optimizing FME Workflows with Parameters
 
Knowledge engineering: from people to machines and back
Knowledge engineering: from people to machines and backKnowledge engineering: from people to machines and back
Knowledge engineering: from people to machines and back
 
UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4
 
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdfSmart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
 
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdfFIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
 

SaaS as a Security Hazard - Google Apps Security Example

  • 1. SaaS as a Security Hazard The Google Apps example Ofer Shezaf, Product Manager, Security Solutions HP ArcSight ofr@hp.cm ©2011 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice
  • 2. About Myself I live in Kibbutz Yiftah, Israel I create Currently, Product Manager for Security Solutions at HP ArcSight security products Prior to that did security research and product management at Breach Security & at Fortify I am an OWASP leader and founder of the OWASP Israeli chapter application Leads the Web Application Firewall Evaluation Criteria project security veteran Wrote the ModSecurity Core Rule Set I really try to Read my blog at http://www.xiom.com learn what information Be ready to some philosophy of science and cognitive security is psychology
  • 3. What are Google Apps? Gmail, Calendar, Docs, Sites & Groups Google alternative to Exchange, SharePoint, Outlook and to a lesser extent to Office. Better at sharing and in a way familiar to users Bottom up push to adapt.
  • 4. If It Was Only Cloud…
  • 5. Google Apps Role in the IT Environment Hybrid Delivery Traditional Private Cloud Managed Cloud Public Cloud Non-critical business services will 1 SAAS move to SaaS providers who provide some level of security Some critical business services will be deployed in 2 SAAS private clouds with customized security controls Some work-loads will move to public clouds with SAAS 3 security components provisioned in image Security will be componentized and automatically 4 deployed with work-loads, based on sensitivity of assets customization automated required provisioning Note: future availability of hybrid capabilities 5 HP Enterprise Security – HP Confidential
  • 6. No, it is not about SQL injection Google is better than your So what is it programmers about? in weeding out SQL injections
  • 8. Cloud Entrance Exam: Question 1 Who Owns The Data? You? Google? Your Employee? Google’s Employee?
  • 9. Cloud Entrance Exam: Question 2 Do You Compete With Google? No (are you serious?) We do, but not me I don’t know Yes (You Bet!)
  • 10. Cloud Entrance Exam: Question 3 Who Authorized Access to the Data? Me Google Google, but only if the court asks Google, but only if the Chinese ask
  • 11. Cloud Entrance Exam: Question 4 What About Illegal Material? I never store such data! … apart from competitive marketing and stolen images in presentations … but Google would not interfere with my data Or would they?
  • 13. It’s All About Geography • National laws Privacy • Limitation of transfer of data • PCI, SOX, So where is the data? Compliance SAS 70, ISO 27K… And who is responsible for it? Ownership • Google or I?
  • 15. Where and What do we Manage? Hybrid Delivery Authenticatio n Traditional Private Cloud Managed Cloud Public Cloud SAAS Authorization SAAS SAAS Audit Note: future availability of hybrid capabilities 15 HP Enterprise Security – HP Confidential
  • 16. Authentication & User Management Password strength is of extreme importance in web based services. • Complexity, length, lifetime • Two factor authentication is preferred. Avoid requiring users to have multiple complex passwords • Sticky note passwords Need to make sure users are created, terminated and transferred on all services. SaaS MUST tie in to enterprise directory.
  • 17. Users Permissions & Authorization Always a hazard in knowledge Tools both for sharing SaaS and self applications. hosted are not mature. Unique to SaaS solutions is the option to share externally. Both permissions management and permissions audit are crucial
  • 18. Audit Public Cloud HP ArcSight On/Off-Premise Data Center remote workers
  • 20. Did You Consider? Encryption: SSL Disks Administrator Two factor authentication? Access Control Only from within the organization? Administration Can your administrators access users data if needed? Capabilities Backup and Service Level Agreement (SLA) Restore Service for Accidental Deletes Disaster Recovery Way out