Sunday, January 22, 2017

Software as a Service (SaaS), Security and Risk Management: Part 1

As cloud computing technologies and offerings mature and evolve in the services they provide to customers, one common consumer use will be the Software as a Service (SaaS) model.



Earlier articles by this author have touched on the various models, risks, security and forensics at several levels. There is also a plethora of resources freely available online with which end users can educate themselves.



This article will focus on aspects of security that impact the SaaS environment as developed, presented or augmented by the author for several Cloud Computing projects.



Before we proceed with the subject matter, a brief clarification of what this author refers to as the cloud follows. Keep in mind that the term “cloud computing” is now being used to describe a broad range of services, including product descriptors that sit outside the common definition of the cloud.



For ease of reference I will refer to the National Institute of Standards and Technology (NIST) [1] definition of which the following is a part. “Cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.”



Over the years since the concept of Cloud Computing evolved, we have seen an accepted concept of the “Cloud Computing Stack”, with its three distinct categories: Software as a Service, Platform as a Service and Infrastructure as a Service. IaaS is the platform upon which PaaS rests, and PaaS in turn is the layer upon which SaaS rests, moving up the stack from IaaS to SaaS.



It is important to keep this basic stack in mind as the building blocks of the Cloud Computing system, and not get distracted by all the “as a Service” offerings springing up across markets, as we proceed with this article.



As we move more and more services into the Cloud ecosystem, there will always be concerns regarding security. However, a prescriptive combination of both preventive and detective controls at the data centers housing the IaaS ecosystem is on the path to security compliance and event mitigation. These controls, as a step toward better cloud computing security, should be assessed and assured to meet industry-tested security controls, as well as regulatory and policy requirements. The same format can be modified and applied up the stack to the PaaS segment.



However it is at the SaaS layer that we can perceive additional challenges with cloud security. One critical area of concern stems from the potential risk that a client’s data can be exposed to as it is stored within the storage system of its SaaS provider. This risk can potentially increase in the event of the SaaS provider in turn utilizing the services of a third party IaaS provider.



Whilst effective data center security controls are good for inside a data center, web services or applications outside this area are a growing target for application-layer attacks. This can lead to the loss of critical to sensitive customer data as well as intellectual property and other corporate data.

A challenge for the IT security professional here is how to implement a level of protection that meets IT security control requirements as well as ensures compliance with information security regulations, e.g. PCI-DSS in the case of transactions via web services.



In both traditional environments and cloud services infrastructure environments, we have firewalls tweaked and configured with rulebase automation as a best practice. However, in the dynamic cloud environment I believe that having to manage firewall signatures, for example, amongst other issues, could be challenging and counter-productive.



Essentially we would need to implement security in a layered approach which should include the network, servers, databases and coding, augmented by a system that should have a defined security process based on the SaaS environment and its functionality. This should be an additive measure to augment other monitoring and logging systems deployed to secure this environment.



This system should also have the ability to implement tools that will be able to dynamically learn the behavior of an application supported by an automated mechanism, thus removing the need for signatures in the case of firewall systems as mentioned earlier.
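A minimal sketch of the signature-free idea described above, as an added example that is not part of the original article: the tool learns a per-parameter profile from normal traffic and flags requests that deviate from it. The endpoint, parameter names and sample requests are constructed for illustration.

```python
import re

# Constructed baseline traffic for a hypothetical /api/invoice endpoint.
BASELINE = [
    {"id": "1042", "format": "pdf"},
    {"id": "77", "format": "csv"},
    {"id": "93015", "format": "pdf"},
]
RANK = {"digits": 0, "token": 1, "free": 2}  # narrowest to widest class


def char_class(value):
    """Coarse character class of one parameter value."""
    if re.fullmatch(r"[0-9]+", value):
        return "digits"
    if re.fullmatch(r"[A-Za-z0-9_-]+", value):
        return "token"
    return "free"


def learn(requests):
    """Profile each parameter: widest class and longest value observed."""
    profile = {}
    for req in requests:
        for name, value in req.items():
            cls, length = char_class(value), len(value)
            if name in profile:
                old_cls, old_len = profile[name]
                cls = max(cls, old_cls, key=RANK.get)
                length = max(length, old_len)
            profile[name] = (cls, length)
    return profile


def check(profile, request, slack=2):
    """Return deviations from the learned profile; an empty list means normal."""
    findings = []
    for name, value in request.items():
        if name not in profile:
            findings.append(f"unknown parameter: {name}")
            continue
        cls, max_len = profile[name]
        seen = char_class(value)
        if RANK[seen] > RANK[cls]:
            findings.append(f"{name}: class {seen} wider than learned {cls}")
        if len(value) > max_len * slack:
            findings.append(f"{name}: length {len(value)} over learned {max_len}")
    return findings
```

Findings from `check` are meant to feed the monitoring and logging systems already deployed, not to replace them.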



Within the SaaS environment we need to ensure adequate security in input validation by SaaS end users, effective user authentication and authorization, proper data segregation with security encapsulation for data in motion using SSL (3.0 or above) or TLS (1.0 or above), effective software patching policies and procedures by the SaaS provider working with its software vendors, as well as a key generation strategy.



(While SSL/TLS encryption for data in motion between a web server and a browser is good practice, administrators should also disable weak algorithms and ciphers on the web server.)



There must also be assurance for uptime or availability that is formalized in a Service Level Agreement (SLA). Impact on environments supporting the SaaS ecosystem can be attacks impacting Network Security as well as the process for Backup and Recovery.



Researchers Bhadauria and Sanyal [1] stated “Two types of servers are used by SaaS: the Main Consistence Server (MCS) and Domain Consistence Server (DCS). Cache coherence is achieved by the cooperation between MCS and DCS. In SaaS, if the MCS is damaged, or compromised, the control over the cloud environment is lost. Hence securing the MCS is of great importance.”

 

Another concern within this ecosystem is that of cross-site scripting attacks that target Asynchronous JavaScript and XML (AJAX) [2]. A best practice here would be to have a policy that ensures that all calls are verified with the Web Server and Service to ensure proper authentication and authorization before allowing the request.
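One way to apply that policy on the server side, shown as an added example that is not from the original article: every AJAX call is authenticated and then authorized against the caller's tenant before any data is returned. The HMAC-signed token format, the key and the record table are assumptions made for this sketch.

```python
import hashlib
import hmac
import time

SECRET = b"constructed-demo-key"  # assumption: key known only to the server
# Constructed resource table: record id -> owning tenant (data segregation).
RECORD_OWNER = {"inv-1": "tenant-a", "inv-2": "tenant-b"}


def _sign(body):
    return hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()


def issue_token(user, tenant, expires):
    """Sign 'user|tenant|expires' so the server can verify it on every call."""
    body = f"{user}|{tenant}|{expires}"
    return f"{body}|{_sign(body)}"


def authorize(token, record_id, now=None):
    """Return (allowed, reason) for one request; nothing from the client is trusted."""
    now = time.time() if now is None else now
    parts = token.split("|")
    if len(parts) != 4:
        return False, "malformed token"
    user, tenant, expires, sig = parts
    expected = _sign(f"{user}|{tenant}|{expires}")
    # Authentication: constant-time comparison of the signature.
    if not hmac.compare_digest(sig.encode(), expected.encode()):
        return False, "bad signature"
    if not expires.isdigit() or int(expires) < now:
        return False, "expired"
    # Authorization: the record must belong to the caller's own tenant.
    if RECORD_OWNER.get(record_id) != tenant:
        return False, "record not owned by caller's tenant"
    return True, "ok"
```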



Moving away a bit from the technology of security in this environment, Cloud Computing and SaaS as a whole were in their infancy and in some circles were denounced as a viable IT service (no names called here, but a tech company leader specializing in databases and now cloud products comes to mind).



In terms of regulations that impact web services and by extension SaaS, we can reference the Gramm-Leach-Bliley Act (GLBA) passed in 1999, Sarbanes-Oxley Act (SOX) in 2002, and the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule and Security Rule of 2003.  All three of these regulations, although important in their relative environments (e.g. Customer Relationship Management (CRM), Enterprise Resource Planning (ERP), Intellectual Property systems (IPS) and Human Resources Systems), were not crafted to include elements of a SaaS environment then.



As a result, there need to be finite and focused addenda or improvements to these acts, as was the case with SAS 70 to SSAE 16, to meet this technological evolution.



Of importance is that, despite the security measures and attestations provided by a SaaS provider to assure a client of the security controls or compensating controls and compliance processes in place to meet regulatory and security standards, it is still the responsibility of the data owner to maintain industry-regulated requirements to comply with confidentiality, integrity, non-repudiation and security control over sensitive to critical information.



So the challenge here is to ensure that a cloud client's requirements (Security Policy, Strategy, Data Provenance, Operational and End-User Security) are part of the discussion with the cloud provider and most if not all requirements mirror.



The designation of data classification is part of another topic and should be influenced by the results of risk impact and gap analysis.



As a closing point, vulnerability assessments and penetration tests within the SaaS environment are an important tool: they let an independent set of eyes present the information that a potential attacker would find and use against the SaaS. This is not only related to technology, as is well known due to the rise of social engineering.



References

[1] Rohit Bhadauria; Sugata Sanyal (2012). "A Survey on Security Issues in Cloud Computing". www.ijcaonline.org, Archives, Volume 47, Number 18.



[2] Jesse James Garrett (18 February 2005). "Ajax: A New Approach to Web Applications". AdaptivePath.com.








