Software-as-a-Service Security 163
cloud computing are creating not only new technologies and business operational processes but also new security requirements and challenges as described previously. As the most recent evolutionary step in the cloud service model (see Figure 6.2), SaaS will likely remain the dominant cloud service model for the foreseeable future and the area where the most critical need for security practices and oversight will reside.
Just as with a managed service provider, corporations or end users will need to research vendors’ policies on data security before using vendor services to avoid losing or not being able to access their data. The technology analyst and consulting firm Gartner lists seven security issues which one should discuss with a cloud-computing vendor:
1. Privileged user access—Inquire about who has specialized access to data, and about the hiring and management of such administrators.
2. Regulatory compliance—Make sure that the vendor is willing to undergo external audits and/or security certifications.
3. Data location—Does the provider allow for any control over the location of data?
4. Data segregation—Make sure that encryption is available at all stages, and that these encryption schemes were designed and tested by experienced professionals.
5. Recovery—Find out what will happen to data in the case of a disaster. Do they offer complete restoration? If so, how long would that take?
6. Investigative support—Does the vendor have the ability to investigate any inappropriate or illegal activity?
7. Long-term viability—What will happen to data if the company goes out of business? How will data be returned, and in what format? [6]
Figure 6.2 The evolution of cloud services.
Chap6.fm Page 163 Friday, May 22, 2009 11:27 AM
164 Cloud Computing
Determining data security is harder today, so data security functions have become more critical than they have been in the past. A tactic not covered by Gartner is to encrypt the data yourself. If you encrypt the data using a trusted algorithm, then regardless of the service provider’s security and encryption policies, the data will only be accessible with the decryption keys. Of course, this leads to a follow-on problem: How do you manage private keys in a pay-on-demand computing infrastructure? [7]
To address the security issues listed above along with others mentioned earlier in the chapter, SaaS providers will need to incorporate and enhance security practices used by the managed service providers and develop new ones as the cloud computing environment evolves. The baseline security practices for the SaaS environment as currently formulated are discussed in the following sections.
6.3.1 Security Management (People)
One of the most important actions for a security team is to develop a formal charter for the security organization and program. This will foster a shared vision among the team of what security leadership is driving toward and expects, and will also foster “ownership” in the success of the collective team. The charter should be aligned with the strategic plan of the organization or company the security team works for. Lack of clearly defined roles and responsibilities, and agreement on expectations, can result in a general feeling of loss and confusion among the security team about what is expected of them, how their skills and experience can be leveraged, and meeting their performance goals. Morale among the team and pride in the team is lowered, and security suffers as a result.
6. http://www.infoworld.com/article/08/07/02/Gartner_Seven_cloudcomputing_security_risks_1.html, retrieved 20 Feb 2009.
7. http://en.wikipedia.org/wiki/Cloud_service#Cloud_storage, retrieved 15 Feb 2009.
6.3.2 Security Governance
A security steering committee should be developed whose objective is to focus on providing guidance about security initiatives and alignment with business and IT strategies. A charter for the security team is typically one of the first deliverables from the steering committee. This charter must clearly define the roles and responsibilities of the security team and other groups involved in performing information security functions. Lack of a formalized strategy can lead to an unsustainable operating model and security level as it evolves. In addition, lack of attention to security governance can result in key needs of the business not being met, including but not limited to, risk management, security monitoring, application security, and sales support. Lack of proper governance and management of duties can also result in potential security risks being left unaddressed and opportunities to improve the business being missed because the security team is not focused on the key security functions and activities that are critical to the business.
6.3.3 Risk Management
Effective risk management entails identification of technology assets; identification of data and its links to business processes, applications, and data stores; and assignment of ownership and custodial responsibilities. Actions should also include maintaining a repository of information assets. Owners have authority and accountability for information assets including protection requirements, and custodians implement confidentiality, integrity, availability, and privacy controls. A formal risk assessment process should be created that allocates security resources linked to business continuity.
6.3.4 Risk Assessment
Security risk assessment is critical to helping the information security organization make informed decisions when balancing the dueling priorities of business utility and protection of assets. Lack of attention to completing formalized risk assessments can contribute to an increase in information security audit findings, can jeopardize certification goals, and can lead to inefficient and ineffective selection of security controls that may not adequately mitigate information security risks to an acceptable level. A formal information security risk management process should proactively assess information security risks as well as plan and manage them on a periodic or as-needed basis. More detailed and technical security risk assessments in the form of threat modeling should also be applied to applications and infrastructure. Doing so can help the product management and engineering groups to be more proactive in designing and testing the security of applications and systems and to collaborate more closely with the internal security team. Threat modeling requires both IT and business process knowledge, as well as technical knowledge of how the applications or systems under review work.
6.3.5 Security Portfolio Management
Given the fast pace and collaborative nature of cloud computing, security portfolio management is a fundamental component of ensuring efficient and effective operation of any information security program and organization. Lack of portfolio and project management discipline can lead to projects never being completed or never realizing their expected return; unsustainable and unrealistic workloads and expectations because projects are not prioritized according to strategy, goals, and resource capacity; and degradation of the system or processes due to the lack of supporting maintenance and sustaining organization planning. For every new project that a security team undertakes, the team should ensure that a project plan and project manager with appropriate training and experience is in place so that the project can be seen through to completion. Portfolio and project management capabilities can be enhanced by developing methodology, tools, and processes to support the expected complexity of projects that include both traditional business practices and cloud computing practices.
6.3.6 Security Awareness
People will remain the weakest link for security. Knowledge and culture are among the few effective tools to manage risks related to people. Not providing proper awareness and training to the people who may need them can expose the company to a variety of security risks for which people, rather than system or application vulnerabilities, are the threats and points of entry. Social engineering attacks, lower reporting of and slower responses to potential security incidents, and inadvertent customer data leaks are all possible and probable risks that may be triggered by lack of an effective security awareness program. The one-size-fits-all approach to security awareness is not necessarily the right approach for SaaS organizations; it is more important to have an information security awareness and training program that tailors the information and training according to the individual’s role in the organization. For example, security awareness can be provided to development engineers in the form of secure code and testing training, while customer service representatives can be provided data privacy and security certification awareness training. Ideally, both a generic approach and an individual-role approach should be used.
6.3.7 Education and Training
Programs should be developed that provide a baseline for providing fundamental security and risk management skills and knowledge to the security team and their internal partners. This entails a formal process to assess and align skill sets to the needs of the security team and to provide adequate training and mentorship—providing a broad base of fundamental security, inclusive of data privacy, and risk management knowledge. As the cloud computing business model and its associated services change, the security challenges facing an organization will also change. Without adequate, current training and mentorship programs in place, the security team may not be prepared to address the needs of the business.
6.3.8 Policies, Standards, and Guidelines
Many resources and templates are available to aid in the development of information security policies, standards, and guidelines. A cloud computing security team should first identify the information security and business requirements unique to cloud computing, SaaS, and collaborative software application security. Policies should be developed, documented, and implemented, along with documentation for supporting standards and guidelines. To maintain relevancy, these policies, standards, and guidelines should be reviewed at regular intervals (at least annually) or when significant changes occur in the business or IT environment. Outdated policies, standards, and guidelines can result in inadvertent disclosure of information as a cloud computing organizational business model changes. It is important to maintain the accuracy and relevance of information security policies, standards, and guidelines as business initiatives, the business environment, and the risk landscape change. Such policies, standards, and guidelines also provide the building blocks with which an organization can ensure consistency of performance and maintain continuity of knowledge during times of resource turnover.