
Security that works with, not against, your SaaS business

Dave Shackleford, Lead Faculty, IANS

Rand Wacker, VP Products, CloudPassage

10/2/2013

Copyright © 2013 IANS. All rights reserved. 2

Who We Are

Dave Shackleford, Lead Faculty at IANS

Rand Wacker, VP of Products at CloudPassage


Virtualization: First step to Cloud

• Security is in upheaval

• We must adapt to cloud disruption

• Check out Dave’s Cloud Security classes with SANS


Overview for Today

• Business imperatives for SaaS

• Cloud-based delivery architecture

• Security complexity in agile cloud environments

• Customer case studies with Halo Enterprise

• Q&A

Moving to a SaaS Business

© 2013 CloudPassage Inc.

Two Sides of the SaaS Coin

What Customers Fear
– Loss of data / I.P.
– Their brand being caught up in a compromise
– Failing their own audits
– Having to migrate to another provider later…

What You Want
– Recurring revenue
– Organic incremental sales
– Nothing to ship, one codebase to support
– Higher profit margins at scale…

Data protection is often a new business challenge for software providers.


SaaS Adoption and Fear Trends

SaaS is the primary cloud investment

• 82% of companies use SaaS providers

• 50% use SaaS for business-critical apps

Source: North Bridge Capital “Future of the Cloud” survey (June 2012)

Security, compliance still top concerns

• 55% consider security a major issue

• 38% view compliance as show-stopper


Companies want to use SaaS but fear security issues.

SaaS providers who get security right are at a massive advantage over competitors.


What SaaS Customers Demand

[Slide graphic: logos of the compliance standards SaaS customers demand; only the label "27002" survives extraction.]

Maintaining compliance is more complex in dynamic cloud-based environments.

Building SaaS Today


Cloud Accelerates SaaS Dev

• SaaS feature development must stay ahead of competition

• DevOps and cloud architectures enable agile development

• Accelerates time-to-market, but complicates security…


Poll: SaaS Challenges

• What are your biggest challenges in building/transitioning to a SaaS business model? (Select all that apply)
– Organizational expertise in building SaaS offerings
– Security of service/customer data
– Transitioning customers from perpetual to subscription
– Cannibalization of existing revenue streams
– Other

Securing Cloud Development

Cloud Security Challenges

• There are many security challenges in cloud computing

• Some are more technical:
– Tracking data migration (mobility)
– Data/customer segmentation (multi-tenancy)
– Identity and Access Management
– Incident response in multi-tenant environments

• Some are more “macro” level issues:
– Policy and Risk Assessment
– Governance
– Audit requirements
– Compliance

“If you’re a large enterprise, somebody in your organization is using cloud computing, but they’re not telling you.”

--James Staten, principal analyst at Forrester Research

The Role of Virtualization in the Cloud

• Virtualization is a cloud enabler
– Pooled resources
– Abstracted components and applications
– Shared infrastructure
– Resource and data migration and replication

• Virtualization technologies have security issues, too:
– More complexity, more moving parts
– New configuration controls
– Segmentation and separation
– Monitoring

Multi-tenancy: Security Issues

• One physical platform may host numerous distinct entities’ data and services

• Critical needs arise for:
– Segmentation & Isolation
– Policy boundaries
– Monitoring (availability/security)
– Management

• Needs may differ for private vs. public cloud types

Visibility

• Visibility is a challenge in cloud environments – why?
– Customers do not have visibility into the internal security controls in place at a cloud provider facility
– Cloud providers need controls that are flexible and dynamic across different environments


Gaining Additional Visibility

• SaaS environments will employ IaaS principles and infrastructure to host VMs and application instances

• Monitoring these instances can be a challenge as they migrate and balance across clusters

• Traditional tools for monitoring (IDS, for example) may have difficulty “following” systems or gaining visibility into virtual environments

• Monitoring at the individual VM level makes more sense in a cloud infrastructure

Change Management in the Cloud

• Change management is one of the most important operational aspects of the cloud

• Cloud computing is built on a foundation of consistency and uniformity
– Changes can affect this dramatically

• Issues:
– Virtualized infrastructure increases the rate of change due to its dynamic nature
– Virtualization and multi-tenancy add new levels of complexity

[Slide graphic: the cloud stack layers shown on the slide: App, Virtual OS, Virtual Hardware, Storage, Hypervisor, Platform, Physical Hardware]
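Change management is easier to tame when every instance is checked against a known-good configuration on each run, rather than trusting that nobody touched it. The following script is an added example, not CloudPassage or Halo code: it parses an sshd_config-style file, checks it against a small hypothetical hardening policy, reports drift from a baseline snapshot, and computes a fingerprint that lets a whole fleet be compared cheaply. The file contents, the POLICY table and the function names are constructed for this example.

```python
import hashlib
from dataclasses import dataclass

# Constructed sample: sshd_config fragment from the approved base image (the baseline).
BASELINE_SSHD = """\
Port 22
Protocol 2
PermitRootLogin no
PasswordAuthentication no
PermitEmptyPasswords no
MaxAuthTries 3
"""

# Constructed sample: the same file as read from a running instance after an
# undocumented change (root login enabled, one directive dropped, one added).
CURRENT_SSHD = """\
Port 22
Protocol 2
PermitRootLogin yes   # temporary, for debugging
PasswordAuthentication no
MaxAuthTries 6
X11Forwarding yes
"""

# Hypothetical hardening policy: directive -> acceptable values (lower-case).
POLICY = {
    "permitrootlogin": {"no"},
    "passwordauthentication": {"no"},
    "permitemptypasswords": {"no"},
    "maxauthtries": {"1", "2", "3", "4"},
}


@dataclass(frozen=True)
class Finding:
    kind: str       # "policy" (violates POLICY) or "drift" (differs from baseline)
    directive: str
    expected: str
    actual: str


def parse_directives(text: str) -> dict:
    """Parse 'Directive value' lines; '#' comments and blank lines are ignored.
    Keys are lower-cased. As sshd does, the first occurrence of a directive wins."""
    directives = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        directives.setdefault(key, value)
    return directives


def check_policy(text: str, policy: dict = POLICY) -> list:
    """Return one Finding per policy directive that is missing or has a disallowed value."""
    directives = parse_directives(text)
    findings = []
    for key, allowed in policy.items():
        actual = directives.get(key, "<missing>")
        if actual.lower() not in allowed:
            findings.append(Finding("policy", key, "|".join(sorted(allowed)), actual))
    return findings


def detect_drift(baseline_text: str, current_text: str) -> list:
    """Return one Finding per directive whose value differs between baseline and current."""
    base, cur = parse_directives(baseline_text), parse_directives(current_text)
    findings = []
    for key in sorted(set(base) | set(cur)):
        before, after = base.get(key, "<absent>"), cur.get(key, "<absent>")
        if before != after:
            findings.append(Finding("drift", key, before, after))
    return findings


def config_fingerprint(text: str) -> str:
    """SHA-256 over the canonicalised directives, so comments and ordering do not
    change the value; equal fingerprints mean equal effective configuration."""
    canonical = "\n".join(f"{k} {v}" for k, v in sorted(parse_directives(text).items()))
    return hashlib.sha256(canonical.encode()).hexdigest()


if __name__ == "__main__":
    for f in check_policy(CURRENT_SSHD) + detect_drift(BASELINE_SSHD, CURRENT_SSHD):
        print(f"{f.kind:6} {f.directive:24} expected={f.expected!r} actual={f.actual!r}")
    print("baseline", config_fingerprint(BASELINE_SSHD)[:16],
          "current", config_fingerprint(CURRENT_SSHD)[:16])
```

The policy check catches a missing directive as well as a wrong one, because an absent `PermitEmptyPasswords` silently falls back to the daemon default; the drift check is independent of the policy and flags anything that differs from the image, which is what a change-management review wants to see.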

Automation and DevOps

• In many SaaS cloud environments today, numerous small/rapid code pushes are becoming necessary
– Automating this process with proper test and risk assessment is key

• DevOps strives for a number of goals and focal areas:
– Automated provisioning
– No-downtime deployments
– Monitoring
– “Fail fast and often”
– Automated builds and testing


Traditional Security Breaks Cloud Ops

• Many traditional security tools and controls are not well-suited to dynamic cloud operational environments

• In general, many network-focused and larger architectural controls can be slow to change/adapt
– Orchestration tools can help, but API support is required


Host-Based Security in Cloud Environments

• For truly dynamic SaaS deployments, security architecture will be a balance of network and host controls
– Many are leaning more toward local system security controls, though

• Some of the challenges include:
– Resource utilization
– Integration with virtualization platforms
– Testing with SaaS application instances
– Manageability

Host-based Security Agents

• The biggest issue with host-based security agents is resource consumption
– Too much RAM, CPU, etc.
– This is a serious issue in virtualized environments

• A lightweight, specially-adapted agent is needed

• Tight integration with the OS kernel and components is also key
– Local scans and monitoring need to be as low-impact as possible
– Scalability and centralized control are critical


Introducing Halo Enterprise


Halo Enterprise automates security for large, complex private, public & hybrid clouds
• Visibility & control across any infrastructure
• Less time demanded from DevOps & Security
• More competitive SaaS offerings
• Meet compliance needs, remove sales barriers


Security and Compliance Automation

Protect servers and applications in any private, public, or hybrid cloud environment. Broad set of security controls, critical for securing cloud-hosted applications:

• Server Account Management
• Security Event Alerting
• File Integrity Monitoring
• REST API Integrations
• Firewall Automation
• System & Application Config Security
• Multi-Factor Authentication
• Vulnerability & Patch Scanning

HALO PLATFORM

[Slide graphic: the Halo platform spanning private cloud & SDDC, virtualized & bare-metal datacenter, and public cloud IaaS]

• Halo security analytics engine
• Halo administration web portal
• Halo REST API gateway

HALO SECURITY MODULES
• Firewall policy orchestration
• Multi-factor authentication
• File integrity monitoring
• Configuration security monitoring
• Software vulnerability scanning
• System access management
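The firewall policy orchestration and multi-factor authentication modules listed above describe privileged access that is opened only after a user passes MFA, only for that user's source address, and only for a limited time. The program below is an added example, not CloudPassage or Halo code, of how such an orchestrator can be modelled: it implements RFC 6238 TOTP over RFC 4226 HOTP, rejects replayed codes, and on success records a time-limited grant that is rendered as an iptables-style ACCEPT rule and expires on its own. The class and function names, the 15-minute TTL, the rule text format and the addresses are assumptions for the example; the secret is the RFC 4226/6238 test-vector key, so the codes are the published ones.

```python
import hashlib
import hmac
import ipaddress
import struct
from dataclasses import dataclass


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at_time: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, int(at_time) // step, digits)


def verify_totp(secret: bytes, code: str, at_time: float, step: int = 30, window: int = 1):
    """Return the time-step counter that produced `code` (accepting +/- `window`
    steps of clock skew), or None. compare_digest avoids a timing side channel."""
    counter = int(at_time) // step
    for c in range(counter - window, counter + window + 1):
        if hmac.compare_digest(hotp(secret, c), code):
            return c
    return None


@dataclass(frozen=True)
class AccessRule:
    user: str
    source: str      # a single host address; rendered as /32 or /128
    port: int
    expires_at: float


class AccessOrchestrator:
    """Opens a port to one source address only after a valid, unused TOTP code,
    and only for `ttl` seconds. Hypothetical design, not a product API."""

    def __init__(self, ttl: int = 900):
        self.ttl = ttl
        self.rules: list = []
        self._used_counters: set = set()   # (user, counter) pairs already accepted

    def request_access(self, user, secret, code, source_ip, port, now):
        """Return the granted AccessRule, or None if MFA fails or the code is replayed."""
        addr = ipaddress.ip_address(source_ip)       # raises ValueError on garbage input
        counter = verify_totp(secret, code, now)
        if counter is None or (user, counter) in self._used_counters:
            return None
        self._used_counters.add((user, counter))
        rule = AccessRule(user, str(addr), port, now + self.ttl)
        self.rules.append(rule)
        return rule

    def active_rules(self, now):
        """Drop expired grants and return the ones still in force."""
        self.rules = [r for r in self.rules if r.expires_at > now]
        return list(self.rules)

    def render_iptables(self, now):
        """Render active grants as iptables INPUT rules (format assumed for illustration)."""
        lines = []
        for r in self.active_rules(now):
            prefix = 32 if ipaddress.ip_address(r.source).version == 4 else 128
            lines.append(f"-A INPUT -s {r.source}/{prefix} -p tcp --dport {r.port} -j ACCEPT")
        return lines


# Constructed demo: the RFC 4226/6238 test-vector secret and a fixed clock.
DEMO_SECRET = b"12345678901234567890"
DEMO_CLOCK = 59   # RFC 6238 test vector: TOTP at t=59 is 94287082, last six digits 287082

if __name__ == "__main__":
    orch = AccessOrchestrator()
    code = totp(DEMO_SECRET, DEMO_CLOCK)
    print("TOTP now:", code)
    print("granted:", orch.request_access("alice", DEMO_SECRET, code, "203.0.113.5", 22, DEMO_CLOCK))
    print("\n".join(orch.render_iptables(DEMO_CLOCK)))
    print("still open after TTL:", orch.active_rules(DEMO_CLOCK + 1000))
```

Two details carry most of the security value: the accepted (user, counter) pair is remembered so the same one-time code cannot open the port twice, and expiry is evaluated whenever rules are read, so a grant never outlives its TTL even if nothing else runs.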

[Slide graphic: a workload VM instance containing the Operating System, Application Code, System Administration Services, Application Engine, App Storage Volume, System Storage Volume and the Halo Daemon, with the numbered callouts below]

1. Halo activates firewall on boot, applies latest policies, and orchestrates ongoing policy updates.

2. Halo secures privileged access via dynamic firewall rules triggered by multi-factor user authentication.

3. Halo scans O.S. configurations for vulnerabilities and continuously monitors O.S. state and activity.

4. Application configurations are scanned for vulnerabilities and are continuously monitored.

5. Cryptographic integrity monitoring ensures app code and binaries are not compromised.

6. Halo monitors system binary and config files for correct ACLs, file integrity, and vulnerabilities.

7. Application data stores are monitored for access; outbound firewall rules prevent data extrusion.
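Callouts 5 and 6 describe cryptographic integrity monitoring of application code, binaries and configuration files together with ACL checks. The script below is an added example, not CloudPassage or Halo code, of the core of such a check: it snapshots the SHA-256 digest and permission bits of every regular file under a directory, then reports files that were modified, added, removed, had their mode changed, or are world-writable. The directory tree, file names and contents are constructed inside the script in a temporary directory so it runs offline; the function names are assumptions for the example.

```python
import hashlib
import os
import stat
import tempfile
from pathlib import Path


def sha256_file(path: Path, chunk: int = 65536) -> str:
    """Stream the file through SHA-256 so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def snapshot(root) -> dict:
    """Map relative path -> (sha256, permission bits) for every regular file under root.
    lstat is used and non-regular entries are skipped, so a symlink cannot stand in
    for the file it points at."""
    root = Path(root)
    result = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            st = p.lstat()
            if not stat.S_ISREG(st.st_mode):
                continue
            result[str(p.relative_to(root))] = (sha256_file(p), stat.S_IMODE(st.st_mode))
    return result


def verify(root, baseline: dict) -> list:
    """Compare the live tree against a baseline; return sorted (finding, path) pairs."""
    current = snapshot(root)
    findings = []
    for rel, (digest, mode) in baseline.items():
        if rel not in current:
            findings.append(("removed", rel))
            continue
        cur_digest, cur_mode = current[rel]
        if cur_digest != digest:
            findings.append(("modified", rel))
        if cur_mode != mode:
            findings.append(("permissions", rel))
    for rel, (_digest, mode) in current.items():
        if rel not in baseline:
            findings.append(("added", rel))
        if mode & stat.S_IWOTH:          # world-writable is a finding whatever the baseline says
            findings.append(("world-writable", rel))
    return sorted(findings)


def make_demo_tree() -> Path:
    """Constructed sample: a tiny application install in a fresh temporary directory."""
    root = Path(tempfile.mkdtemp(prefix="fim-demo-"))
    files = {
        "bin/server": (b"#!/bin/sh\nexec /opt/app/server\n", 0o755),
        "etc/app.conf": (b"listen = 8080\nmode = production\n", 0o644),
        "etc/old.conf": (b"legacy = true\n", 0o644),
    }
    for rel, (content, mode) in files.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(content)
        p.chmod(mode)           # explicit modes so the result does not depend on umask
    return root


def tamper(root: Path) -> None:
    """Constructed sample of the four kinds of change an integrity monitor should catch."""
    (root / "bin/server").write_bytes(b"#!/bin/sh\nexec /opt/app/server --debug\n")  # content changed
    (root / "etc/app.conf").chmod(0o666)                                             # ACL loosened
    (root / "bin/dropped").write_bytes(b"unexpected\n")                              # file added
    (root / "etc/old.conf").unlink()                                                 # file removed


if __name__ == "__main__":
    root = make_demo_tree()
    baseline = snapshot(root)
    print("clean run:", verify(root, baseline))
    tamper(root)
    for kind, rel in verify(root, baseline):
        print(f"{kind:15} {rel}")
```

Keeping the baseline on the monitored host defeats the purpose, since whoever can replace a binary can also rewrite the stored digests; the snapshot dictionary is meant to be shipped to and compared by a central service, which is where the centralized control called for earlier in the deck comes in.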


Solving Cloud Security Challenges

Cloud Complications

Virtualization and multi-tenancy

Maintaining visibility

Taming change management

Supporting automation & DevOps

CloudPassage Approach

Build security into cloud stack

Design for automation, portability, and scalability

Broad range of security controls

Simplify compliance management


Cloud Security Case Studies


Poll: SaaS Offerings

• Today, what percentage of your business is from a SaaS offering (vs. boxed product or other)?
– All
– More than half
– Less than half
– None
– Not applicable to our organization


Case Study: Enabling SaaSification

• Top 10 on Fortune’s software list

• Corporate imperative: move boxed product to SaaS

• Security is paramount; customers demand SOC 2, HIPAA, etc.

• Running across mix of AWS, VMware, and others


Case Study: Enabling SaaSification

[Slide graphic: three boxed product lines (Product Line 1, 2, 3) each becoming a SaaS product (SaaS Product 1, 2, 3), all running on the Halo security platform]

Halo automates security and compliance for each BU running in cloud.

Halo Benefits

• Enable fast and agile DevOps model

• Security built into stack for portability

• Ensures consistency of servers, visibility, and enables rapid response


Case Study: Securing Acquisitions

• B2B SaaS pioneer

• Core product in virtualized datacenters, traditional security practices

• 20+ acquisitions for growth: most built in public cloud

• Must extend security and compliance across any infrastructure


Case Study: Securing Acquisitions

[Slide graphic: the core product datacenter & IT security operations alongside acquisitions built in public & private clouds]

Halo provides security and compliance across all environments.

Halo Benefits

• Easily installs into any cloud architecture

• No disruption to development pace

• Extends existing security operations to cloud

Wrap Up


Summary

• SaaS businesses require strong security

• Cloud-based development complicates traditional security

• Security and compliance must enhance, not slow down, agile SaaS development

• Focus security architecture on automation, portability, and visibility


Q&A and Additional Information

Dave Shackleford

Lead Faculty, IANS

@ians_security

cloudpassage.com/saas

Rand Wacker

VP, Products

@cloudpassage

Securing SaaS whitepaper

Request a Halo demo or free trial

Thank You!