Skip to main content
SpringerLink
Log in

Security Plans for SaaS

  • Conference paper
New Frontiers in Information and Software as Services

Part of the book series: Lecture Notes in Business Information Processing ((LNBIP,volume 74))

Abstract

The SaaS paradigm offers several advantages, mostly in terms of direct and indirect cost reduction, but its deployment must be carefully planned to avoid several security pitfalls. In this chapter we analyse the security of various SaaS architectures, from pure multi-tenant SaaS to advanced outsourcing services and virtualisation as a service.

We first analyse the SaaS-specific threats, then we discuss a portfolio of best practices for mitigating these threats, and finally we introduce a conceptual framework to formalise security-related requirements associated to the SaaS context.

Our work is mainly intended to help SaaS customers in understanding security issues of SaaS and planning adequate countermeasures for risk reduction.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution
Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 39.99
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 54.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Preview

Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.

References

  1. Anderson, R.J.: Security Engineering: A Guide to Building Dependable Distributed Systems, pp. 161–184. Wiley, Chichester (2001)

    Google Scholar 

  2. Avizienis, A., Kelly, J.P.J.: Fault tolerance by design diversity: Concepts and experiments. Computer 17(8), 67–80 (1984)

    Article  Google Scholar 

  3. Bertino, E., Sandhu, R.: Database security - concepts, approaches, and challenges. IEEE Transactions on Dependable and Secure Computing 2(1), 2–19 (2005)

    Article  Google Scholar 

  4. Blaze, M.: A cryptographic file system for unix. In: Proceedings of the First ACM Conference on Computing and Communication, pp. 2097–2102 (June 1993)

    Google Scholar 

  5. Bruegger, B.P., Hühnlein, D., Schwenk, J.: TLS-Federation - a secure and relying-party-friendly approach for federated identity management. In: BIOSIG, pp. 93–106 (2008)

    Google Scholar 

  6. Caralli, R.A., Stevens, J.F., Young, L.R., Wilson, W.R.: Introducing OCTAVE allegro: Improving the information security risk assessment process. CMU TR (May 2007), http://www.cert.org/archive/pdf/07tr012.pdf

  7. Cardellini, V., Casalicchio, E., Colajanni, M., Yu, P.S.: The state of the art in locally distributed web-server systems. ACM Comput. Surv. 34(2), 263–311 (2002)

    Article  Google Scholar 

  8. Clark, D.D.: RFC 816: Fault isolation and recovery (July 1982)

    Google Scholar 

  9. Ferrie, P.: Attacks on more virtual machine emulators. Symantec Advanced Threat Research (2008)

    Google Scholar 

  10. Fu, K.: Group sharing and random access in cryptographic storage file systems. Master’s thesis, Massachusetts Institute of Technology (1999)

    Google Scholar 

  11. Gobioff, H.: Security for a High Performance Commodity Storage Subsystem. PhD thesis, School of Computer Science, Computer Science Department, Carnegie Mellon University (1999)

    Google Scholar 

  12. Gross, T.: Security analysis of the SAML single sign-on browser/artifact profile. In: Omondi, A.R., Sedukhin, S.G. (eds.) ACSAC 2003. LNCS, vol. 2823, p. 298. Springer, Heidelberg (2003)

    Google Scholar 

  13. Harris, S.: CISSP Exam Guide, 3rd edn., pp. 337–413. McGraw-Hill/Osborne

    Google Scholar 

  14. Howard, M., Lipner, S.: The Security Development Lifecycle. Microsoft Press, Redmond (2006)

    Google Scholar 

  15. ISO. ISO 27005 - Security techniques - Information security risk management. ISO Standard (2005)

    Google Scholar 

  16. Jensen, M., Schwenk, J., Gruschka, N., Iacono, L.L.: On technical security issues in cloud computing. In: IEEE International Conference on Cloud Computing, pp. 109–116 (2009)

    Google Scholar 

  17. Karlof, C., Shankar, U., Tygar, J.D., Wagner, D.: Dynamic pharming attacks and locked same-origin policies for web browsers. In: CCS 2007: Proceedings of the 14th ACM Conference on Computer and Communications Security, pp. 58–71. ACM Press, New York (2007)

    Google Scholar 

  18. Kim, Y., Narasimha, M., Maino, F., Tsudik, G.: Secure group services for storage area networks. IEEE Communications Magazine 41, 92–99 (2003)

