Cloud Computing: How to Ensure Security of Applications Deployed in Cloud
By Dipankar Das, Gaea News Network
Saturday, May 1, 2010
IT services and computing have become widespread in the enterprise. Today, enterprises consider their data and business processes crucial and guard them with access control and compliance policies. In the SaaS model, enterprise data is stored at the provider's site. The cloud provider replicates the data at different locations for quick availability. So there is strong concern about data breaches, application vulnerabilities and availability, any of which may lead to financial and legal issues. This article highlights the security issues for SaaS-based cloud services.
- SaaS deployment model: The SaaS security challenges depend upon the deployment model used by the vendor. SaaS vendors may choose to deploy the application either through a public cloud vendor or by hosting it themselves. Public cloud providers like Amazon provide secure infrastructure services, which involve the use of firewalls, intrusion detection systems, etc. In a self-hosted SaaS deployment, the vendor builds these services itself and assesses them for security loopholes.
- Data Security: In a self-hosted deployment model, the data resides within the boundary of the enterprise, so physical, logical and personnel security and access control are enforced by the organization. In the SaaS model, by contrast, the data resides at the provider's site, so the provider must adopt data security policies and prevent any violation due to security vulnerabilities. This involves strong encryption techniques and strict authorization to control access. For example, Amazon EC2 administrators use strong Secure Shell [SSH] to gain access to a host. All such accesses are logged and regularly audited.
- Network security: In a SaaS deployment model, sensitive data comes from the enterprise, is processed by the SaaS application and is stored at the SaaS vendor's site. All of this data flowing through the network has to be secured to avoid leakage. This involves network traffic encryption techniques such as Secure Sockets Layer [SSL] and Transport Layer Security [TLS].
- Data Segregation: In a SaaS model, the application instance and the stored data may be accessed by different users. This is cost effective and lets SaaS vendors use their resources efficiently. So there has to be a security check to ensure data security and prevent unauthorized access to data. This is where data segregation comes in.
- Regulatory compliance: A SaaS deployment needs to comply with regulatory and industry standards. Access to, storage of, and processing of sensitive data need to be carefully controlled and are governed by regulations such as ISO-27001, the Sarbanes-Oxley Act, etc. Since data may reside in a different country, data privacy also matters.
- Sign In Process: All user account information, including passwords, has to be maintained at the vendor's site. Relevant portions of user account information should be replicated to the SaaS vendor to facilitate sign-on and access control capabilities. The entire user account information, including credentials, has to be managed and stored independently by each tenant.
- Back up: The SaaS vendor has to ensure that all of the customer's classified information is backed up for quick recovery in case of disaster. Backup data has to be strongly encrypted to prevent any accidental leakage of the information.
Filed under: Cloud Computing, Enterprise Software and Services, Featured Article, Web
Tags: cloud computing, Data Security, ISO 27001, network security, SaaS, Sarbanes-Oxley Act