Software-as-a-Service Security 173
6.3.16 Vulnerability Assessment

Vulnerability assessment classifies network assets to more efficiently prioritize vulnerability-mitigation programs, such as patching and system upgrading. It measures the effectiveness of risk mitigation by setting goals of reduced vulnerability exposure and faster mitigation. Vulnerability management should be integrated with discovery, patch management, and upgrade management processes to close vulnerabilities before they can be exploited.
6.3.17 Password Assurance Testing

If the SaaS security team or its customers want to periodically test password strength by running password “crackers,” they can use cloud computing to decrease crack time and pay only for what they use. Instead of using a distributed password cracker to spread the load across nonproduction machines, you can now put those agents in dedicated compute instances to alleviate mixing sensitive credentials with other workloads.[12]
6.3.18 Logging for Compliance and Security Investigations

When your logs are in the cloud, you can leverage cloud computing to index those logs in real time and get the benefit of instant search results. A true real-time view can be achieved, since the compute instances can be examined and scaled as needed based on the logging load. Due to concerns about performance degradation and log size, the use of extended logging through an operating system C2 audit trail is rarely enabled. If you are willing to pay for enhanced logging, cloud computing provides the option.
6.3.19 Security Images

With cloud computing, you don't have to do physical operating system installs that frequently require additional third-party tools, are time-consuming to clone, and can add another agent to each endpoint. Virtualization-based cloud computing provides the ability to create “Gold image” VM secure builds and to clone multiple copies.[13] Gold image VMs also provide the ability to keep security up to date and reduce exposure by patching offline. Offline VMs can be patched off-network, providing an easier, more cost-effective, and less production-threatening way to test the impact of security changes. This is a great way to duplicate a copy of your production environment, implement a security change, and test the impact at low cost, with minimal start-up time, and it removes a major barrier to doing security in a production environment.[14]

12. http://cloudsecurity.org/2008/07/21/assessing-the-security-benefits-of-cloud-computing, retrieved 15 Feb 2009.
Chap6.fm Page 173 Friday, May 22, 2009 11:27 AM
174 Cloud Computing
6.3.20 Data Privacy

A risk assessment and gap analysis of controls and procedures must be conducted. Based on this data, formal privacy processes and initiatives must be defined, managed, and sustained. As with security, privacy controls and protection must be an element of the secure architecture design. Depending on the size of the organization and the scale of operations, either an individual or a team should be assigned and given responsibility for maintaining privacy.

A member of the security team who is responsible for privacy or a corporate security compliance team should collaborate with the company legal team to address data privacy issues and concerns. As with security, a privacy steering committee should also be created to help make decisions related to data privacy. Typically, the security compliance team, if one even exists, will not have formalized training on data privacy, which will limit the ability of the organization to adequately address the data privacy issues they currently face and will be continually challenged on in the future. The answer is to hire a consultant in this area, hire a privacy expert, or have one of your existing team members trained properly. This will ensure that your organization is prepared to meet the data privacy demands of its customers and regulators.
13. When companies create a pool of virtualized servers for production use, they also change their deployment and operational practices. Given the ability to standardize server images (since there are no hardware dependencies), companies consolidate their server configurations into as few as possible “gold images” which are used as templates for creating common server configurations. Typical images include baseline operating system images, web server images, application server images, etc. This standardization introduces an additional risk factor: monoculture. All the standardized images will share the same weaknesses. Whereas in a traditional data center there are firewalls and intrusion-prevention devices between servers, in a virtual environment there are no physical firewalls separating the virtual machines. What used to be a multitier architecture with firewalls separating the tiers becomes a pool of servers. A single exposed server can lead to a rapidly propagating threat that can jump from server to server. Standardization of images is like dry tinder to a fire: A single piece of malware can become a firestorm that engulfs the entire pool of servers. The potential for loss and vulnerability increases with the size of the pool—in proportion to the number of virtual guests, each of which brings its own vulnerabilities, creating a higher risk than in a single-instance virtual server. Moreover, the risk of the sum is greater than the sum of the risk of the parts, because the vulnerability of each system is itself subject to a “network effect.” Each additional server in the pool multiplies the vulnerability of other servers in the pool. See http://www.nemertes.com/issue_papers/virtulatization_risk_analysis.
14. http://cloudsecurity.org/2008/07/21/assessing-the-security-benefits-of-cloud-computing, retrieved 15 Feb 2009.
For example, customer contractual requirements and agreements for data privacy must be adhered to; accurate inventories of customer data, where it is stored, who can access it, and how it is used must be maintained; and, though often overlooked, RFI/RFP questions regarding privacy must be answered accurately. This requires special skills, training, and experience that do not typically exist within a security team.

As companies move away from a service model under which they do not store customer data to one under which they do store customer data, the data privacy concerns of customers increase exponentially. This new service model pushes companies into the cloud computing space, where many companies do not have sufficient experience in dealing with customer privacy concerns, permanence of customer data throughout its globally distributed systems, cross-border data sharing, and compliance with regulatory or lawful intercept requirements.
6.3.21 Data Governance

A formal data governance framework that defines a system of decision rights and accountability for information-related processes should be developed. This framework should describe who can take what actions with what information, and when, under what circumstances, and using what methods. The data governance framework should include:
Data inventory
Data classification
Data analysis (business intelligence)
Data protection
Data privacy
Data retention/recovery/discovery
Data destruction
6.3.22 Data Security

The ultimate challenge in cloud computing is data-level security, and sensitive data is the domain of the enterprise, not the cloud computing provider. Security will need to move to the data level so that enterprises can be sure their data is protected wherever it goes. For example, with data-level security, the enterprise can specify that this data is not allowed to go outside of the United States. It can also force encryption of certain types of data, and permit only specified users to access the data. It can provide compliance with the Payment Card Industry Data Security Standard (PCI DSS). True unified end-to-end security in the cloud will likely require an ecosystem of partners.
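The three data-level controls named above (a residency restriction, mandatory encryption for a classification, and a fixed set of permitted users) can be expressed as a policy object that travels with each record and is checked wherever the record is handled. The following is an added illustration, not code from the book; the classification label, region names, and user names are constructed for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class DataPolicy:
    """Controls that travel with the data rather than with the server."""
    classification: str         # e.g. "PCI" for cardholder data
    allowed_regions: frozenset  # jurisdictions the data may be stored or processed in
    require_encryption: bool    # data must be encrypted wherever it goes
    allowed_users: frozenset    # the only principals permitted to read it

@dataclass
class Record:
    payload: bytes
    policy: DataPolicy
    encrypted: bool = False     # set by the caller once the payload is encrypted

def violations(record: Record, user: str, destination_region: str) -> list:
    """Return every policy violation for 'user' handling 'record' in
    'destination_region'; an empty list means the operation is allowed."""
    p = record.policy
    found = []
    if destination_region not in p.allowed_regions:
        found.append(f"{p.classification} data may not be placed in {destination_region}")
    if p.require_encryption and not record.encrypted:
        found.append(f"{p.classification} data must be encrypted before it moves")
    if user not in p.allowed_users:
        found.append(f"{user} is not permitted to access {p.classification} data")
    return found

# Constructed sample policy: cardholder data pinned to US regions, encryption
# mandatory, readable only by the billing service account.
PCI_POLICY = DataPolicy(
    classification="PCI",
    allowed_regions=frozenset({"us-east-1", "us-west-2"}),
    require_encryption=True,
    allowed_users=frozenset({"billing-svc"}),
)

def demo() -> dict:
    """Evaluate a few handling attempts against constructed records."""
    card = Record(b"<ciphertext placeholder>", PCI_POLICY, encrypted=True)
    plain = Record(b"<plaintext placeholder>", PCI_POLICY, encrypted=False)
    return {
        "allowed":      violations(card, "billing-svc", "us-west-2"),
        "wrong_region": violations(card, "billing-svc", "eu-central-1"),
        "unencrypted":  violations(plain, "billing-svc", "us-east-1"),
        "wrong_user":   violations(card, "analyst", "us-east-1"),
    }

if __name__ == "__main__":
    for case, problems in demo().items():
        print(case, "->", problems or "allowed")
```

Because the check is a function of the record's own policy rather than of the host it sits on, the same evaluation can run on-premises, in the provider's region, or at a partner, which is the point of moving security to the data level.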
6.3.23 Application Security

Application security is one of the critical success factors for a world-class SaaS company. This is where the security features and requirements are defined and application security test results are reviewed. Application security processes, secure coding guidelines, training, and testing scripts and tools are typically a collaborative effort between the security and the development teams. Although product engineering will likely focus on the application layer, the security design of the application itself, and the infrastructure layers interacting with the application, the security team should provide the security requirements for the product development engineers to implement. This should be a collaborative effort between the security and product development team. External penetration testers are used for application source code reviews, and attack and penetration tests provide an objective review of the security of the application as well as assurance to customers that attack and penetration tests are performed regularly. Fragmented and undefined collaboration on application security can result in lower-quality design, coding efforts, and testing results.

Since many connections between companies and their SaaS providers are through the web, providers should secure their web applications by following Open Web Application Security Project (OWASP)[15] guidelines for secure application development (mirroring Requirement 6.5 of the PCI DSS, which mandates compliance with OWASP coding practices) and locking down ports and unnecessary commands on Linux, Apache, MySQL, and PHP (LAMP) stacks in the cloud, just as you would on-premises. LAMP is an open-source web development platform, also called a web stack, that uses Linux as the operating system, Apache as the web server, MySQL as the relational database management system (RDBMS), and PHP as the object-oriented scripting language. Perl or Python is often substituted for PHP.[16]

15. http://www.owasp.org/index.php/Main_Page, retrieved 15 Feb 2009.
16. http://www.webopedia.com/TERM/L/LAMP.html, retrieved 15 Feb 2009.
6.3.24 Virtual Machine Security

In the cloud environment, physical servers are consolidated to multiple virtual machine instances on virtualized servers. Not only can data center security teams replicate typical security controls for the data center at large to secure the virtual machines, they can also advise their customers on how to prepare these machines for migration to a cloud environment when appropriate.

Firewalls, intrusion detection and prevention, integrity monitoring, and log inspection can all be deployed as software on virtual machines to increase protection and maintain compliance integrity of servers and applications as virtual resources move from on-premises to public cloud environments. By deploying this traditional line of defense to the virtual machine itself, you can enable critical applications and data to be moved to the cloud securely. To facilitate the centralized management of a server firewall policy, the security software loaded onto a virtual machine should include a bi-directional stateful firewall that enables virtual machine isolation and location awareness, thereby enabling a tightened policy and the flexibility to move the virtual machine from on-premises to cloud resources. Integrity monitoring and log inspection software must be applied at the virtual machine level.

This approach to virtual machine security, which connects the machine back to the mother ship, has some advantages in that the security software can be put into a single software agent that provides for consistent control and management throughout the cloud while integrating seamlessly back into existing security infrastructure investments, providing economies of scale, deployment, and cost savings for both the service provider and the enterprise.
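The "bi-directional stateful firewall with location awareness" described above can be sketched as a small host-based agent: outbound flows the VM opens are recorded so their replies are accepted, while unsolicited inbound traffic is judged against an inbound profile that is selected by where the VM is currently running and tightens when it moves to the public cloud. This is an added illustration, not code from the book or from any vendor's product; the port list, address prefixes, and location names are constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str        # source address
    sport: int
    dst: str        # destination address
    dport: int
    direction: str  # "in" (toward this VM) or "out" (from this VM)

# Inbound services exposed per location: port -> required source prefix
# (None = any source). The public-cloud profile is deliberately tighter:
# SSH from the admin subnet is reachable only while the VM is on-premises.
INBOUND_ALLOW = {
    "on-prem": {443: None, 22: "10.0.0."},
    "cloud":   {443: None},
}

class StatefulFirewall:
    """Host-based firewall agent that filters both directions and keeps a
    table of flows the VM itself opened so that their replies are allowed."""

    def __init__(self, location: str):
        self.established = set()   # (local, lport, remote, rport)
        self.move_to(location)

    def move_to(self, location: str) -> None:
        """Re-select the inbound profile when the VM migrates. Flows the VM
        already opened keep working; unsolicited inbound is re-evaluated."""
        if location not in INBOUND_ALLOW:
            raise ValueError(f"unknown location: {location}")
        self.location = location

    def filter(self, pkt: Packet) -> bool:
        """Return True if the packet is permitted."""
        if pkt.direction == "out":
            # Remember the flow so the reply from dst:dport is accepted.
            self.established.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return True
        # Inbound reply to a flow this VM opened?
        if (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.established:
            return True
        # Otherwise only explicitly exposed services, chosen by location.
        allow = INBOUND_ALLOW[self.location]
        if pkt.dport not in allow:
            return False
        prefix = allow[pkt.dport]
        return prefix is None or pkt.src.startswith(prefix)
```

Moving the VM with `move_to("cloud")` closes the SSH exposure without touching the rules for established flows, which is what lets one centrally managed policy follow the machine between on-premises and cloud resources.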
6.3.25 Identity Access Management (IAM)

As discussed in Chapter 5, identity and access management is a critical function for every organization, and a fundamental expectation of SaaS customers is that the principle of least privilege is granted to their data. The principle of least privilege states that only the minimum access necessary to perform an operation should be granted, and that access should be granted only for the minimum amount of time necessary.[17] However, business and IT groups will need and expect access to systems and applica-

17. http://web.mit.edu/Saltzer/www/publications/protection/Basic.html, retrieved 15 Feb 2009.