This presentation was prepared for the Chartered Accountants community at Chennai in the last week of January 2011. Comments and feedback are welcome.
SAAS – SECURITY & CHALLENGES
Kannan Subbiah
Knowledge Universe Technologies India Pvt Ltd
Services in real life
Own a house vs. rent a house
Own a car vs. engage a call taxi
SaaS – What is it?
Software as a Service covers a business model, an operating model and an application architecture:
Business Model: chargeable unit, geographical boundary, business domain, implementation partners, …
Operating Model: on-boarding / exit, customer support, service level, contract terms, …
Application Architecture: hosting infrastructure, support for multi-tenancy, scalability, internationalization, …
SaaS - Evolution (stages plotted against time and affordability)
In-house: H/W and S/W owned and managed.
Hosted: Software owned and managed, infrastructure rented.
Hosted (ASP): Software rented, but not designed to scale.
Subscribed: Self-subscribe to the software or parts of the software; customizable by tenants to an extent.
Characteristics of SaaS
• Multi tenancy
• Subscription based service
• Scalability
• Manageability
• Self service sign-up
• Tenant specific customization
How does it differ
Attribute               | Traditional                   | SaaS
Application Delivery    | Installed                     | Hosted
Updates / Release Cycle | Larger / Longer               | Smaller / Shorter
Pricing                 | One time + maintenance        | Subscription
Accounting              | CAP-EX                        | OP-EX
Implementation          | Engage partners / consultants | Simple, end-user configurable
Operating Platform      | Multiple                      | Single
Value proposition       | Once, at the time of selling  | Continuous
Benefits for Consumers
• Pay per use
• Anywhere access
• Subscription to a service, not to software
• Least or no investment in infrastructure
Benefits to Vendors
• Stronger protection for IPR
• Operational control of the environment
• Recurring revenue stream
• Shared infrastructure – PaaS / IaaS
SaaS Maturity Levels
• Microsoft – 4 levels: scalability, multi-tenancy and configuration
• Forrester – 6 levels
• SEI – for assessing the organization and not the application
• Euro Cloud Star Audit
None of them are popular.

SaaS Maturity Levels by Forrester
• Level 0 – Outsourcing
• Level 1 – Manual ASP
• Level 2 – Industrial ASP
• Level 3 – Single-app SaaS
• Level 4 – Business Domain SaaS
• Level 5 – Dynamic Business Apps
SAAS – CHALLENGES
Design & Development
Solution design to address:
• Internationalization
• Cloud infrastructure
• Support for the business & operating model
• Multi-tenancy
• Extensibility
• Security and audit
• Wider scope – cover industry needs
Support & Maintenance
Must support:
• Larger impact
• SLA driven
• Disclaimers
Increased focus on:
• Reliability
• Availability
• Extensibility
• Scalability
• Quality, etc.
Customer On-boarding
• Migration from existing software
• Application integration
• Data integration
• Data mining
• Authentication, single sign-on
• Network infrastructure
Customer Service
Areas of support to include:
• Hosting infrastructure
• Data center operations
• Systems and network monitoring
• Billing
• Customer education
Longer customer retention for better RoI.
Research & Product Improvement
• Agile approach
• Rapid releases and upgrades
Primary focus on:
• Rapid action on feedback
• Usage statistics
• Predicting industry trends
• Platform and tools used
• Automated testing
• Service aggregation
Legal
• Driving contracts online
• Termination and migration
• Security, privacy and related risks
• Country specific regulations
• SLAs
Security Concerns
SaaS security spans the following areas, each covered on the slides that follow:
• Data Security
• IdM & SSO
• Data Segregation
• Deployment Model
• Deployment Environment
• Network Security
• Regulatory Compliance
• Availability
• Back up & Recovery
Data Security
• Data location
• Data encryption
• Data integration APIs
• Access logs
• Return / destruction of data upon exit
Data Segregation
• Understand the data & application architecture
• Separate physical / virtual server(s)
• Separate instance on shared hardware
• Separate database
• Shared database
• Authentication and authorization
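In the shared-database option above, segregation rests entirely on application logic, so the tenant boundary has to be enforced on every query. The following added example, which is not part of the original presentation, sketches a hypothetical tenant-scoped data-access layer over an in-memory SQLite table with constructed sample rows; it also records the per-tenant access log that the Data Security slide asks for.

```python
import sqlite3

# Constructed sample rows: two tenants share one table, told apart only by a
# tenant_id column (the "Shared Database" model from the slide).
SAMPLE_ROWS = [
    ("tenant-a", "inv-1", 100),
    ("tenant-a", "inv-2", 250),
    ("tenant-b", "inv-3", 999),
]

def build_shared_db():
    """In-memory SQLite standing in for the shared multi-tenant database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE invoices (tenant_id TEXT NOT NULL,"
                 " invoice_id TEXT NOT NULL, amount INTEGER NOT NULL,"
                 " PRIMARY KEY (tenant_id, invoice_id))")
    conn.executemany("INSERT INTO invoices VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn

class TenantScope:
    """Hypothetical data-access layer: every query is bound to one tenant_id
    and every access is recorded, so application code cannot touch the shared
    table without a tenant boundary or without leaving an access log entry."""
    def __init__(self, conn, tenant_id):
        if not tenant_id:
            raise ValueError("tenant_id is required")
        self.conn = conn
        self.tenant_id = tenant_id
        self.access_log = []  # (tenant_id, action, invoice_id) tuples

    def list_invoices(self):
        self.access_log.append((self.tenant_id, "list", None))
        cur = self.conn.execute(
            "SELECT invoice_id, amount FROM invoices WHERE tenant_id = ?",
            (self.tenant_id,))
        return cur.fetchall()

    def get_invoice(self, invoice_id):
        # The caller-supplied id is ANDed with the tenant filter, so asking
        # for another tenant's invoice returns None, not that tenant's row.
        self.access_log.append((self.tenant_id, "get", invoice_id))
        cur = self.conn.execute(
            "SELECT invoice_id, amount FROM invoices"
            " WHERE tenant_id = ? AND invoice_id = ?",
            (self.tenant_id, invoice_id))
        return cur.fetchone()

def cross_tenant_probe():
    # Tenant B asks for tenant A's invoice; returns (result, B's access log).
    conn = build_shared_db()
    tenant_b = TenantScope(conn, "tenant-b")
    return tenant_b.get_invoice("inv-1"), tenant_b.access_log
```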
Development Model
• Security aware developers
• Application design: application / data partitioning, information sensitivity, design for performance & scalability
• Configuration management
• Security testing
• Threat remediation
• Build & release cycles
Deployment Model
• Deployment environment
• Boundary protection
• Resource priority
• Configuration management
• Cloud infrastructure
• Certification / accreditation
• Continuous monitoring
• Audit
Network Security
• Transmission integrity
• Secure data in transit (SSL)
• Intrusion detection & prevention
• Other standard security measures
Threats to address: man-in-the-middle, IP spoofing, port scanning, packet sniffing.
Regulatory Compliance
• Global legal compliance: SAS 70, SOX, HIPAA, …
• Contractual obligations
• Need for logs and audit trails
• Data retention needs
Availability
Application design and architecture:
• Design for performance
• Graceful exits
• Instance isolation
• Custom code modules
SLA:
• Uptime guarantees
• Maintenance / outage notifications
• Documented BC & DRP plans
• Code escrow
Back up & Recovery
Infrastructure:
• Protection of the backup location
• Encryption
• Access control to the backup location
Recovery:
• Documented process
• Drills
Identity Management
• Who manages it? Checks & controls
• Id provisioning
• Secure storage
• Password policies
Federated IdM:
• Trust relationships with tenants
• Secure federation of user identities
Thank You
Follow me
Email: [email protected]
Facebook: http://www.facebook.com/kannan.subbiah
LinkedIn: http://in.linkedin.com/in/ksubbiah
Blog: http://www.kannan-subbiah.com