    Google Scholar 

  19. Lamport, L., Shostak, R., Pease, M.: The byzantine generals problem. ACM Transactions on Programming Languages and Systems 4, 382–401 (1982)

    Article  MATH  Google Scholar 

  20. Mazieres, D., Kaminsky, M., Kaashoek, M.F., Witchel, E.: Separating key management from file system security. In: Proceedings of the 17th ACM Symposium on Operating Systems Principles, pp. 124–139 (1999)

    Google Scholar 

  21. Microsoft Corporation. Microsoft Threat Analysis & Modeling v2.1 (March 2007), http://blogs.msdn.com/threatmodeling/

  22. Miller, E.L., Freeman, W.E., Long, D.D.E., Reed, B.C.: Strong security for network-attached storage. In: USENIX Conference on File and Storage Technologies (FAST), pp. 1–14 (January 2002)

    Google Scholar 

  23. Mitchell, C.: Trusted Computing. IEEE Press, Los Alamitos (2005)

    Book  Google Scholar 

  24. OASIS. Assertions and protocols for the OASIS security markup language (SAML) v2.0. OASIS Standard (March 2005), http://saml.xml.org

  25. OASIS. SAML V2.0 holder-of-key assertion profile, version 1.0. OASIS Standard (July 2009), http://docs.oasis-open.org/security/saml/Post2.0/sstc-saml2-holder-of-key.pdf

  26. Oracle Corporation. Database encryption in oracle9i. Oracle Technical Whitepaper (Febraury 2001), http://www.oracle.com/technology/deploy/security/oracle9i/pdf/f5crypt.pdf

  27. OWASP Foundation. Owasp top 10 - the ten most critical web application security vulnerabilities (2007), http://www.owasp.org/index.php/Top_10_2007

  28. Schmid, P.: Momentus 5400 FDE.2: Data Encryption On-a-Drive. Tom’s hardware review, http://www.tomshardware.com/reviews/momentus-5400-fde,1742.html

  29. Schneier, B.: Attack trees. Dr. Dobb’s Journal (December 1999)

    Google Scholar 

  30. Squicciarini, A.C., Bertino, E., Goasguen, S.: Access control strategies for virtualized environments in grid computing systems. In: IEEE International Workshop on Future Trends of Distributed Computing Systems, pp. 48–54 (2007)

    Google Scholar 

  31. Stallings, W.: Cryptography and Network Security, 4th edn. Prentice Hall, Englewood Cliffs (2005)

    Google Scholar 

  32. Stoneburner, G., Goguen, A., Feringa, A.: Risk management guide for information technology systems. NIST Special Publication 800-30 (July 2002), http://csrc.nist.gov/publications/nistpubs/800-30/sp800-30.pdf

  33. Trusted Computing Group (2009), https://www.trustedcomputinggroup.org

Download references

Author information

Authors and Affiliations

  1. Dip. Automatica e Informatica, Politecnico di Torino, Torino, Italy

    Marco D. Aime, Antonio Lioy, Paolo C. Pomi & Marco Vallini

Authors
  1. Marco D. Aime
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Antonio Lioy
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Paolo C. Pomi
    View author publications

    You can also search for this author in PubMed Google Scholar

  4. Marco Vallini
    View author publications

    You can also search for this author in PubMed Google Scholar

Editor information

Editors and Affiliations

  1. Department of Computer Science, University of California at Santa Barbara, 93106, Santa Barbara, CA, USA

    Divyakant Agrawal

  2. Computer Science and Engineering Department, Arizona State University, 85287-8809, Tempe, AZ, USA

    K. Selçuk Candan

  3. SAP China, 201203, Shanghai, China

    Wen-Syan Li

Rights and permissions

Reprints and permissions

Copyright information

© 2011 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Aime, M.D., Lioy, A., Pomi, P.C., Vallini, M. (2011). Security Plans for SaaS. In: Agrawal, D., Candan, K.S., Li, WS. (eds) New Frontiers in Information and Software as Services. Lecture Notes in Business Information Processing, vol 74. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-19294-4_4

Download citation

  • DOI: https://doi.org/10.1007/978-3-642-19294-4_4

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-19293-7

  • Online ISBN: 978-3-642-19294-4

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Search

Navigation