Towards Efficient and Secure Data Storage in Multi-Tenant Cloud-Based CRM Solutions

CloudSPD 2015 Workshop | 09/12/2015

Dr. Simone Braun, Dr. Julia Vuong


CAS Software AG
The leading German provider of CRM solutions for SMEs

Copyright ©2015 | All rights reserved.
Dr. Simone Braun | CAS Software AG

Agenda

Multi-Tenant Cloud-Based CRM Solution CAS PIA
Requirements for a User-Context-Specific Data Security Concept
Data Encryption and Physical Distribution: A Roadmap
Conclusions

CAS PIA: Multi-Tenant Cloud-Based CRM Solution

Key objective: Streamline business processes and increase sales with an integrated CRM system
Storing customer data centrally in a company
All areas and departments can access information (depending on individual rights)
360-degree view of all of a customer's information: appointments, tasks, telephone notes, correspondence, sales opportunities, complaints, orders, delivery notes, projects and more

CAS PIA: Customer Dossier with Latest Customer Information

CAS PIA Database Model: Dealing with a Huge Variety of Data Types

CAS PIA Technical Details: Data in Multi-Tenant Cloud-Based CRM Solution

CAS PIA built on top of CAS Open – a PaaS for building xRM enterprise software
Persistence layer implements a relational database abstraction layer and a proprietary SQL dialect, the CAS SQL
“One tenant per database” enforced by CAS SQL parser
All data types are dynamic
Extensions through adding new attributes
Any data type includes permission attribute

CAS PIA Permission System: For Specific Dataset

Safe & Secured CRM Data Sharing: A Security Concept Taking into Account

Multi-Tenant Nature
Level of security depending on nature and type of data: e-mail address/phone number vs. salary in Germany
Availability everywhere and at any time: usability on different devices and any popular operating systems
User context
Efficiency aspect

Currently there is no sophisticated solution for data encryption and distribution that supports CAS in easily reaching a compromise between securing confidential data and limiting the performance impact

Goal: User-Driven Level of Data Privacy and Security

Data security according to user needs
Encrypting a huge amount of data causes significant loss of performance and enlarges the computational cost
Only data marked as sensitive by the end user or by policies prescribed by company rules should be protected
Automatic interpretation and application of security mechanism corresponding to chosen data privacy level
Encryption and physical distribution of data

Requirements for User-Context-Specific Data Security Concept

1. Secure Data and Application Lifecycle Management
2. Secure Key Management
3. Context-Aware Access Control
4. Developer Support

Requirements for User-Context-Specific Data Security Concept

Secure Data and Application Lifecycle Management
Security within the whole data lifecycle
Backup data stay encrypted
Ensure usability in case of regular key change
Include backup data in re-encryption process if key is compromised
Include Application Lifecycle Management to ensure that security leaks in third-party libraries in use are closed

Requirements for User-Context-Specific Data Security Concept

Secure Key Management
Cryptographic keys can be an entry point to protected sensitive data
Include configurable secured key management to satisfy companies' security requirements

Context-Aware Access Control
Restrict data access to user context
Access control mechanism taking into account context information

Requirements for User-Context-Specific Data Security Concept

Developer Support
CRM developers are non-security experts
CRM solution needs to be secured
Available documentation and guidelines of security features necessary
IDE plug-in available
Validation check of applied security mechanisms

Data Encryption and Physical Distribution: Roadmap

Data Security using Searchable Encryption
Naive approach: download, decrypt data, work on it, re-encrypt, upload
Loss of efficiency
Better: Application of Searchable Encryption
Avoid the cloud service provider retaining information about stored data from search words
Hide search keywords
Store encrypted data physically distributed
Efficiency with respect to different computation capabilities and resources on different devices
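The "hide search keywords" point from the searchable-encryption slide, as an added example (not code from the presentation or from CAS PIA): the client sends only keyed HMAC tokens of search words, so the provider can match records without ever seeing a keyword. All function and class names, the per-tenant key derivation and the sample records are assumptions; record ciphertexts are opaque placeholders for data encrypted on the client.

```python
import hashlib
import hmac
import unicodedata
from collections import defaultdict

def derive_index_key(tenant_secret: bytes, tenant_id: str) -> bytes:
    """Per-tenant index key, so equal keywords give unrelated tokens across tenants."""
    return hmac.new(tenant_secret, b"search-index|" + tenant_id.encode(), hashlib.sha256).digest()

def keyword_token(index_key: bytes, keyword: str) -> str:
    """Search token for one keyword: HMAC over the normalized word."""
    norm = unicodedata.normalize("NFKC", keyword).casefold().strip()
    return hmac.new(index_key, norm.encode("utf-8"), hashlib.sha256).hexdigest()

class CloudIndex:
    """What the storage provider holds: tokens and opaque blobs, never plaintext."""
    def __init__(self):
        self.postings = defaultdict(set)   # token -> record ids
        self.blobs = {}                    # record id -> ciphertext (opaque here)
        self.query_log = []                # what a curious provider could record

    def put(self, record_id, ciphertext, tokens):
        self.blobs[record_id] = ciphertext
        for token in tokens:
            self.postings[token].add(record_id)

    def search(self, token):
        self.query_log.append(token)
        return sorted(self.postings.get(token, ()))

def client_upload(index, index_key, record_id, ciphertext, keywords):
    index.put(record_id, ciphertext, {keyword_token(index_key, k) for k in keywords})

def client_search(index, index_key, keyword):
    return index.search(keyword_token(index_key, keyword))

def demo():
    # Constructed sample data; the secrets and record ids are made up for this example.
    cloud = CloudIndex()
    key_a = derive_index_key(b"tenant-a-secret (constructed)", "tenant-a")
    key_b = derive_index_key(b"tenant-b-secret (constructed)", "tenant-b")
    client_upload(cloud, key_a, "a-1", b"<ciphertext>", ["Salary", "Complaint"])
    client_upload(cloud, key_a, "a-2", b"<ciphertext>", ["salary"])
    client_upload(cloud, key_b, "b-1", b"<ciphertext>", ["salary"])
    hits_a = client_search(cloud, key_a, "SALARY")
    hits_b = client_search(cloud, key_b, "salary")
    return cloud, hits_a, hits_b
```

Deterministic tokens still show the provider which records share a keyword and when a query repeats; schemes from the searchable-encryption literature aim to reduce that leakage.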

Data Encryption and Physical Distribution: Roadmap

Encrypted Persistency Framework
Cryptographic capabilities directly integrated at code level
no further configuration necessary
Non-static key management by transparent data encryption
immune to partial key exploitation
no statically stored key inside the application
Extensible DAO annotation scheme translated during runtime
Policy enforcement of authenticated and authorized users
Included as IDE plug-in

Data Encryption and Physical Distribution: Roadmap

Context-Aware Security Model and Policies
Model and Access Policies with fine-grained attributes
User context including dynamically changing parameters such as IP address, location, type of device or browser, user’s position and role in the company
Detect anomalies in user’s context evaluation
prevent unauthorized access to sensitive data
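A context-aware access decision using the attributes this slide lists (role, IP address, location, device type), as an added example that is not taken from the presentation or from CAS PIA. The policy table, the privacy-level names, the anomaly rule (a country never seen before for the user) and all sample values are assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Context:
    """Request context attributes named on the slide (all values constructed)."""
    user: str
    role: str
    ip: str
    country: str
    device: str

# Hypothetical policies keyed by the privacy level chosen for a CRM field:
# level -> (allowed roles, allowed source networks, allowed device types)
POLICIES = {
    "normal": ({"sales", "hr", "support"}, ["0.0.0.0/0", "::/0"], {"desktop", "mobile"}),
    "sensitive": ({"hr"}, ["10.20.0.0/16"], {"desktop"}),
}

def policy_allows(level: str, ctx: Context) -> bool:
    """Static attribute check; unknown levels and unparsable IPs fail closed."""
    if level not in POLICIES:
        return False
    roles, networks, devices = POLICIES[level]
    try:
        addr = ipaddress.ip_address(ctx.ip)
    except ValueError:
        return False
    in_network = any(addr in ipaddress.ip_network(n) for n in networks)
    return ctx.role in roles and in_network and ctx.device in devices

def is_anomalous(ctx: Context, history: list) -> bool:
    """Flag a country never seen before for this user (no history counts as anomalous)."""
    seen = {h.country for h in history if h.user == ctx.user}
    return ctx.country not in seen

def decide(level: str, ctx: Context, history: list) -> str:
    """Combine the policy check with the anomaly check for non-normal levels."""
    if not policy_allows(level, ctx):
        return "deny:policy"
    if level != "normal" and is_anomalous(ctx, history):
        return "deny:anomaly"
    return "permit"

# Constructed sample: alice (HR) normally works from DE on a desktop in 10.20.0.0/16.
HISTORY = [Context("alice", "hr", "10.20.1.5", "DE", "desktop")]
```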

Conclusions

A Roadmap for a Holistic Data Privacy and Security Preserving Framework including
Physically distributed storage of encrypted data
Secured data and application lifecycle management
Secured key management
Developer support

User-driven data encryption
Realized by searchable encryption and encrypted persistency framework
User-defined data access policies by code annotations in combination with suitable context model

To be implemented and integrated into CAS PIA for efficient and secure data storage

Thank you for your attention.

We’re looking forward to your questions!

Dr. Simone Braun, Dr. Julia Vuong

This project has received funding from the European Union’s Horizon 2020 research and innovation programme under grant agreement No 644814.