This document discusses security best practices for Software as a Service (SaaS) applications. It recommends adopting a holistic governance framework to manage operational risks, using standards like COBIT 5. Key aspects covered include tenant data isolation, role-based access control, preventing common web attacks, and implementing robust security auditing of events, transactions, and user actions. The goal is to establish trust with customers by providing protection of information, access controls, data security, and audit capabilities.

1. Security Architecture Best Practices
for SaaS Applications
22-May-2014
www.techcello.com

2. © Techcello www.techcello.com
Housekeeping Instructions
 All phones are set to mute. If you have any questions, please type them in the Chat window
located beside the presentation panel.
 We have already received several questions from the registrants, which will be answered by the
speakers during the Q & A session.
 We will continue to collect more questions during the session as we receive and will try to answer
them during today’s session.
 In case if you do not receive answers to your question today, you will certainly receive answers via
email shortly.
 Thanks for your participation and enjoy the session!

3. © Techcello www.techcello.com
TechCello Introduction
 Cloud Ready, SaaS/Multi-
Tenant SaaS Application
Development Framework
 Provides end-end SaaS
Lifecycle Management
Solution
 Redefines the way SaaS
products are built and
managed
 Saves anywhere between
30%-50% of time and cost

4. © Techcello www.techcello.com
Speaker Profiles
Vittal Raj
International VP, ISACA
Founder, Pristine Consulting
 Last two decades into Consulting, Assurance & Training in IS Security, IT
Compliance/Governance, Enterprise Risk Management, Risk based
Internal Audit and Digital Forensics.
 Directed and managed projects in the areas of IS Security
Implementation, Cyber Crime Forensics & Cyber Law Consulting,
Network & Web Application Vulnerability Assessments
 Specialist trainer in IT Risk Management and Information Security
Jothi Rengarajan
Chief Technical Architect
TechCello
 14+ years of experience in architecting cloud and SaaS solutions
for both ISVs and Enterprises
 Chief architect in designing and constructing TechCello
framework
 Plays consultative role with customers in implementing technical
solutions

5. Gartner forecasts on SaaS……
• Saas market set to top $22 b by 2015
• Surge in software spends by 2015, Stratification of Saas
• CRM, ERP and office & productivity SaaS on the lead
• Multi-tenancy way to go supported by innovative tech
• Customers concerns - Continuity, Security & Contractual

6. What’s slowing down SaaS adoption ?
• Application Control & Security Governance
• Contractual Transparency & SLA Assurance
• Business Continuity & Resilience
• Security Management
– Security of Data in a multi-tenancy model
– Risk driven Security management
– Identity and access management (IAM) – Adequacy, Sustainability
• Privacy and Regulatory concerns
– Data location , Privacy Compliance, IAM, Licensing, legal & electronic
discovery
• Customisation & Transitioning out
• Continual Independent Assurance
• Pricing Indemnity 6

7. Framework based approach
driven on Stakeholder Expectations
Goals to Results
Source: COBIT 5®, ITGI

8. Application & Interfaces
Data Security & Information Life Cycle Mngt
Encryption & Key Management
Infrastructure & Virtualisation Security
Data Centre Security
Identify & Access Management
Change Control & Configuration Management
SCM, Transparency & Accountability
Human Resources
Business Continuity & Operational Resilience
Audit, Assurance & Compliance
Governance & Risk Management
Key Control Drivers
Source: CCSA – CCS Matrix

9. Holistic approach for sustainable governance
Source: COBIT 5®, ITGI

10. Managing Operational Risks in SaaS Services
• SaaS Governance Framework -
Client
– Risk Assessment &
Management
– Service Level Management
– Performance Management
(Metrics & Mechanisms)
– Auditability and Audits
• Risk Management & Assurance
• Standards & Certification
• Assurance by CSP
• Insurance
• Contract Governance
10
• Security Management
– Security Framework –
Encryption, Data Exchange
Controls
• Transition Management
• Monitoring Capabilities
• Billing Control
• Litigation Clauses
• Regulatory Compliance

11. International Standards
• COBIT 5 – Controls and Assurance in the Cloud
• CSA Guides
• AICPA Service Organization Control (SOC) 1 Report
• AICPA/CICA Trust Services (SysTrust and WebTrust)
• ISO 2700x— Information security management system (ISMS)
• Cloud Security Matrix—By Cloud Security Alliance
• NIST SP 800-53—The NIST IT security controls standards, Health
Information Trust Alliance (HITRUST)
• BITS—The BITS Shared Assessment Program
– contains the Standardized Information Gathering (SIG) questionnaire and Agreed Upon
Procedures (AUP).
• European Network and Information Security Agency (ENISA)
– Cloud Computing—Benefits, Risks and Recommendations for Information Security.
11

12. ‘Trustworthy’ SaaS
key to customer acquisition & loyalty

13. Feel free to contact me with your questions, comments &
feedback:
R Vittal Raj
rvittalraj@gmail.com
Linkedin: rvittalraj

14. © Techcello www.techcello.com
SaaS Customer Concerns
 Data Storage and Segregation
• Is it a dedicated or a shared environment?
• If it a shared environment, how is the data segregated from other shared
environments?
• How is security managed in the shared environment? What controls are in place?
 ACL
• What type of identity management solution is provided?
• Is Single Sign-On (SSO) provided? What types of SSO options are available? SAML,
Open Auth etc?
• What type of user store is available? Can this user store be integrated with Active
Directory or any other user store database?
• What type of user security, authentication and authorization options are available?

