SaaS as a Security Hazard: The Google Apps example

Ofer Shezaf, [email protected], www.xiom.com

Posted on 06-Jun-2020

Page 1: SaaS as a Security Hazard - The Google Apps example

Ofer Shezaf, [email protected], www.xiom.com

Page 2: About Myself

I live in Kibbutz Yiftah, Israel

I create security products

Currently, Product Manager for Security Solutions at HP ArcSight

Prior to that did security research and product management at Breach Security & at Fortify

I am an application security veteran

OWASP leader and founder of the OWASP Israeli chapter

Lead the Web Application Firewall Evaluation Criteria project

Wrote the ModSecurity Core Rule Set

I really try to learn what information security is

Read my blog at http://www.xiom.com

Be ready for some philosophy of science and cognitive psychology

Page 3: What are Google Apps?

Gmail, Calendar, Docs, Sites & Groups

Google's alternative to Exchange, SharePoint and Outlook, and to a lesser extent to Office.

Better at sharing, and in a way that is familiar to users.

Adoption is pushed bottom-up, by the users rather than by IT.

Page 4: If It Were Only Cloud…

Page 5: Google Apps Role in the IT Environment

[Diagram: delivery models Traditional, Private Cloud, Managed Cloud and Public Cloud (SaaS), spanned by Hybrid Delivery; labels "customization required" and "automated provisioning"; note: future availability of hybrid capabilities]

1. Non-critical business services will move to SaaS providers who provide some level of security.

2. Some critical business services will be deployed in private clouds with customized security controls.

3. Some workloads will move to public clouds with security components provisioned in the image.

4. Security will be componentized and automatically deployed with workloads, based on the sensitivity of the assets.

Page 6: No, it is not about SQL injection

Google is better than your programmers at weeding out SQL injection.

So what is it about?

Page 7: Ownership

Page 8: Cloud Entrance Exam: Question 1

Who Owns The Data?

You?

Google?

Your Employee?

Google’s Employee?

Page 9: Cloud Entrance Exam: Question 2

Do You Compete With Google?

No (are you serious?)

We do, but not me

I don’t know

Yes (You Bet!)

Page 10: Cloud Entrance Exam: Question 3

Who Authorizes Access to the Data?

Me

Google

Google, but only if the court asks

Google, but only if the Chinese ask

Page 11: Cloud Entrance Exam: Question 4

What About Illegal Material?

I never store such data!

… apart from competitive marketing and stolen images in presentations

… but Google would not interfere with my data

Or would they?

Page 12: Regulations

Page 13: It's All About Geography

Privacy
• National laws
• Limitations on the transfer of data

Compliance
• PCI, SOX, SAS 70, ISO 27K…

Ownership
• Google or I?

So where is the data?

And who is responsible for it?

Page 14: Back To Basics

Page 15: Where and What do we Manage?

[Diagram: the same delivery models as on page 5 (Traditional, Private Cloud, Managed Cloud, Public Cloud/SaaS, Hybrid Delivery; note: future availability of hybrid capabilities), with the three controls that must be managed across all of them:]

Authentication

Authorization

Audit

Page 16: Authentication & User Management

Password strength is of extreme importance in web-based services.

• Complexity, length, lifetime

• Two-factor authentication is preferred.

Avoid requiring users to have multiple complex passwords.

• Otherwise you get sticky-note passwords.

Need to make sure users are created, terminated and transferred on all services.

SaaS MUST tie in to the enterprise directory.
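The joiner/mover/leaver problem on this slide is easiest to see in code. The following is an added example, not part of the slides: a reconciliation between an enterprise directory export and a SaaS tenant's user list that flags leavers who still have active SaaS accounts, SaaS accounts with no directory record, new joiners not yet provisioned, and movers whose SaaS grouping no longer matches their department. The record formats, the `org_unit`/`department` mapping and all sample users are constructed assumptions; a real run would feed it the directory export and the SaaS admin API's user list.

```python
"""Joiner/mover/leaver reconciliation between an enterprise directory and a SaaS tenant.

Added example; the data model and sample records are constructed, not taken
from any real directory or SaaS product.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class DirUser:
    email: str
    active: bool       # False once HR terminates the person
    department: str


@dataclass(frozen=True)
class SaasUser:
    email: str
    suspended: bool
    org_unit: str      # assumed to mirror the directory department
    is_admin: bool


# Constructed sample data (assumption: example.com is the enterprise domain)
DIRECTORY = [
    DirUser("alice@example.com", True, "finance"),
    DirUser("bob@example.com", False, "sales"),          # left the company
    DirUser("carol@example.com", True, "engineering"),   # transferred from sales
    DirUser("dave@example.com", True, "sales"),          # new hire, not yet in SaaS
]
SAAS = [
    SaasUser("alice@example.com", False, "finance", False),
    SaasUser("bob@example.com", False, "sales", True),         # still active, and an admin
    SaasUser("carol@example.com", False, "sales", False),      # stale org unit after transfer
    SaasUser("eve@example.com", False, "contractors", False),  # no directory record at all
]


def reconcile(directory, saas):
    """Return a dict of finding category -> sorted list of e-mail addresses.

    Categories:
      leavers_still_active   directory says terminated, SaaS account not suspended
      orphaned_saas_accounts SaaS account with no directory record
      joiners_missing        active directory user with no SaaS account
      movers_stale_org_unit  active user whose SaaS org unit differs from the department
      privileged_findings    any of the above where the SaaS account is an admin
    """
    dir_by = {u.email.lower(): u for u in directory}
    saas_by = {u.email.lower(): u for u in saas}
    findings = {
        "leavers_still_active": [],
        "orphaned_saas_accounts": [],
        "joiners_missing": [],
        "movers_stale_org_unit": [],
        "privileged_findings": [],
    }
    for email, s in saas_by.items():
        d = dir_by.get(email)
        if d is None:
            findings["orphaned_saas_accounts"].append(email)
            if s.is_admin and not s.suspended:
                findings["privileged_findings"].append(email)
            continue
        if not d.active and not s.suspended:
            findings["leavers_still_active"].append(email)
            if s.is_admin:
                findings["privileged_findings"].append(email)
        elif d.active and s.org_unit != d.department:
            findings["movers_stale_org_unit"].append(email)
    for email, d in dir_by.items():
        if d.active and email not in saas_by:
            findings["joiners_missing"].append(email)
    return {k: sorted(v) for k, v in findings.items()}


def report(findings):
    """Render the findings as plain text, one line per account."""
    lines = []
    for category, emails in findings.items():
        for email in emails:
            lines.append(f"{category}: {email}")
    return "\n".join(lines) if lines else "no discrepancies"


if __name__ == "__main__":
    print(report(reconcile(DIRECTORY, SAAS)))
```

The check is deliberately one-directional per category: suspension in the SaaS tenant is compared against the directory's active flag, never the other way round, because the directory is the system of record. Running it on a schedule, and treating the `privileged_findings` list as a page-someone event, is the practical meaning of "SaaS must tie in to the enterprise directory" when no real-time provisioning connector exists.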

Page 17: User Permissions & Authorization

Both permissions management and permissions audit are crucial.

Unique to SaaS solutions is the option to share externally.

Tools, both for SaaS and for self-hosted deployments, are not mature.

External sharing is always a hazard in knowledge-sharing applications.
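Because the tooling the slide calls immature is mostly about finding external shares, here is an added example (not from the slides) of the audit the slide asks for: it walks a list of documents with their sharing entries and reports every principal outside the organization, grading "anyone with the link" and external write access higher than an external read-only user. The ACL shape (`user`, `group`, `domain` and `anyone` entries with a `role`) is a constructed simplification of a Docs/Drive-style permission list, and the documents and domain are sample data, not real records.

```python
"""Audit document sharing for external exposure.

Added example. The ACL format and the sample documents are constructed;
the principal types (user, group, domain, anyone) mimic a Docs/Drive-style
permission list but are not any product's real API schema.
"""
INTERNAL_DOMAINS = {"example.com"}   # assumption: the enterprise's own domains

# Constructed sample documents
DOCS = [
    {"id": "doc-1", "title": "Q3 forecast", "acl": [
        {"type": "user", "email": "alice@example.com", "role": "owner"},
        {"type": "user", "email": "partner@outside.net", "role": "writer"}]},
    {"id": "doc-2", "title": "Lunch menu", "acl": [
        {"type": "user", "email": "bob@example.com", "role": "owner"},
        {"type": "anyone", "role": "reader", "with_link": True}]},
    {"id": "doc-3", "title": "Board minutes", "acl": [
        {"type": "user", "email": "carol@example.com", "role": "owner"},
        {"type": "domain", "domain": "example.com", "role": "reader"}]},
    {"id": "doc-4", "title": "Vendor list", "acl": [
        {"type": "user", "email": "dave@example.com", "role": "owner"},
        {"type": "group", "email": "all-hands@example.com", "role": "reader"},
        {"type": "user", "email": "ex-employee@gmail.com", "role": "reader"}]},
]

WRITE_ROLES = {"writer", "owner"}


def is_external(entry, internal_domains):
    """True if the ACL entry grants access to someone outside the organization."""
    t = entry["type"]
    if t == "anyone":
        return True
    if t == "domain":
        return entry["domain"].lower() not in internal_domains
    # user or group: classify by the domain part of the address
    domain = entry["email"].rsplit("@", 1)[-1].lower()
    return domain not in internal_domains


def audit_sharing(docs, internal_domains=INTERNAL_DOMAINS):
    """Return a list of (doc_id, severity, principal, role) for every external grant.

    Severity: 'high' for link/public sharing, whole external domains and any
    external write access; 'medium' for a named external read-only principal.
    """
    findings = []
    for doc in docs:
        for e in doc["acl"]:
            if not is_external(e, internal_domains):
                continue
            if e["type"] == "anyone":
                who = "anyone with the link" if e.get("with_link") else "anyone (public)"
                sev = "high"
            elif e["type"] == "domain":
                who, sev = f"domain:{e['domain']}", "high"
            else:
                who = e["email"]
                sev = "high" if e["role"] in WRITE_ROLES else "medium"
            findings.append((doc["id"], sev, who, e["role"]))
    return findings


def owners_with_external_shares(docs, internal_domains=INTERNAL_DOMAINS):
    """Map each document owner to the ids of their externally shared documents,
    which is the list you hand to people when asking them to clean up."""
    flagged = {doc_id for doc_id, _, _, _ in audit_sharing(docs, internal_domains)}
    by_owner = {}
    for doc in docs:
        if doc["id"] not in flagged:
            continue
        owner = next(e["email"] for e in doc["acl"] if e["role"] == "owner")
        by_owner.setdefault(owner, []).append(doc["id"])
    return by_owner


if __name__ == "__main__":
    for doc_id, sev, who, role in audit_sharing(DOCS):
        print(f"{sev:6} {doc_id}: {who} ({role})")
    print(owners_with_external_shares(DOCS))
```

The domain-based classification is the weak spot to be aware of: a consumer address at the enterprise's own domain cannot exist, but a `group` entry is only as internal as its membership, so a real audit should expand groups before trusting them.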

Page 18: Audit

[Diagram: HP ArcSight collecting audit events from the on/off-premise data center, remote workers and the public cloud]

Page 19: For Further Consideration

Page 20: Did You Consider?

Encryption
• SSL (data in transit)
• Disks (data at rest)

Administrator Access Control
• Two-factor authentication?
• Only from within the organization?

Administration Capabilities
• Can your administrators access users' data if needed?

Backup and Restore
• Service Level Agreement (SLA)
• Service for accidental deletes
• Disaster recovery

Way out

Page 21: For Further Questions

Contact: Ofer Shezaf, [email protected], www.xiom.com