Abstract
The SaaS paradigm offers several advantages, mostly in terms of direct and indirect cost reduction, but its deployment must be carefully planned to avoid several security pitfalls. In this chapter we analyse the security of various SaaS architectures, from pure multi-tenant SaaS to advanced outsourcing services and virtualisation as a service.
We first analyse the SaaS-specific threats, then we discuss a portfolio of best practices for mitigating these threats, and finally we introduce a conceptual framework to formalise security-related requirements associated to the SaaS context.
Our work is mainly intended to help SaaS customers in understanding security issues of SaaS and planning adequate countermeasures for risk reduction.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Preview
Unable to display preview. Download preview PDF.
References
Anderson, R.J.: Security Engineering: A Guide to Building Dependable Distributed Systems, pp. 161–184. Wiley, Chichester (2001)
Avizienis, A., Kelly, J.P.J.: Fault tolerance by design diversity: Concepts and experiments. Computer 17(8), 67–80 (1984)
Bertino, E., Sandhu, R.: Database security - concepts, approaches, and challenges. IEEE Transactions on Dependable and Secure Computing 2(1), 2–19 (2005)
Blaze, M.: A cryptographic file system for unix. In: Proceedings of the First ACM Conference on Computing and Communication, pp. 2097–2102 (June 1993)
Bruegger, B.P., Hühnlein, D., Schwenk, J.: TLS-Federation - a secure and relying-party-friendly approach for federated identity management. In: BIOSIG, pp. 93–106 (2008)
Caralli, R.A., Stevens, J.F., Young, L.R., Wilson, W.R.: Introducing OCTAVE allegro: Improving the information security risk assessment process. CMU TR (May 2007), http://www.cert.org/archive/pdf/07tr012.pdf
Cardellini, V., Casalicchio, E., Colajanni, M., Yu, P.S.: The state of the art in locally distributed web-server systems. ACM Comput. Surv. 34(2), 263–311 (2002)
Clark, D.D.: RFC 816: Fault isolation and recovery (July 1982)
Ferrie, P.: Attacks on more virtual machine emulators. Symantec Advanced Threat Research (2008)
Fu, K.: Group sharing and random access in cryptographic storage file systems. Master’s thesis, Massachusetts Institute of Technology (1999)
Gobioff, H.: Security for a High Performance Commodity Storage Subsystem. PhD thesis, School of Computer Science, Computer Science Department, Carnegie Mellon University (1999)
Gross, T.: Security analysis of the SAML single sign-on browser/artifact profile. In: Omondi, A.R., Sedukhin, S.G. (eds.) ACSAC 2003. LNCS, vol. 2823, p. 298. Springer, Heidelberg (2003)
Harris, S.: CISSP Exam Guide, 3rd edn., pp. 337–413. McGraw-Hill/Osborne
Howard, M., Lipner, S.: The Security Development Lifecycle. Microsoft Press, Redmond (2006)
ISO. ISO 27005 - Security techniques - Information security risk management. ISO Standard (2005)
Jensen, M., Schwenk, J., Gruschka, N., Iacono, L.L.: On technical security issues in cloud computing. In: IEEE International Conference on Cloud Computing, pp. 109–116 (2009)
Karlof, C., Shankar, U., Tygar, J.D., Wagner, D.: Dynamic pharming attacks and locked same-origin policies for web browsers. In: CCS 2007: Proceedings of the 14th ACM Conference on Computer and Communications Security, pp. 58–71. ACM Press, New York (2007)
Kim, Y., Narasimha, M., Maino, F., Tsudik, G.: Secure group services for storage area networks. IEEE Communications Magazine 41, 92–99 (2003)
Lamport, L., Shostak, R., Pease, M.: The byzantine generals problem. ACM Transactions on Programming Languages and Systems 4, 382–401 (1982)
Mazieres, D., Kaminsky, M., Kaashoek, M.F., Witchel, E.: Separating key management from file system security. In: Proceedings of the 17th ACM Symposium on Operating Systems Principles, pp. 124–139 (1999)
Microsoft Corporation. Microsoft Threat Analysis & Modeling v2.1 (March 2007), http://blogs.msdn.com/threatmodeling/
Miller, E.L., Freeman, W.E., Long, D.D.E., Reed, B.C.: Strong security for network-attached storage. In: USENIX Conference on File and Storage Technologies (FAST), pp. 1–14 (January 2002)
Mitchell, C.: Trusted Computing. IEEE Press, Los Alamitos (2005)
OASIS. Assertions and protocols for the OASIS security markup language (SAML) v2.0. OASIS Standard (March 2005), http://saml.xml.org
OASIS. SAML V2.0 holder-of-key assertion profile, version 1.0. OASIS Standard (July 2009), http://docs.oasis-open.org/security/saml/Post2.0/sstc-saml2-holder-of-key.pdf
Oracle Corporation. Database encryption in oracle9i. Oracle Technical Whitepaper (Febraury 2001), http://www.oracle.com/technology/deploy/security/oracle9i/pdf/f5crypt.pdf
OWASP Foundation. Owasp top 10 - the ten most critical web application security vulnerabilities (2007), http://www.owasp.org/index.php/Top_10_2007
Schmid, P.: Momentus 5400 FDE.2: Data Encryption On-a-Drive. Tom’s hardware review, http://www.tomshardware.com/reviews/momentus-5400-fde,1742.html
Schneier, B.: Attack trees. Dr. Dobb’s Journal (December 1999)
Squicciarini, A.C., Bertino, E., Goasguen, S.: Access control strategies for virtualized environments in grid computing systems. In: IEEE International Workshop on Future Trends of Distributed Computing Systems, pp. 48–54 (2007)
Stallings, W.: Cryptography and Network Security, 4th edn. Prentice Hall, Englewood Cliffs (2005)
Stoneburner, G., Goguen, A., Feringa, A.: Risk management guide for information technology systems. NIST Special Publication 800-30 (July 2002), http://csrc.nist.gov/publications/nistpubs/800-30/sp800-30.pdf
Trusted Computing Group (2009), https://www.trustedcomputinggroup.org
Author information
Authors and Affiliations
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2011 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Aime, M.D., Lioy, A., Pomi, P.C., Vallini, M. (2011). Security Plans for SaaS. In: Agrawal, D., Candan, K.S., Li, WS. (eds) New Frontiers in Information and Software as Services. Lecture Notes in Business Information Processing, vol 74. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-19294-4_4
Download citation
DOI: https://doi.org/10.1007/978-3-642-19294-4_4
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-19293-7
Online ISBN: 978-3-642-19294-4
eBook Packages: Computer ScienceComputer Science (R0)