SaaS as a Security Hazard
The Google Apps example




Ofer Shezaf,
Product Manager, Security Solutions
HP ArcSight
ofr@hp.com

©2011 Hewlett-Packard Development Company, L.P.
The information contained herein is subject to change without
notice
About Myself

I live in Kibbutz Yiftah, Israel

I create security products
• Currently, Product Manager for Security Solutions at HP ArcSight
• Prior to that did security research and product management at Breach Security & at Fortify

I am an application security veteran
• OWASP leader and founder of the OWASP Israeli chapter
• Leads the Web Application Firewall Evaluation Criteria project
• Wrote the ModSecurity Core Rule Set

I really try to learn what information security is
• Read my blog at http://www.xiom.com
• Be ready for some philosophy of science and cognitive psychology
What are Google Apps?

• Gmail, Calendar, Docs, Sites & Groups
• Google's alternative to Exchange, SharePoint, Outlook and, to a lesser extent, to Office.
• Better at sharing, and in a way familiar to users
• Bottom-up push to adopt.
If It Was Only Cloud…
Google Apps Role in the IT Environment

[Diagram: Hybrid Delivery spectrum, from Traditional through Private Cloud and Managed Cloud to Public Cloud (SaaS); the left end is labelled "customization required", the right end "automated provisioning"]

1. Non-critical business services will move to SaaS providers who provide some level of security
2. Some critical business services will be deployed in private clouds with customized security controls
3. Some work-loads will move to public clouds with security components provisioned in image
4. Security will be componentized and automatically deployed with work-loads, based on sensitivity of assets

Note: future availability of hybrid capabilities
HP Enterprise Security – HP Confidential
No, it is not about SQL injection

Google is better than your programmers in weeding out SQL injections.

So what is it about?
Ownership
Cloud Entrance Exam: Question 1
Who Owns The Data?

• You?
• Google?
• Your Employee?
• Google’s Employee?

Cloud Entrance Exam: Question 2
Do You Compete With Google?

• No (are you serious?)
• We do, but not me
• I don’t know
• Yes (You Bet!)

Cloud Entrance Exam: Question 3
Who Authorized Access to the Data?

• Me
• Google
• Google, but only if the court asks
• Google, but only if the Chinese ask

Cloud Entrance Exam: Question 4
What About Illegal Material?

• I never store such data!
  … apart from competitive marketing and stolen images in presentations
  … but Google would not interfere with my data
• Or would they?
Regulations
It’s All About Geography

Privacy
• National laws
• Limitation of transfer of data

Compliance
• PCI, SOX, SAS 70, ISO 27K…

Ownership
• Google or I?

So where is the data? And who is responsible for it?
Back To Basics
Where and What do we Manage?
[Diagram: the same Hybrid Delivery spectrum (Traditional, Private Cloud, Managed Cloud, Public Cloud / SaaS) with the three management concerns that span all of it: Authentication, Authorization, Audit]

Note: future availability of hybrid capabilities
Authentication & User Management

Password strength is of extreme importance in web-based services.
• Complexity, length, lifetime
• Two-factor authentication is preferred.

Avoid requiring users to have multiple complex passwords
• Sticky-note passwords

Need to make sure users are created, terminated and transferred on all services.

SaaS MUST tie in to the enterprise directory.
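The "created, terminated and transferred on all services" point is a reconciliation check. Here is an added example (not from the deck) that compares an enterprise directory export with the SaaS user list and reports the gaps; the records and field names are constructed assumptions, not any vendor's API.

```python
"""Reconcile an enterprise directory export against a SaaS user list.

Added example, not from the original deck. The records are constructed
sample data and the field names are assumptions, not a real API schema.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class DirUser:
    email: str
    status: str      # "active" or "terminated" (directory is the source of truth)
    org_unit: str


@dataclass(frozen=True)
class SaasUser:
    email: str
    suspended: bool  # what the SaaS admin console reports
    org_unit: str


# Constructed sample: HR/LDAP directory state.
DIRECTORY = [
    DirUser("alice@example.com", "active", "Engineering"),
    DirUser("bob@example.com", "terminated", "Sales"),
    DirUser("carol@example.com", "active", "Finance"),    # transferred from Sales
    DirUser("dave@example.com", "active", "Marketing"),   # new hire
    DirUser("frank@example.com", "terminated", "Legal"),  # correctly offboarded
]

# Constructed sample: current SaaS user list.
SAAS_USERS = [
    SaasUser("alice@example.com", False, "Engineering"),
    SaasUser("bob@example.com", False, "Sales"),         # never suspended
    SaasUser("carol@example.com", False, "Sales"),       # not moved with the transfer
    SaasUser("eve@example.com", False, "Contractors"),   # unknown to the directory
    SaasUser("frank@example.com", True, "Legal"),        # suspended as expected
]


def reconcile(directory, saas):
    """Return the lifecycle gaps between the directory and the SaaS user list."""
    dir_by_email = {u.email.lower(): u for u in directory}
    saas_by_email = {u.email.lower(): u for u in saas}
    findings = {
        "orphaned": [],           # SaaS account with no directory record at all
        "not_deprovisioned": [],  # terminated in directory, still active in SaaS
        "org_unit_mismatch": [],  # active, but transfer not reflected in SaaS
        "not_provisioned": [],    # active in directory, no SaaS account
    }
    for email, s in saas_by_email.items():
        d = dir_by_email.get(email)
        if d is None:
            findings["orphaned"].append(email)
        elif d.status == "terminated" and not s.suspended:
            findings["not_deprovisioned"].append(email)
        elif d.status == "active" and d.org_unit != s.org_unit:
            findings["org_unit_mismatch"].append(email)
    for email, d in dir_by_email.items():
        if d.status == "active" and email not in saas_by_email:
            findings["not_provisioned"].append(email)
    return findings


if __name__ == "__main__":
    for category, emails in reconcile(DIRECTORY, SAAS_USERS).items():
        print(f"{category}: {emails}")
```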
Users Permissions & Authorization

Always a hazard in knowledge-sharing applications.

Tools, both for SaaS and self-hosted, are not mature.

Unique to SaaS solutions is the option to share externally.

Both permissions management and permissions audit are crucial.
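An added example, not from the deck, of the permissions audit the slide calls for: it walks each file's sharing ACL and flags anything that reaches outside the organisation's domain, including "anyone with the link" and shares to a foreign domain. The files, the ACL shape and its field names are constructed assumptions, not a real Google Apps API.

```python
"""Audit document-sharing ACLs for exposure outside the organisation.

Added example, not from the original deck. The file records are constructed
sample data shaped like a generic "file + permissions" export; the field
names (type, role, email, domain) are assumptions, not a vendor schema.
"""
ORG_DOMAIN = "example.com"

# Constructed sample: each file carries the permissions the SaaS reports for it.
FILES = [
    {"id": "f1", "name": "Q3 forecast.xlsx", "permissions": [
        {"type": "user", "role": "owner", "email": "carol@example.com"},
        {"type": "user", "role": "reader", "email": "bob@example.com"},
    ]},
    {"id": "f2", "name": "Board deck.pptx", "permissions": [
        {"type": "user", "role": "owner", "email": "alice@example.com"},
        {"type": "user", "role": "writer", "email": "consultant@partner.example"},
    ]},
    {"id": "f3", "name": "Onboarding guide.docx", "permissions": [
        {"type": "user", "role": "owner", "email": "dave@example.com"},
        {"type": "domain", "role": "reader", "domain": "example.com"},
    ]},
    {"id": "f4", "name": "Customer list.csv", "permissions": [
        {"type": "user", "role": "owner", "email": "carol@example.com"},
        {"type": "anyone", "role": "reader"},
    ]},
    {"id": "f5", "name": "Partner SOW.docx", "permissions": [
        {"type": "user", "role": "owner", "email": "alice@example.com"},
        {"type": "domain", "role": "reader", "domain": "partner.example"},
    ]},
]


def classify_permission(perm, org_domain):
    """Return an exposure label for one ACL entry, or None if it stays internal."""
    kind = perm["type"]
    if kind == "anyone":
        return "public_link"
    if kind == "domain":
        return None if perm["domain"].lower() == org_domain else "foreign_domain"
    if kind in ("user", "group"):
        domain = perm["email"].rsplit("@", 1)[-1].lower()
        return None if domain == org_domain else "external_" + kind
    return "unknown_type"  # unfamiliar principal types are surfaced, not ignored


def audit_sharing(files, org_domain=ORG_DOMAIN):
    """Return (file_id, file_name, exposure, role, principal) for every external share."""
    findings = []
    for f in files:
        for p in f["permissions"]:
            exposure = classify_permission(p, org_domain)
            if exposure:
                principal = p.get("email") or p.get("domain") or "anyone"
                findings.append((f["id"], f["name"], exposure, p["role"], principal))
    return findings


def summarize(findings):
    """Count findings per exposure class, for a quick view of the overall risk."""
    counts = {}
    for _, _, exposure, _, _ in findings:
        counts[exposure] = counts.get(exposure, 0) + 1
    return counts


if __name__ == "__main__":
    results = audit_sharing(FILES)
    for file_id, name, exposure, role, principal in results:
        print(f"{file_id} {name!r}: {exposure} ({role} for {principal})")
    print(summarize(results))
```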
Audit

[Diagram: HP ArcSight collecting audit data from the Public Cloud, the On/Off-Premise Data Center and remote workers]
For Further Consideration
Did You Consider?

Encryption: SSL; disks
Administrator Access Control: Two-factor authentication? Only from within the organization?
Administration Capabilities: Can your administrators access users' data if needed?
Backup and Restore: Service Level Agreement (SLA); service for accidental deletes
Disaster Recovery
Way out
For Further Questions
Contact:

Ofer Shezaf
ofr@hp.com
