Security Plans for SaaS

  • Marco D. Aime
  • Antonio Lioy
  • Paolo C. Pomi
  • Marco Vallini
Part of the Lecture Notes in Business Information Processing book series (LNBIP, volume 74)

Abstract

The SaaS paradigm offers several advantages, mostly in terms of direct and indirect cost reduction, but its deployment must be carefully planned to avoid several security pitfalls. In this chapter we analyse the security of various SaaS architectures, from pure multi-tenant SaaS to advanced outsourcing services and virtualisation as a service.

We first analyse the SaaS-specific threats, then we discuss a portfolio of best practices for mitigating these threats, and finally we introduce a conceptual framework to formalise security-related requirements associated with the SaaS context.

Our work is mainly intended to help SaaS customers understand the security issues of SaaS and plan adequate countermeasures for risk reduction.

Copyright information

© Springer-Verlag Berlin Heidelberg 2011

Authors and Affiliations

  • Marco D. Aime (1)
  • Antonio Lioy (1)
  • Paolo C. Pomi (1)
  • Marco Vallini (1)

  1. Dip. Automatica e Informatica, Politecnico di Torino, Torino, Italy
