Tag Archives: saas

Security in the cloud

Web-security-stock

After all the news about PRISM and data collection of internet traffic in the US and abroad, it got me thinking about how security is even more relevant now that so much of our work is done on the Internet. While running basic security techniques won’t really stop entities with special back-door access, being vigilant about security while using services on the cloud is always a best practice.

The cloud is often divided into three main categories. Infrastructure-as-as-Service (IaaS), Platform-as-a-Service (PaaS) and Software-as-a-Service (SaaS). The majority of users are most familiar with SaaS, either interacting with one at work (most likely Salesforce, among others) or even internet mail (Gmail, Yahoo Email, etc.).

saas-is-the-next-generation-of-recruiting-software

SaaS Security

Security with SaaS is often very similar to one you would consider when using a website. You will almost always want to:

  • Create a unique password that is difficult to guess
  • Enable HTTPS whenever possible
  • Enable two-factor authentication
  • Guard against socially engineered attacks

As a user, you are reliant on the SaaS provider to ensure that the systems that they are running on are secure, that they employ best practices, and are PCI-compliant (if they are taking your credit card information). The basic items listed above are some of the steps you can take to improve security.

The first item is well-known for anyone who has used email before so I will go into more depth about the other options. Enabling HTTPS means that the traffic from your browser to the server is encrypted. So anything sent through the internet will be difficult to read if it is ever intercepted. Clearly this is important when sending your login information since that complex password is meaningless if anyone sniffing your traffic can grab it. The details of this encryption can be fairly complex but essentially you want providers who use at least 1024 bit key but the standard is quickly moving to 2048 (the longer the length, the harder it is to crack). However, this only encrypts traffic in transit and NOT at rest. So once your data is in the server, it may or may not be encrypted.

Two-factor authentication is all the rage since passwords are guessed, stolen or simply given away in socially engineered attacks. The idea behind this security is that to get in, you need to have something you know (your password) and something you have (your token) and its unlikely that a remote hacker will have both. The token can take the form of a physical key – like an RSA token that generates a random number every 60 seconds, an app that does the same thing on your smart phone (like Google Authenticator) or a random number sent as a text message to your phone. While there are ways to defeat two-factor (like man-in-the-middle attacks) it is generally safer than single authentication.

Social engineering is the electronic version of the con game – using psychological manipulation to gain information for the purposes of theft, fraud or other nefarious activities. The danger in these types of threats is that as a user, you are dependent on people you don’t even know, who have access to your personal information, being vigilant about not giving away your information. While there is little that you can do about this other than ensuring that your SaaS vendor has known security policies and procedures to prevent this from happening. You can also protect yourself somewhat by not linking your Internet life together. Use different passwords and try not to link too many services together – doing so may lead to a vulnerability in one imploding the rest. Mat Honan wrote an excellent article about his unfortunate experience of getting hacked and what steps he could have taken to prevent it.

IAAS

IaaS Security

I’m going to skip PaaS since it is rapidly beginning to blend into IaaS (and vice versa). When you are using an IaaS provider, you are operating at the infrastructure layer, meaning the individual components that are used to host your application. You are no longer interfacing with a website but rather dealing at the compute, network and storage layer. You are most likely using this type of provider because you are hosting your own SaaS service and want it to reside in the cloud or are hosting some sort of online service, like a website or mobile app. Because you are now dealing with infrastructure, you are faced with a whole different set of security requirements than SaaS users. You will want to look into:

  • The physical security of the data center where your infrastructure is located
  • The security settings of the server
  • The security services offered by the provider
  • Any certifications that you need to meet for your particular use case
  • Specific security you need to provide for your customers
  • Data backup and disaster recovery
  • Your own security policies and procedures

At the IaaS layer, you are often a business serving your own customers so you have more security considerations to think about. You are also responsible for configuring your own security above the server layer as this is often not the responsibility of the IaaS provider.

One of the things to look for is if the data centers of the provider have strong security and controls – this is often reflected in attaining a SSAE 16 Type II and / or ISO 27001 certified data center designation. This is an internationally recognized auditing standard that contains a detailed audit report of the providers controls and security and in the case of Type II, the auditor’s opinion on whether the controls were operating effectively. Note that SSAE16 Type II replaces SAS 70 Type II (they are one and the same). Determine if the provider has the right compliance (PCI, HIPAA, FISMA, etc.) for your particular requirements. Data retention (what happens when your cancel your account) and data distribution policies (is your data automatically replicated or backed-up to other data centers?) should also be investigated.

The security settings of the server have to determined. There are a lot of factors to consider here that could probably consume a full-time training course. Suffice to say, you will need to do your research on what you need to tweak on your operating system of choice in order to meet the security requirements of your use case. One option to consider is to install CloudPassage on your server – in addition to providing firewall management for Linux and Windows, it also makes security recommendations. Note that some of these changes are uncommon and may not be compatible for all applications.

Research what security services are offered by your cloud provider. There is often a firewall option (software or hardware), a virtual private cloud option (which is a way to create network isolation), VPN services and even more advanced options like a Web App Firewall (WAF) or Intrusion Detection Systems (IDS / IPS). Firehost is one company that focused specifically on security and provides a variety of options.

