Posts Tagged ‘Information Security’
Security Must Haves in a SaaS Provider
The past year was a learning curve on cloud computing, especially on SaaS providers. More and more ASPs are coming back rebranded as SaaS providers. As a security practitioner, it would be good to have a must-have checklist that we can use to assess them.
I prepared the following must-have checklist based on the Cloud Computing Alliance Guide (v1.0) document. “SaaS Provider” refers to the vendor providing the cloud computing service and “Consumer” is the client or end user of the SaaS Provider.
Governance and Enterprise Risk Management
- SaaS Provider must provide at least SAS 70 Type II or equivalent certifications (e.g. Agreed Upon Procedures). SAS 70 Type II is a mandatory requirement if the service is SOX critical or within financial statement audit scope. If credit card information is involved, PCI DSS compliance certification is required.
- SaaS Provider must provide Consumer with a listing of all third party relationships that it has; similar audit assurance requirements as above apply to those parties. The vendor is expected to obtain such audit assurance from third party subcontractors and provide it to MFC upon request.
- SaaS Provider must divulge the policies, procedures and processes comprising its Information Security Management System (ISMS).
Legal
- Consumer must have authority to define Service Level Agreements with SaaS Provider
- SaaS Provider must incur all costs for both an expected and unexpected termination of the relationship and for an orderly return or secure disposal of Consumer assets.
- All of Consumer’s data must be destroyed from the SaaS Provider systems and environments upon the termination of the contract/services and upon completion of the transition and conversion to Consumer’s chosen platform and receipt of confirmation of the same from Consumer’s executive sponsor and/or legal counsel.
- Consumer information assets must not be used for secondary purpose including use of Consumer asset as test data.
- SaaS Provider must host all Consumer information assets in a country that Consumer is comfortable with (based on the regulations that Consumer is subject to).
- SaaS Provider must accept all costs related to data breaches if possible including recovery costs
- SaaS Provider must not share Consumer information assets with a third party or government entity without prior consent.
- Consumer must have an escrow arrangement for SaaS Provider software and applications
Electronic Discovery
- Consumer must have authority to define roles and responsibilities related to Electronic Discovery, including such activities as litigation hold, discovery searches, and who provides expert testimony.
Compliance and Audit
- Consumer must have authority to define type of control that will be applied to locations where data will be stored.
- Consumer must have authority to audit SaaS Provider on demand
- Consumer must have authority to perform external risk assessments, including a Privacy Impact Assessment on the SaaS Provider
Information Lifecycle Management
- SaaS Provider must retain and destroy Consumer information assets per Consumer security policies and standards.
- Consumer must have authority to perform regular backup and recovery tests to assure that logical segregation and controls are effective
- All regular backups must be received at a data warehouse owned by Consumer.
- SaaS Provider must have logical segregation of duties of personnel.
Portability and Interoperability
- Consumer must receive regular data extractions and backups to a format that is not proprietary and is reusable by Consumer
Traditional Security, Business Continuity and Disaster Recovery
- Consumer must have authority to define business continuity and disaster recovery requirements
- Consumer must have authority to perform onsite inspections of SaaS Provider’s facilities whenever required
- Consumer must have authority to inspect SaaS Provider disaster recovery and business continuity plans
Data Center Operations
- SaaS Provider must demonstrate comprehensive compartmentalization of systems, networks, management, provisioning and personnel.
- Consumer must have authority to perform tests on SaaS Provider’s customer service function regularly to determine their level of mastery in supporting the services.
Incident Response, Notification and Remediation
- Consumer must receive application layer logs to provide granular details of incidents specific to Consumer.
- SaaS Provider must at least have application level firewalls, proxies and other application logging tools that are key capabilities currently available to assist in responding to incidents in multi-tenant environments.
- SaaS Provider must use third party monitoring tools such as HP Cloud Assure or McAfee VA
- Consumer must receive timely notification of any related incident at SaaS Provider including change in personnel working on Consumer assets.
Application Security
- Consumer must have authority to conduct acceptance tests on any new changes introduced by SaaS Provider
- SaaS Provider must have separate environments for development, testing and production deployment of applications.
- SaaS Provider must always maintain an application instance for Consumer logically segregated from other instances of SaaS Provider customers.
- SaaS Provider must construct a registry of application owners by application interface (URL, SOA service, etc.)
- Consumer must receive third party binary code analysis report (e.g. Veracode report) on SaaS Provider application
Encryption and Key Management
- Consumer must have authority to stipulate encryption requirements (algorithm, key length and key management at a minimum) for any data classified as restricted or regulated.
- Cryptographic keys used by SaaS Provider must be hosted by a third party that Consumer is comfortable with.
Identity and Access Management
- SaaS Provider must use standards enabling federation: primarily SAML, WS-Federation and Liberty ID-FF federation
- SaaS Provider must support strong authentication natively or via delegation.
- SaaS Provider must support robust password policies that meet and exceed Consumer security policies and standards
Storage
- SaaS Provider must provide details of storage architecture and abstraction layers to verify that the storage subsystem does not span domain trust boundaries
- SaaS Provider must provide the list of storage geographical location.
- SaaS Provider must provide details of controls that are used during storage provisioning to partition multiple customers
- Data search capabilities of SaaS Provider must not violate Consumer information classification and handling security standards.
- At storage, SaaS Provider must utilize strong storage encryption that renders data unreadable when storage is recycled, disposed of, or accessed by any means outside of authorized applications.
- SaaS Provider must use a unique encryption key per Consumer to encrypt Consumer information assets or data.
- SaaS Provider must meet Consumer data retention policies for long term archival. Decryption and associated technologies must still be usable on the data several years later.
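The per-Consumer key requirement above, together with the data-destruction clause in the Legal section, as an added example that is not from the post or the CSA guide: each tenant's data is encrypted under its own key, so offboarding a tenant by discarding that key leaves its blobs unreadable on recycled storage while other tenants are unaffected. The cipher is a toy HMAC-based keystream so the block runs on the standard library alone; a real deployment would use an AEAD such as AES-GCM with the keys held outside the provider, as the checklist asks.

```python
import hashlib
import hmac
import os

def _keystream(key, nonce, length):
    """Toy keystream (HMAC-SHA256 in counter mode): a stand-in for a real AEAD such as AES-GCM."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])

class TenantStore:
    """Per-tenant encryption keys: shredding one tenant's key makes that tenant's
    stored blobs unreadable while other tenants are unaffected."""
    def __init__(self):
        self._keys = {}   # tenant_id -> key; in practice held in an HSM or external KMS
        self._blobs = {}  # (tenant_id, name) -> nonce + ciphertext + tag, i.e. what sits on disk

    def onboard(self, tenant):
        self._keys[tenant] = os.urandom(32)

    def put(self, tenant, name, data):
        key = self._keys[tenant]
        nonce = os.urandom(16)
        ct = bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))
        tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()  # integrity over nonce+ct
        self._blobs[(tenant, name)] = nonce + ct + tag

    def get(self, tenant, name):
        """Returns plaintext, or None if the key is gone or the blob was tampered with."""
        key = self._keys.get(tenant)
        blob = self._blobs.get((tenant, name))
        if key is None or blob is None:
            return None
        nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
        expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return None
        return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

    def offboard(self, tenant):
        """Crypto-shred: discard the key. Blobs may linger on recycled media but stay opaque."""
        self._keys.pop(tenant, None)

    def blob_still_present(self, tenant, name):
        return (tenant, name) in self._blobs
```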
Virtualization
- Virtualized operating systems of the SaaS Provider must be augmented by third party security technology to provide layered security controls and reduce dependency on the platform provider alone.
- SaaS Provider must assure secure by default configurations by following or exceeding available industry baselines for all its VM platforms.
- SaaS Provider must monitor or enable Consumer to monitor traffic crossing VM backplanes, which will be opaque to traditional network security controls.
- Administrative access and control of virtualized operating systems is crucial and SaaS Provider must include strong authentication integrated with enterprise identity management, as well as tamper proof logging and integrity monitoring tools.
Feel free to post your thoughts or suggestions. Don’t feel shy.
UPDATE: January 2010 – the Cloud Security Alliance has a new version of the guide. I will review the document shortly and make the necessary changes.
India’s Unique ID Use Case
Nandan Nilekani’s fully integrated ID card system for Indian citizens!
Operator : “Thank you for calling Pizza Hut. May I have your…”
Customer: “Heloo, Heloo, can I order..”
Operator : “Can I have your multi purpose ID card number first, Sir?”
Customer: “It’s he…, hold……….on……889861356102049998-45-54610”
Operator : “OK… You’re… Mr Singh and you’re calling from 17 Jal Vayu. Your home number is 22678893, your office 25076666 and your mobile is 09869798888. Today morning you landed in India at IG International Airport. Welcome back, Sir. Which number are you calling from now Sir?”
Customer: “Home! How did you get all my phone numbers?
Operator : “We are connected to the system, Sir”
Customer: “May I order your Seafood Pizza…”
Operator : “That’s not a good idea, Sir”
Customer: “How come?”
Operator : “According to your medical records, you have high blood pressure and even higher cholesterol level Sir”
Customer: “What?… What do you recommend then?”
Operator : “Try our Low Fat Pizza. You’ll like it”
Customer: “How do you know for sure?”
Operator : “You borrowed a book entitled ‘Popular Dishes’ from the National Library last week Sir”
Customer: “OK I give up… Give me three family size ones then, how much will that cost?”
Operator : “That should be enough for your family of 05, Sir. The total is Rs 500.00”
Customer: “Can I pay by credit card?”
Operator : “I’m afraid you have to pay us cash, Sir. Your credit card is over the limit and you owe your bank Rs 23,000.75 since October last year. That’s not including the late payment charges on your housing loan, Sir..”
Customer: “I guess I have to run to the neighbourhood ATM and withdraw some cash before your guy arrives”
Operator : “You can’t Sir. Based on the records, you’ve reached your daily limit on machine withdrawal today”
Customer: “Never mind just send the pizzas, I’ll have the cash ready. How long is it gonna take anyway?”
Operator : “About 45 minutes Sir, but if you can’t wait you can always come and collect it on your Nano Car…”
Customer: “What!”
Operator : “According to the details in system, you own a Nano car,…registration number GZ-05-AB-1107..”
Customer: “????”
Operator : “Is there anything else, Sir?”
Customer: “Nothing… By the way… Aren’t you giving me that 3 free bottles of cola as advertised?”
Operator : “We normally would Sir, but based on your records you’re also diabetic…….”
Customer: #$$^%&$@$% ^
Operator : “Better watch your language Sir.. Remember on 15th July 2010 you were convicted of using abusive language on a policeman…?”
Customer: [Faints]
Here is an excellent use case for a badly implemented identity system. Thanks to my friend Lakshmi K (last name purposely not given) who forwarded this joke to me. I couldn’t resist posting it to this boring security blog. I guess some humor adds some spice!
The Unique Identification Authority of India, or the UIDAI, is an agency of the Government of India responsible for implementing the envisioned Multipurpose National Identity Card or Unique Identification card (UID Card) project in India. It was established in February 2009, and will own and operate the Unique Identification Number database. The authority will aim at providing a unique number to all Indians, but not smart cards. The authority would provide a database of residents containing very simple data in biometrics. [Wikipedia]
Password Management In An Enterprise
With the increase in the number and types of applications in an enterprise, the nightmare of managing access to them grows. One of the major issues is how to manage passwords for multiple applications.
I would like to remember only one password for all applications in the enterprise instead of writing each one down whenever it’s time to change it. The frequency of password changes varies from application to application, as do the password rules.
If you look at it from the cost perspective, every call to the help desk to manage a password costs an estimated $25, according to the Help Desk Institute. So having a password doesn’t come cheap, especially when you have multiple applications in various domains. Imagine this cost coupled with the cost of maintaining the credentials at the various applications.
So why not use software like Bruce Schneier’s Password Safe (http://www.schneier.com/passsafe.html)? That type of software is good for personal use, when I have the luxury of time to dig through my list of domains and their credentials. It is not good for an enterprise that is regulated by various statutory requirements, and it still does not solve my pain of signing in to multiple applications.
How about Single Sign On? According to experts in the field, not many enterprises have been successful in implementing single sign on. With all the acquisitions and mergers, it is found to work better when implemented at the divisional or business unit level. A more realistic approach would be reduced sign on.
This is not an easy job for architects, as they need to consider stronger authentication mechanisms based on risk policies while consolidating applications and reducing the number of access challenges.
One of the major constraints to reduced sign on is the multiple identity and policy domains that exist in the enterprise. They can be handled by having a primary authentication point that performs background authentication with the other policy domains: the user is challenged once by the primary system, and that system takes care of authenticating to the other systems in the background without the user’s knowledge.
Some of the options for consolidating sign on are extending the network operating system login and a centralized LDAP. However, they have their own limitations. For example, the network operating system login cannot be extended to external users, and there could be multiple LDAPs within the enterprise that need to be consolidated.
Implementations such as E-SSO, where multiple logins are integrated into one system, are preferred for reduced sign on; however, it is a large undertaking and requires time. The same is true of federated authentication using protocols such as SAML.
One of the easiest and quickest fixes for this nightmare is a password management system. Whenever a user changes the password, it is synchronized with all applications and tools such as LDAP and Active Directory by the password management system. In this way I have only one password, and possibly one user-id, for accessing all systems in the enterprise. This still does not reduce my multiple sign-ons, but it is a step in the right direction.
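The synchronization step described above runs into the earlier point that password rules differ per application: a new password pushed to every system must satisfy all of them, or the user ends up with one password accepted by some systems and rejected by others. The following added example (not the post's or any product's code) computes the strictest combined policy from constructed stand-in targets and checks it before any target is touched; the `Target.apply` method stands in for an LDAP, Active Directory or application connector.

```python
import re
from dataclasses import dataclass

@dataclass
class Policy:
    min_length: int
    classes: set          # required character classes from: upper, lower, digit, symbol
    max_age_days: int     # rotation interval

_CLASS_RE = {"upper": r"[A-Z]", "lower": r"[a-z]", "digit": r"\d", "symbol": r"[^A-Za-z0-9]"}

def strictest(policies):
    """One password must satisfy every connected system, so the effective policy is the
    union of the requirements and the shortest rotation interval."""
    policies = list(policies)
    return Policy(min_length=max(p.min_length for p in policies),
                  classes=set().union(*(p.classes for p in policies)),
                  max_age_days=min(p.max_age_days for p in policies))

def violations(password, policy):
    problems = []
    if len(password) < policy.min_length:
        problems.append(f"shorter than {policy.min_length}")
    for cls in sorted(policy.classes):
        if not re.search(_CLASS_RE[cls], password):
            problems.append(f"missing {cls}")
    return problems

@dataclass
class Target:
    """A connected system (constructed stand-in for an LDAP/AD/application connector)."""
    name: str
    policy: Policy
    current: str = ""

    def apply(self, password):
        if violations(password, self.policy):
            return False
        self.current = password
        return True

def change_password(targets, new_password):
    """Check the combined policy before touching any target, so the user never ends up
    with a password accepted by some systems and rejected by others."""
    problems = violations(new_password, strictest(t.policy for t in targets))
    if problems:
        return False, {"policy": problems}
    results = {t.name: t.apply(new_password) for t in targets}
    return all(results.values()), results
```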