Developing a Security Approach to Your Cloud and SaaS Applications
DESCRIPTION
Roughly 47 percent of organizations are using software-as-a-service (SaaS) applications. These SaaS applications usually contain sensitive data such as customer data and sales records. Companies often ignore the security risk and the compliance and privacy issues that come with using a SaaS application. In this session we will clarify the differences between cloud and SaaS, and then we will address some of the misconceptions about security that some SaaS vendors perpetuate. Next we will share some practical guidance on addressing application security whether your applications fall into the cloud or the SaaS category. You will walk away with a strong understanding of how to address application security in both cloud and SaaS applications.
TRANSCRIPT
1 ©2010 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice
Developing a security approach to your cloud and SaaS applications
Katherine Lam, HP SaaS
Ryan English, HP Professional Services
2
Agenda
– Introductions
– Defining Cloud Security / SaaS / ASP
– Security Concerns for Cloud Vendors
– What to Ask Your Cloud Provider and Misconceptions
– Compliance Issues
– Application Security 101
3
Defining Cloud/SaaS
WHAT IS THE CLOUD?
4
Why Companies Are Using the Cloud

                                                                             | In-house                    | Outsourced                  | Hosted/ASP            | Cloud
Who manages performance and availability?                                    | Customer                    | Provider                    | Customer and Provider | Customer and Provider
Who manages security?                                                        | Customer                    | Provider                    | Provider              | Customer & Provider
How is software priced?                                                      | License and maintenance fee | License and maintenance fee | Subscription          | Subscription (pay-as-you-go)
Customer owns license?                                                       | Yes                         | Yes                         | No                    | No
Multi-tenant architecture?                                                   | Single tenant               | Single tenant               | Single tenant         | Multi-tenant
Who has responsibility for operating and maintaining app and infrastructure? | Customer                    | Provider                    | Provider              | Provider

(Chart annotations: the columns run from in-house to cloud along an axis of increasing uncertainty, with new business value on the other axis.)
Source: Adapted from Software-as-a-Service Market Update, Liz Herbert, Forrester, March 16, 2008
5
View of the Cloud
(Diagram: the customer site, with SharePoint, an intranet and SAP, alongside the cloud, with RackSpace, Amazon, Microsoft Exchange Online, Salesforce and Force.com grouped under the PaaS, IaaS and SaaS layers.)
6
The Business of IT Is to Deliver Services That Result in Outcomes That Matter
(Diagram: the IT organization acts as an internal service provider; cloud services, internal services and hosted/managed services are sourced into a service portfolio and delivered to produce the business outcomes of accelerating growth, lowering costs and mitigating risk.)
7
Security Concerns for the Cloud
This is an evolution, not a rip-and-replace
Characteristics — Benefits
Service-centric environment — Measure outcomes that matter
Standardized, shared services — Improved cost management
Service level agreements — Better quality control
Scalable and elastic — Rapid response to business change
Automated — Reduce errors and outages
Self service, pay per use — Agility and transparency
Using internet technologies — Ease of access and maintenance
8
Traditionally IT Has Delivered Build-to-order Services That Are Expensive to Build and Manage
(Diagram: the IT organization delivers services to business people, for example a blade provisioning service, a web site service and a sales forecasting service, each built from its own stack of storage, servers, network, data and apps.)
9
Systems and software design
(Diagram: public business services versus private business services, placed on premises in a customer-owned data center or off premises in a service provider's data center, with resources either dedicated to each workload or shared across workloads; the shared, off-premises model is labelled native cloud and the shared, on-premises model is labelled "Private cloud" with a 75% figure.)
A private/internal cloud is essentially a shared delivery model for existing IT workloads
10
Private/internal Cloud Requires a Service-centric Delivery and Consumption Model
(Diagram: the IT organization's service portfolio is layered into infrastructure services, platform services, application services and business services, for example a blade provisioning service, a web site service and a sales forecasting service; services are delivered by IT and consumed by business people.)
11
Getting the Benefit at All 3 Levels
1. Make your services shareable: provisioning time goes from weeks to days to hours
2. Make your services consumable: improve quality of service and better align to business requirements
3. Make your services more valuable: calibrate the value of every service to a business outcome
12
HP Is Your Partner in Bringing All of the Pieces Together
– Service portfolio and catalog
– Sourcing and governance
– Shared services and service management
– Utility-based services, metering and reporting
– Training and professional services
– Support strategy
13
Cloud Computing Security Assessment
Description:
- Identifies potential exposures and vulnerabilities within an organization's cloud subscriber infrastructure as well as the security governance of their cloud service providers
- Reviews the security of the infrastructure, platforms, and applications comprising an organization's cloud
- Uses the Cloud Security Alliance's Critical Areas of Focus defined within the 15 domains of cloud security emphasis
Timeframe: 3 weeks
Availability: Initially U.S.; worldwide rollout in 2010

Service Component: Cloud Computing Security Assessment Questionnaire / Survey
Service Overview:
• Interview and review compliance/security personnel, policies, procedures, products, and proof using HP's P5 Model
• Perform on-site review of cloud security controls and practices

Service Component: Cloud Computing Security Assessment Report
Service Overview:
• Complete sensitive data flow diagram and matrix
• Complete analysis of the 15 domains of cloud security emphasis
• Determine cloud security control maturity and compliance state

Service Component: Cloud Computing Security Findings & Recommendations Briefing
Service Overview:
• Research and analyze cloud computing protection technologies and controls
• Produce cloud computing security and compliance remediation roadmap
• Conduct management briefing and presentation of findings and recommendations
14
Cloud Assure for Security
Description: HP Cloud Assure offers an end-to-end solution for performing security risk assessments to detect and correct security vulnerabilities. It provides common security policy definitions, automated security tests, centralized permissions control, and web access to security information.
Availability: Available worldwide

Cloud Component: Cloud Assure for SaaS Applications
Service Overview: Web application scans & penetration testing

Cloud Component: Cloud Assure for PaaS
Service Overview: Ensure that operating systems on the virtual image are hardened; middleware & operating system are configured; web application scans & penetration testing

Cloud Component: Cloud Assure for IaaS
Service Overview: Network scans; operating system hardening scans; web application scans & penetration testing
15
Processes
What We Test and When
Enterprise Application Security Assurance
(Diagram: the lifecycle phases Plan, Requirements, Architecture & Design, Build, Test and Production, with the following activities placed along them: Security Requirements; Threat Analysis; ASC AMP/WebInspect; ASC WebInspect; QAInspect; Intro to App Sec and Defect Validation CBT/ILT; Secure Coding Training; Secure Coding Guidelines/Library; New Hire Training; one cell is marked TBD.)
16
Q&A
17
To learn more on this topic, and to connect with your peers after
the conference, visit the HP Software Solutions Community:
www.hp.com/go/swcommunity