An important consideration in any situation is how you can backup your data in the case of failure. Does the vendor provide a mechanism for backing up your data or will you need to provide that yourself? In some cases the vendor has built-in high-availability (for example, Amazon offers 99.999999999% durability for S3). However, standard data backup (defining a secondary location to store your data) is a good practice since durability guarantees do nothing if your sys admin deletes your files by accident.

You are responsible for you own security

Ultimately, you have to do the legwork to ensure that where ever you run your application or website, it will have the right level of security that you need. I don’t think that the cloud is inherently less safe than on-premise. After all, maintaining the integrity and security of their service is in the best interests of the vendor. In the case of IaaS, their core competency is on maintaining infrastructure – something your company is probably not focused on. Your company’s expertise is most likely geared towards your particular industry. However, you will need to be aware of the security options that are available to you and to make sure to take advantage of the ones offered by the vendor.

Why BI in the Cloud?

Business Intelligence (BI) has been around for a while but recently, the interest in analytics and tools to support it have become increasingly popular. Previously, only large enterprises were able to afford the infrastructure and license cost to implement traditional business intelligence. However, the advent of the cloud is an opportunity for everyone to take advantage of the transformative power of data.

img_businessIntel

Traditional BI was typically a client server setup with companies typically shelling out for dedicated equipment in their own data center or a co-lo, requiring license fees for the software and a dedicated staff to manage all the equipment and to maintain the server. The more data that you had to analyze, the more equipment that you had to buy and the more staff that you had to hire. The massive amount of investment in this area became a sunk cost and some enterprises are still tied to this model despite the fact that new models have arisen to tackle the data challenge.

The Cloud

The cloud opens up all new options for companies looking to either build out their own solution or to leverage new products that are native to cloud. There are currently three generally accepted cloud delivery models: Software as a Service (SaaS), Platform as a Service (PaaS) and Infrastructure as a Service (IaaS). I consider SaaS and IaaS to be the models that will be the most effective for BI.

One of the concerns that are often raised regarding the cloud is security – this in particular with BI since it involves data and sometimes personal information. The question then is, how will a provider that specializes in managing a data center (in the case of IaaS) or large-scale application and data hosting (in the case of SaaS) any less secure than a company who’s focus is on their own business and not on securing the data center? You will need to verify a few things depending the delivery model that you are using. For SaaS, you will want to ensure that the provider can give you secure login and authentication, the ability to define granular levels of access, SSL, and the option of encryption at rest. For IaaS, the customer is typically responsible for setting up security but you will want to see ISAE 16, ISO 7001 certification, DDOS mitigation as well as options to provision firewalls and load balancers. The Cloud Security Alliance (CSA) is currently working on their Security, Trust and Assurance Registry (STAR) which will make it easier to determine security criteria for a cloud provider but it is currently only in the preview stage.

Deciding which Cloud Model

If you are interested in just providing data and then having software available to analyze, manipulate and create reports, SaaS products may work for you. Example of some SaaS BI companies are BIRST, PivotLink, and GoodData. All of them provide the BI-stack, which is a method for extracting, transforming and loading data, a place to store the data, and a front-end to create ah-hoc reports and dashboards. The advantages of using this style of BI is that all the management of the infrastructure and software is handled by the vendor. There is also minimal up-front costs – the model is to simply pay for what you use.

If you want to build your own BI platform, you can leverage IaaS and open-source software. You will need to find an IaaS vendor that best suites your needs – Amazon Web Services, GoGrid and Rackspace are the leaders in this space. Using IaaS, you will have full control of your infrastructure – you can determine how many servers to spin up, the security you want to use and how you want to store the data. You will also need to build out the software assuming that you have that expertise in-house. Some good open-source options are Talend for data migration and manipulation, Pentaho for data integration and analytics, BIRT for reporting and MySQL or Postgres for the database. This model requires more system administration expertise and developer resources to build out a custom BI solution but this may be worth the investment if you want tighter control of your product or have very specific custom needs. In either case, if you can leverage the features offered in open-source software, your will also minimize up-front costs and will pay for the infrastructure that you use – with the option of spinning up servers to meet demand or remove servers when they are no longer needed. You can start off with small 1GB server and expand to more cores, more RAM and more storage quickly and easily.

In addition, the flexibility of the cloud gives you the option to expand your infrastructure if you need to incorporate a Big Data solution to meet a particular use case. Currently, most of the popular technology is open-source such as Hadoop, MongoDB and Cassandra. I discuss Big Data in more depth in a previous blog post.

Ultimately, you may decide that you need all the features that are offered by a traditional BI vendor or have already made the investment in a particular infrastructure or technology. After all, these companies have been around a long time and there are many talent individuals who are well-versed in these products. However, if you are interested in lowering costs and off-load the infrastructure and software work to another vendor or are new to BI and want to get started with minimal up-front costs, the cloud based BI solutions might be the right option for you. Instead of having to project growth in order to order the hardware up-front, you will have the ability to pay-as-you-go, and add infrastructure and cost only as your growth demands. DASHbay is experienced in both delivery models discussed here and we can provide the right analytics expertise and development experience for your BI needs. Considering the growth in data, the flexibility of the cloud and the much needed analytic features of a BI solution work well together to provide a powerful, low-cost and scalable solution. Make sure that you work with the right vendors and partners to make your project a success!