Experiences From a Provider Point of View: SaaS Data Security
Nestor Zwyhun, nzwyhun@tradecard.com
What is SaaS?
• ASP? – Not really
• SOA, Web Service, On-Demand? – Answer should be yes to all of the above
• Big differences from ASP:
  – "Shared tenant" database
  – Single codebase, yet configurable
  – Release schedule dictated by provider
  – Sometimes daily patch cycles
• Some examples:
  – Salesforce.com, NetSuite, TradeCard
  – eBay, Amazon
What is TradeCard?
(Product overview diagram; only the slide's text is recoverable.)
Process stages: Procurement, Fulfillment, Settlement
• Purchase Order – Order Amendment – Negotiation
• Invoice/Packing List – Customs Invoice – Proof of Delivery – Data Compliance
• Goods Receipt
• Reconcile: Pre/Post Payment – Invoice Matching – Data Compliance – Link to Adjustments
• Adjustments: Std. Reason Codes – Negotiation – Charge Storage – Auto Allocate to next Payment
• Buyer Payment Consolidation – Single Debit, Multi-Party Credits
• Payment Protection – Electronic Letter of Credit – Factoring – L/C Application Coverage
• Automated Pre/Post Export – Early Payment Programs: Buyer/Third Party Funded Financing
Platform features:
• Event Management & Notification: Workflow, Event Notifications, Task Flow, Reporting
• Customization: Data Compliance Templates, Document Validations, Document Print Versions
• Connectivity: EDI Integration, Customer mapping
• Add-on features: Pre-Compliance Checks, Line Item Data storage & population
• New for 2006: Event Tracking, Vendor Desktop, Business Intelligence & Analytics
Some TradeCard Statistics
Processing volume overview (time-series charts; values recovered from the slide):
• Docs Processed: 236881 (chart in thousands of docs)
• Compliance: 38956 (chart in thousands of compliances)
• Msgs Processed: 84676 (chart in thousands of msgs)
• STP Msg %: 97 (percent of msgs)
• DB Size: 899 GB (chart in billions of bytes)
Global performance, commerce.tradecard.com / commerce.tradecard.cn (Beijing only), response time in milliseconds:
• Beijing: 11975 ms
• Hong Kong: 6643 ms
• Seoul: 6154 ms
• Taipei: 6094 ms
• Brussels: 3692 ms
– $4B processed in 2005, $7B forecast for 2006
– 99.981% availability in 2005, 24/7
– 18th release (since Nov 1999)
– 40 countries (120 buyers, 1600 factories, 150 service providers)
Third Party Audits
• Sarbanes-Oxley Act, Section 404
  – In order for management to make its annual assertion on the effectiveness of its internal control, management will be required to document and evaluate all controls that are deemed significant to the financial reporting process. If the organization uses a service provider to process transactions, host data, or other significant services, management will look to the service organization for information on the design and operating effectiveness of the service organization's controls.
• Audit Types:
  – AICPA (American Institute of Certified Public Accountants)
    • SAS-70 Type II (www.sas70.com)
    • WebTrust (www.webtrust.org)
  – Penetration Tests
  – Social Engineering Tests
WebTrust Controls
• Security – The system is protected against unauthorized access (both physical and logical)
• Availability – The system is available for operation and use as committed or agreed
• Processing Integrity – System processing is complete, accurate, timely, and authorized
• Privacy – Information is collected, used, retained, and disclosed in conformity with the commitments in the entity's privacy notice and with the AICPA/CICA Trust Services Privacy Criteria
• Confidentiality – Information designated as confidential is protected as committed or agreed
Security
• Physical
  – Primary data center location (away from HQ)
  – DR (~100 miles away from primary data center)
  – SAS-70 Type II audits for all data centers
  – Security "air lock", cameras, access logs
  – Locked cages
  – Offsite backup storage
• Logical
  – Data model level separation
  – Authentication: two-factor
  – Passwords, two-factor schemes
  – Firewalls, routers, IDS
  – Full-time Internet Security Director
  – Internal scanning tools
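The "data model level separation" on this slide, and the shared-tenant database from the SaaS slide, come down to one rule in code: the tenant is part of every row key and every lookup, and it is taken from the authenticated caller, never from the request. The Go program below is an added example written for this transcript, not TradeCard code; the in-memory Store, the Caller and ticket model, and the sample tenants acme and globex are constructed for illustration. It also records the per-user audit trail that a later slide asks for, so that a provider employee's reason for touching customer data is written down.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

var (
	ErrForbidden = errors.New("forbidden")
	ErrNotFound  = errors.New("not found")
)

// Document is one row in the shared-tenant table. Tenant is the separation
// key: it is part of every lookup, never an optional filter.
type Document struct {
	Tenant string
	ID     string
	Body   string
}

// Caller is the authenticated principal a request runs as. Customer users
// belong to exactly one tenant; provider staff have no tenant and must give
// a ticket reference for every read (hypothetical break-glass model).
type Caller struct {
	User   string
	Tenant string // empty for provider staff
	Ticket string // reason for access; required when Tenant is empty
}

// AuditEntry is the user-level audit trail: who reached for which document,
// whether it was allowed, and why.
type AuditEntry struct {
	When    time.Time
	User    string
	Tenant  string
	DocID   string
	Allowed bool
	Reason  string
}

// Store is an in-memory stand-in for the shared database (constructed for this example).
type Store struct {
	rows  map[string]Document
	Audit []AuditEntry
}

func NewStore() *Store { return &Store{rows: map[string]Document{}} }

func rowKey(tenant, id string) string { return tenant + "/" + id }

func (s *Store) record(c Caller, tenant, id string, allowed bool, reason string) {
	s.Audit = append(s.Audit, AuditEntry{
		When: time.Now(), User: c.User, Tenant: tenant, DocID: id, Allowed: allowed, Reason: reason,
	})
}

// Put stores a document; a customer user may only write into their own tenant.
func (s *Store) Put(c Caller, d Document) error {
	if c.Tenant == "" || c.Tenant != d.Tenant {
		s.record(c, d.Tenant, d.ID, false, "write outside caller's tenant")
		return ErrForbidden
	}
	s.rows[rowKey(d.Tenant, d.ID)] = d
	s.record(c, d.Tenant, d.ID, true, "write")
	return nil
}

// Get is the only read path. For a customer user the tenant named in the
// request is ignored and replaced by the caller's own tenant, so a guessed or
// tampered tenant id can never widen the query; another tenant's document
// simply does not exist from their point of view. Provider staff get through
// only with a ticket, and the ticket is written to the audit trail.
func (s *Store) Get(c Caller, tenant, id string) (Document, error) {
	reason := "read"
	switch {
	case c.Tenant != "":
		tenant = c.Tenant
	case c.Ticket == "":
		s.record(c, tenant, id, false, "staff read without ticket")
		return Document{}, ErrForbidden
	default:
		reason = "staff read, ticket " + c.Ticket
	}
	d, ok := s.rows[rowKey(tenant, id)]
	if !ok {
		s.record(c, tenant, id, false, "no such document in tenant")
		return Document{}, ErrNotFound
	}
	s.record(c, tenant, id, true, reason)
	return d, nil
}

func main() {
	s := NewStore()
	acme := Caller{User: "alice", Tenant: "acme"}
	globex := Caller{User: "bob", Tenant: "globex"}
	staff := Caller{User: "carol"}

	_ = s.Put(acme, Document{Tenant: "acme", ID: "PO-1", Body: "100 units"})
	_, err := s.Get(globex, "acme", "PO-1") // cross-tenant attempt looks like a missing document
	fmt.Println("globex reads acme/PO-1:", err)
	_, err = s.Get(staff, "acme", "PO-1") // provider staff with no ticket
	fmt.Println("staff without ticket:", err)
	staff.Ticket = "INC-123"
	d, _ := s.Get(staff, "acme", "PO-1")
	fmt.Println("staff with ticket:", d.Body)
	for _, a := range s.Audit {
		fmt.Printf("%s tenant=%s doc=%s allowed=%t (%s)\n", a.User, a.Tenant, a.DocID, a.Allowed, a.Reason)
	}
}
```

Returning ErrNotFound rather than ErrForbidden for a cross-tenant read is deliberate: the response does not confirm that the other tenant's document exists. The audit slice stands in for whatever append-only log the real system would write.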
Availability
• Data Center
  – Load balancers (F5)
  – Stateless, sessionless architecture
  – HA (high availability) hardware, N+1
  – Business Continuity, Disaster Recovery, CERT teams
  – Regular drills
• Internet
  – Great Firewall of China
  – IP accelerator services (Internap, Akamai)
  – Keynote Systems
  – DDoS resistance
    • Organized extortion rings (big deal for name companies)
    • ISP assistance
Processing Integrity
• Who's to stop whomever from fiddling with your data?
  – Use digital signatures
  – Assign all users/systems key pairs
• Validate signature upon all document accesses
  – XML signed documents
  – Don't trust the DBA
• Certificate management
  – Server-based key storage for usability
  – Smartcard / browser-based cert issues (complexity)
• User-level audit
• Versioning / history
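The pattern on this slide is sign on write, verify on every read, keep every version. The Go program below is an added example for this transcript, not TradeCard's implementation: it uses Ed25519 from the standard library and a JSON row instead of the XML signed documents the slide names, and the Directory of public keys, the StoredDoc layout and the sample buyer identity buyer-001 are constructed for illustration. The point it demonstrates is the "don't trust the DBA" one: a row edited directly in the database, where no private key is available, fails verification and is refused instead of being served as genuine, and History shows which retained versions are still intact.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
)

var (
	ErrTampered      = errors.New("signature does not verify: stored document was altered")
	ErrUnknownSigner = errors.New("signer has no registered public key")
)

// StoredDoc is the row as it sits in the database: the business document plus
// its version, the identity of the user whose key signed it, and the signature.
type StoredDoc struct {
	ID        string `json:"id"`
	Version   int    `json:"version"`
	Signer    string `json:"signer"`
	Body      string `json:"body"`
	Signature []byte `json:"signature,omitempty"`
}

// Directory holds each user's or system's public key (server-side key
// storage, so the application can verify without the user being online).
type Directory map[string]ed25519.PublicKey

// signedBytes is the canonical byte string the signature covers: every field
// except the signature itself, so ID, version and signer are bound as well
// and cannot be swapped without invalidating the signature.
func signedBytes(d StoredDoc) []byte {
	d.Signature = nil
	b, err := json.Marshal(d) // struct field order is fixed, so the encoding is canonical
	if err != nil {
		panic(err) // cannot happen for this struct
	}
	return b
}

// Sign creates a new stored version under the submitting user's private key.
func Sign(id string, version int, signer, body string, priv ed25519.PrivateKey) StoredDoc {
	d := StoredDoc{ID: id, Version: version, Signer: signer, Body: body}
	d.Signature = ed25519.Sign(priv, signedBytes(d))
	return d
}

// Read is the only way the application loads a document. A row whose
// signature does not verify against the registered key of its claimed signer
// is refused, so a change made straight in the database is detected.
func Read(dir Directory, d StoredDoc) (string, error) {
	pub, ok := dir[d.Signer]
	if !ok {
		return "", ErrUnknownSigner
	}
	if !ed25519.Verify(pub, signedBytes(d), d.Signature) {
		return "", ErrTampered
	}
	return d.Body, nil
}

// History verifies every retained version of a document and returns, per
// version, nil or the verification error, so an audit shows exactly which
// versions are intact.
func History(dir Directory, versions []StoredDoc) []error {
	out := make([]error, len(versions))
	for i, v := range versions {
		_, out[i] = Read(dir, v)
	}
	return out
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	dir := Directory{"buyer-001": pub} // constructed sample identity

	v1 := Sign("PO-1", 1, "buyer-001", `{"qty":100,"unit_price":"4.00"}`, priv)
	v2 := Sign("PO-1", 2, "buyer-001", `{"qty":120,"unit_price":"4.00"}`, priv)

	// Direct database edit: the body changes, but nobody in the database tier
	// holds the buyer's private key, so no matching signature can be produced.
	tampered := v2
	tampered.Body = `{"qty":120,"unit_price":"1.00"}`

	for i, e := range History(dir, []StoredDoc{v1, v2, tampered}) {
		fmt.Printf("version %d: %v\n", i+1, e)
	}
}
```

Re-signing a tampered row with some other key does not help an insider either: if the Signer field is left as buyer-001 the signature fails against the registered key, and if it is changed to an unregistered identity the read fails with ErrUnknownSigner. What the scheme cannot detect on its own is deletion of a whole row, which is why the slide pairs it with versioning and a user-level audit.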
Privacy
• Browser – Simple (128-bit SSL)
• The Back Door – Messaging
  – AS2, S-FTP
  – FTP, Email weakness
• Privacy Policy
  – Dissemination of information
  – Data aggregation
Confidentiality
• Confidentiality – Information designated as confidential is protected as committed or agreed
• Information is not just data
  – Paper files
  – Overheard voice
• Is customer information protected from employees who have no reason to see it?
• Is customer data provided to any other sources, or used for any other purposes within the registering company?
Conclusion: Simple SaaS Rule of Thumb
• Remember one word: PAINful
• Privacy
  – 128-bit SSL (Browser)
  – AS2, S-FTP (Secure File Transfer Protocol)
• Authentication, Authorization
  – Two-Factor is best
• Integrity
  – Digital Signatures on Stored Data
• = Non-Repudiation
  – Legal Framework