15. © Techcello www.techcello.com
SaaS Customer Concerns
 Data Security
• How is the primary data encrypted? What encryption schemes are used? Who
has access to the decryption keys? How often is this tested?
 Audits
• What application & data access audit logs are available? How often can you get
this?
• What type of investigative support is provided in cases of breach?

16. SaaS Security Architecture Goals
Protection of information. It deals with the prevention and detection of unauthorized
actions and ensuring confidentiality, integrity of data.
© Techcello www.techcello.com
 Robust Tenant data isolation
 Flexible RBAC – Prevent unauthorized action
 Proven Data security
 Prevention of Web related top threats as per OWASP
 Strong Security Audit Logs

17. © Techcello www.techcello.com
Tenant Data Isolation
Design for a Hybrid Approach

18. © Techcello www.techcello.com
Tenant Data Isolation
 Database
Routing Based
On Tenant
 Application
Layer Auto
Tenant Filter
 Tenant Based
View Filter

19. © Techcello www.techcello.com
ACL Architecture

20. © Techcello www.techcello.com
Role Based Access Control (RBAC)
Authentication
• Separate Common Identity Provider
• Identity Provider Support Options
• Custom Username Password Authentication
• AD Integrated SSO
• Open ID Authentication
• Multi factor authentication
• Hybrid Authentication Support

21. © Techcello www.techcello.com
Role Based Access Control (RBAC)
Authorization
• ACL Metadata
• Use privileges
• Map with roles
• Roles should be defined by business users
• Role mapped to privileges and user mapped to roles
• Access Check Services
• Control at a URL, Action, Data and Field level
• Configuration based privilege control

22. © Techcello www.techcello.com
Role Based Access Control (RBAC)
Authorization
• Rest API Implementation
• External Application Integration
• Oauth2.0
• HMAC
• Internal Application Integration
• Session Token
• Cookie

23. © Techcello www.techcello.com
OWASP – TOP 10 Threats 2013
A1
Injection
A2
Broken Authentication and
Session Management (was
formerly A3)
A3
Cross-Site Scripting (XSS)
(was formerly A2)
A4
Insecure Direct Object
References
A5
Security Misconfiguration
(was formerly A6)
A6
Sensitive Data Exposure
(merged from former A7
Insecure Cryptographic
Storage and former A9
Insufficient Transport Layer
Protection)
A7
Missing Function Level
Access Control
(renamed/broadened from
former A8 Failure to
Restrict URL Access)
A8
Cross-Site Request Forgery
(CSRF) (was formerly A5)
A9
Using Known Vulnerable
Components (new but was
part of former A6 –
Security Misconfiguration)
A10
Unvalidated Redirects and
Forwards

24. © Techcello www.techcello.com
Security Testing
Dynamic
Testing
Static
Testing
Security
Verification

25. © Techcello www.techcello.com
Security Audit
Event Audit
• Audit positive events, more importantly
audit negative events
• Should cover,
• Who does the action?
• What action is performed?
• What is the context in which the
operation is performed?
• What time is the action performed?
• Audit details stored in a separate datastore
for better performance
• Real-time audit details – audit cache server

26. © Techcello www.techcello.com
Security Audit
Transaction and Change Audit
• Transaction Audit
• Snapshot: Exact copy of the row stored in history tables
• More suitable if requests to access past data are more
• More data growth
• Change Audit
• Only the delta of the state change captured as part of change tables
• More suitable when changes need to be reported and past data are not required
much
• Used more for Security tracking purposes
• Easier to implement by using methods available out of the box in RDBMS such as CDC
for SQL server
• Asynchronous Mode : For better performance and if we wish that audit should not roll
back the transactions it is advisable to audit in a asynchronous thread.

27. © Techcello www.techcello.com
Security Audit
User Action Audit
• Audit all user actions
• Capture the entry url, time, location details, browser details, response status, any
exceptions
• Provide analysis on the user actions
• Can be customized at application layer or can use the webserver logs

28. © Techcello www.techcello.com
Security Audit

29. Cello Stack – At a Glance
How does it work?
Administrative
Tenant
Licensing Metering Billing Data Backup Modules
Provisioning
Security
User
Role/Privilege
Auditing Modules
Management
Mgmt.
Custom Fields Custom LoV
Ad-hoc Builders
Cloud Ready, Multi-Tenant Application Development Framework
Single Sign-on
Dynamic Data
Scope
Business
Rules
Workflow
Dynamic
Forms
Enterprise Engines
Integration Modules
Settings
Template
Events Notification Templates
Query Chart Reports
Code
Productivity Boosters
Templates
Master Data
Mgmt.
Forms
Generation
Application Multi-Tenancy & Tenant Data Isolation
Themes &
Logo
Pre & Post
Processors
Configurability
Modules
Cello Cloud Adapters

30. © Techcello www.techcello.com
Contact Details
Jothi Rengarajan (jothi.r@techcello.com)
Vittal Raj (rvittalraj@gmail.com)
Reference URLs
Web : http://www.techcello.com
ROI Calculator : http://www.techcello.com/techcello-roi-calculator
Demo Videos : http://www.techcello.com/techcello-resources/techcello-product-
demo
SaaS e-Book: http://www.techcello.com/techcello-resources/techcello-resources-
white-papers
Thank You