Experiences From a Provider Point of View: SaaS Data Security
Nestor Zwyhun, nzwyhun@tradecard.com


Page 1: Experiences From a Provider Point of View

SaaS Data Security

Nestor Zwyhun, nzwyhun@tradecard.com

Page 2: What is SaaS?

• ASP? Not really
• SOA, Web Service, On-Demand? The answer should be yes to all of the above
• Big differences from ASP:
  – "Shared tenant" database
  – Single codebase, yet configurable
  – Release schedule dictated by provider
  – Sometimes daily patch cycles
• Some examples:
  – Salesforce.com, NetSuite, TradeCard
  – eBay, Amazon

Page 3: What is TradeCard?

(Platform diagram; the text recovered from it is listed below.)

Fulfillment, Procurement and Settlement flow:
  – Purchase Order: Order Amendment, Negotiation
  – Invoice/Packing List: Customs Invoice, Proof of Delivery, Data Compliance
  – Goods Receipt
  – Reconcile Pre/Post Payment: Invoice Matching, Data Compliance, Link to Adjustments
  – Adjustments: Std. Reason Codes, Negotiation, Charge Storage, Auto Allocate to next Payment
  – Buyer Payment Consolidation: Single Debit, Multi-Party Credits
  – Payment Protection: Electronic Letter of Credit, Factoring, L/C Application Coverage
  – Automated Pre/Post Export Early Payment Programs: Buyer/Third Party Funded Financing

Platform services:
  – Event Management & Notification: Workflow, Event Notifications, Task Flow, Reporting
  – Customization: Data Compliance Templates, Document Validations, Document Print Versions
  – Connectivity: EDI Integration, Customer mapping
  – Add-on features: Pre-Compliance Checks, Line Item Data storage & population

New for 2006: Event Tracking, Vendor Desktop, Business Intelligence & Analytics

Page 4: Some TradeCard Statistics

Processing volume overview (monthly charts covering 3/05 to 3/06; axis ticks omitted):
  – Docs Processed: 236881
  – Compliance: 38956
  – Msgs Processed: 84676
  – STP Msg %: 97
  – DB Size: 899 GB

Global performance, commerce.tradecard.com / commerce.tradecard.cn (Beijing only), measured response time in milliseconds:
  – Beijing: 11975 ms
  – Hong Kong: 6643 ms
  – Seoul: 6154 ms
  – Taipei: 6094 ms
  – Brussels: 3692 ms

  – $4B processed in 2005, $7B forecast for 2006
  – 99.981% availability in 2005, 24/7
  – 18th release (since Nov 1999)
  – 40 countries (120 buyers, 1600 factories, 150 service providers)

Page 5: Third Party Audits

• Sarbanes-Oxley Act, Section 404
  – In order for management to make its annual assertion on the effectiveness of its internal control, management will be required to document and evaluate all controls that are deemed significant to the financial reporting process. If the organization uses a service provider to process transactions, host data, or other significant services, management will look to the service organization for information on the design and operating effectiveness of the service organization's controls.
• Audit types:
  – AICPA (American Institute of Certified Public Accountants)
    • SAS-70 Type II (www.sas70.com)
    • WebTrust (www.webtrust.org)
  – Penetration tests
  – Social engineering tests

Page 6: WebTrust Controls

• Security: the system is protected against unauthorized access (both physical and logical)
• Availability: the system is available for operation and use as committed or agreed
• Processing Integrity: system processing is complete, accurate, timely, and authorized
• Privacy: information is collected, used, retained, and disclosed in conformity with the commitments in the entity's privacy notice and with the AICPA/CICA Trust Services Privacy Criteria
• Confidentiality: information designated as confidential is protected as committed or agreed

Page 7: Security

• Physical
  – Primary data center location (away from HQ)
  – DR (~100 miles away from the primary data center)
  – SAS-70 Type II audits for all data centers
  – Security "air lock", cameras, access logs
  – Locked cages
  – Offsite backup storage
• Logical
  – Data model level separation
  – Authentication: two-factor
  – Passwords, two-factor schemes
  – Firewalls, routers, IDS
  – Full-time Internet Security Director
  – Internal scanning tools
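Added example, not from the slides and not TradeCard's own code, of what "data model level separation" means in the "shared tenant" database of Page 2: every row carries a tenant id, and application code only ever gets a handle that is bound to the authenticated caller's tenant. The id-only lookup that leaks across tenants is shown beside the scoped lookup that refuses it with the same "not found" answer and writes a user-level audit entry. The in-memory map standing in for the shared table, the Principal type, and the buyer-a / buyer-b sample rows are all constructed for the example.

```go
package main

import (
	"errors"
	"fmt"
)

// Illustration only (not TradeCard code): the map stands in for one shared
// "documents" table and Principal for the authenticated session.

type Document struct {
	ID       int
	TenantID string
	Body     string
}

// Principal is the caller; TenantID comes from the session, never from the request.
type Principal struct {
	UserID   string
	TenantID string
}

// AuditEntry is one line of the user-level audit trail.
type AuditEntry struct {
	UserID, TenantID string
	DocID            int
	Allowed          bool
}

var ErrNotFound = errors.New("document not found")

type SharedStore struct {
	rows  map[int]Document
	audit []AuditEntry
}

func NewSharedStore() *SharedStore { return &SharedStore{rows: map[int]Document{}} }

func (s *SharedStore) Insert(d Document) { s.rows[d.ID] = d }

func (s *SharedStore) AuditLog() []AuditEntry { return s.audit }

// UnsafeGet is the pattern to avoid: a lookup by ID alone, so any tenant that
// can guess or enumerate an ID reads another tenant's row.
func (s *SharedStore) UnsafeGet(id int) (Document, error) {
	d, ok := s.rows[id]
	if !ok {
		return Document{}, ErrNotFound
	}
	return d, nil
}

// TenantStore is the only handle application code should get. Every access
// carries the caller's tenant as a mandatory predicate (the equivalent of
// "... WHERE id = ? AND tenant_id = ?" on every SQL statement) and is audited.
type TenantStore struct {
	shared *SharedStore
	who    Principal
}

func ForPrincipal(s *SharedStore, p Principal) TenantStore {
	return TenantStore{shared: s, who: p}
}

func (t TenantStore) Get(id int) (Document, error) {
	d, ok := t.shared.rows[id]
	allowed := ok && d.TenantID == t.who.TenantID
	t.shared.audit = append(t.shared.audit, AuditEntry{t.who.UserID, t.who.TenantID, id, allowed})
	// A foreign tenant's row gets the same answer as a missing one, so the
	// caller cannot tell "does not exist" from "belongs to someone else".
	if !allowed {
		return Document{}, ErrNotFound
	}
	return d, nil
}

func (t TenantStore) List() []Document {
	var out []Document
	for _, d := range t.shared.rows {
		if d.TenantID == t.who.TenantID {
			out = append(out, d)
		}
	}
	return out
}

func main() {
	s := NewSharedStore()
	s.Insert(Document{ID: 1, TenantID: "buyer-a", Body: "PO 1001"}) // constructed sample rows
	s.Insert(Document{ID: 2, TenantID: "buyer-b", Body: "PO 2001"})
	bob := ForPrincipal(s, Principal{UserID: "bob", TenantID: "buyer-b"})
	_, err := bob.Get(1)
	fmt.Println("bob via tenant store, doc 1:", err)
	d, _ := s.UnsafeGet(1)
	fmt.Println("bob via id-only lookup, doc 1:", d.Body)
	fmt.Printf("audit trail: %+v\n", s.AuditLog())
}
```

The design point is that the tenant predicate lives in the data access layer, not in each caller: if the only way to reach the table is through ForPrincipal, a forgotten filter in one screen cannot expose another buyer's purchase orders, and the audit trail records every attempt, refused or not.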

Page 8: Availability

• Data center
  – Load balancers (F5)
  – Stateless, sessionless architecture
  – HA (high availability) hardware, N+1
  – Business continuity, disaster recovery, CERT teams
  – Regular drills
• Internet
  – Great Firewall of China
  – IP accelerator services (Internap, Akamai)
  – Keynote Systems
  – DDoS resistance
    • Organized extortion rings (a big deal for name companies)
    • ISP assistance

Page 9: Processing Integrity

• Who's to stop whomever from fiddling with your data?
  – Use digital signatures
  – Assign all users/systems keypairs
• Validate the signature upon all document accesses
  – XML signed documents
  – Don't trust the DBA
• Certificate management
  – Server-based key storage for usability
  – Smartcard / browser-based cert issues (complexity)
• User-level audit
• Versioning / history
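Added example, not from the slides and not TradeCard's own code, of the "sign on write, verify on every read, don't trust the DBA" rule above, with per-user keypairs and an append-only version history. Assumptions: Ed25519 is the signature scheme (the slides name none), the stored payload is an opaque byte string (an XML document in practice, here a constructed one-line sample), the provider holds the directory of public keys, and an in-memory map stands in for the database the DBA administers. A DBATamper function simulates an edit made with raw database access and no private key.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Illustration only (not TradeCard code); assumes Ed25519 keys and an in-memory map as the DB.

// StoredDoc is the database row. The signature covers version, signer and payload
// together, so splicing in another user's payload or rolling back a version is caught.
type StoredDoc struct {
	Version   int
	Signer    string
	Payload   []byte // the document itself, e.g. XML text
	Signature []byte
}

var ErrTampered = errors.New("stored document fails signature check")

type Store struct {
	keys map[string]ed25519.PublicKey // user -> registered public key
	docs map[string][]StoredDoc       // document id -> append-only version history
}

func NewStore() *Store {
	return &Store{keys: map[string]ed25519.PublicKey{}, docs: map[string][]StoredDoc{}}
}

// Enroll issues a keypair, registers the public half and returns the private half.
func (s *Store) Enroll(user string) ed25519.PrivateKey {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	s.keys[user] = pub
	return priv
}

// signedBytes is the exact byte string under the signature; the length prefix on signer keeps it unambiguous.
func signedBytes(version int, signer string, payload []byte) []byte {
	return []byte(fmt.Sprintf("v%d|%d|%s|%s", version, len(signer), signer, payload))
}

// Write appends a new version signed by user with priv and returns its version number.
func (s *Store) Write(id, user string, priv ed25519.PrivateKey, payload []byte) int {
	version := len(s.docs[id]) + 1
	sig := ed25519.Sign(priv, signedBytes(version, user, payload))
	s.docs[id] = append(s.docs[id], StoredDoc{Version: version, Signer: user, Payload: payload, Signature: sig})
	return version
}

// verify is the "don't trust the DBA" step: unknown signer or bad signature, the row is rejected.
func (s *Store) verify(d StoredDoc) error {
	pub, ok := s.keys[d.Signer]
	if !ok || !ed25519.Verify(pub, signedBytes(d.Version, d.Signer, d.Payload), d.Signature) {
		return ErrTampered
	}
	return nil
}

// Read returns the latest payload and its version number, only after verify passes.
func (s *Store) Read(id string) ([]byte, int, error) {
	hist := s.docs[id]
	if len(hist) == 0 {
		return nil, 0, errors.New("no such document")
	}
	d := hist[len(hist)-1]
	if err := s.verify(d); err != nil {
		return nil, d.Version, err
	}
	return d.Payload, d.Version, nil
}

// Audit re-verifies the whole history and requires versions 1..n in order.
func (s *Store) Audit(id string) error {
	for i, d := range s.docs[id] {
		if d.Version != i+1 {
			return fmt.Errorf("version gap at position %d", i)
		}
		if err := s.verify(d); err != nil {
			return fmt.Errorf("version %d: %w", d.Version, err)
		}
	}
	return nil
}

// DBATamper stands in for raw database access: the latest payload is overwritten without the signer's key.
func (s *Store) DBATamper(id string, payload []byte) {
	s.docs[id][len(s.docs[id])-1].Payload = payload
}

func main() {
	s := NewStore()
	k := s.Enroll("alice@buyer.example") // constructed sample user
	s.Write("doc-1", "alice@buyer.example", k, []byte("<invoice number='INV-1001' amount='12500'/>"))
	s.DBATamper("doc-1", []byte("<invoice number='INV-1001' amount='125000'/>"))
	_, _, err := s.Read("doc-1")
	fmt.Println("read after DBA edit:", err)
}
```

Two things the code makes concrete that the bullets do not: the version number and the signer are inside the signed bytes, so a DBA who keeps every signature intact but reorders, drops, or copies rows between users still fails Audit; and the check runs on every read, so the integrity guarantee does not depend on anyone noticing the change at write time. In the server-held-key deployment the slide mentions for usability, the private keys must live outside the DBA's reach (a separate key service or HSM), or the signature proves nothing against that role.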

Page 10: Privacy

• Browser: simple (128-bit SSL)
• The back door: messaging
  – AS2, S-FTP
  – FTP, email weakness
• Privacy policy
  – Dissemination of information
  – Data aggregation

Page 11: Confidentiality

• Confidentiality: information designated as confidential is protected as committed or agreed
• Information is not just data
  – Paper files
  – Overheard voice
• Is customer information protected from employees who have no reason to see it?
• Is customer data provided to any other sources, or used for any other purposes within the registering company?

Page 12: Conclusion: Simple SaaS Rule of Thumb

• Remember one word: PAINful
• Privacy
  – 128-bit SSL (browser)
  – AS2, S-FTP (Secure File Xfer Protocol)
• Authentication, Authorization
  – Two-factor is best
• Integrity
  – Digital signatures on stored data
• = Non-repudiation
  – Legal framework

Page 13: The End

nzwyhun@tradecard.com