Enhance Security and Compliance with SaaS

The enormous growth of cloud use across public, private and community deployments makes security and compliance issues a top priority. The graph below, from a 2015 Gartner survey report, depicts the main security concerns for cloud.

[Graph: 2015 Gartner survey of cloud security concerns]

Users are often unaware of who is accessing their data and applications, and of how secure the cloud service provider (CSP) really is. On multi-tenant services, a failure of isolation can expose one tenant's data to other tenants, including competitors. SaaS security therefore includes "application discovery", which identifies all the applications in use on a network and gives visibility into the risk each one carries. In SaaS, applications are deployed and managed in the CSP's datacenter, paid for by subscription and accessed over the Internet; the customer licenses the service on demand. Salesforce.com CRM, for example, is a SaaS application. Virtualization is one of the major components of cloud: many instances run on the same physical server and are supposed to be isolated from each other, and that isolation is the main security concern. A local user who can bypass specific security restrictions of the hypervisor gains control over the virtualization layer, and with it over other tenants' instances on the same host. CSPs therefore have to review these scenarios in depth against all the compliance guidelines that apply to SaaS. The image below outlines the security issues in SaaS.

[Image: security issues in SaaS]

SaaS applications require an architecture with security mapped into its core: support for many concurrent processes, and resource isolation for data security, including isolation of the virtual machine and hypervisor caches so that one tenant cannot observe another through shared hardware. The SaaS architecture uses identity and access management (IAM) to coordinate authentication and authorization with the application's own access-control mechanisms. Data isolation and resource localization across the distributed architecture, with authentication controls enforced over a secured network, form the basis of a simplified, secured cloud environment.

Current solutions available for securing the application infrastructure in SaaS:

Security area                        Solutions with SaaS
Authentication and authorization     • Open Authorization (OAuth)
                                     • Two-factor authentication
Availability                         • Data dispersion
Data confidentiality                 • Attribute-based proxy re-encryption
Virtual machine security             • Reconfigurable distributed virtual machine
                                     • Survey on virtual machine security
Information security                 • Information security risk management framework
Network security                     • Network security for virtual machines
                                     • Network security sandbox
Cloud standards                      • IEEE Cloud Computing Standard Study Group
                                     • ITU Cloud Computing Focus Group
                                     • Cloud Security Alliance (CSA)
Data access                          • Multi-user access policies
                                     • Data access management
Web application security             • Web application scanners
Data breaches
Backup                               • Agentless method for data backup and recovery
Identity management and sign-on      • CSA Identity and Access Management Guidance

OAuth security in SaaS connectors: OAuth 1.0 (standardized by the IETF as RFC 5849) is an open standard for delegated authorization. It lets a third-party application access a user's resources held by a service without ever being given the user's password; it is not by itself an authentication method. OAuth 1.0 involves three parties:

User: the person who holds an account with the Service Provider and grants access to it.

Consumer: the application (website or app) that uses OAuth to access the Service Provider's API on the User's behalf.

Service Provider: the web application that hosts the User's protected resources and supports access via OAuth.
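To make the three roles concrete, here is an added example (not from the original page and not any vendor's connector code) of the Consumer signing a request to the Service Provider's API on the User's behalf with OAuth 1.0 HMAC-SHA1 as specified in RFC 5849, and the Service Provider verifying it. The consumer key, token, secrets and API URL are constructed values; the nonce set and timestamp window are this example's own replay protection, which the page does not describe.

```python
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import quote, urlsplit


def pct(value):
    """RFC 5849 s3.6 percent-encoding: only unreserved characters stay literal."""
    return quote(str(value), safe="-._~")


def base_string_uri(url):
    """RFC 5849 s3.4.1.2: lowercase scheme/host, drop default port, query and fragment."""
    parts = urlsplit(url)
    scheme, host, port = parts.scheme.lower(), parts.hostname.lower(), parts.port
    if port and not ((scheme == "http" and port == 80) or (scheme == "https" and port == 443)):
        host = f"{host}:{port}"
    return f"{scheme}://{host}{parts.path or '/'}"


def signature_base_string(method, url, params):
    """RFC 5849 s3.4.1: METHOD & enc(base URI) & enc(normalized parameters).

    params holds every (name, value) pair from the query string, form body and
    oauth_* header parameters, except oauth_signature itself.
    """
    pairs = sorted((pct(k), pct(v)) for k, v in params)
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), pct(base_string_uri(url)), pct(normalized)])


def hmac_sha1_signature(base, consumer_secret, token_secret=""):
    """RFC 5849 s3.4.2: HMAC-SHA1 keyed with enc(consumer secret) '&' enc(token secret)."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    return base64.b64encode(hmac.new(key, base.encode(), hashlib.sha1).digest()).decode()


def sign_request(method, url, request_params, consumer_key, consumer_secret,
                 token="", token_secret="", nonce=None, timestamp=None):
    """Consumer side: produce the oauth_* parameters for one request.

    token/token_secret are the access token the User granted the Consumer;
    left empty, this signs a two-legged (consumer-only) request.
    """
    oauth = {
        "oauth_consumer_key": consumer_key,
        "oauth_nonce": nonce or secrets.token_hex(16),
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": str(int(time.time()) if timestamp is None else timestamp),
        "oauth_version": "1.0",
    }
    if token:
        oauth["oauth_token"] = token
    base = signature_base_string(method, url, list(request_params) + list(oauth.items()))
    oauth["oauth_signature"] = hmac_sha1_signature(base, consumer_secret, token_secret)
    return oauth


class ServiceProvider:
    """Service Provider side: holds the secrets and rejects stale or replayed requests."""

    def __init__(self, consumers, tokens, window=300):
        self.consumers = consumers  # consumer_key -> consumer_secret
        self.tokens = tokens        # oauth_token -> token_secret
        self.window = window        # accepted clock skew in seconds
        self.seen = set()           # (consumer_key, timestamp, nonce) already accepted

    def verify(self, method, url, request_params, oauth, now=None):
        now = int(time.time()) if now is None else now
        consumer_secret = self.consumers.get(oauth.get("oauth_consumer_key"))
        nonce = oauth.get("oauth_nonce")
        if consumer_secret is None or nonce is None:
            return False
        if oauth.get("oauth_signature_method") != "HMAC-SHA1":
            return False
        token_secret = ""
        if "oauth_token" in oauth:
            token_secret = self.tokens.get(oauth["oauth_token"])
            if token_secret is None:
                return False
        try:
            ts = int(oauth["oauth_timestamp"])
        except (KeyError, ValueError):
            return False
        if abs(now - ts) > self.window:
            return False                      # stale: outside the skew window
        replay_key = (oauth["oauth_consumer_key"], ts, nonce)
        if replay_key in self.seen:
            return False                      # same nonce and timestamp seen before
        unsigned = [(k, v) for k, v in oauth.items() if k != "oauth_signature"]
        base = signature_base_string(method, url, list(request_params) + unsigned)
        expected = hmac_sha1_signature(base, consumer_secret, token_secret)
        if not hmac.compare_digest(expected.encode(), str(oauth.get("oauth_signature", "")).encode()):
            return False                      # tampered request or wrong secret
        self.seen.add(replay_key)
        return True


# Constructed sample values (not real credentials): the Consumer "acme-connector"
# calls the Service Provider's API with the access token the User granted it.
PROVIDER = ServiceProvider(consumers={"acme-connector": "cs-3kd93jd"},
                           tokens={"user-token-17": "ts-9fj2ld"})
REQUEST_URL = "https://api.example.com/v1/contacts"
REQUEST_PARAMS = [("owner", "alice"), ("limit", "10")]


def demo():
    """Sign once, verify once (accepted), then replay the same request (rejected)."""
    oauth = sign_request("GET", REQUEST_URL, REQUEST_PARAMS, "acme-connector", "cs-3kd93jd",
                         token="user-token-17", token_secret="ts-9fj2ld", timestamp=1700000000)
    first = PROVIDER.verify("GET", REQUEST_URL, REQUEST_PARAMS, oauth, now=1700000010)
    replay = PROVIDER.verify("GET", REQUEST_URL, REQUEST_PARAMS, oauth, now=1700000010)
    return first, replay
```

The signature binds the method, the URI and every parameter, so a connector cannot be tricked into a different call by altering the query string; the nonce plus timestamp check is what stops a captured request from being resubmitted. OAuth 1.0 signatures are now legacy: most SaaS connectors use OAuth 2.0 bearer tokens, which carry no signature and rely entirely on TLS, so the transport protections discussed later on this page matter even more there.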

In SaaS, Microsoft provides an operational, secured infrastructure with multiple hosting environments and application layers. Data in transit between Microsoft and the customer is protected with secure network protocols. The customer retains control over their data and can identify and configure the set of application controls available with the cloud services. Microsoft provides enterprise cloud services with comprehensive controls covering data and information processing, physical storage and datacenters, and it clearly defines the customer's responsibilities and role in the security management of their data. The following are security models and practices that can enhance security and compliance for applications running under SaaS.

  • Identity and access management used across Azure and other services such as Office 365, to operate efficiently over distributed farms and environments and to control user access to all applications.
  • Azure Active Directory provides controlled access management for data and information across Azure, Office 365 and other cloud applications.
  • Multi-factor authentication and access monitoring offer a heightened level of security: a stolen password alone is not enough to sign in, and sign-in activity can be reviewed for anomalies.
  • Azure Key Vault safeguards the cryptographic keys and other secrets used by cloud apps and services; Microsoft does not use or extract the customer's keys.
  • Third-party SaaS identity management: single sign-on and integration provided by Azure AD enable secured access to SaaS applications such as Salesforce.
  • Perfect Forward Secrecy (PFS): a distinct, ephemeral key is negotiated for each connection, so that compromise of a server's long-term private key does not allow previously recorded sessions to be decrypted.
  • Data at rest: SaaS services use encryption at rest to protect customer data stored on Microsoft servers and in its datacenters.
  • Privacy reviews: as part of the process and documentation, privacy reviews are conducted to verify that privacy requirements are adequately addressed. This lets the customer control the information and data in their application and manage which users can access it, in order to meet the applicable regulatory guidelines.
  • Customer data use: Microsoft services do not use customer data for advertising, and Microsoft personnel have no standing access to customer data; access is granted only for specific support or operations tasks and revoked when no longer required.
  • Data ownership: all data, including text, sound, software and image files, provided by the customer remains the customer's property.
  • Operational Security Assurance (OSA): OSA is a framework focused on infrastructure-related issues that helps protect systems and operations throughout the lifecycle of cloud-based services.
  • Private connection: applications can use ExpressRoute to establish a private connection to Azure datacenters, keeping their traffic off the public Internet.
  • Incident management: used to alleviate the effects of attacks and malicious activity on the system. A documented incident-management procedure guides the team through communication and recovery, and discoverable, predictable interfaces are used consistently with internal and external customers.
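As an added example of the second factor that the multi-factor authentication point above and the "two-factor authentication" entry in the table refer to (this is example code, not Microsoft's or Azure AD's implementation), here is a time-based one-time password generator (TOTP, RFC 6238, built on HOTP, RFC 4226) together with the server-side check that a SaaS sign-on would perform. The seed is the RFC test-vector secret, labelled as such; the user name, the one-step drift window and the replay rule are this example's own assumptions.

```python
import hashlib
import hmac
import struct
import time


def hotp(secret, counter, digits=6, algorithm=hashlib.sha1):
    """RFC 4226 HOTP: HMAC(secret, 8-byte big-endian counter), then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algorithm).digest()
    offset = mac[-1] & 0x0F
    code = ((mac[offset] & 0x7F) << 24
            | mac[offset + 1] << 16
            | mac[offset + 2] << 8
            | mac[offset + 3])
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, unix_time, step=30, digits=6, algorithm=hashlib.sha1):
    """RFC 6238 TOTP: HOTP with the counter set to the current time step."""
    return hotp(secret, unix_time // step, digits, algorithm)


class TotpVerifier:
    """Server side of the second factor.

    Accepts the current time step plus or minus `window` steps to tolerate clock
    drift, compares in constant time, and remembers the highest counter accepted
    per user so that a code captured once (phishing, shoulder-surfing) cannot be
    replayed within its validity window.
    """

    def __init__(self, step=30, digits=6, window=1):
        self.step, self.digits, self.window = step, digits, window
        self.last_counter = {}   # user -> last accepted counter

    def verify(self, user, secret, submitted, now=None):
        now = int(time.time()) if now is None else now
        submitted = submitted.strip().replace(" ", "")
        if not submitted.isdigit() or len(submitted) != self.digits:
            return False
        current = now // self.step
        for counter in range(current - self.window, current + self.window + 1):
            if counter <= self.last_counter.get(user, -1):
                continue                      # counter already consumed: replay attempt
            expected = hotp(secret, counter, self.digits)
            if hmac.compare_digest(expected.encode(), submitted.encode()):
                self.last_counter[user] = counter
                return True
        return False


# Constructed enrolment using the RFC 4226/6238 test-vector seed. A real
# deployment generates a random per-user secret and delivers it via a QR code.
DEMO_SECRET = b"12345678901234567890"


def demo():
    """Generate a code as the user's device would, then check it on the server twice."""
    now = 59
    code = totp(DEMO_SECRET, now)                                # "287082" per RFC 6238
    verifier = TotpVerifier()
    first = verifier.verify("alice", DEMO_SECRET, code, now=now)          # accepted
    replay = verifier.verify("alice", DEMO_SECRET, code, now=now + 20)    # rejected
    return code, first, replay
```

The replay rule is what turns "something you have" into a real second factor: without it, a code phished a few seconds earlier is still valid for the rest of the 30-second step, and with a one-step drift window for up to 90 seconds. The shared secret must be stored with the same care as a password hash cannot offer, since the server needs it in clear to compute the HMAC; that is one reason SaaS providers push such secrets into a managed store such as Key Vault rather than the application database.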

Steps to Understanding Your IT Before Moving to the Cloud

Understanding your IT before moving to the cloud is an essential strategy for on-premises owners, in order to make the best use of cloud services and products. According to the National Institute of Standards and Technology (NIST), "Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction". The strategy must therefore include the service methodologies and the approach for reaching the objectives, aligned with service-level agreements (SLAs) and the other guidelines that apply to IaaS, PaaS and SaaS.

Analyze the following requirements:

  • On-demand self-service: on-premises applications may need to provision computing capabilities such as server time and network storage automatically, without human interaction with the provider.
  • Broad network access: the infrastructure may require broad network bandwidth, secured network protocols and standard access mechanisms so that the services can be fully utilized.
  • The requirements of thick and thin client platforms, such as smartphones, tablets and other devices, must be met with the best possible performance and data accessibility.
  • Resource pooling: the CSP pools resources in a multi-tenant model at different levels of physical and virtual allocation, so the consumer can generally specify location only at a higher level of abstraction, such as country, state or datacenter.
  • Rapid elasticity: provisioning of system capabilities must scale proportionately and flexibly with demand on the cloud, so that the application adapts quickly while maintaining adequate performance.
  • Measured service: identify resource usage in terms of storage, processing, bandwidth and active user sessions per account. The cloud monitors, controls and reports each service transparently for both consumer and provider.
  • Understanding the SaaS model tells the consumer how to use the provider's application running on the cloud. The consumer does not manage or control the underlying infrastructure (network, servers, operating systems, storage) and can adjust only limited user-specific application configuration settings, including those for authentication and authorization. The application is accessible through various client interfaces such as web browsers, desktop or mobile clients.
  • In PaaS, the consumer controls the deployed applications and possibly configuration settings for the application-hosting environment, but does not manage the underlying infrastructure, and is supported by tools and services from the provider.
  • Under IaaS, the consumer controls the operating systems, storage and deployed applications, and possibly limited networking components such as host firewalls, with which the system can be restricted and protected; the underlying cloud infrastructure is managed and delivered by the provider.
  • On a private cloud, the on-premises application is provisioned for exclusive use by a single organization comprising multiple consumers or business units. The infrastructure may be owned and managed by the organization itself or by a third party, and may exist on or off premises.
  • Identify whether your organization requires a community cloud, in which the system and application are used by a specific community of consumers with shared concerns such as mission, security requirements, policy and compliance requirements. The infrastructure may be owned and operated by one of the organizations in the community or by a third party, and may exist on or off premises.
  • On a public cloud, the formerly on-premises application is provisioned for open use by the general public and may be owned and managed by a business, academic or government organization. The infrastructure is deployed on the premises of the cloud provider.
  • In a hybrid cloud, two or more distinct clouds (private, community or public) that remain unique entities are bound together by standardized or proprietary technology that enables data and application portability, such as cloud bursting for load balancing between clouds.
  • While migrating to the cloud, the application architecture must be analyzed for application management, security, environment compatibility and database compatibility.
  • The architectural patterns of distributed computing apply equally to applications developed for on-premises or cloud deployment.
  • Operating on the cloud requires data to make effective decisions: service-level agreements, capacity planning, customer billing, auditing, monitoring and traffic analysis, and management of the cost associated with each service. Accurate estimates must be made before any application is deployed on the cloud, and for best performance these should be analyzed before the system is developed.
  • Consumers need to analyze the application's data sources (user entry, database or another application), its integration with other components, the standardization of its processes and the exact resources needed to develop the product. From this, one can determine the application's readiness for cloud migration and minimize the physical and virtual resources needed on the cloud.