As the borderline between a web site and an application blurs, so does the division between the enterprise IT and the internet. More and more enterprises adapt core applications which are provided as a service over the Internet. Until recently those where limited to vertical applications such as salesforce.com for sales automation and monster.com for recruiting, both of which have already suffered major security issues that compromises customer data. Google software push has led to enterprise adaption of general purpose cloud services including office tools, mail and knowledge management, which presents an entirely new risk level. In this presentation we will discuss the security risks of SaaS (Software as a service) and review past incidents on such services. We will than dissect the security implications of using Google Apps as an example for a SaaS and create a checklist of things to examine in a SaaS offering before subscribing to ensure that it provides sufficient security. Lastly we will discuss the solutions offered by Google as well as 3rd party solutions.

1. SaaS as a Security Hazard
The Google Apps example
Ofer Shezaf,
Product Manager, Security Solutions
HP ArcSight
ofr@hp.cm
©2011 Hewlett-Packard Development Company, L.P.
The information contained herein is subject to change without
notice

2. About Myself
I live in
Kibbutz
Yiftah, Israel
I create Currently, Product Manager for Security Solutions at HP ArcSight
security
products Prior to that did security research and product management at
Breach Security & at Fortify
I am an OWASP leader and founder of the OWASP Israeli chapter
application
Leads the Web Application Firewall Evaluation Criteria project
security
veteran Wrote the ModSecurity Core Rule Set
I really try to Read my blog at http://www.xiom.com
learn what
information Be ready to some philosophy of science and cognitive
security is psychology

3. What are Google Apps?
Gmail, Calendar, Docs, Sites & Groups
Google alternative to Exchange, SharePoint,
Outlook and to a lesser extent to Office.
Better at sharing and in a way familiar to
users
Bottom up push to adapt.

4. If It Was Only Cloud…

5. Google Apps Role in the IT Environment
Hybrid Delivery
Traditional Private Cloud Managed Cloud Public Cloud
Non-critical business services will
1 SAAS move to SaaS providers who
provide some level of security
Some critical business services will be deployed in
2 SAAS private clouds with customized security controls
Some work-loads will move to public clouds with
SAAS
3 security components provisioned in image
Security will be componentized and automatically
4 deployed with work-loads, based on sensitivity of
assets
customization automated
required provisioning
Note: future availability of hybrid capabilities
5 HP Enterprise Security – HP Confidential

6. No, it is not about SQL injection
Google is
better than
your So what is it
programmers about?
in weeding out
SQL injections

7. Ownership

8. Cloud Entrance Exam: Question 1
Who Owns The Data?
You?
Google?
Your Employee?
Google’s Employee?

9. Cloud Entrance Exam: Question 2
Do You Compete With Google?
No (are you serious?)
We do, but not me
I don’t know
Yes (You Bet!)

10. Cloud Entrance Exam: Question 3
Who Authorized Access to the Data?
Me
Google
Google, but only if the court asks
Google, but only if the Chinese ask

11. Cloud Entrance Exam: Question 4
What About Illegal Material?
I never store such data!
… apart from competitive marketing and
stolen images in presentations
… but Google would not interfere with my
data
Or would they?

12. Regulations

13. It’s All About Geography
• National laws
Privacy • Limitation of
transfer of data
• PCI, SOX,
So where is the data?
Compliance SAS 70, ISO
27K…
And who is responsible for
it?
Ownership • Google or I?

14. Back To Basics

15. Where and What do we Manage?
Hybrid Delivery Authenticatio
n
Traditional Private Cloud Managed Cloud Public Cloud
SAAS
Authorization
SAAS
SAAS
Audit
Note: future availability of hybrid capabilities
15 HP Enterprise Security – HP Confidential

16. Authentication & User Management
Password strength is of extreme importance
in web based services.
• Complexity, length, lifetime
• Two factor authentication is preferred.
Avoid requiring users to have multiple
complex passwords
• Sticky note passwords
Need to make sure users are created,
terminated and transferred on all services.
SaaS MUST tie in to enterprise directory.

17. Users Permissions & Authorization
Always a
hazard in
knowledge
Tools both for sharing
SaaS and self applications.
hosted are not
mature.
Unique to
SaaS
solutions is the
option to share
externally.
Both permissions management
and permissions audit are crucial

18. Audit
Public Cloud
HP ArcSight
On/Off-Premise Data Center
remote
workers

19. For Further Consideration

20. Did You Consider?
Encryption: SSL
Disks
Administrator Two factor authentication?
Access Control
Only from within the organization?
Administration Can your administrators access users data if needed?
Capabilities
Backup and Service Level Agreement (SLA)
Restore
Service for Accidental Deletes
Disaster
Recovery
Way out

21. For Further Questions
Contact:
Ofer Shezaf
ofr@hp.com