SaaS Security – Solution
Software as a Service (SaaS), one of the most prevalent cloud service models, is growing rapidly as corporations adopt it. Customers run business applications delivered by the cloud service provider on a subscription basis, with no software license and limited operational control. Alongside this growing adoption of SaaS, organizations' awareness of cloud security concerns is also increasing.
SaaS is interesting primarily due to the following reasons:
- The application itself is owned, delivered, and managed remotely by one or more providers, and
- The service provider or vendor is responsible for providing remote, outsourced access to the application, as well as maintenance and upgrade services. The infrastructure and IT operations supporting the application are also handled by the service provider.
From a security perspective, and within the customer's own area of responsibility, it is essential to understand that SaaS applications are built on shared sets of common code and data definitions, which are defined and consumed by customers for their business.
Security breaches in this service model primarily occur (from the customer's perspective) because of a lack of understanding of how SaaS models are provisioned and of the corresponding security elements of SaaS. The key security challenges in SaaS include:
- Handling sensitive data
- Lack of federated identity management
- Lack of strong service level agreements (SLAs) and contracts that hold people accountable should something happen.
- Lack of interoperability among vendors (Vendor Lock-in)
- Web Application and Infrastructure Vulnerabilities
To mitigate the risks relevant to the SaaS ecosystem, we primarily emphasize the following WSA security services:
- SaaS architecture and design review
- SaaS Vulnerability Management and Penetration Testing (across multiple cloud service providers)
- Security Compliance and Audit
- Secure Software Development Lifecycle (SSDLC)
- Security Operations Center
SaaS security is primarily about protecting data, not data centers, which is largely a consequence of the cloud ecosystem. When considering data security, we principally examine both the security of the service the data lives in and the security of the devices that have access to the data. Some cloud services have security capabilities that far surpass those of most corporate data centers. However, with the many cloud services available today, there is a large variation in the security capabilities that exist and are deployed. The good news is that an increasing number of cloud services are investing in security, but a larger number of organizations are still not aware of how the security elements have to be modeled and implemented.
Figure 1: WSA SaaS Security Framework
From an overarching perspective, we focus primarily on satisfying the following key security requirements for SaaS:
- SaaS security concepts, architecture principles & data handling guidelines
- Leading practices in securing SaaS containers
- Incorporation of applicable regulations & standards mandating data and application security requirements
- Common application vulnerabilities, root-causes, threats and countermeasures
- 24x7x365 monitoring of SaaS applications from a security standpoint with SaaS-specific security use cases
SaaS security design and architecture review
We primarily achieve this via a SaaS secure architecture review. Our standards focus on designing or deploying SaaS securely from project initiation, to avoid design flaws that are difficult and expensive to correct later. The architecture review focuses on identifying potential weaknesses in the design. Areas covered in the Secure Architecture Standards and Review include:
- Authentication & Authorization
- Session management
- Secure communications
- Sensitive data management (Privacy of information)
- Parameter validation
- Configuration management
- Database access management
- Exception management
- Audit Log management
- Cache Management, Pooling, and Reuse
- System Calls
Security Compliance and Audit
WSA's SaaS security controls-based maturity model is used in conjunction with a customized capability matrix for clients (designed and tailored to the individual applications) to define the current state of the client's SaaS security program and its supporting governance capabilities.
Using this defined model allows the assessment process to produce comparable output. All assessment and compliance / audit reviews consider the people, processes, and technologies for each capability area within the SaaS service areas.
Vulnerability and Penetration Testing
This consists of a controlled security test of the SaaS application environment to identify potential external exposures, including web services. SaaS application testing includes the following:
- Black-box (un-credentialed), grey-box (credentialed) testing
- Insecure configuration Testing (e.g. improper file or directory permissions, default accounts, excessive services, unnecessary coding files, sensitive data exposure etc.)
- Manipulation testing (e.g., Injection flaws, privilege escalation, insecure direct object reference, cross-site scripting, forceful browsing pertaining to client specific business operations via their data model)
- Iteration Testing (e.g., “brute force” techniques can be used for timing attacks or to bypass session/state management (if configurable by client))
The security assessments measure the security strength of an application from the perspective of an attack agent:
- who has little knowledge and authorization to the application
- with some knowledge and authorization for the application
- with comprehensive insider knowledge of the application code and business logic
During this phase, our objective is to identify potential vulnerabilities which might be used by attackers to compromise SaaS based applications, the data within the application, or supporting infrastructure. Depending on the application’s accessibility, SaaS application security testing is conducted remotely from several of our delivery centers, or onsite at client locations.
The assessment of security controls for systems is an investigative process. As such, WSA does not believe that a single tool or technique will meet a client's requirements. Tools simply accelerate the identification of potential vulnerabilities. We believe in multiple forms of testing to gain more awareness of potential security issues. Many vulnerabilities are manually reviewed to reduce false positives and to identify issues that only arise in combination with other vulnerabilities. This is something an automated tool cannot perform.
With web application and network security assessments, actual exploitation of the vulnerabilities identified is often performed to validate the vulnerability. We have a comprehensive assessment approach to review the in-scope SaaS applications and systems.
Without existing SaaS application / system access or user credentials we attempt to identify security weaknesses in the application layer.
Key activities include:
- Automated testing of the applications using commercial, open source, and proprietary application scanning tools, including web application scanners, to identify known vulnerabilities.
- Review of visible application source code, including decompiling plugin code for Java Applets etc., to identify Web page and application source code vulnerabilities or information disclosure.
- Perform manual testing of the applications, through the use of browser proxy tools, to discover and exploit application weaknesses via methods such as fuzzing and injection attacks, input, cookie, query string and header tampering, session and authentication attacks, etc.
- Perform a review of information leakage from error messages and error pages
- To the extent agreed with the trusted agents, testing of the authentication mechanisms for the web application, including testing for common and default usernames and passwords.
We focus on identifying potential SaaS security issues, detecting abnormal user behavior and preventing threats via 24x7x365 monitoring of the SaaS environment with business-specific security use cases. The maturity of an organization's SaaS security monitoring depends on building security processes, effectively leveraging existing technologies, and building an experienced team to manage it. This is where WSA delivers value to the client via:
- Implementing a SIEM enterprise security solution: This primarily accelerates monitoring and provides the organization with pre-built security dashboards, alerts and searches relevant to SaaS
- Integrating intelligence feeds: We focus on enhancing the capabilities of the SIEM via threat intelligence feed integration and use case implementation to detect and mitigate threats across SaaS platforms
- Defining SaaS-based process frameworks for triage and response: Establishing documented processes for core alert triage and incident response activities corresponding to business SaaS applications
- Monitoring 24 x 7: From an operations perspective, we emphasize performing real-time SIEM alert triage and analysis on a 24 x 7 x 365 basis, identifying false positives, and escalating potential SaaS-based incidents to incident responders. Leveraging operations run books to support SaaS security operations is of prime importance, and we consider it crucial that they be integrated with operations and implementations across all tiers.
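To make the idea of "SaaS-specific security use cases" concrete, the following added example (written for this page; it is not WSA's code or any SIEM product's rule syntax) runs three typical detections over a constructed SaaS audit log: repeated failed logins followed by a success from the same address, a successful login from a second country within an hour of the previous one, and a burst of file downloads by one user. The log format, field names, thresholds and time windows are assumptions chosen for illustration; in practice they come from the provider's audit export and are tuned per business application.

```python
"""SaaS audit-log use cases of the kind a SIEM would run. Added example, not WSA's code."""
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: newline-delimited JSON, a common SaaS audit-log export shape.
# Field names (ts, user, event, ip, country) are assumptions for this example.
SAMPLE_LOG = """
{"ts": "2024-03-01T08:00:00Z", "user": "alice", "event": "login_failed", "ip": "203.0.113.5", "country": "US"}
{"ts": "2024-03-01T08:00:05Z", "user": "alice", "event": "login_failed", "ip": "203.0.113.5", "country": "US"}
{"ts": "2024-03-01T08:00:09Z", "user": "alice", "event": "login_failed", "ip": "203.0.113.5", "country": "US"}
{"ts": "2024-03-01T08:00:12Z", "user": "alice", "event": "login_failed", "ip": "203.0.113.5", "country": "US"}
{"ts": "2024-03-01T08:00:20Z", "user": "alice", "event": "login_success", "ip": "203.0.113.5", "country": "US"}
{"ts": "2024-03-01T09:00:00Z", "user": "bob", "event": "login_success", "ip": "198.51.100.7", "country": "DE"}
{"ts": "2024-03-01T09:20:00Z", "user": "bob", "event": "login_success", "ip": "192.0.2.44", "country": "BR"}
{"ts": "2024-03-01T10:00:00Z", "user": "carol", "event": "file_download", "ip": "198.51.100.9", "country": "DE"}
{"ts": "2024-03-01T10:01:00Z", "user": "carol", "event": "file_download", "ip": "198.51.100.9", "country": "DE"}
{"ts": "2024-03-01T10:02:00Z", "user": "carol", "event": "file_download", "ip": "198.51.100.9", "country": "DE"}
{"ts": "2024-03-01T10:03:00Z", "user": "carol", "event": "file_download", "ip": "198.51.100.9", "country": "DE"}
{"ts": "2024-03-01T10:04:00Z", "user": "carol", "event": "file_download", "ip": "198.51.100.9", "country": "DE"}
{"ts": "2024-03-01T10:05:00Z", "user": "carol", "event": "file_download", "ip": "198.51.100.9", "country": "DE"}
{"ts": "2024-03-01T11:00:00Z", "user": "dave", "event": "login_success", "ip": "198.51.100.10", "country": "DE"}
{"ts": "2024-03-01T12:00:00Z", "user": "erin", "event": "login_failed", "ip": "198.51.100.11", "country": "DE"}
{"ts": "2024-03-01T12:00:10Z", "user": "erin", "event": "login_failed", "ip": "198.51.100.11", "country": "DE"}
{"ts": "2024-03-01T12:00:30Z", "user": "erin", "event": "login_success", "ip": "198.51.100.11", "country": "DE"}
"""


def parse_log(text):
    """Parse NDJSON audit lines into dicts with a datetime 'ts', sorted by time."""
    events = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(rec)
    events.sort(key=lambda r: r["ts"])
    return events


def detect(events, failed_threshold=4, failed_window=timedelta(minutes=5),
           travel_window=timedelta(hours=1), download_threshold=5,
           download_window=timedelta(minutes=10)):
    """Run the three use cases over time-ordered events; return alerts in firing order."""
    alerts = []
    failed = defaultdict(deque)    # (user, ip) -> recent failed-login timestamps
    last_login = {}                # user -> (ts, country) of the last successful login
    downloads = defaultdict(deque)  # user -> recent download timestamps

    def trim(q, now, window):      # drop entries older than the sliding window
        while q and now - q[0] > window:
            q.popleft()

    for e in events:
        user, ts, kind = e["user"], e["ts"], e["event"]
        if kind == "login_failed":
            q = failed[(user, e["ip"])]
            q.append(ts)
            trim(q, ts, failed_window)
        elif kind == "login_success":
            # Use case 1: a success preceded by N failures from the same address.
            q = failed[(user, e["ip"])]
            trim(q, ts, failed_window)
            if len(q) >= failed_threshold:
                alerts.append({"rule": "brute_force_success", "user": user,
                               "ip": e["ip"], "failures": len(q), "ts": ts.isoformat()})
            q.clear()
            # Use case 2: a new country within the travel window of the last login.
            prev = last_login.get(user)
            if prev and prev[1] != e["country"] and ts - prev[0] <= travel_window:
                alerts.append({"rule": "impossible_travel", "user": user,
                               "from": prev[1], "to": e["country"], "ts": ts.isoformat()})
            last_login[user] = (ts, e["country"])
        elif kind == "file_download":
            # Use case 3: download burst; fires once when the threshold is crossed.
            q = downloads[user]
            q.append(ts)
            trim(q, ts, download_window)
            if len(q) == download_threshold:
                alerts.append({"rule": "mass_download", "user": user,
                               "count": len(q), "ts": ts.isoformat()})
    return alerts


def run_sample():
    """Convenience entry point: parse the constructed log and return its alerts."""
    return detect(parse_log(SAMPLE_LOG))


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

In the sample, alice trips the brute-force rule (four failures, then a success), bob trips impossible travel (DE then BR twenty minutes later), and carol trips the download burst, while dave and erin (only two failures) produce nothing. Each rule keeps only a small sliding window per user, so the same logic can be applied to a streaming feed; the false-positive review and escalation described above is what happens after an alert is raised, not inside the rule.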