Advantages and disadvantages of SaaS service security. Security solution SaaS service from IBM. CROC Cloud Security

    Cloud computing covers a wide range of computing resources and services that users access over the Internet. Such solutions make it possible to build information systems for management without purchasing "boxed" products.
    This lets consumers address the problem of unauthorized software use and cut a large share of the cost of building data centers. Cloud technologies can respond instantly to increased demand for computing power, which addresses the long time it takes to build and commission large IT infrastructure facilities.

    In this article we will consider the advantages and disadvantages of SaaS service security.

    SaaS offers universal access: it can be used anywhere with Internet access. Access to the software is provided remotely over network channels, through a web interface, terminal access, or thin clients. The software is deployed in the data center as a single software core. Ease of implementation, the ability to test the system fully before purchase, low cost, and access from anywhere are the main advantages of SaaS.
    However, SaaS does not have only advantages. The biggest drawback of the service is the security of the customer data stored with the provider. Many Russian companies are not used to storing their projects and client bases on other people's servers because of concerns about data privacy.
    In their opinion, their own staff of qualified information security specialists will protect shared databases far more reliably than a service company with only a distant idea of information security. In addition, users are dependent on the Internet: if Internet access is lost, access to SaaS is lost too. The user does not manage the servers, operating systems, network, data storage, or even some of the application features, so the main responsibility for ensuring information security lies almost entirely with the providers of cloud computing services.
    Cloud service providers do not always seek to complicate their platform by integrating it with an identity management system. There are several technologies that extend role-based access control into the cloud, for example single sign-on (SSO), but overall this area is still at an early stage of development. Currently, each of the major players in the SaaS market is building its own customer-integration technology. Google has a Secure Data Connector that forms an encrypted connection between customer data and Google's business applications and lets the customer control which employees can access Google Apps resources and which cannot. Salesforce CRM provides similar functionality, implemented on its own technology. When clients use many different SaaS applications, the number of security tools in use grows, which can make such a model slow and poorly scalable. There are several third-party products that at least claim to work when connecting to many types of SaaS applications, but so far providers have not tested them enough. Therefore, identity management and access control for enterprise applications, according to Digital Design experts, remains one of the main challenges facing IT today.

    The ISO 27001 standard describes information security requirements. This is a fairly comprehensive standard, covering many aspects of security that may bother customers. For providers and customers, ISO 27002, which describes the practical rules for managing information security, may be of interest. This standard can be used when building a SaaS cloud, but in any case, the development of a special standard for cloud computing is necessary.
    Currently, very few large IT companies offer a solution for securing SaaS services. We consider the most effective SaaS security solution, from IBM, and also a solution for protecting the cloud from the Russian company CROC.

    IBM SaaS Application Security Solutions

    Security Requirements for SaaS Applications

    There are several requirements for the security system of an effective multi-tenant SaaS application:

    1. The system should provide security and access control for functions based on user authority.
    2. User data can be placed in the information environment inside the enterprise. The system should provide authentication of users against data located in the internal information environment, and authorization using access control data provided on demand.
    3. Because of strict tenant requirements for data isolation and regulatory compliance, user data can be placed in a dedicated database provided to each tenant on request. The system should provide a mechanism for authenticating and authorizing users in an isolated area of the database configured specifically for the tenant to which the users belong.
    4. User data can be placed in a shared database in the on-demand environment:
       a. with a separate database schema per tenant. The system must provide an authentication and authorization mechanism for a shared database with tenant-specific schemas, configured for the tenant to which the users belong;
       b. with a common schema used by all tenants. The system should provide a mechanism for authenticating and authorizing users against a shared database and a common schema used by all tenants.
    5. The system should provide a mechanism that allows the administrator of each tenant to create, modify and delete that tenant's user accounts in the user account directory.
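    As an added illustration of the data-placement and tenant-administration requirements above (this is example code written for this page, not code from the article or from IBM), the following Java class keeps a tenant-scoped user directory: the store a tenant's records live in is resolved from its data placement, every record key and authentication lookup carries the tenant id so that records of different tenants in a shared schema never match each other, and account administration across tenants is refused. The tenant names, passwords and store names are constructed, the in-memory maps stand in for real databases, and PBKDF2 for password storage is an assumed choice.

```java
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.HashMap;
import java.util.Map;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

/** The three placements of tenant user data named in the requirements. */
enum DataPlacement { DEDICATED_DATABASE, SHARED_DATABASE_SEPARATE_SCHEMA, SHARED_DATABASE_SHARED_SCHEMA }

/** One stored account; the tenant id is part of the record, not only of the store it sits in. */
final class UserRecord {
    final String tenantId, userName, role;
    final byte[] salt, hash;
    UserRecord(String tenantId, String userName, String role, byte[] salt, byte[] hash) {
        this.tenantId = tenantId; this.userName = userName; this.role = role; this.salt = salt; this.hash = hash;
    }
}

public final class TenantUserDirectory {
    private final Map<String, DataPlacement> placements = new HashMap<>();
    // Constructed in-memory stand-ins for the databases/schemas; key is the store name resolved below.
    private final Map<String, Map<String, UserRecord>> stores = new HashMap<>();
    private final SecureRandom random = new SecureRandom();

    /** Resolve where a tenant's records live; only the shared-schema case pools several tenants. */
    static String storeFor(String tenantId, DataPlacement placement) {
        switch (placement) {
            case DEDICATED_DATABASE:              return "db_" + tenantId;
            case SHARED_DATABASE_SEPARATE_SCHEMA: return "shared_db." + tenantId;
            default:                              return "shared_db.common";
        }
    }

    /** Record key always carries the tenant id, so two tenants' "alice" never collide in a shared schema. */
    private static String key(String tenantId, String userName) { return tenantId + (char) 0 + userName; }

    void registerTenant(String tenantId, DataPlacement placement) {
        placements.put(tenantId, placement);
        stores.computeIfAbsent(storeFor(tenantId, placement), k -> new HashMap<>());
    }

    private Map<String, UserRecord> storeOf(String tenantId) {
        DataPlacement placement = placements.get(tenantId);
        if (placement == null) throw new IllegalArgumentException("unknown tenant: " + tenantId);
        return stores.get(storeFor(tenantId, placement));
    }

    /** Tenant-administration requirement: an administrator manages accounts of its own tenant only. */
    void createUser(String adminTenant, String targetTenant, String userName, char[] password, String role) {
        if (!adminTenant.equals(targetTenant)) throw new SecurityException("cross-tenant administration refused");
        byte[] salt = new byte[16];
        random.nextBytes(salt);
        storeOf(targetTenant).put(key(targetTenant, userName),
                new UserRecord(targetTenant, userName, role, salt, pbkdf2(password, salt)));
    }

    boolean deleteUser(String adminTenant, String targetTenant, String userName) {
        if (!adminTenant.equals(targetTenant)) throw new SecurityException("cross-tenant administration refused");
        return storeOf(targetTenant).remove(key(targetTenant, userName)) != null;
    }

    /** Authentication is scoped to the tenant the user claims to belong to. */
    boolean authenticate(String tenantId, String userName, char[] password) {
        UserRecord r = storeOf(tenantId).get(key(tenantId, userName));
        if (r == null || !r.tenantId.equals(tenantId)) return false;
        return MessageDigest.isEqual(r.hash, pbkdf2(password, r.salt)); // constant-time comparison
    }

    /** Authorization reads the role from the same tenant-scoped record. */
    boolean hasRole(String tenantId, String userName, String role) {
        UserRecord r = storeOf(tenantId).get(key(tenantId, userName));
        return r != null && r.role.equals(role);
    }

    private static byte[] pbkdf2(char[] password, byte[] salt) {
        try {
            PBEKeySpec spec = new PBEKeySpec(password, salt, 100_000, 256);
            return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException(e);
        }
    }

    public static void main(String[] args) {
        TenantUserDirectory dir = new TenantUserDirectory();
        dir.registerTenant("acme", DataPlacement.DEDICATED_DATABASE);             // constructed tenants
        dir.registerTenant("globex", DataPlacement.SHARED_DATABASE_SHARED_SCHEMA);
        dir.registerTenant("initech", DataPlacement.SHARED_DATABASE_SHARED_SCHEMA);
        dir.createUser("acme", "acme", "alice", "acme-pass".toCharArray(), "admin");
        dir.createUser("globex", "globex", "alice", "globex-pass".toCharArray(), "user");
        System.out.println("acme/alice, own password:     " + dir.authenticate("acme", "alice", "acme-pass".toCharArray()));
        System.out.println("globex/alice, acme password:  " + dir.authenticate("globex", "alice", "acme-pass".toCharArray()));
        System.out.println("acme/alice is admin:          " + dir.hasRole("acme", "alice", "admin"));
        try {   // a globex administrator trying to create an account in the initech tenant
            dir.createUser("globex", "initech", "mallory", "x".toCharArray(), "admin");
        } catch (SecurityException e) {
            System.out.println("refused: " + e.getMessage());
        }
    }
}
```

    The point to carry over to a real deployment is that in the shared-schema placement nothing but the tenant id in every key and every query separates tenants, so the id must come from the authenticated context, never from a client-supplied parameter.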

    To meet the security requirements of SaaS applications, the architecture must meet the requirements for authentication and authorization.

    This article discusses two scenarios.

    1. Database of user accounts in the on-demand environment.
    In this scenario, the architecture should provide specialized security services for authenticating and authorizing users against a centralized multi-tenant user account database, as well as a dedicated per-tenant database. The architecture should also provide an interface that lets tenants create, modify, and delete user accounts belonging to that tenant in the user account directory. This approach is recommended when single sign-on is not important for service consumers; for example, it can be used to serve customers.
    2. The user account database is hosted internally.
    In this scenario, the tenant deploys a federation server that interacts with its own user directory service. When the end user accesses the application, the tenant's federation server authenticates the user locally and negotiates with the SaaS federation server to provide the user with a signed access token. The SaaS provider uses the access token issued by the tenant's federation server for authorization. This approach is recommended when single sign-on is important for service consumers; it is also suitable for business users.

    Hosting a user account database within an enterprise

    The SaaS provider can use a ready-made commercial federation server to securely transfer the federation token between applications located in different security domains. The SaaS provider needs a federation server that interacts with the other SSO solutions used by corporate users in the on-demand service environment. The federation server within the enterprise must have a trust relationship with the corresponding federation server in the SaaS provider's network.

    When the user account database is hosted at the customer's enterprise, it is also necessary to:

    1. Develop a servlet filter that extracts the user names authenticated by the federation server from the HTTP headers and creates valid principal/subject pairs.
    2. Use a specialized security service based on JAAS (Java Authentication and Authorization Service) that meets the SaaS requirements for multi-tenant authorization.
    3. Call the security service API from the servlet filter to authorize the user.
    4. Configure the servlet filter in the presentation framework's controller servlet (model-view-controller, MVC, design pattern) so that incoming requests are checked against the security requirements.
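    The four steps above, as an added example in Java written for this page (it is not IBM's code and not from the article): a servlet filter on the javax.servlet API reads the user and tenant names that the federation server placed in request headers, builds a principal/subject pair, and calls a small tenant-scoped security service that stands in for the JAAS-based service. The header names, the trusted federation host address, the request attribute name and the grants table are assumptions, and a real deployment would obtain the service from the container rather than through the constructor. The filter trusts the identity headers only when the request arrives from the federation server's address, because any client can otherwise set them itself.

```java
import java.io.IOException;
import java.security.Principal;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;
import javax.security.auth.Subject;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/** Principal that records both the tenant and the user the federation server vouched for. */
final class TenantUserPrincipal implements Principal {
    private final String tenantId;
    private final String userName;

    TenantUserPrincipal(String tenantId, String userName) {
        this.tenantId = tenantId;
        this.userName = userName;
    }

    @Override public String getName() { return tenantId + "/" + userName; }
    String getTenantId() { return tenantId; }
}

/**
 * Stand-in for the JAAS-based security service of step 2: a per-tenant table of
 * actions each user may perform. Authorization is always evaluated inside the
 * tenant named in the request, so a principal from one tenant can never be used
 * to act on another tenant's resources.
 */
final class TenantSecurityService {
    private final Map<String, Set<String>> grants = new HashMap<>(); // constructed grants table

    void grant(String tenantId, String userName, String action) {
        grants.computeIfAbsent(tenantId + "/" + userName, k -> new HashSet<>()).add(action);
    }

    boolean isAuthorized(Subject subject, String tenantId, String action) {
        for (TenantUserPrincipal p : subject.getPrincipals(TenantUserPrincipal.class)) {
            if (!p.getTenantId().equals(tenantId)) {
                continue; // principal belongs to a different tenant
            }
            Set<String> allowed = grants.get(p.getName());
            if (allowed != null && allowed.contains(action)) {
                return true;
            }
        }
        return false;
    }
}

/** Steps 1 and 3: build the principal/subject pair from federated headers, then authorize. */
public final class FederatedIdentityFilter implements Filter {
    // Header names the federation server is assumed to set (not taken from the article).
    static final String USER_HEADER = "X-Federated-User";
    static final String TENANT_HEADER = "X-Federated-Tenant";
    // Constructed address of the SaaS federation server / reverse proxy that sets the
    // headers; identity headers arriving from any other source are ignored.
    static final String TRUSTED_FEDERATION_HOST = "10.10.0.5";

    private final TenantSecurityService service;

    FederatedIdentityFilter(TenantSecurityService service) { this.service = service; }

    @Override public void init(FilterConfig config) {}
    @Override public void destroy() {}

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest http = (HttpServletRequest) req;
        HttpServletResponse out = (HttpServletResponse) res;

        // The user name in the header is only meaningful if the federation server put it there.
        if (!TRUSTED_FEDERATION_HOST.equals(req.getRemoteAddr())) {
            out.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        String user = http.getHeader(USER_HEADER);
        String tenant = http.getHeader(TENANT_HEADER);
        if (user == null || user.isEmpty() || tenant == null || tenant.isEmpty()) {
            out.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }

        // Principal/subject pair for the federated user (step 1).
        Subject subject = new Subject();
        subject.getPrincipals().add(new TenantUserPrincipal(tenant, user));
        subject.setReadOnly();

        // Authorization through the security service, scoped to the tenant in the request (step 3).
        String action = http.getMethod() + " " + http.getRequestURI();
        if (!service.isAuthorized(subject, tenant, action)) {
            out.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        http.setAttribute("federated.subject", subject); // hypothetical attribute name for downstream controllers
        chain.doFilter(req, res);
    }
}
```

    Step 4 is the mapping that registers this filter in front of the controller servlet so that every incoming request passes through it; the action string used for the grant lookup here is the HTTP method plus request URI, an assumed convention that a real service would replace with its own function-level permissions.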

    CROC Cloud Security Solutions

    CROC offers two types of protection tools:

    1. Tools integrated within the virtual cloud platform.
    2. Superimposed security features that protect the cloud perimeter.
    As a rule, protection technologies integrated at the virtual platform level include solutions that differentiate the access of users and administrators to cloud resources, as well as mechanisms for protecting the virtual IT infrastructure (for example, anti-virus protection and firewalling).
    The choice of specific security tools integrated within the "cloud" depends on the features of the virtual platform and takes its specifics into account.
    Security technologies used at the cloud perimeter include firewalling, traffic encryption, intrusion prevention, etc.
    When providing the resources of its virtual data center, CROC uses services that protect against standard threats (information leakage, network attacks) and cloud-specific threats (provider dependency, non-compliance with regulatory requirements).

    Cloud Security Services

    1. Firewall
    2. Intrusion Prevention (IDS / IPS)
    3. Creation of secure communication channels (VPN / SSL VPN)
    4. Protection against denial of service attacks (DoS / DDoS)
    5. Anti-virus protection
    6. Anti-spam protection

    Security services are implemented on the basis of a specialized protection node that also protects the "cloud" itself. The architecture uses the security mechanisms built into the Virtual Data Center, which isolate customers' resources from one another, as well as the security services provided to customers to protect resources hosted in the "cloud".

    Conclusion

    The solution proposed by IBM is one of the most effective at present. Many of the largest oil holdings use this solution for their tasks. It is also worth noting that system integrators are actively promoting cloud security solutions, which suggests that protecting SaaS services is a hot topic right now.
    But do not forget that many developers use Western platforms to develop and host their applications, so the data is actually stored outside Russia. This situation increases geopolitical risks. In addition, SaaS has been repeatedly criticized by IT professionals. For example, Richard Stallman, founder of the free software movement and the GNU project, described the technology as "the equivalent of universal spyware and a large back door (it gives the server operator unlawful power over the user)".
