Security Architecture Best Practices for SaaS Applications
24-March-2014
US | UK | BENELUX | ME | IND©1996-2015 Aspire Systems, Inc.
Speakers
Janaki Jayachandran, Jothi Rengarajan
Cloud Solutions Architect, Aspire Systems
Principal Architect – SaaS Solutions, Aspire Systems
About Aspire
• Global technology services firm with core DNA of software engineering
• Specific areas of expertise around Software Engineering, Enterprise Solutions, Testing and Infrastructure & Application Support
• Vertical focus among Independent Software Vendors and Retail, Distribution & Consumer Products
• 1400+ employees; 100+ active customers
• ISO 9001:2008 and ISO 27001:2005 certified
• Presence across US, UK, Benelux, Middle East and India
• Recognized five consecutive times as “Best Place to Work for” by GPW Institute
Agenda
• Shared Responsibility Model
• Infrastructure and network related security risks and solutions
• Security considerations in each of the architecture layers
• Data isolation risks and mitigation plans
• Overview of OWASP Security threats
“…sometimes risk is compensated with opportunity…”
The Ever-growing Security Threat
[Chart: Unsafe websites detected per week, Jan 2007 – Mar 2015]
[Chart: Sites hosting malware detected per week, Jan 2007 – Mar 2015]
Notorious Nine Cloud Threats
• Data Breaches
• Data loss
• Account/Service traffic hijacking
• Insecure APIs
• Denial of Service
• Malicious Insiders
• Abuse of cloud services
• Insufficient Due Diligence
• Shared Technology
Source: CSA Notorious Nine Top Threats
Major Data Breach Incidents on Cloud
2015
• In February 2015, Anthem suffered a data breach of nearly 80 million records.
2014
• In August 2014, nearly 200 photographs of celebrities were posted to the image board website 4chan.
• In September 2014, Home Depot suffered a data breach of 56 million credit card numbers.
• In October 2014, Staples suffered a data breach of 1.16 million customer payment cards.
2013
• In October 2013, Adobe Systems revealed that their corporate database was hacked and some 130 million user records were stolen.
• In late November to early December 2013, Target Corporation announced that data from around 40 million credit and debit cards was stolen.
Shared Responsibility Model
SaaS ISVs most commonly use IaaS services to deliver their solution.
SaaS Provider - ISV
• Compliance with customer privacy and data protection laws
• Management of passwords/private keys
• IDM Management and access control
• Application authentication mechanism
• Management of OS, Security patches, etc.
Cloud/Infra Provider
• Physical support of infrastructure
• Physical infrastructure security and availability
• OS Patch management and hardening procedures
• Security platform configuration, maintenance and monitoring
• Increased ownership on managed services
How Safe Is Your Data?
United States, United Kingdom, Canada, Australia, Germany
Source: Hogan Lovells White Paper on Governmental Access
Hardware Level Risks
• Virtualization software used
• Implement encryption best practices at all layers/services
• Logically group environments and restrict access within them
• Leverage Dedicated Tenancy level groupings to minimize risks
• Define the protocol for accessing keys
OS Security and Access
• Patch management
• Operating System
• Anti-Virus and Anti-malware
• OS Monitoring
• Penetration testing and vulnerability scanning
• Data Redundancy
Network Security and Access
• Compliance standards – PCI, HIPAA, etc.
• Network firewall
• Virtual Private Network
• Single Sign On
• Inter region and intra region transfer of data
• Backup data storage location and access control
International Security Standards
• COBIT 5 – Controls and Assurance in the Cloud
• CSA Guides
• AICPA Service Organization Control (SOC) 1 Report
• AICPA/CICA Trust Services (SysTrust and WebTrust)
• ISO 2700x—Information security management system (ISMS)
• Cloud Security Matrix—By Cloud Security Alliance
• NIST SP 800-53—The NIST IT security controls standards, Health Information Trust Alliance (HITRUST)
• BITS—The BITS Shared Assessment Program contains the Standardized Information Gathering (SIG) questionnaire and Agreed Upon Procedures (AUP).
• European Network and Information Security Agency (ENISA): Cloud Computing—Benefits, Risks and Recommendations for Information Security.
SaaS Security Architecture Goals
Protection of information: the prevention and detection of unauthorized actions, and ensuring the confidentiality and integrity of data.
SaaS Application Security Areas
• Database access control
• SaaS application access control
• Access control for third-party applications and the mobile layer that are integrated with your SaaS application
• Data at transit security
• Data at rest security
• Audits
Tenant Data Isolation
Design for a Hybrid Approach
[Diagram: DB Interceptor, Service Security Scanner, Tenant Based View Filter]
ACL Architecture [diagram]
Role Based Access Control (RBAC) - Authentication
• Custom Username Password Authentication
• AD Integrated SSO
• Open ID Authentication
• Multi factor authentication
• Hybrid Authentication Support
Role Based Access Control (RBAC)
ACL For Resources
• Web Endpoints
• REST Endpoints
• Actions
• Data Fields
Identity Management
ACL Metadata/Definition service
Decision Service
Enforcement Service
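The metadata, decision and enforcement split listed above can be illustrated with the following added Go example, which is not code from the presentation. Access is decided on privileges rather than role names, unknown resources are denied by default, and restricted fields are filtered at the service layer; `Policy`, `Enforce`, `SamplePolicy`, `GetInvoice` and all tenant, role and privilege names are hypothetical.

```go
package main

import (
	"errors"
	"fmt"
)

// User carries identity only; what the user may do comes from Policy.
type User struct {
	ID, Tenant string
	Roles      []string
}

// Policy is the ACL metadata: roles are tenant-defined bundles of privileges, and
// each resource (endpoint, action, field) names the privilege it requires.
type Policy struct {
	RolePrivs map[string]map[string][]string // tenant -> role -> privileges
	Required  map[string]string              // endpoint or action -> privilege
	FieldPriv map[string]string              // restricted field -> privilege
}

// Service is any service-layer operation that returns a record to the caller.
type Service func(u User) (map[string]string, error)
var ErrDenied = errors.New("access denied")

func (p *Policy) privileges(u User) map[string]bool {
	set := map[string]bool{}
	for _, role := range u.Roles {
		for _, priv := range p.RolePrivs[u.Tenant][role] {
			set[priv] = true
		}
	}
	return set
}

// Decide is the decision step. A resource with no metadata entry is denied.
func (p *Policy) Decide(u User, resource string) bool {
	need, known := p.Required[resource]
	return known && p.privileges(u)[need]
}

// Enforce is the enforcement step: it wraps a service operation so the check and
// the field filtering run on every call, not wherever a developer remembers them.
func (p *Policy) Enforce(resource string, svc Service) Service {
	return func(u User) (map[string]string, error) {
		if !p.Decide(u, resource) {
			return nil, fmt.Errorf("%w: %s on %s", ErrDenied, u.ID, resource)
		}
		rec, err := svc(u)
		if err != nil {
			return nil, err
		}
		privs, visible := p.privileges(u), map[string]string{}
		for field, value := range rec {
			if need, restricted := p.FieldPriv[field]; !restricted || privs[need] {
				visible[field] = value
			}
		}
		return visible, nil
	}
}

// SamplePolicy is constructed data: two tenants give "manager" different privileges.
func SamplePolicy() *Policy {
	return &Policy{
		RolePrivs: map[string]map[string][]string{
			"acme":   {"manager": {"invoice.read", "invoice.view_bank_details"}},
			"globex": {"manager": {"invoice.read"}},
		},
		Required:  map[string]string{"GET /invoices/{id}": "invoice.read"},
		FieldPriv: map[string]string{"bank_account": "invoice.view_bank_details"},
	}
}

// GetInvoice is a hypothetical service operation returning constructed data.
func GetInvoice(u User) (map[string]string, error) {
	return map[string]string{"id": "inv-1", "amount": "120.00", "bank_account": "constructed-0001"}, nil
}

func main() {
	guarded := SamplePolicy().Enforce("GET /invoices/{id}", GetInvoice)
	fmt.Println(guarded(User{ID: "u1", Tenant: "acme", Roles: []string{"manager"}}))
	fmt.Println(guarded(User{ID: "u2", Tenant: "globex", Roles: []string{"manager"}}))
}
```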
REST API Access Control
Identity
• Common identity for an application
• Granular User Identity
Sources
• External Applications
• Mobile Applications
Mechanisms
• Access Keys
• OAuth 2.0
OWASP – Top Threats
• A1 Injection
• A2 Broken Authentication and Session Management (was formerly A3)
• A3 Cross-Site Scripting (XSS) (was formerly A2)
• A4 Insecure Direct Object References
• A5 Security Misconfiguration (was formerly A6)
• A6 Sensitive Data Exposure (merged from former A7 Insecure Cryptographic Storage and former A9 Insufficient Transport Layer Protection)
• A7 Missing Function Level Access Control (renamed/broadened from former A8 Failure to Restrict URL Access)
• A8 Cross-Site Request Forgery (CSRF) (was formerly A5)
• A9 Using Known Vulnerable Components (new but was part of former A6 – Security Misconfiguration)
• A10 Unvalidated Redirects and Forwards
Security Testing
• Dynamic Testing
• Static Testing
• Security Verification
Data at Transit and Rest
Data at Rest
• Adopt Symmetric Key encryption
• Use Strong Keys
• Encrypt Your Encryption key
• Use Strong Key Stores
• Keep the Key Away From Data
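The "encrypt your encryption key" and "keep the key away from data" points above, shown as an added Go example that is not code from the presentation: envelope encryption with AES-256-GCM, where each record gets its own data key (DEK) wrapped under a key-encryption key (KEK) held outside the database. The `Record` layout, the function names and the use of the tenant ID as associated data are assumptions of this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

type Record struct{ WrappedDEK, Ciphertext []byte } // what the database stores

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts under a fresh random nonce and prepends the nonce to the output.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// open authenticates and decrypts a value produced by seal.
func open(key, sealed, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, fmt.Errorf("sealed value shorter than the nonce")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], aad)
}

// Encrypt makes a one-off 256-bit DEK, encrypts the payload with it and wraps the
// DEK under the KEK. tenantID is bound as associated data (assumption of this example).
func Encrypt(kek []byte, tenantID string, plaintext []byte) (Record, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return Record{}, err
	}
	ct, err := seal(dek, plaintext, []byte(tenantID))
	if err != nil {
		return Record{}, err
	}
	wrapped, err := seal(kek, dek, []byte(tenantID))
	return Record{WrappedDEK: wrapped, Ciphertext: ct}, err
}

// Decrypt unwraps the DEK with the KEK, then decrypts the payload with the DEK.
func Decrypt(kek []byte, tenantID string, r Record) ([]byte, error) {
	dek, err := open(kek, r.WrappedDEK, []byte(tenantID))
	if err != nil {
		return nil, fmt.Errorf("unwrap data key: %w", err)
	}
	return open(dek, r.Ciphertext, []byte(tenantID))
}

// Rewrap rotates the KEK by re-encrypting only the DEK; the payload is untouched.
func Rewrap(oldKEK, newKEK []byte, tenantID string, r Record) (Record, error) {
	dek, err := open(oldKEK, r.WrappedDEK, []byte(tenantID))
	if err != nil {
		return Record{}, err
	}
	wrapped, err := seal(newKEK, dek, []byte(tenantID))
	return Record{WrappedDEK: wrapped, Ciphertext: r.Ciphertext}, err
}

func main() {
	kek := make([]byte, 32) // constructed stand-in; a real KEK comes from the key store
	rand.Read(kek)
	rec, err := Encrypt(kek, "tenant-a", []byte("constructed sample payload"))
	fmt.Println(len(rec.WrappedDEK), len(rec.Ciphertext), err)
}
```

Because only the wrapped DEK depends on the KEK, rotating the KEK means rewriting a few dozen bytes per record rather than re-encrypting the data.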
Data at Transit
• Browser to web: this can be secured via HTTPS.
• Between web and services: this can also be secured using HTTPS in the case of REST services.
• Direct access to application services: secured via HTTPS, or you could use message encoding. For SOAP-based services, use the WS-* security protocol.
• Application to database – Servers such as Oracle and MSSQL Server support
Security Audit
User Action Audit
• Audit all user actions
• Capture the entry URL, time, location details, browser details, response status, any exceptions
• Provide analysis on the user actions
• Can be customized at application layer or can use the webserver logs
Event Audit
• Audit positive events, more importantly audit negative events
• Should cover:
  • Who does the action?
  • What action is performed?
  • What is the context in which the operation is performed?
  • What time is the action performed?
• Audit details stored in a separate datastore for better performance
• Real-time audit details – audit cache server
Transaction and Change Audit
• Transaction Audit
  • Snapshot: Exact copy of the row stored in history tables
  • More suitable if requests to access past data are frequent
  • More data growth
• Change Audit
  • Only the delta of the state change is captured, as part of change tables
  • More suitable when changes need to be reported and past data is rarely required
  • Used more for security tracking purposes
  • Easier to implement by using methods available out of the box in an RDBMS, such as CDC for SQL Server
• Asynchronous Mode: For better performance, and if the audit should not roll back the transaction, it is advisable to audit in an asynchronous thread.
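The snapshot, delta and asynchronous-mode points above, shown as an added Go example that is not code from the presentation. One audit entry carries both the full prior row (transaction audit) and only the changed columns (change audit), and is written on a separate goroutine through a queue that never blocks the caller. `Row`, `Entry`, `Auditor` and the sample rows are hypothetical, and the in-memory slice stands in for the separate audit datastore.

```go
package main

import (
	"fmt"
	"sync"
	"time"
)

// Row is a constructed stand-in for one database row (column -> value).
type Row map[string]string

// Entry records who did what, in which context and when, plus the audit payload.
type Entry struct {
	Who, Action, Context string
	At                   time.Time
	Snapshot             Row                  // transaction audit: full prior row
	Delta                map[string][2]string // change audit: column -> {old, new}
}

// Delta keeps only changed columns; a column missing on one side counts as empty.
func Delta(before, after Row) map[string][2]string {
	d := map[string][2]string{}
	for k, old := range before {
		if after[k] != old {
			d[k] = [2]string{old, after[k]}
		}
	}
	for k, cur := range after {
		if _, existed := before[k]; !existed {
			d[k] = [2]string{"", cur}
		}
	}
	return d
}

// Auditor writes entries on its own goroutine, so a slow or failing audit store
// cannot block or roll back the business transaction.
type Auditor struct {
	queue  chan Entry
	done   sync.WaitGroup
	stored []Entry // stand-in for the separate audit datastore
}

func NewAuditor(buffer int) *Auditor {
	a := &Auditor{queue: make(chan Entry, buffer)}
	a.done.Add(1)
	go func() {
		defer a.done.Done()
		for e := range a.queue {
			a.stored = append(a.stored, e)
		}
	}()
	return a
}

// AuditUpdate queues one entry carrying both audit styles. It never blocks: when
// the queue is full it returns false so the caller can count the gap and carry on.
func (a *Auditor) AuditUpdate(who, table, context string, before, after Row) bool {
	e := Entry{Who: who, Action: fmt.Sprintf("UPDATE %s", table), Context: context,
		At: time.Now().UTC(), Snapshot: before, Delta: Delta(before, after)}
	select {
	case a.queue <- e:
		return true
	default:
		return false
	}
}

// Close drains the queue and returns everything that reached the store.
func (a *Auditor) Close() []Entry {
	close(a.queue)
	a.done.Wait()
	return a.stored
}

func main() {
	a := NewAuditor(16)
	before := Row{"id": "7", "plan": "basic", "seats": "5"} // constructed rows
	after := Row{"id": "7", "plan": "pro", "seats": "5"}
	a.AuditUpdate("alice@tenant-a", "subscription", "PUT /subscription/7", before, after)
	for _, e := range a.Close() {
		fmt.Println(e.Who, e.Action, e.Context, len(e.Snapshot), e.Delta)
	}
}
```

The snapshot grows with the row width on every change while the delta grows only with the number of changed columns, which is the data-growth trade-off the list describes.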
Anti-Patterns
Let me summarize some of the anti-patterns in the security of a SaaS application. Unfortunately, we also find them a lot in practice.
• Opening the DB access to tenants directly
• Depending on the developers to handle tenant isolation
• Storing keys for encryption loosely
• Storing connection strings without encryption
• Encrypting unnecessary data
• Loose physical access policy for the production database
• Rigid access control tied to roles instead of privileges
• Depending on developers to handle authorization checks
• Loose authentication mechanism for REST service calls or other gateways
• Lack of access control enforcement at the service layer
• Lack of audits