In the Software as a Service (SaaS) model, the client depends on the SaaS platform for the security of the systems. The SaaS platform must ensure that its multiple users don't get to see each other's private data. It is therefore important for the user to ensure that the right security measures are in place, and it is also difficult for the user to obtain assurance that the application will be available when needed. SaaS platform providers need to provide solutions for the common security challenges that traditional communication systems face. At the same time, they also have to deal with other issues inherently introduced by the cloud computing paradigm itself. The challenges are:
- Physical Security
- Infrastructure Security (Systems, Hosts and Network)
- Application Security
- DB Security
- Cloud Security
- Security and Compliance
- 21 CFR Part 11
- Information Security
- Software Security
- Security Operation and Management
Solutions to the problems
The security framework for the Software-as-a-Service (SaaS) model includes security design, deployment, implementation and integration, monitoring and security event management at different layers, namely physical, application, transport and network, against multiple security threats originating from the intranet and the internet. The following security components are anticipated as part of a layered security approach for the services.
- Physical Security: Implement physical access controls at all check points
- Infrastructure Security (Systems, Hosts and Network): Implement Infrastructure access controls at all check points
- Application Security: Implement SSA, SDLC, SAST, DAST, mobile testing and VAPT
- DB Security: Implement Access management and data segregation, encryption
- Cloud Security: Implement appropriate security controls at all levels
- Security and Compliance: Implement appropriate security controls at all levels
- 21 CFR Part 11: Implement appropriate security controls at all levels
- Software Security: Implement appropriate security controls at all levels
- Security Operation and Management: Implement appropriate security controls at all levels
The following security controls are recommended:
- Segregation of Networks: For example, divide components in MZ, DMZ zones.
- Management and Monitoring Services: For example, secure management and monitoring access to systems through dedicated communications paths.
- Access and Policy Services: For example, Firewalls, VPN services, Network Admissions Control services and so on.
- Secure Interconnect Services: For example, high-risk protocols, secure protocols, and methods of restriction or enforcement (secure VPNs: SSL, IPsec, firewall services and so on).
- Internal Server Farms: This includes the creation of server environments and security controls commensurate with the value of the systems to the solution.
- External Connectivity Services: This covers all forms of external connectivity to solution infrastructure.
- Manage File Transfer: Controls movement of files internally and externally with appropriate controls to maintain the Confidentiality, Integrity, and Availability (CIA) of the data.
- Zoning Solutions: For example, firewalls, VPNs and so on.
- Security Event Detection: This includes the consideration of reactive event detection and pro-active threat and vulnerability detection/assessment.
- Network Infrastructure Services: For example, DHCP, DNS, NTP, routing changes and the provisioning of any new managed network.
- Infrastructure Hardening: Use hardening as per Vendor’s MBSS/recommendations.
- The infrastructure security shall be layered, comprising a firewall layer with suitable rules together with an Intrusion Detection/Prevention System.
- The proposed solution caters for a De-Militarized Zone (DMZ) to make sure that at no time shall any request directly enter the enterprise’s internal network.
- Access and Policy Services include the provision of policy settings to infrastructure components and end devices, as these settings have an impact on the security of the shared network service.
Anti-virus software shall be provided for all internal servers. An antivirus solution shall also be used for the virtual environment, and the antivirus software shall be kept up to date.
Transport Layer Security
All data transfer between the delivery center and the Primary or Secondary Sites shall use a secured channel with a minimum of 2048-bit encryption (SFTP, and SOAP over HTTPS).
Non-Repudiation: SOAP message payloads shall be encrypted using PKI-based DSCs (digital signature certificates) to ensure Confidentiality, Integrity and Non-repudiation. Signatures shall be validated using Symantec VeriSign DC.
Host Based Intrusion Detection System (IDS) / Intrusion Prevention System (IPS)
A host-based IDS/IPS solution shall be implemented on an as-needed basis to ensure server-level control.
Security hardening of servers such as the Web Server, Application Server and Database Server shall also be ensured as per the policies and requirements.
A key management tool shall be used on an as-needed basis to enforce key life-cycle management policies.
Business Continuity Plan/DR Site
A failover mechanism must be present at the infrastructure level as well as the application layer, or as per the business requirement.
Locations should be chosen to cover a site-level outage as well as a city-level outage.
Web Application Firewall (WAF)
A Web Application Firewall shall be used to protect the applications against a variety of layer 7 (OSI model) attacks. The firewall shall support both whitelisting and blacklisting.
Syslog shall be used to separate the software that generates messages, the system that stores them, and the software that reports on and analyzes them. This permits the consolidation of logging data from different types of systems in a central repository.
An appropriate Identity and Access Management solution shall be used.
Access control is a way of limiting access to a system or to physical or virtual resources. In computing, access control is the process by which users are granted access and certain privileges to systems, resources or information. Authorization shall be based on role-based access control (RBAC).
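As an added illustration (not code from the original article) of RBAC combined with the tenant data segregation called for above, the following Python sketch assumes a constructed role table and record store; every check verifies the tenant before the role:

```python
from dataclasses import dataclass

# Constructed role model (assumption): each role maps to the permissions it grants.
ROLE_PERMISSIONS = {
    "viewer": {"record:read"},
    "editor": {"record:read", "record:write"},
    "admin": {"record:read", "record:write", "user:manage"},
}

@dataclass(frozen=True)
class Principal:
    user_id: str
    tenant_id: str   # the tenant the caller authenticated into
    role: str

@dataclass(frozen=True)
class Record:
    record_id: str
    tenant_id: str   # the owning tenant, stored alongside every record
    payload: str

class AccessDenied(Exception):
    pass

def is_allowed(principal: Principal, permission: str, resource: Record) -> bool:
    """Tenant check first, role check second: an admin of tenant A must never
    reach tenant B's data, however privileged the role is."""
    if resource.tenant_id != principal.tenant_id:
        return False
    return permission in ROLE_PERMISSIONS.get(principal.role, set())

def authorize(principal: Principal, permission: str, resource: Record) -> Record:
    """Enforcing wrapper for request handlers; raises instead of returning False."""
    if not is_allowed(principal, permission, resource):
        raise AccessDenied(f"{principal.user_id} may not {permission} {resource.record_id}")
    return resource

def list_records(principal: Principal, store: list) -> list:
    """Data segregation for queries: filter by tenant before any role logic,
    so a forgotten WHERE-clause style bug cannot leak another tenant's rows."""
    return [r for r in store if is_allowed(principal, "record:read", r)]

# Constructed sample store holding rows for two tenants.
STORE = [
    Record("r1", "tenant-a", "tenant A's data"),
    Record("r2", "tenant-b", "tenant B's data"),
]

if __name__ == "__main__":
    admin_a = Principal("alice", "tenant-a", "admin")
    print([r.record_id for r in list_records(admin_a, STORE)])  # ['r1'] only
```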
Privacy and Data Security
Privacy and data security safeguards help build end-user trust in the application system. Data security is the means of ensuring that data is kept safe from corruption, unauthorized access and disclosure, and thus helps ensure privacy. Appropriate security controls shall be used.
Audit and Monitoring
Logging is a fundamental part of the application. A well-designed application log system is a good utility for developers and the application support team to isolate production issues and identify the root cause. For monitoring, separate products specifically created for monitoring can be used. Separate monitoring should be performed for servers and for network devices.
DAST, SAST, application VAPT and infrastructure VAPT shall be conducted to ensure overall security.
Application Security Assurance
To ensure robustness of the system against malicious or unintentional attacks, teams shall follow the OWASP and Software Security Assurance (SSA) process to ensure that security and privacy are integrated into the SDLC. SSA helps ensure that the required security controls are built into the design as per security principles, implemented as per secure programming practices, and verified against application requirements and industry best practices.
Threat modeling shall be used to optimize network security by identifying objectives and vulnerabilities, and then defining countermeasures to prevent, or mitigate the effects of, threats to the system.
Depending on project needs, a model such as STRIDE or DREAD can be used.
Vulnerability Assessment (VA)
Vulnerability assessment shall be used to define, identify and classify the security holes in a computer, network or communications infrastructure. A vulnerability assessment tool shall be used for this purpose.
Web Services Security
All web service calls shall be HTTPS based; HTTPS shall be applied to all API calls.
Security Operation Center (SOC)
A security operation center shall be used as a centralized unit that deals with security issues at an organizational and technical level.
Security Incident and Event Management (SIEM)
Audit and monitoring related tasks, including incident reviews, log reviews, configuration assessments, incident investigation support and audit support, require a SIEM solution at the enterprise level. Manual review and monitoring of all the logs in the application system's IT environment is a time-consuming task. The SIEM solution should be able to run log correlation activities for the application system. Security event detection and analysis shall be handled by the SIEM.
Data encryption shall be used to prevent data visibility in the event of unauthorized access or theft. It protects data in motion and is increasingly promoted for protecting data at rest as well.
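The log correlation described here, together with the central syslog collection from the Audit and Monitoring section, as an added example that is not part of the original article: a small Python correlation rule run over constructed BSD-syslog sshd lines from several hosts (hostnames, addresses, the assumed year and the thresholds are all assumptions):

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed BSD-syslog lines from three hosts as received by one central collector.
SAMPLE_LOGS = """\
Mar 10 12:00:01 web01 sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 40001 ssh2
Mar 10 12:00:04 web01 sshd[1202]: Failed password for root from 203.0.113.5 port 40002 ssh2
Mar 10 12:00:09 app01 sshd[2301]: Failed password for root from 203.0.113.5 port 40003 ssh2
Mar 10 12:00:15 db01 sshd[3401]: Accepted password for deploy from 203.0.113.5 port 40004 ssh2
Mar 10 12:30:00 web01 sshd[1203]: Failed password for root from 198.51.100.7 port 50001 ssh2
Mar 10 14:00:00 app01 sshd[2302]: Failed password for root from 198.51.100.7 port 50002 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)

def parse(lines: str, year: int = 2024) -> list:
    """Normalise raw syslog text into event dicts; BSD syslog carries no year, so one is assumed."""
    events = []
    for line in lines.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not an sshd auth message; a real pipeline keeps it for other rules
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append({"ts": ts, "host": m["host"], "outcome": m["outcome"],
                       "user": m["user"], "ip": m["ip"]})
    return events

def correlate(events: list, threshold: int = 3, window=timedelta(minutes=10)) -> list:
    """Cross-host rule: >= threshold failures from one source IP within `window`, whichever
    hosts reported them; severity is raised if that IP later obtains an accepted login."""
    by_ip = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_ip[e["ip"]].append(e)
    alerts = []
    for ip, evs in by_ip.items():
        fails = [e for e in evs if e["outcome"] == "Failed"]
        for i, first in enumerate(fails):
            burst = [f for f in fails[i:] if f["ts"] - first["ts"] <= window]
            if len(burst) >= threshold:
                success = any(e["outcome"] == "Accepted" and e["ts"] >= burst[-1]["ts"]
                              for e in evs)
                alerts.append({"ip": ip, "hosts": sorted({f["host"] for f in burst}),
                               "failures": len(burst), "severity": "high" if success else "medium"})
                break  # one alert per source IP
    return alerts
```

No single host in the sample sees three failures, so only the central correlation across web01, app01 and db01 produces the alert.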
Although there are numerous advantages in using a cloud-based SaaS system, many practical issues still have to be solved, particularly those related to privacy and security, service level agreements (SLAs), and power efficiency. As described above, security currently has many issues that scare away potential users. Until a proper security module is in place, potential users will not be able to leverage the true benefits of this technology. This security module should cater to all the issues arising from all directions of the SaaS model. Where there are heterogeneous systems with varying asset values, a single security system will be too costly for certain applications, and if there is less security, the vulnerability of the SaaS model will shoot up. On the other side, if the SaaS provider has a common security methodology in place, it becomes a high-value target for hackers, because compromising the security system will make the entire SaaS model vulnerable to attack.
Authored By - Anilkumar Dubey
TCS Cyber Security Practice