Shaheen N Abdul Jabbar

Posts Tagged ‘SaaS’

The past year was a learning curve on Cloud Computing, especially on SaaS providers. More and more ASPs are coming back rebranded as SaaS provider. As a security practitioner, it would be good to have a must have check list that we need to use to assess them.

I prepared the following must have check list based on Cloud Computing Alliance Guide (v1.0) document. “SaaS Provider” mentioned is the vendor providing the cloud computing service and “Consumer” is the client or end user of the “SaaS Provider”.

Governance and Enterprise Risk Management

1. SaaS Provider must provide at least SAS 70 Type II or equivalent certifications (e.g. Agreed Upon Procedures) SAS70 Type 2 is a mandatory requirement if the service is a SOX critical or within financial statement audit scope.  If Credit card information is involved, PCI DSS compliant certification is required.
2. SaaS Provider must provide Consumer listings of all third party relationships that it have; and similar audit assurance requirements as above are applicable.  The vendor is expected to obtain such audit assurance from 3rd party subcontractors and provide to MFC upon request.
3. SaaS Provider must divulge policies, procedures and processes comprising its Information Security Management System (ISMS)

Legal

1. Consumer must have authority to define Service Level Agreements with SaaS Provider
2. SaaS Provider must incur all costs for both an expected and unexpected termination of the relationship and for an orderly return or secure disposal of Consumer assets.
3. All of Consumer’s data must be destroyed from the SaaS Provider systems and environments upon the termination of the contract/services and upon completion of the transition and conversion to Consumer’s chosen platform and receipt of confirmation of the same from Consumer’s executive sponsor and/or legal counsel.
4. Consumer information assets must not be used for secondary purpose including use of Consumer asset as test data.
5. SaaS Provider must host all Consumer information assets in a country that Consumer is confortable with (based on regulations that Consumer is subjected to).
6. SaaS Provider must accept all costs related to data breaches if possible including recovery costs
7. SaaS Provider must not share Consumer information assets with a third party or government entity without prior consent.
8. Consumer must have escrow arrangement of SaaS Provider software and applications

Electronic Discovery

1. Consumer must have authority to define roles and responsibilities related to Electronic Discovery, including such activities as litigation hold, discovery searches, who provides expert testimony.
2. Compliance and Audit
3. Consumer must have authority to define type of control that will be applied to locations where data will be stored.
4. Consumer must have authority to audit SaaS Provider on demand
5. Consumer must have authority to perform external risk assessments, including a Privacy Impact Assessment on the SaaS Provider

Information Lifecycle Management

1. SaaS Provider must retain and destroy Consumer information asset per Consumer security policies and standards.
2. Consumer must have authority to perform regular backup and recovery tests to assure that logical segregation and controls are effective
3. All regular backup must be received at a data warehouse owned by Consumer.
4. SaaS Provider must have logical segregation of duties of personnel.

Portability and Interoperability

1. Consumer must receive regular data extractions and backups to a format that is not proprietary and is reusable by Consumer
2. Traditional Security, Business Continuity and Disaster Recovery
3. Consumer must have authority to define business continuity and disaster recovery requirements
4. Consumer must have authority to perform onsite inspections of SaaS Provider’s facilities whenever required
5. Consumer must have authority to inspect SaaS Provider disaster recovery and business continuity plans

Read the rest of this entry »

In my quest to understand the evolution of SaaS, I started going back a little bit. A few years back, companies use to call a similar delivery model as ASP (Application Service Provider) which is confused with SaaS model. Senior management in the IT world who are used to ASP model started questioning – “So, what’s the difference?”.

According to a research by Alexander Factor, who later published a book called “Analyzing Application Service Providers”, ASP is a business that (1) delivers application services over the network, (2) delivers services to many customers with a wide range of requirements, (3) charges rental or subscription-based fees, and (3) provides customer-specific service guarantees.

So ASP services could be delivered over any type of network, not just through the internet, to many customers with unique rental fee per customer-specific Service Level Agreements (SLA). We could track this model way back to the days when Mainframes were accessed via dumb terminals.

Now, how is this different from SaaS? To understand the difference, we must first go to the basics of Cloud Computing.

According to Cloud Security Alliance (CSA), Cloud Computing is defined as the set of disciplines, technologies, and business to render IT capabilities as an on-demand, scalable, elastic service.

There are some unique characteristics that could be attributed to Cloud Computing:

1. Abstraction of Infrastructure – The compute, network and storage infrastructure resources are abstracted from the application and information resources as a function of service delivery model.

2. Resource Democratization – Provides the capability for pooled resources to be made available and accessible to anyone or anything authorized to utilize them using standardized methods for doing so.

3. Service Oriented Architecture – Provides a services oriented architecture where resources may be accessed and utilized in a standard way. In this model, the focus is on the delivery of service and not the management of infrastructure.

4. Elasticity/Dynamism – Capability to rapidly expand or contract resource allocation to service definition and requirements using a self-service model that scales to as-needed capacity. Since resources are pooled, better utilization and service levels can be achieved.

5. Utility Model of Consumption & Allocation – Provide an “all-you-can-eat” but “pay-by-the-bite” metered utility-cost and usage model. This facilitates greater cost efficiencies and scale as well as manageable and predictive costs.

