Security that works with, not against, your SaaS business

Security that works with, not
against, your SaaS business
Dave Shackleford, Lead Faculty, IANS
Rand Wacker, VP Products, CloudPassage
10/2/2013

Who We Are
Dave Shackleford
Lead Faculty at IANS
Copyright © 2013 IANS. All rights reserved. 2
Rand Wacker
VP of Products at
CloudPassage

Virtualization: First step to Cloud
• Security is in
upheaval
• We must adapt to
cloud disruption
• Check out Dave’s
Cloud Security
classes with SANS

Overview for Today
• Business imperatives for SaaS
• Cloud-based delivery architecture
• Security complexity in agile cloud environments
• Customer case studies with Halo Enterprise
• Q&A

© 2013 CloudPassage Inc.
Two Sides of the SaaS Coin
What Custs Fear
– Loss of data / I.P.
– Their brand being caught
up in a compromise
– Failing their own audits
– Having to migrate to
another provider later…
What You Want
– Recurring revenue
– Organic incremental sales
– Nothing to ship, one
codebase to support
– Higher profit margins at
scale…
Data protection is often a new business
challenge for software providers.

SaaS Adoption and Fear Trends
SaaS is the primary cloud investment
• 82% of companies use SaaS providers
• 50% use SaaS for business-critical apps
Source: North Bridge Capital “Future of the Cloud” survey (June 2012)
Security, compliance still top concerns
• 55% consider security a major issue
• 38% view compliance as show-stopper

SaaS Adoption and Fear Trends
SaaS is the primary cloud investment
• 82% of companies use SaaS providers
• 50% use SaaS for business-critical apps
Source: North Bridge Capital “Future of the Cloud” survey (June 2012)
Security, compliance still top concerns
• 55% consider security a major issue
• 38% view compliance as show-stopper
Companies want to use SaaS
but fear security issues.
SaaS providers who get
security right are at a massive
advantage over competitors.

What SaaS Customers Demand
2700
2
Maintaining compliance is more complex in
dynamic cloud-based environments.

Cloud Accelerates SaaS Dev
• SaaS feature development
must stay ahead of
competition
• DevOps and cloud
architectures enable agile
development
• Accelerates time-to-
market, but complicates
security…

Poll: SaaS Challenges
• What are your biggest challenges in
building/transitioning to a SaaS business
model? (Select all that apply)
– Organizational expertise in building SaaS offerings
– Security of service/customer data
– Transitioning customers from perpetual to subscription
– Cannibalization of existing revenue streams
– Other

Cloud Security Challenges
• There are many security challenges in cloud computing
• Some are more technical
– Tracking data migration from abc (mobility)
– Data/customer segmentation (Multi-tenancy)
– Identity and Access Management
– Incident response in multitenant environments
• Some are more “macro” level issues:
– Policy and Risk Assessment
– Governance
– Audit requirements
– Compliance
“If you’re a large
enterprise, somebody in
your organization is using
cloud computing, but
they’re not telling you.”
--James Staten, principal
analyst at Forrester
Research

The Role of Virtualization in the Cloud
• Virtualization is a cloud enabler
– Pooled resources
– Abstracted components and applications
– Shared infrastructure
– Resource and data migration and replication
• Virtualization technologies have security issues, too:
– More complexity, more moving parts
– New configuration controls
– Segmentation and separation
– Monitoring

Multi-tenancy: Security Issues
• One physical platform may host numerous
distinct entities’ data and services
• Critical needs arise for:
– Segmentation & Isolation
– Policy boundaries
– Monitoring (availability/security)
– Management
• Needs may differ for private vs. public cloud
types

Visibility
• Visibility is a challenge in cloud
environments – why?
– Customers do not have visibility into the
internal security controls in place at a cloud
provider facility
– Cloud providers need controls that are
flexible and dynamic across different
environments

Gaining Additional Visibility
• SaaS environments will employ IaaS principles
and infrastructure to host VMs and application
instances
• Monitoring these instances can be a challenge
as they migrate and balance across clusters
• Traditional tools for monitoring (IDS, for
example) may have difficulty “following” systems
or gaining visibility into virtual environments
• Monitoring at the individual VM level makes
more sense in a cloud infrastructure

Change Management in the Cloud
• Change management is one of the most important
operational aspects of the cloud
• Cloud computing is built on a foundation of
consistency and uniformity
– Changes can affect this dramatically
• Issues:
– Virtualized infrastructure increases the rate of change due
to dynamic nature
– Virtualization and multi-tenancy add new levels of
complexity
• App Virtual OS Virtual Hardware Storage
Hypervisor Platform Physical Hardware

Automation and DevOps
• In many SaaS cloud environments today, numerous
small/rapid code pushes are becoming necessary
– Automating this process with proper test and risk
assessment is key
• DevOps strives for a number of goals and focal
areas:
– Automated provisioning
– No-downtime deployments
– Monitoring
– “Fail fast and often”
– Automated builds and testing

