168 Cloud Computing
6.3.9 Secure Software Development Life Cycle (SecSDLC)
The SecSDLC involves identifying specific threats and the risks they represent, followed by the design and implementation of specific controls to counter those threats and assist in managing the risks they pose to the organization and/or its customers. The SecSDLC must provide consistency, repeatability, and conformance. The SDLC consists of six phases, and there are steps unique to the SecSDLC in each of those phases:
Phase 1. Investigation: Define project processes and goals, and document them in the program security policy.
Phase 2. Analysis: Analyze existing security policies and programs, analyze current threats and controls, examine legal issues, and perform risk analysis.
Phase 3. Logical design: Develop a security blueprint, plan incident response actions, plan business responses to disaster, and determine the feasibility of continuing and/or outsourcing the project.
Phase 4. Physical design: Select technologies to support the security blueprint, develop a definition of a successful solution, design physical security measures to support technological solutions, and review and approve plans.
Phase 5. Implementation: Buy or develop security solutions. At the end of this phase, present a tested package to management for approval.
Phase 6. Maintenance: Constantly monitor, test, modify, update, and repair to respond to changing threats. [8]
In the SecSDLC, application code is written in a consistent manner that can easily be audited and enhanced; core application services are provided in a common, structured, and repeatable manner; and framework modules are thoroughly tested for security issues before implementation and continuously retested for conformance through the software regression test cycle. Additional security processes are developed to support application development projects, such as external and internal penetration testing and standard security requirements based on data classification. Formal training and communications should also be developed to raise awareness of process enhancements.

8. Michael E. Whitman and Herbert J. Mattord, Management of Information Security, Thomson Course Technology, 2004, p. 57.

Chap6.fm Page 168 Friday, May 22, 2009 11:27 AM
Software-as-a-Service Security 169
6.3.10 Security Monitoring and Incident Response
Centralized security information management systems should be used to provide notification of security vulnerabilities and to monitor systems continuously through automated technologies to identify potential issues. They should be integrated with network and other systems monitoring processes (e.g., security information management (SIM), security event management (SEM), security information and event management (SIEM), and security operations centers that use these systems for dedicated 24/7/365 monitoring). Management of periodic, independent third-party security testing should also be included.
Many of the security threats and issues in SaaS center around the application and data layers, so the types and sophistication of threats and attacks facing a SaaS organization require a different approach to security monitoring than traditional infrastructure and perimeter monitoring. The organization may thus need to expand its security monitoring capabilities to include application- and data-level activities. This may also require subject-matter experts in application security and the unique aspects of maintaining privacy in the cloud. Without this capability and expertise, a company may be unable to detect and prevent security threats and attacks against its customer data and service stability.
6.3.11 Third-Party Risk Management
As SaaS moves into cloud computing for the storage and processing of customer data, there is a higher expectation that the SaaS provider will effectively manage the security risks associated with third parties. Lack of a third-party risk management program may result in damage to the provider's reputation, revenue losses, and legal actions should the provider be found not to have performed due diligence on its third-party vendors.
6.3.12 Requests for Information and Sales Support
If you don't think that requests for information and sales support are part of a security team's responsibility, think again. They are part of the business, and particularly with SaaS, the integrity of the provider's security business model, regulatory and certification compliance, and your company's reputation, competitiveness, and marketability all depend on the security team's ability to provide honest, clear, and concise answers to a customer request for information (RFI) or request for proposal (RFP). A structured process and a knowledge base of frequently requested information will result in considerable efficiency and the avoidance of ad-hoc, inefficient, or inconsistent support of the customer RFI/RFP process. Members of the security team should be not only internal security evangelists but also security evangelists to customers in support of the sales and marketing teams. As discussed earlier, security is top-of-mind and a primary concern for cloud computing customers, and lack of information security representatives who can support the sales team in addressing customer questions and concerns could result in the loss of a sales opportunity.
6.3.13 Business Continuity Plan
The purpose of business continuity (BC)/disaster recovery (DR) planning is to minimize the impact of an adverse event on business processes. Business continuity and resiliency services help ensure uninterrupted operations across all layers of the business, as well as helping businesses avoid, prepare for, and recover from a disruption. SaaS services that enable uninterrupted communications not only can help the business recover from an outage, they can reduce the overall complexity, costs, and risks of day-to-day management of your most critical applications. The cloud also offers some dramatic opportunities for cost-effective BC/DR solutions.
Some of the advantages that SaaS can provide over traditional BC/DR are: eliminating email downtime, ensuring that email messages are never lost, and making system outages virtually invisible to end users no matter what happens to your staff or infrastructure; maintaining continuous telephone communication during a telecommunication outage so your organization can stay open and in contact with employees, customers, and partners at virtually any location, over any network, on any voice-capable device; and providing wireless continuity for WiFi-enabled "smart" phones that ensures users will always be able to send and receive corporate email from their WiFi-enabled devices, even if your corporate mail system, data center, network, and staff are unavailable. [9]
9. http://www.eseminarslive.com/c/a/Cloud-Computing/Dell030509, retrieved 15 Feb 2009.

6.3.14 Forensics
Computer forensics is used to retrieve and analyze data. The practice of computer forensics means responding to an event by gathering and preserving data, analyzing data to reconstruct events, and assessing the state of an event. Network forensics includes recording and analyzing network events to determine the nature and source of information abuse, security attacks, and other such incidents on your network. This is typically achieved by recording or capturing packets long-term from a key point or points in your infrastructure (such as the core or firewall) and then data mining for analysis and re-creating content. [10]
Cloud computing can provide many advantages to both individual forensics investigators and their whole team. A dedicated forensic server can be built in the same cloud as the company cloud and can be kept offline but available for use when needed. This provides a cost-effective readiness factor, because the company itself then does not face the logistical challenges involved. For example, a copy of a virtual machine can be given to multiple incident responders to distribute the forensic workload based on the job at hand or as new sources of evidence arise and need analysis. If a server in the cloud is compromised, it is possible to clone that server at the click of a mouse and make the cloned disks instantly available to the cloud forensics server, thus reducing evidence-acquisition time. Take that clone before any remediation is attempted and record its hash at acquisition, so the copy can later be shown to reflect the system as it was at the time of compromise. In some cases, dealing with operations and trying to abstract the hardware from a data center may become a barrier to, or at least slow down, the process of doing forensics, especially if the system has to be taken down for a significant period of time while you search for the data and then hope you have the right physical acquisition toolkit and supports for the forensic software you are using.
Cloud computing provides the ability to avoid or eliminate disruption of operations and possible service downtime. Some cloud storage implementations expose a cryptographic checksum or hash (such as the MD5 hash Amazon S3 generates) when you store an object. This makes it possible to avoid generating MD5 checksums with external tools: the checksums are already there, which takes the forensic image verification step off the critical path. Two cautions apply. An S3 ETag is a plain MD5 of the object only for single-part uploads that are unencrypted or use S3-managed keys; multipart uploads and objects encrypted with SSE-KMS or SSE-C report a differently constructed value. And MD5 is no longer collision resistant, so record a SHA-256 of the acquired image alongside the provider's hash. In today's world, forensic examiners typically spend a lot of time on the expensive provisioning of physical devices. Bit-by-bit copies are made more quickly by replicated, distributed file systems that cloud providers can engineer for their customers, so customers have to pay for storage only for as long as they need them. You can also test a wider range of candidate passwords in less time, speeding investigations by giving access to documents more quickly, because of the significant increase in CPU power provided by cloud computing. [11]

10. http://www.bitcricket.com/downloads/Network%20Forensics.pdf, retrieved 15 Feb 2009.
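As an added example (not part of the original text, and not Amazon's own code), the following Python script shows how an examiner would use a provider-exposed hash the way the paragraph describes, while also recording a SHA-256 for the chain of custody in the same pass over the data. The image bytes are constructed; the multipart ETag construction in s3_style_etag (MD5 of the concatenated binary MD5s of each part, suffixed with the part count) is Amazon S3's documented behaviour for unencrypted multipart uploads, and the function names, part size, and chunk size are this example's assumptions.

```python
"""Verifying an acquired cloud object or disk image against a provider hash.

Added example, not from the original text. Standard library only; the object
contents used below are constructed for illustration.
"""
import hashlib

CHUNK = 1 << 20  # 1 MiB read size (assumed) so large images stream without loading into RAM


def compute_digests(data, chunk_size=CHUNK):
    """Stream the image once and return MD5 and SHA-256 hex digests.

    MD5 is what you compare against the provider's hash; SHA-256 is what you
    record in the chain-of-custody log, since MD5 collisions are practical.
    """
    md5 = hashlib.md5()
    sha = hashlib.sha256()
    for i in range(0, len(data), chunk_size):
        block = data[i:i + chunk_size]
        md5.update(block)
        sha.update(block)
    return {"md5": md5.hexdigest(), "sha256": sha.hexdigest()}


def s3_style_etag(data, part_size):
    """Reproduce the ETag Amazon S3 reports for an unencrypted object.

    Single-part PUT: the ETag is the plain MD5 of the bytes.
    Multipart upload: the ETag is the MD5 of the concatenated binary MD5s of
    each part, followed by '-' and the part count, so it is *not* the MD5 of
    the whole object. Objects encrypted with SSE-KMS or SSE-C do not carry a
    plain MD5 ETag at all (not modelled here).
    """
    if len(data) <= part_size:
        return hashlib.md5(data).hexdigest()
    part_digests = b"".join(
        hashlib.md5(data[i:i + part_size]).digest()
        for i in range(0, len(data), part_size)
    )
    n_parts = (len(data) + part_size - 1) // part_size
    return f"{hashlib.md5(part_digests).hexdigest()}-{n_parts}"


def verify_object(data, expected_etag, part_size=5 * 1024 * 1024):
    """True if the acquired bytes reproduce the ETag the provider exposed.

    part_size must match the part size the uploader used (5 MiB is a common
    client default, assumed here), otherwise a multipart ETag will not match.
    """
    return s3_style_etag(data, part_size) == expected_etag


if __name__ == "__main__":
    image = b"abc"  # constructed stand-in for a cloned disk image
    etag = s3_style_etag(image, part_size=CHUNK)
    print("provider ETag       :", etag)
    print("verified            :", verify_object(image, etag, CHUNK))
    print("recorded digests    :", compute_digests(image))
    # The same bytes uploaded in 2-byte parts report a different ETag:
    print("multipart ETag      :", s3_style_etag(image, part_size=2))
```

The verification compares against the provider's value, but the digest that goes into the evidence log is the SHA-256 computed locally; if the provider's ETag carries a "-N" suffix, the examiner must know the uploader's part size to reproduce it, which is the practical cost of the multipart caveat above.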
6.3.15 Security Architecture Design
A security architecture framework should be established with consideration
of processes (enterprise authentication and authorization, access control,
confidentiality, integrity, nonrepudiation, security management, etc.), oper-
ational procedures, technology specifications, people and organizational
management, and security program compliance and reporting. A security
architecture document should be developed that defines security and pri-
vacy principles to meet business objectives. Documentation is required for
management controls and metrics specific to asset classification and control,
physical security, system access controls, network and computer manage-
ment, application development and maintenance, business continuity, and
compliance. A design and implementation program should also be inte-
grated with the formal system development life cycle to include a business
case, requirements definition, design, and implementation plans. Technol-
ogy and design methods should be included, as well as the security processes
necessary to provide the following services across all technology layers:
1. Authentication
2. Authorization
3. Availability
4. Confidentiality
5. Integrity
6. Accountability
7. Privacy
The creation of a secure architecture provides the engineers, data center
operations personnel, and network operations personnel a common blue-
print to design, build, and test the security of the applications and systems.
Design reviews of new changes can be better assessed against this architec-
ture to assure that they conform to the principles described in the architec-
ture, allowing for more consistent and effective design reviews.
11. http://cloudsecurity.org/2008/07/21/assessing-the-security-benefits-of-cloud-computing, retrieved 15 Feb 2009.