There are three major types of cloud computing services – SaaS, PaaS and IaaS

Software as a Service (SaaS) – These are applications running on a cloud infrastructure and accessible from various client devices through a thin client interface such as Web browser (e.g. web based email). Technologies such as SOA and Web 2.0 enable this model. Some of typical solution includes desktop publishing, sales, financials, CRM, HR and collaboration.

Platform as a Service (PaaS) – This service will help deploy consumer–created applications using programming languages and tools supported by the provider (e.g. java, python, .Net). Application Servers and ESB tools enables this model which are used in solutions such as Business Intelligence and application development.

Infrastructure as a Service (IaaS) – Consumer of this service could rent processing, storage, networks, and other fundamental computing resources where the consumer is anle to deploy and run arbitrary software, which can include operating systems and applications. Some of the basic ASP enabling technologies high bandwidth network, redundant storage and multi-core CPUs enable this model. Consumers use this model for solutions such as storage and high computing demand.

SaaS is the comprehensive cloud computing model that includes Paas and Iaas. It differs from ASP in its characteristics.

While the infrastructure of an ASP is unique and customized for the consumer, infrastructure is abstracted and is common to all SaaS consumers.

Unlike an ASP, all resources except consumer information or data are common to all consumers. ASP consumers usually have their resources customized for their unique needs.

In the ASP model, the ASP buys third party software on behalf of the consumer, customize it and host it on behalf of the consumer. However in SaaS model, the SaaS provider develops their own application that will not be available in the retail market. The developed applications built by SaaS providers are usually based on industry standards so that they can be widely available through multiple interfaces.

A consumer of an ASP always has the luxury to dictate Service Level Agreements with the ASP provider that is unique and based on their needs. This is not applicable with a SaaS provider. SLAs are usually common and are non-negotiable in SaaS model.

Both ASP and SaaS providers charge their consumers for renting their space and resources. However, the rental fee paid to an ASP provider is usually a flat amount agreed upon for the entire term of the contract for the allocated space and resource. In the SaaS model, the consumer pays the provider based on the usage of the space and resources. For the first month, you may end up paying more for using large space and computing resources and for the later months your payment may decrease as the usage decreases. In the ASP model, you pay the same amount every month, no matter how whether you use the resource to the maximum allocated or not.

Acknowledgement – Thanks to Jim Reavis at Cloud Security Alliance for validating my illustration.

With all the bells and whistles from SaaS providers, should we adopt SaaS as a Strategy for our software application needs?

In my previous blog, I pointed out the difference between ASP and SaaS. However, it would help to step back a little and give some background. SaaS is a delivery model in which a commercial software vendor builds the software application, host it at an environment that it comfortable with and expose its services to its customers through web-based interfaces. The interface could be browser based or through web-services.

SaaS is one of the three types of cloud computing services available in the market today. Platform-as-a-Service (PaaS) and Infrastructure-as-a-Service (IaaS) being the others.

Examples of SaaS include Salesforce.com CRM and Google Apps. http://www.saas-showplace.com gives a list of SaaS providers.

Unlike Application Service Provider (ASP)s, SaaS accommodates multiple tenants. The exposed services are common to all its users and is centrally managed, maintained and supported by the provider. Since the service is exposed through the web, it can be utilized by anyone across the globe. Once a user signs up with the provider, all services are available immediately and there is no wait for customization. An amateur user goes through the same training and orientation as an advanced user since the exposed service is the common to all type of users. The user is charged on a as-use basis instead of a fixed monthly charge.

Since the solution is centrally managed, the service level agreements (SLA) would be common to all and may not be flexible at all. Except for the data or information of the user, everything else belongs to the provider. So is the performance of the application too. User data or information is at a location of provider’s discretion and at their mercy. Since the software is built for SaaS model on the web, it may not be available to purchase from a retailer. This prevents the user to independently try out the software or host the software application elsewhere.

Since the software application is completely accessed over the web, it is also exposed to the threats that any other service on the web is exposed. Malicious code attacks and denial of service attacks are some to name.

User need to be concerned about the confidentiality and integrity of data or information that is passed on to the provider. This includes intellectual and confidential information. Sometimes part of the provider operation may be outsourced to another provider that the user may not be aware of. The provider need to ensure that user data or information should neither be accessed by unauthorized personnel nor by other users of the service.

User need to ensure that the data or information that they pass on to the provider is hosted in a compliant jurisdiction. Data originating from certain countries like China cannot be hosted in another country due to legal restrictions. Certain types of data, for example Personal Identifiable Information (PII), are subject to local regulations which prevent it to be hosted in another country. A good example is Canadian Privacy Regulation (PIPEDA). There are others subject to regulations such as HIPAA and GLBA.

User should ensure that there are proper security controls in place at the provider that is compliant with security policies and standards of the user. User should be given the right to audit and monitor the provider periodically.

There should be proper understanding of reporting any issues and their ownership of issues in case of a security incident. User should also consider what happens if the contract with the provider is terminated. Providers may not be able to give back the data in the same model that is expected by the user.

Before signing up with a provider, user may need to verify how resilient the provider is, their security posture, customer support, track record and reputation.

So can we sign up for SaaS? It all depends on the classification and business criticality of data or information that will be passed on to the SaaS provider. If we are subject to laws and regulations that prevent data leaving from our perimeter, then SaaS is not a solution. However, there are other types of information that can very well be managed by a SaaS provider and should be passed on to them so that we can reduce our operational cost.