Traditional Security Breaks Cloud Ops
• Many traditional security tools and controls are
not well-suited to dynamic cloud operational
environments
• In general, many network-focused and larger
architectural controls can be slow to
change/adapt
– Orchestration tools can help, but API support is
required

Host-Based Security in Cloud Environments
• For truly dynamic SaaS deployments, security
architecture will be a balance of network and
host controls
– Many are leaning more toward local system security
controls, though
• Some of the challenges include:
– Resource utilization
– Integration with virtualization platforms
– Testing with SaaS application instances
– Manageability

Host-based Security Agents
• The biggest issue with host-based security
agents is resource consumption
– Too much RAM, CPU, etc.
– This is a serious issue in virtualized environments
• A lightweight, specially-adapted agent is needed
• Tight integration with the OS kernel and
components is also key
– Local scans and monitoring need to be as low-impact
as possible
– Scalability and centralized control are critical

Introducing
Halo Enterprise

Halo Enterprise automates
security for large, complex
private, public & hybrid clouds
• Visibility & control across any infrastructure
• Less time demanded from DevOps & Security
• More competitive SaaS offerings
• Meet compliance needs, remove sales
barriers

Confidential NDA material. Do not distribute.
Security and Compliance Automation
Protect servers and applications in any private,
public, or hybrid cloud environment
Server Account
Managements
Security Event
Alerting
File Integrity
Monitoring
REST API
Integrations
Broad set of security controls, critical for
securing cloud-hosted applications
Firewall Automation
System & Application
Config Security
Multi-Factor
Authentication
Vulnerability &
Patch Scanning

Private cloud &
SDDC
Virtualized & bare-metal
datacenterPublic cloud IaaS
Halo security
analytics engine
Halo administration
web portal
Halo REST
API gateway
HALO SECURITY MODULES
• Firewall policy orchestration
• Multi-factor authentication
• File integrity monitoring
• Configuration security monitoring
• Software vulnerability scanning
• System access management

Workload VM Instance
Operating System
Application Code
System Administration Services
Application
Engine
App Storage
Volume
System Storage
Volume
Halo Daemon
1
Halo activates firewall on boot, applies latest
policies, and orchestrates ongoing policy updates.
1
2
Halo secures privileged access via dynamic firewall
rules triggered by multi-factor user authentication.
2
4
Application configurations are scanned for
vulnerabilities and are continuously monitored.
4
5
Cryptographic integrity monitoring ensures app
code and binaries are not compromised.
5
6
Halo monitors system binary and config files for
correct ACLs, file integrity, and vulnerabilities.
6
Halo scans O.S. configurations for vulnerabilities
and continuously monitors O.S. state and activity.
3
3
7
Application data stores are monitored for access;
outbound firewall rules prevent data extrusion.
7

Solving Cloud Security Challenges
Cloud Complications
Virtualization and multi-
tenancy
Maintaining visibility
Taming change
management
Supporting automation &
DevOps
CloudPassage
Approach
Build security into cloud
stack
Design for
automation, portability, an
d scalability
Broad range of security
controls
Simplify compliance
management

Cloud Security
Case Studies

Poll: SaaS Offerings
• Today, what percentage of your
business is from a SaaS offering (vs
boxed product or other?)
– All
– More than half
– Less than half
– None
– Not applicable to our organization

Case Study: Enabling SaaSification
• Top 10 Fortune’s software list
• Corporate imperative move
boxed product to SaaS
• Security is paramount;
customers demand
SOC2, HIPAA, etc
• Running across mix of
AWS, VMware, and others

Case Study: Enabling SaaSification
Product
Line 1
Product
Line 2
Product
Line 3
SaaS
Product 1
SaaS
Product 2
SaaS
Product 3
Halo automates security
and compliance for each
BU running in cloud
Halo security
platform
Halo Benefits
• Enable fast and agile
DevOps model
• Security built into stack
for portability
• Ensures consistency of
servers, visibility, and
enables rapid response

Case Study: Securing Acquisitions
• B2B SaaS pioneer
• Core product in virtualized
datacenters, traditional
security practices
• 20+ acquisitions for growth:
most built in public cloud
• Must extend security and
compliance across any
infrastructure

Case Study: Securing Acquisitions
Core Product Datacenter
& IT Security Operations
Halo provides security
and compliance across
all environments
Acquisitions built in public &
private clouds
Halo Benefits
• Easily installs into any
cloud architecture
• No disruption to
development pace
• Extends existing
security operations to
cloud

Summary
• SaaS businesses require strong security
• Cloud-based development complicates
traditional security
• Security and compliance must enhance, not
slow down, agile SaaS development
• Focus security architecture on automation,
portability, and visibility

Q&A and Additional Information
Dave Shackleford
Lead Faculty, IANS
@ians_security
cloudpassage.com/saas
Rand Wacker
VP, Producs
@cloudpassage
Securing SaaS whitepaper
Request a Halo demo or free trial

Security that works with, not against, your SaaS business

More Related Content

What's hot (20)

Viewers also liked (6)

Similar to Security that works with, not against, your SaaS business (20)

More from CloudPassage (20)

Recently uploaded (20)

Security that works with, not against, your SaaS business