Cloud computing covers a wide range of computing resources and services that users consume over the Internet. Such solutions allow an organization to build management information systems without buying "boxed" products.
This lets consumers avoid the problem of unlicensed software use and cut a large share of the cost of building data centers. Cloud technologies can respond instantly to growing demand for computing power, which removes the long lead times involved in constructing and commissioning large IT infrastructure facilities.
In this article we look at the advantages and disadvantages of SaaS from a security standpoint.
SaaS is ubiquitously accessible: it can be used anywhere there is Internet access. Access to the software is provided remotely over network channels, through a web interface, terminal access or thin clients. The software is deployed in the data center as a single software core. Ease of implementation, the ability to fully test the system before purchasing, low cost and access from anywhere are the main advantages of SaaS.
However, SaaS is not all advantages. Its biggest disadvantage is the security of stored customer data. Many Russian companies are not accustomed to keeping their projects and client databases on foreign servers because of concerns about data confidentiality.
In their view, their own staff of qualified information security specialists will protect shared databases far more reliably than a service provider with only a remote idea of information security. In addition, users depend on the Internet: if Internet access is lost, access to the SaaS is lost with it. The user does not manage servers, operating systems, networks, data storage, or even some application capabilities, so the primary responsibility for ensuring information security lies almost entirely with the cloud service provider.
Cloud service providers are not always willing to complicate their platforms with integration into an identity management system. Several technologies extend role-based access control into the cloud, for example single sign-on (SSO), but overall this area is still at an early stage of development. At present each major player in the SaaS market is building its own technology for the relationship with the client. Google has a Secure Data Connector, which forms an encrypted connection between customer data and Google's business applications and lets the customer control which employees may access Google Apps resources and which may not. Salesforce CRM provides similar functionality on its own technology. When a customer uses many different SaaS applications, the number of security tools in use grows, which can make such a model sluggish and poorly scalable. Several third-party products at least claim to work across many types of SaaS applications, but so far providers have not tested them sufficiently. Identity management and access control for enterprise applications therefore remains, according to Digital Design experts, one of the main challenges facing IT today.
The ISO 27001 standard describes information security requirements. It is a fairly comprehensive standard covering many of the security aspects that concern customers. For both providers and customers, ISO 27002, which describes practical rules for information security management, may also be of interest. This standard can be used when building a SaaS cloud, but in any case a dedicated standard for cloud computing needs to be developed.
At present very few large IT companies offer a security solution for SaaS services. Below we consider the SaaS security solution from IBM, one of the most effective, and the cloud protection solution from the Russian company CROC.
Security of SaaS Applications from IBM
SaaS Application Security Requirements
Several requirements are imposed on the security system of an efficient multi-tenant SaaS application.
1. The system should provide security and access control for functions based on permissions.
2. User data can be kept in the information environment within the enterprise. The system should provide user authentication mechanisms that use data hosted in the internal information environment, and authorization that uses access control data provided on demand.
3. Because of strict tenant data isolation and regulatory requirements, user data can be placed in a dedicated database provided to each tenant on demand. The system should provide a mechanism for authenticating and authorizing users in an isolated database area configured specifically for the tenant that owns those users.
4. User data can be placed in a shared database in the on-demand environment with a different database schema per tenant. The system must provide an authentication and authorization mechanism for the shared database using the schema configured for the tenant to which the users belong.
5. User data can be placed in a shared database in the on-demand environment with a single common schema. The system should provide a mechanism for authenticating and authorizing users using the shared database and the common schema used for all tenants.
6. The system should provide a mechanism that allows the administrator of each tenant to create, modify and delete that tenant's user accounts in the user account catalog.
To meet these security requirements, the SaaS application architecture must satisfy the requirements for authentication and authorization.
This article covers two scenarios.
1. User account database in the on-demand environment.
In this scenario the architecture should provide specialized security services for authenticating and authorizing users against a centralized multi-tenant user account database, as well as a dedicated tenant database. The architecture should also provide an interface that lets tenants create, modify and delete their own user accounts in the user account catalog. This approach is recommended when single sign-on is not important to the service's consumers; for example, it can be used for serving customers.
2. User account database within the enterprise.
In this scenario the tenant deploys a federation server that works with its own user directory service. When the end user accesses the application, the tenant's federation server authenticates the user locally and negotiates with the SaaS federation server to provide the user with a signed access token. The SaaS provider uses the access token issued by the tenant's federation server for authorization. This approach is recommended when single sign-on is important to service consumers; it can also be used for business users.
Hosting a database of user accounts within the enterprise
A SaaS provider can use an off-the-shelf commercial federation server to securely pass a federation token between applications located in different security domains. The SaaS provider needs a federation server that interoperates with the other SSO solutions corporate users rely on in the on-demand services environment. The federation server within the enterprise must have a trust relationship with the corresponding federation server on the SaaS provider's network.
When the user account database is hosted in the customer's enterprise, it is also necessary to:
1. Develop a servlet filter that extracts usernames authenticated by the federation server from the HTTP headers and creates valid principal/subject pairs.
2. Use a specialized security service based on JAAS (Java Authentication and Authorization Service) to satisfy the multi-tenant authorization requirements of the SaaS.
3. Call the security service API from the servlet filter to authenticate the user.
4. Configure the servlet filter through the controller servlet of a presentation framework based on the model-view-controller (MVC) design pattern, so that incoming requests meet the security requirements.
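The following is an added illustration of the second scenario and of requirements 1 and 3 above, not IBM's code: a Python sketch of what the servlet filter must do with a federation-issued access token (verify its signature and expiry before creating a principal, rather than trusting a bare username header) and how the multi-tenant authorization check keeps a principal inside its own tenant. The token format, the per-tenant HMAC keys and the role-to-permission table are assumptions made for the example.

```python
import base64
import hashlib
import hmac
import json

# Constructed per-tenant HMAC keys standing in for the trust relationship between
# each tenant's federation server and the SaaS federation server (assumption).
TENANT_KEYS = {"acme": b"acme-federation-secret", "globex": b"globex-secret"}
# Permission-based access control (requirement 1): roles map to permissions.
ROLE_PERMISSIONS = {"admin": {"read", "write", "manage_users"}, "user": {"read"}}

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_token(tenant, user, roles, now, ttl=300):
    """Tenant federation server: sign claims after local authentication.
    now is caller-supplied Unix time so the example is deterministic."""
    claims = {"tenant": tenant, "sub": user, "roles": roles, "exp": now + ttl}
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    sig = hmac.new(TENANT_KEYS[tenant], body.encode(), hashlib.sha256).digest()
    return body + "." + _b64(sig)

def verify_token(token, now):
    """SaaS side: check the signature with the claimed tenant's key, then expiry.
    Any malformed, tampered, unknown-tenant or expired token yields None."""
    try:
        body, sig = token.split(".")
        claims = json.loads(_unb64(body))
        key = TENANT_KEYS[claims["tenant"]]
        expected = hmac.new(key, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(sig)) or claims["exp"] < now:
            return None
        return {"tenant": claims["tenant"], "name": claims["sub"], "roles": set(claims["roles"])}
    except (ValueError, KeyError, TypeError):
        return None

def filter_request(headers, now):
    """Servlet-filter analogue: only a verified token yields a principal.
    A bare username header such as X-Remote-User is never trusted by itself."""
    token = headers.get("X-Federation-Token")
    return verify_token(token, now) if token else None

def authorize(principal, tenant, permission):
    """Multi-tenant authorization: the principal must belong to the tenant whose
    data is requested and hold a role that grants the permission."""
    if principal is None or principal["tenant"] != tenant:
        return False
    return any(permission in ROLE_PERMISSIONS.get(r, ()) for r in principal["roles"])
```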
Cloud Security Solutions from CROC
The CROC solution combines two groups of protection tools:
1. Tools integrated within the virtual cloud platform.
2. Overlay protection that secures the cloud perimeter.
As a rule, protection technologies integrated at the virtual platform level include solutions that separate user and administrator access to cloud resources, as well as mechanisms that protect the virtual IT infrastructure (for example, anti-virus protection and firewalling).
The choice of specific protection tools integrated within the "cloud" depends on the characteristics of the virtual platform and takes its specifics into account.
Security technologies used at the cloud perimeter level include firewalling, traffic encryption, intrusion prevention, etc.
When resources are provisioned in a virtual data center, services are used that protect against both standard threats (information leakage, network attacks) and cloud-specific threats (dependence on the provider, non-compliance with regulatory requirements).
Cloud Security Services
1. Firewall
2. Intrusion Prevention (IDS / IPS)
3. Creating secure communication channels (VPN / SSL VPN)
4. Protection against denial of service attacks (DoS / DDoS)
5. Anti-virus protection
6. Antispam protection
Security services are implemented on a specialized protection node that also performs the security functions of the "cloud" itself. The architecture relies on protection mechanisms built into the virtual data center, which isolate client resources from one another, together with the security services offered to clients to protect the resources they host in the cloud.
Conclusion
The solution proposed by IBM is among the most effective at present; many of the largest oil holdings use it for their tasks. It is also worth noting that system integrators are actively promoting cloud computing security solutions, which suggests that the protection of SaaS services is a hot topic at the moment.
But one should not forget that many developers use Western platforms for developing and hosting their applications, so their data is in fact stored outside Russia, which increases geopolitical risks. In addition, SaaS has been repeatedly criticized by IT specialists. For example, Richard Stallman, founder of the free software movement and the GNU project, described this technology as
"the equivalent of universal spyware and a big back door" (it gives the server operator undue power over the user).