
Software as a Service (SaaS)


Infrastructure as a Service (IaaS)
Platform as a Service (PaaS)

SaaS
As the CSA explains, with SaaS, the provider's applications run on a cloud infrastructure and are ac
browser. The consumer does not manage or control the network, servers, operating systems, stora
application capabilities.

PaaS
With PaaS, consumers create applications using programming languages and tools supported by th
deploy these onto the cloud infrastructure, the CSA explains. As with SaaS, the consumer does not
infrastructure--the network, servers, operating systems or storage--but does have control over the
and possibly the application-hosting environment configurations

IaaS
Here, consumers can provision processing, storage, networks and other fundamental computing re
deploy and run operating systems and applications, according to the CSA. While they don't manag
underlying cloud infrastructure, they do have control over operating systems, storage and deploye
possibly limited control of select networking components, such as host firewalls, the CSA says.
With IaaS, there are few integrated security capabilities beyond protecting the infrastructure itself,
extensibility, according to the CSA. This means users need to manage and secure operating system
content, typically through an API.

Regulations such as the Federal Information Security Management Act (FISMA) require customers t
within the country. Although keeping data within U.S. borders seems like a relatively simple task on
will often not make that guarantee.

In highly virtualized systems, data and virtual machines can move dynamically from one country to
load balancing needs and other factors. Google, for example, would note that if an end user in Cali
business trip to London, it's better (or at least faster) for that user's data to be served up by a data

Google Apps has received FISMA certification for its government cloud, but that same guarantee is
industry. This isn't just a problem for U.S. customers either.

Cloud Consumer
The person or organization that maintains a business relationship with, and uses service from, clou
Cloud Provider
The person, organization or entity responsible for making a service available to cloud consumers.
Cloud Carrier
The intermediary that provides connectivity and transport of cloud services from cloud providers to
Cloud Broker
An organization that manages the use, performance and delivery of cloud services, and negotiates
cloud providers and cloud consumers.
Cloud Auditor
A party that can conduct independent assessments of cloud services, information system operation
security of the cloud implementation.

SLA Template for Cloud Service SLA

The service deployment model covers following options: Private, Community, Public, or Hybrid.

To be effective, a performance metric must be clearly defined in the SLA and understood by both p
generally accepted definitions for the two metrics of interest:
Availability. Percentage of uptime for a service in a given observation period.
Response time. Elapsed time from when a service is invoked to when it is completed including dela
in milliseconds).

Consider following three different example scenarios (network availability, storage availability, and
and the specific performance information required for each.

SAS 70 (http://www.aicpa.org/)
a. Audit of financial reporting controls based on control objectives and control activities (defined by
b. Auditor opinion on the design, operational status, and operating effectiveness of financial repor
c. Intended to cover services that are relevant for purposes of customers financial statement audi
d. Often required by customers when the SaaS offering is financial in nature.

SysTrust (http://infotech.aicpa.org/)
a. Audit of controls based on defined principles and criteria for security, availability, confidentiality
integrity.
b. Intended to apply to the reliability of any system.

WebTrust (http://infotech.aicpa.org/)
a. Audit of controls based on defined principles and criteria for security, availability, confidentiality
and privacy.
b. Intended to apply to online/e-commerce
SOX - Sarbanes-Oxley Act
SOC - Service Organization Control (the AICPA SOC 1/2/3 reports; SOC 1 under SSAE 16 replaced SAS 70 in 2011). In this context SOC does not mean Security Operations Centre.
ISO/IEC 27018 Data protection for cloud systems
Another security-control-based guidance is NIST's Special Publication 800-53 R3 [28], as well
as NIST's Special Publication 800-39 [29] for risk management at the organizational level.

Responsibility for managing various parts of IT services within on-premises, IaaS, PaaS and SaaS is as fo

Cloud Architecture Diagram

Deployment Models:
Private cloud. The cloud infrastructure is operated solely for an organization. It may be
managed by the organization or a third party and may exist on premise or off premise.
Community cloud. The cloud infrastructure is shared by several organizations and supports a
specific community that has shared concerns (e.g., mission, security requirements,
policy, and compliance considerations). It may be managed by the organizations or a
third party and may exist on premise or off premise.
Public cloud. The cloud infrastructure is made available to the general public or a large
industry group and is owned by an organization selling cloud services.
Hybrid cloud. The cloud infrastructure is a composition of two or more clouds (private,
community, or public) that remain unique entities but are bound together by
standardized or proprietary technology that enables data and application portability
(e.g., cloud bursting for load balancing between clouds).

Service Models:
Cloud Software as a Service (SaaS). The capability provided to the consumer is to use the
provider's applications running on a cloud infrastructure. The applications are
accessible from various client devices through a thin client interface such as a Web
browser (e.g., Web-based email). The consumer does not manage or control the
underlying cloud infrastructure including network, servers, operating systems, storage,
or even individual application capabilities, with the possible exception of limited user-specific
application configuration settings.
Cloud Platform as a Service (PaaS). The capability provided to the consumer is to deploy onto
the cloud infrastructure consumer-created or acquired applications created using
programming languages and tools supported by the provider. The consumer does not
manage or control the underlying cloud infrastructure including network, servers,
operating systems, or storage, but has control over the deployed applications and
possibly application hosting environment configurations.
Cloud Infrastructure as a Service (IaaS). The capability provided to the consumer is to
provision processing, storage, networks, and other fundamental computing resources
where the consumer is able to deploy and run arbitrary software, which can include
operating systems and applications. The consumer does not manage or control the
underlying cloud infrastructure but has control over operating systems, storage,
deployed applications, and possibly limited control of select networking components
(e.g., host firewalls).

Actors in Cloud
Cloud Consumer Person or organization that maintains a business relationship with, and uses serv
Providers.
Cloud Provider Person, organization, or entity responsible for making a service available to Cloud C
Cloud Auditor A party that can conduct independent assessment of cloud services, information sys
performance, and security of the cloud implementation.
Cloud Broker An entity that manages the use, performance, and delivery of cloud services, and neg
between Cloud Providers and Cloud Consumers.
Cloud Carrier The intermediary that provides connectivity and transport of cloud services from Clou
Consumers.

SaaS - Uses application/service for business process operations. - Installs, manages, maintains, an
application on a cloud infrastructure.
PaaS - Develops, tests, deploys, and manages applications hosted in a cloud environment. - Provisi
infrastructure and middleware for the platform consumers; provides development, deployment, an
platform consumers.
IaaS - Creates/installs, manages, and monitors services for IT infrastructure operations. - Provisions
physical processing, storage, networking, and the hosting environment and cloud infrastructure for

Cloud Computing Standards


Standards are already available in support of many of the functions and requirements for cloud com
Cloud Computing Standards Mapping and Gap Analysis

Cloud Security Alliance (CSA) is a nonprofit organization, which implements a wide range of initia
For example, CSA publishes a free guide and instructions on cloud security. Members are a variety
corporate users of cloud computing, in addition to individuals. That combination gives a good weig
and its initiatives. Other initiatives from CSA include a GRC stack with a "control matrix". The mat
"controls" with relevance to cloud security, each mapped up to ISO 27001, PCI, COBIT, NIST and mo

CCSK is a certification issued by Cloud Security Alliance. The abbreviation means Certificate of Clou
CSA now works with approved training providers. Neupart is the first CSA partner in Europe to offer
preparation course. In this course, you can enhance your knowledge about cloud security and prep
certification test.
High Level Security Considerations
The following key security elements should be carefully considered as an integral part of the SaaS
and deployment process:
SaaS deployment model
Data security
Network security
Regulatory compliance
Data segregation
Availability
Backup
Identity management and sign-on process

Security considerations and vulnerabilities

The following figure illustrates the layered stack for a typical SaaS vendor and highlights critical as
covered across layers in order to ensure security of the enterprise data.

Cloud Computing is a model for enabling ubiquitous, convenient, on-demand


network access to a shared pool of configurable computing resources
(e.g. networks, servers, storage, applications and services) that can be rapidly
provisioned and released with minimal management effort or service provider
interaction.

Software as a Service (SaaS) is a software deployment model where applications are remotely host
service provider and made available to customers on demand, over the Internet


The SaaS security challenges differ depending upon the deployment model being used by the vend
choose to deploy the solution either by using a public cloud vendor or host it themselves. Dedicate
such as Amazon help to build secure SaaS solutions by providing infrastructure services that aid in
environment security. This involves the use of firewalls, intrusion detection systems, etc. A self-hos
however, requires the vendor to build these services and assess them for security vulnerabilities

In the SaaS model, the enterprise data is stored outside the enterprise boundary, at the SaaS vend
the SaaS vendor must adopt additional security checks to ensure data security and prevent breach
vulnerabilities in the application or through malicious employees

In cloud vendors such as Amazon, the Elastic Compute Cloud [EC2] administrators do not have acc
instances and cannot log into the Guest OS. EC2 Administrators with a business need are required
cryptographically strong Secure Shell [SSH] keys to gain access to a host. All such accesses are log
audited.

While the data at rest in Simple Storage Service [S3] is not encrypted by default, users can encryp
uploaded to Amazon S3, so that it is not accessed or tampered with by any unauthorized party.
(That describes S3 at the time of writing. Since January 2023 S3 applies server-side encryption with S3-managed keys (SSE-S3) to every new object by default; where the tenant must control the keys, SSE-KMS with a customer-managed key or client-side encryption remains the option to choose.)

In a SaaS deployment model, sensitive data is obtained from the enterprises, processed by the Saa
at the SaaS vendor end. All data flow over the network needs to be secured in order to prevent lea
information. This involves the use of strong network traffic encryption techniques such as Secure S
the Transport Layer Security [TLS] for security.

Data privacy has emerged as another significant challenge. Different countries have their distinct p
how data needs to be secured and stored. These might lead to conflicts when the enterprise data o
in data centers located in another country.

In a mature multi-tenant SaaS architecture, the application instances and data stores may be share
enterprises. This allows the SaaS vendor to make more efficient use of resources and helps achieve
At the same time, sufficient security checks need to be adopted to ensure data security and preven
to data of one tenant by users from other tenants. This involves hardening the data store as well a
ensure data segregation.

In case the SaaS application is deployed at a third party cloud vendor, additional safeguards need
data of an application tenant is not accessible to other applications

The SaaS application needs to ensure that enterprises are provided with service around the clock.
architectural changes at the application and infrastructural levels to add scalability and high availa
A multi-tier architecture needs to be adopted, supported by a load-balanced farm of application ins
variable number of servers.
Resiliency to hardware/software failures, as well as to denial of service attacks, needs to be built fr
the application.

An appropriate action plan for business continuity [BC] and disaster recovery [DR] needs to be con
unplanned emergencies. This is essential to ensure the safety of the enterprise data and minimal d

With Amazon for instance, the AWS API endpoints are hosted on the same Internet-scale, world-cla
supports the Amazon.com retail site.
Standard Distributed Denial of Service [DDoS] mitigation techniques such as SYN cookies and conn
To further mitigate the effect of potential DDoS attacks, Amazon maintains internal bandwidth that
supplied Internet bandwidth.

The SaaS vendor needs to ensure that all sensitive enterprise data is regularly backed up to facilita
case of disasters.
Also the use of strong encryption schemes to protect the backup data is recommended to prevent
sensitive information.

The SaaS vendor can support identity management and sign on services using any of the following
1. Independent IdM stack
2. Credential Synchronization
3. Federated IdM

Independent IdM stack


The SaaS vendor provides the complete stack of identity management and sign on services. All inf
accounts, passwords, etc. is completely maintained at the SaaS vendor end.
Advantages
> Easy to implement
> No separate integration with enterprise directory
Disadvantages
> The users need to remember separate credentials for each SaaS application
Security Challenges
> The IdM stack should be highly configurable to facilitate compliance with enterprise policies; e.g

Credential Synchronization
The SaaS vendor supports replication of user account information and credentials between enterpr
The user account information creation is done separately by each tenant within the enterprise bou
regulatory needs. Relevant portions of user account information are replicated to the SaaS vendor
access control capabilities. The authentication happens at the SaaS vendor end using the replicate
Advantages
> Users don't need to remember multiple passwords
Disadvantages
> Requires integration with enterprise directory
> Higher security risk, since user credentials are transmitted outside the enterprise perime
Security Challenges
> The SaaS vendor needs to ensure security of the credentials during transit and storage and prev

Federated IdM
The entire user account information including credentials is managed and stored independently by
authentication occurs within the enterprise boundary.
The identity of the user as well as certain user attributes are propagated on-demand to the SaaS v
allow sign on and access control.
Advantages
> Users don't need to remember multiple passwords
> No separate integration with enterprise directory
> Lower security risk than credential synchronization, since credentials never leave the enterprise
Disadvantages
> Relatively more complex to implement
Security Challenges
> The SaaS vendor and tenants need to ensure that proper trust relationships and validations are e
secure federation of user identities
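The trust relationships and validations that the federated option depends on, shown as an added example that is not code from the original page or from any vendor: the enterprise IdP issues a minimal signed assertion (JSON claims plus an HMAC-SHA256 signature, a deliberately simplified stand-in for a SAML assertion or JWT) and the SaaS vendor checks it against a registry of trusted issuers. The issuer URLs, audience string, shared key and claim values are assumptions constructed for the example; in practice the IdP would sign with a private key and the vendor would hold its certificate.

```python
"""Federated sign-on: assertion issued by the enterprise IdP, validated by the SaaS vendor.

Added example, not from the original page. Compact format used here (assumption):
    base64url(JSON claims) "." base64url(HMAC-SHA256 over the first part)
The vendor trusts only issuers in its registry, verifies the signature with that
issuer's key, and then checks audience and validity window before using any claim.
"""
import base64
import hashlib
import hmac
import json
import time


class FederationError(Exception):
    """Raised when an assertion must be rejected; the message says why."""


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_assertion(idp_key: bytes, claims: dict) -> str:
    """IdP side: serialise claims canonically and sign them."""
    body = _b64url(json.dumps(claims, sort_keys=True, separators=(",", ":")).encode())
    sig = hmac.new(idp_key, body.encode(), hashlib.sha256).digest()
    return body + "." + _b64url(sig)


def verify_assertion(token: str, trusted_issuers: dict, audience: str, now=None) -> dict:
    """SaaS side: return the claims only if every trust check passes.

    trusted_issuers maps issuer identifier -> verification key (the trust relationship
    the vendor and tenant establish out of band).
    """
    now = time.time() if now is None else now
    try:
        body_b64, sig_b64 = token.split(".")
        claims = json.loads(_b64url_decode(body_b64))
        sig = _b64url_decode(sig_b64)
    except ValueError:
        raise FederationError("malformed assertion")
    if not isinstance(claims, dict):
        raise FederationError("malformed assertion")

    # The issuer claim is read before the signature check only to select the key;
    # nothing else is trusted until the signature over the same bytes verifies.
    issuer = claims.get("iss")
    key = trusted_issuers.get(issuer)
    if key is None:
        raise FederationError("untrusted issuer: %r" % (issuer,))
    expected = hmac.new(key, body_b64.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        raise FederationError("bad signature")

    # Audience binding stops an assertion meant for one SaaS being replayed at another.
    if claims.get("aud") != audience:
        raise FederationError("audience mismatch")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or now >= exp:
        raise FederationError("assertion expired or has no expiry")
    if now < claims.get("nbf", 0):
        raise FederationError("assertion not yet valid")
    return claims


if __name__ == "__main__":
    # Constructed demo: the enterprise IdP and the SaaS vendor share one key out of band.
    idp_key = b"example-shared-secret-from-federation-setup"
    registry = {"https://idp.enterprise.example": idp_key}
    tok = issue_assertion(idp_key, {
        "iss": "https://idp.enterprise.example", "aud": "saas-app",
        "sub": "alice", "groups": ["finance"], "nbf": 1700000000, "exp": 1700000600,
    })
    print(verify_assertion(tok, registry, "saas-app", now=1700000300))
```

The same checks apply whatever the real assertion format: signature over the exact bytes received, issuer restricted to a registry, audience bound to this vendor, and a bounded validity window, in that order.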
Use of the following key mitigation strategies for addressing the above critical security challenges
robustness of the SaaS applications
Secure Product Engineering
Secure Deployment
Governance and Regulatory Compliance Audits
Third-Party SaaS Security Assessment

It is highly recommended that software vendors treat security as part of the product engineering lif
At each phase of development [architecture, design, coding], a security review should be performe
This will help with faster identification of any security issues and lower rework costs for any securit
implemented.
The coding and testing guidelines should similarly be revised while keeping security considerations

As discussed, SaaS solutions can either be hosted by the SaaS vendor or they can be deployed on
In a self-hosted deployment, the SaaS vendor needs to ensure that adequate safeguards are adopt
network penetration and DoS attacks.

Governance and Regulatory Compliance Audits


Third party Governance and Regulatory Compliance [GRC] audits can help validate the conformanc
government regulations and industry standards such as ISO27001, SOX, GLBA, HIPAA and PCI-DSS.
validate that appropriate BC and DR plans are in place and followed meticulously.
GRC audits help the SaaS vendor to identify and fix any deviations from regulations to ensure comp
standards. They also help the SaaS provider ease customer concerns about the security, privacy an
enterprise data, and help build credibility.

Third-Party SaaS Security Assessment


Third-party SaaS security assessments help validate the security and integrity of the SaaS applicat
It is recommended that SaaS vendors periodically conduct a SaaS security assessment to ensure th
solutions.
The standard tools and techniques used for web application vulnerability assessments (VA) as capt
Application Security Project [OWASP] do not provide sufficient coverage for SaaS-specific concepts
data segregation, etc. The Cloud Security Alliance [CSA] captures the critical areas for SaaS applica
Security Guide. A security assessment specifically tailored for SaaS solutions that incorporates thes
essential for detecting security vulnerabilities and fixing them before they can be exploited by mal

Third-Party SaaS Security Assessment


The SaaS security assessment should be comprised of both the application VA as well as network V
coverage. The following figure gives an overview of the security threats and vulnerabilities which s
of the security assessment.
The application VA helps validate application security in a SaaS deployment. This is generally indep
deployment model used by the vendor. However, dedicated cloud providers such as Amazon help f
SaaS applications by providing infrastructure services that aid in ensuring data security, network se
segregation, etc.

Data Security
Malicious users can exploit weaknesses in the data security model to gain unauthorized access to d
assessments test and validate the security of the enterprise data stored at the SaaS vendor.
Cross site scripting [XSS]
Access control weaknesses
OS and SQL Injection Flaws
Cross site request forgery [CSRF]
Cookie manipulation
Hidden field manipulation
Insecure storage
Insecure configuration
Network Security
Malicious users can exploit weaknesses in network security configuration to sniff network packets.
assessments test and validate the network security of the SaaS vendor.
Network penetration and packet analysis
Session management weaknesses
Insecure SSL trust configuration

Data Segregation
A malicious user can use application vulnerabilities to handcraft parameters that bypass security c
sensitive data of other tenants. The following assessments test and validate the data segregation o
multi-tenant deployment.
SQL Injection flaws
Data validation
Insecure storage
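The data-segregation failure described in the multi-tenant paragraphs earlier and in the checklist above, as an added example (not code from the page or from any vendor): two tenants share one table in a SQLite database constructed here, a lookup built by string concatenation lets a hand-crafted parameter break out of the tenant filter and read the other tenant's rows, and the hardened version validates the parameter, binds it, and takes the tenant identifier from the authenticated session rather than from the request. The table name, tenant names and rows are assumptions for the example.

```python
"""Tenant data segregation in a shared-database SaaS: vulnerable lookup beside a hardened one.

Added example, not from the original page. Schema and rows are constructed for illustration.
"""
import sqlite3

# Constructed sample data: two tenants whose records live in one table (multi-tenant SaaS).
SAMPLE_ROWS = [
    ("acme", 1, "acme payroll Q1"),
    ("acme", 2, "acme customer list"),
    ("globex", 3, "globex merger plan"),
]


def build_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE records (tenant_id TEXT NOT NULL, id INTEGER PRIMARY KEY, body TEXT NOT NULL)"
    )
    conn.executemany("INSERT INTO records VALUES (?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def fetch_record_vulnerable(conn, tenant_id: str, record_id: str) -> list:
    """Builds the SQL by string formatting and trusts the caller-supplied record id.

    The tenant filter is present, but a crafted record_id such as "1 OR 1=1" turns the
    WHERE clause into (tenant_id = 'acme' AND id = 1) OR 1=1, which matches every tenant.
    """
    sql = "SELECT body FROM records WHERE tenant_id = '%s' AND id = %s" % (tenant_id, record_id)
    return [row[0] for row in conn.execute(sql)]


def fetch_record_hardened(conn, session_tenant_id: str, record_id: str) -> list:
    """Validates the id, binds both values as parameters, and scopes by the session's tenant.

    session_tenant_id is the tenant of the authenticated principal, never a request field,
    so a user cannot name another tenant; the bound parameters cannot alter the query shape.
    """
    if not record_id.isdigit():
        raise ValueError("record id must be a positive integer")
    rows = conn.execute(
        "SELECT body FROM records WHERE tenant_id = ? AND id = ?",
        (session_tenant_id, int(record_id)),
    )
    return [row[0] for row in rows]


if __name__ == "__main__":
    db = build_db()
    print("vulnerable:", fetch_record_vulnerable(db, "acme", "1 OR 1=1"))  # leaks globex row
    print("hardened:  ", fetch_record_hardened(db, "acme", "1"))
```

Parameter binding removes the injection; the tenant scoping is the separate control that this checklist item is about, and it only holds if the tenant value comes from the session rather than the request.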
Availability
These assessments test and validate the availability of the SaaS vendor.
Authentication weaknesses
Session management weaknesses

Backup
The following assessments test and validate the security of the data backup and recovery services
vendor.
Insecure storage
Insecure configuration

Identity Management and Sign-on Process


The following assessments test and validate the security of the identity management and sign-on p
vendor.
Authentication weakness analysis
Insecure trust configuration

The following assessments help test and validate the security of the infrastructure used to deploy t
Host scanning
Penetration testing
Perimeter separation for dev/production systems
Server hardening
Firewall testing
Router testing
Domain name server testing
Mail Server testing
The above assessments help ensure security of the SaaS deployment against external penetration
prevent loss of sensitive data.

Availability
The following assessment helps test and validate the availability of the infrastructure used to deplo
DoS testing

Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a s
configurable computing resources (e.g., networks, servers, storage, applications, and services). Clo
disruptive technology that has the potential to enhance collaboration, agility, scaling, and availabil
opportunities for cost reduction through optimized and efficient computing.

From an architectural perspective, there is much confusion surrounding how cloud is both similar to
existing models of computing and how these similarities and differences impact the organizational
technological approaches to network and information security practices. There is a thin line betwee
computing and cloud computing. However, cloud computing will impact the organizational, operati
approaches to data security, network security, and information security good practice.

NIST defines cloud computing by describing five essential characteristics, three cloud service mode
deployment models.
Five Essential Characteristics
1) Broad network access 2) Rapid elasticity 3) Measured service 4) On-demand self-service 5) Resource pooling
Three Service Models
IaaS , PaaS , SaaS
Four Deployment Models
Public , Private , Hybrid , Community
Cloud providers security controls must be assessed at multiple layers:
Facilities (physical security)
Network infrastructure (network security)
IT systems (system security)
Information and applications (application security)
People (for example, separation of duties between development and
production)
Process (for example, change management and incident response)

First ever baseline control framework specifically designed for Cloud supply chain risk managem
16 control areas, 133 controls
Controls mapped to 32 other security standards, regulations, and controls frameworks including I
ISACA COBIT, FedRAMP, NERC CIP, NIST SP800-53, 95/46/EC, HIPAA, PCI DSS

NIST SP 800-53 Rev. 4 Security and Privacy Controls for Federal Information Systems and Organizat
NIST SP 800-161 (Draft) Supply Chain Risk Management Practices for Federal Information Systems

SSAE-16 SOC 2 Report


Reports on the design (Type I) and operating effectiveness (Type II) of a service organizations co
security, availability, processing integrity, confidentiality, and privacy of a system

CSA STAR (Security, Trust & Assurance Registry)


Goal is to improve transparency and assurance in the cloud
Searchable, publicly accessible registry to allow cloud customers to review the security practices
accelerating their due diligence and leading to higher quality procurement experiences
Helps customers to assess the security of Cloud Providers
Based on a multilayered structure defined by Open Certification Framework Working Group
CSA STAR Self-Assessment - Voluntary
- Based on:
Cloud Control Matrix
Consensus Assessments Initiative Questionnaire
CSA STAR Certification (Level 2 - TPA) Rigorous third party independent assessment of a cloud providers security
Measures cloud providers capability levels
No formal approach
Reactive approach
Proactive approach
Improvement based approach
Optimising approach
Leverages the requirements of:
ISO 27001:2013
CSA Cloud Control Matrix
Ensures the scope, processes and objectives are fit for purpose

CSA STAR Attestation (Level 2) Provides a framework for performing assessments of cloud service providers using SOC 2 engage
criteria in the CSA Cloud Control Matrix
Typically, Cloud Providers acquire a CSA Attestation, 27001 certification, and SOC 2 Type II certifi
since so many of the criteria are common between the three

CSA CAI Questionnaire - Consensus Assessments Initiative Questionnaire (the basis of the Level 1 STAR Self-Assessment, not a separate level; Level 3 of the Open Certification Framework is continuous monitoring)


Provides a set of questions a cloud consumer can ask of a cloud provider about their security con
Questions can be tailored to suit each unique cloud consumers evidentiary requirements
Questions mapped to the compliance requirements in Cloud Control Matrix

PII and Personal Information


PII (Personally Identifiable Information)
Information that can identify an individual (name, date of birth, etc.)
Personal information
Information that does not directly identify an individual, but is deemed sensitive by social mores (e.g.
shopping habits)

Privacy vs Security
Privacy governs how PII should be used, shared, and retained
Security restricts access to the sensitive data and protects confidentiality/integrity during collect
transmission
FTC Consent Decrees
Designate individuals to be accountable for the information security program
Identify risks to personal information
Design, implement and test reasonable safeguards to control risk

EU Data Protection Directive (95/46/EC)

(Superseded in May 2018 by the General Data Protection Regulation, Regulation (EU) 2016/679, which keeps the controller/processor model and the restriction on transfers outside the EEA described below.)
Data controller (cloud customer) must implement appropriate technical and organizational mea
data against "... all unlawful forms of processing"
Processing of data by a data processor (cloud provider) must be governed by a contract or legal
processor to the controller
Cross-border data transfer out of the EEA prohibited unless the third country in question ensures
protection

US/EU Safe Harbor

(Invalidated by the Court of Justice of the EU in October 2015 (Schrems); its successor, Privacy Shield, was invalidated in July 2020 (Schrems II). Transfers now rely on other mechanisms such as standard contractual clauses.)
Allows US companies to register their certification that they meet the EU Data Protection require
Take reasonable precautions to protect personal information
Onward Transfer Principle

PIPEDA Principles for the Protection of Personal Data (Canada)


An organization is responsible for personal information in its possession or control, including info
transferred to a third party (cloud provider) for processing

NIST SP800-53 Rev. 4 Appendix J Privacy Control Catalog


ISO/IEC 27018 Information technology -- Security techniques -- Code of practice for PII protection
as PII processors
HIPAA Health Insurance Portability and Accountability Act
PCI DSS Payment Card Industry Data Security Standard

Cloud Provider should have a strong Privacy Policy that specifies the following for personal inform
Collection
Usage
Storage
Release
Retention
Deletion
Cloud Provider should provide Privacy Notice to Cloud Consumer upon demand

IEC 62443-3-3 Requirement


SR 5.1 Network Segmentation
The network with access to the Cloud Providers application should be logically or physically segme
control system network
SR 5.2 Zone boundary protection
Access to the Cloud Providers application must take place via a zone and conduit designed for this
SR 5.2 Zone boundary protection
The Cloud Providers security and access controls must fulfill the requirements of the asset owners
security policy designed to meet the target Security Level

IEC 62443-3-3 Requirement


SR 3.1 Communication integrity & SR 4.1 Information confidentiality
The confidentiality and integrity of all network communication between the asset owners system a
system must be protected via cryptographic means
SR 3.4 Software and information integrity & SR 4.1 Information confidentiality
The confidentiality and integrity of data at rest must be protected by the Cloud Provider using stron
cryptographic controls

Control Group & Consensus Assessment Question(s)


* Interoperability & Portability (Standardized Network Protocols)
- Can data import, data export and service management be conducted over secure (e.g., non-clear
industry accepted standardized network protocols?
- Do you provide consumers (tenants) with documentation detailing the relevant interoperability an
protocol standards that are involved?
* Application & Interface Security (Data Integrity)
- Are data input and output integrity routines (i.e., reconciliation and edit checks) implemented for
and databases to prevent manual or systematic processing errors or corruption of data?

Multi-Tenancy Resources and services used by multiple cloud consumers are physically collocated, but logically se
data from multiple cloud consumers are stored in the same database, or on the same server, and s
data logically separated

Typical cloud guidance


Cloud Consumer (tenant) generates encryption key, encrypts and decrypts data en-route to/from
Provider
Cloud SaaS encryption hurdles
SaaS is not just storage need to validate, estimate, aggregate, search, sort, and analyze
Cloud Consumer (tenant) should control their own encryption keys
Encryption keys should never be stored alongside the encrypted data
Extremely important to manage encryption keys securely
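The key-handling pattern behind the guidance above (tenant generates and controls the keys, keys never stored beside the ciphertext), as an added example that is not code from the page or from any provider: envelope encryption where each object gets a fresh data key, the data key is wrapped by a key-encryption key that lives only in a tenant-side key store, and the provider stores nothing but ciphertext and the wrapped key. The standard library has no AES, so the cipher below is an HMAC-SHA256 counter-mode keystream with a separate HMAC tag (encrypt-then-MAC), a stand-in for AES-GCM; the class and object names are assumptions for the example.

```python
"""Tenant-controlled envelope encryption for data held at a cloud provider.

Added example, not from the original page. Stand-in AEAD: HMAC-SHA256 keystream for
confidentiality plus an HMAC-SHA256 tag over (aad || nonce || ciphertext); production
code should use AES-GCM (e.g. from the `cryptography` package). The point is where
the keys live: the KEK never reaches the provider, so its store holds only ciphertext.
"""
import hashlib
import hmac
import os
import struct

NONCE_LEN, TAG_LEN = 16, 32


def _subkey(key: bytes, label: bytes) -> bytes:
    """Derive independent encryption and MAC keys from one key."""
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">Q", counter), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def aead_encrypt(key: bytes, plaintext: bytes, aad: bytes = b"") -> bytes:
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(_subkey(key, b"enc"), nonce, len(plaintext))))
    tag = hmac.new(_subkey(key, b"mac"), aad + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def aead_decrypt(key: bytes, blob: bytes, aad: bytes = b"") -> bytes:
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("ciphertext too short")
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(_subkey(key, b"mac"), aad + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):  # verify before touching the plaintext
        raise ValueError("integrity check failed")
    return bytes(c ^ k for c, k in zip(ct, _keystream(_subkey(key, b"enc"), nonce, len(ct))))


class TenantKeyStore:
    """Holds the tenant's key-encryption key; lives on the tenant side or in a tenant-trusted KMS."""

    def __init__(self):
        self._kek = os.urandom(32)

    def wrap(self, dek: bytes) -> bytes:
        return aead_encrypt(self._kek, dek, aad=b"dek")

    def unwrap(self, wrapped: bytes) -> bytes:
        return aead_decrypt(self._kek, wrapped, aad=b"dek")


class ProviderStore:
    """What the provider persists per object: ciphertext plus the wrapped DEK, never the KEK."""

    def __init__(self):
        self.objects = {}

    def put(self, obj_id: str, ciphertext: bytes, wrapped_dek: bytes) -> None:
        self.objects[obj_id] = (ciphertext, wrapped_dek)

    def get(self, obj_id: str):
        return self.objects[obj_id]


def upload(tenant_keys: TenantKeyStore, provider: ProviderStore, obj_id: str, plaintext: bytes) -> None:
    dek = os.urandom(32)  # one key per object: losing one DEK exposes one object, not the tenant
    ciphertext = aead_encrypt(dek, plaintext, aad=obj_id.encode())  # bind ciphertext to its object id
    provider.put(obj_id, ciphertext, tenant_keys.wrap(dek))


def download(tenant_keys: TenantKeyStore, provider: ProviderStore, obj_id: str) -> bytes:
    ciphertext, wrapped = provider.get(obj_id)
    return aead_decrypt(tenant_keys.unwrap(wrapped), ciphertext, aad=obj_id.encode())


if __name__ == "__main__":
    tenant, cloud = TenantKeyStore(), ProviderStore()
    upload(tenant, cloud, "invoice-1", b"tenant secret invoice")
    print(download(tenant, cloud, "invoice-1"))
```

Binding the object id as associated data means a provider-side insider who copies one tenant's ciphertext under another object name, or who tries a different tenant's wrapped key, gets an integrity failure instead of data; the same structure applies when the data key is wrapped by a KMS the tenant controls rather than by local code.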

Control Group & Consensus Assessment Question(s)


* Audit Assurance & Compliance (Information System Regulatory Mapping )
- Do you have the ability to logically segment or encrypt customer data such that data may be prod
only, without inadvertently accessing another tenant's data?
-Do you have capability to recover data for a specific customer in the case of a failure or data loss?
* Encryption & Key Management (Encryption)
- Do you encrypt tenant data at rest (on disk/storage) within your environment?
- Do you support tenant-generated encryption keys or permit tenants to encrypt data to an identity
public key certificate (e.g. identity-based encryption)?
-Do you have documentation establishing and defining your encryption management policies, proc

Control Group & Consensus Assessment Question(s)


* Encryption & Key Management (Storage and Access)
- Are your encryption keys maintained by the cloud consumer or a trusted key management provid
-Do you store encryption keys in the cloud? Do you have separate key management and key usage
* Supply Chain Management, Transparency and Accountability (Data Quality and Integrity)
-Do you inspect and account for data quality errors and associated risks, and work with your cloud
correct them?
-Do you design and implement controls to mitigate and contain data security risks through proper s
role-based access, and least-privileged access for all personnel within your supply chain?

IEC 62443-3-3 Requirement


SR 1.3 Account management
Ideally the asset owner should manage accounts centrally and the cloud provider should federate a
identity store, or the cloud provider can provide an application account store
SR 1.5 Authenticator management & SR 1.7 Strength of password-based authentication & SR 1
attempts
The asset owner must be able to customize account and password policies when managing accoun
Providers application account store

Control Group & Consensus Assessment Question(s)


* Identity & Access Management (User ID Credentials)
- Do you support use of, or integration with, existing customer-based Single Sign On (SSO) solution
- Do you use open standards to delegate authentication capabilities to your tenants?
- Do you support identity federation standards (SAML, SPML, WS-Federation, etc.) as a means of au
users?
- Do you provide tenants with strong (multifactor) authentication options (digital certs, tokens, biom
access?
- Do you allow tenants to use third-party identity assurance services?
- Do you support the ability to force password changes upon first logon?
- Do you support password (minimum length, age, history, complexity) and account lockout (lockou
duration) policy enforcement?
- Do you allow tenants/customers to define password and account lockout policies for their account
- Do you have mechanisms in place for unlocking accounts that have been locked out (e.g., self-ser
challenge questions, manual unlock)?

IEC 62443-3-3 Requirement


SR 6.2 Continuous monitoring
The Cloud Provider must continuously monitor their system and use common security industry prac
for example) to detect and respond to security breaches in a timely manner
SR 6.1 Audit log accessibility
The Cloud Provider must provide the capability for an asset owner to access tenant-specific audit lo
SR 2.8 Auditable events
It should be possible to export tenant-specific audit logs from the Cloud Provider into a centrally m
asset owner's system where they can be further analyzed by standard log analysis tools such as a

Control Group & Consensus Assessment Question(s)


* Security Incident Management, E-Discovery & Cloud Forensics (Incident Management)
- Do you have a documented security incident response plan? Do you integrate customized tenant
security incident response plans?
- Do you publish a roles and responsibilities document specifying what you vs. your tenants are res
security incidents?
- Have you tested your security incident response plans in the last year?
* Security Incident Management, E-Discovery & Cloud Forensics (Incident Reporting)
- Does your security information and event management (SIEM) system merge data sources (app lo
logs, physical access logs, etc.) for granular analysis and alerting?
- Does your logging and monitoring framework allow isolation of an incident to specific tenants?
* Security Incident Management, E-Discovery & Cloud Forensics (Incident Response Legal Preparat
- Does your incident response plan comply with industry standards for legally admissible chain-of-c
processes and controls?
- Does your incident response capability include the use of legally admissible forensic data collectio
techniques?
- Are you capable of supporting litigation holds (freeze of data from a specific point in time) for a sp
freezing other tenant data?
- Do you enforce and attest to tenant data separation when producing data in response to legal sub
- Do you provide the capability for a customer (tenant) to access their audit logs via a visual or pro
- Do you provide the capability for a customer (tenant) to export their audit logs in an industry stan
the logs may be analyzed by the customer's organization using industry standard log analysis tool

Control Group & Consensus Assessment Question(s)


* Audit Assurance & Compliance (Information System Regulatory Mapping)
- Do you have the capability to restrict the storage of customer data to specific countries or geogra
* Data Security & Information Lifecycle Management (Data Inventory / Flows)
- Can you ensure that data does not migrate beyond a defined geographical residency?
* Datacenter Security (Secure Area Authorization)
- Do you allow tenants to specify which of your geographic locations their data is allowed to move
legal jurisdictional considerations based on where data is stored vs. accessed)?
Cloud Providers that are not certified can be assessed using the Consensus Assessments Initiative

Topic Title

Implementation Area

Ref

Abbreviations

Nil

D:\MyKnowledge Folders\ISMS\Cloud Security\1. Cloud security - The basics #.docx

Terminology

Training

D:\MyKnowledge Folders\ISMS\Cloud Security\1. Cloud security - The basics #.docx

Terminology

Training

D:\MyKnowledge Folders\ISMS\Cloud Security\1. Cloud security - The basics #.docx

Terminology

Training

D:\MyKnowledge Folders\ISMS\Cloud Security\1. Cloud security - The basics #.docx

Legal Requirement

Customer Acquisition Process

D:\MyKnowledge Folders\ISMS\Cloud Security\2.5 problems with SaaS security.docx

Third-party assurance options

Gain Credibility

D:\MyKnowledge Folders\ISMS\Cloud Security\2.5 problems with SaaS security.docx

Terminology

Training

D:\MyKnowledge Folders\ISMS\Cloud Security\3.2012_Practical_Guide_to_Cloud_SLAs.pdf

Agreement Templates

SLA Finalization

D:\MyKnowledge Folders\ISMS\Cloud Security\3.2012_Practical_Guide_to_Cloud_SLAs.pdf

Terminology

Training

D:\MyKnowledge Folders\ISMS\Cloud Security\3.2012_Practical_Guide_to_Cloud_SLAs.pdf

Performance Metrics for SLA

SLA Finalization

D:\MyKnowledge Folders\ISMS\Cloud Security\3.2012_Practical_Guide_to_Cloud_SLAs.pdf

Third-party assurance options

Gain Credibility

D:\MyKnowledge Folders\ISMS\Cloud Security\4.BDOTech-5-10Special.pdf

Third-party assurance options

Gain Credibility

D:\MyKnowledge Folders\ISMS\Cloud Security\4.BDOTech-5-10Special.pdf

Third-party assurance options

Gain Credibility

D:\MyKnowledge Folders\ISMS\Cloud Security\4.BDOTech-5-10Special.pdf

Abbreviations

Nil

Standards Available
Recommended NIST Resources

Gain Credibility
Knowledge

Accountability for different IT service matters

Knowledge

Framework

Knowledge

Terminology

Knowledge

Terminology

Knowledge

Terminology

Knowledge

Security Consideration

High Level Division of

ISMS Domain

Definition

Definition

Knowledge

Glossary Terms

D:\MyKnowledge Folders\ISMS\SaaS Security Control\Securing SaaS Applications [A Cloud Security Perspective for Application Providers] By Pradnyesh Rane #.docx

SaaS Stack Layer-wise Macro View of Security

Security Focus Areas
Requirement

D:\MyKnowledge Folders\ISMS\SaaS Security Control\Securing SaaS Applications [A Cloud Security Perspective for Application Providers] By Pradnyesh Rane #.docx

SaaS Deployment Model

D:\MyKnowledge Folders\ISMS\SaaS Security Control\Securing SaaS Applications [A Cloud Security Perspective for Application Providers] By Pradnyesh Rane #.docx

Fundamental

Data Security

Access Control

Data Storage

Network Security

Fundamental

D:\MyKnowledge Folders\ISMS\SaaS Security Control\Securing SaaS Applications [A Cloud Security Perspective for Application Providers] By Pradnyesh Rane #.docx

Vendor's Access Control to application

D:\MyKnowledge Folders\ISMS\SaaS Security Control\Securing SaaS Applications [A Cloud Security Perspective for Application Providers] By Pradnyesh Rane #.docx

Encryption of data by customer

D:\MyKnowledge Folders\ISMS\SaaS Security Control\Securing SaaS Applications [A Cloud Security Perspective for Application Providers] By Pradnyesh Rane #.docx

Network Operation

D:\MyKnowledge Folders\ISMS\SaaS Security Control\Securing SaaS Applications [A Cloud Security Perspective for Application Providers] By Pradnyesh Rane #.docx

Regulatory Compliance
Fundamental

D:\MyKnowledge Folders\ISMS\SaaS Security Control\Securing SaaS Applications [A Cloud Security Perspective for Application Providers] By Pradnyesh Rane #.docx

Data Segregation

Fundamental

D:\MyKnowledge Folders\ISMS\SaaS Security Control\Securing SaaS Applications [A Cloud Security Perspective for Application Providers] By Pradnyesh Rane #.docx

Fundamental

D:\MyKnowledge Folders\ISMS\SaaS Security Control\Securing SaaS Applications [A Cloud Security Perspective for Application Providers] By Pradnyesh Rane #.docx

Fundamental

D:\MyKnowledge Folders\ISMS\SaaS Security Control\Securing SaaS Applications [A Cloud Security Perspective for Application Providers] By Pradnyesh Rane #.docx

Fundamental

D:\MyKnowledge Folders\ISMS\SaaS Security Control\Securing SaaS Applications [A Cloud Security Perspective for Application Providers] By Pradnyesh Rane #.docx

Data Segregation

Availability

BC-DR

D-DoS

Data Backup

Identity Management [IdM] and Sign-on Process

Identity Management [IdM] and Sign-on Process

Identity Management [IdM] and Sign-on Process

Fundamental

D:\MyKnowledge Folders\ISMS\SaaS Security Control\Securing SaaS Applications [A Cloud Security Perspective for Application Providers] By Pradnyesh Rane #.docx

Fundamental

D:\MyKnowledge Folders\ISMS\SaaS Security Control\Securing SaaS Applications [A Cloud Security Perspective for Application Providers] By Pradnyesh Rane #.docx

Fundamental

D:\MyKnowledge Folders\ISMS\SaaS Security Control\Securing SaaS Applications [A Cloud Security Perspective for Application Providers] By Pradnyesh Rane #.docx

Fundamental

D:\MyKnowledge Folders\ISMS\SaaS Security Control\Securing SaaS Applications [A Cloud Security Perspective for Application Providers] By Pradnyesh Rane #.docx

Fundamental

D:\MyKnowledge Folders\ISMS\SaaS Security Control\Securing SaaS Applications [A Cloud Security Perspective for Application Providers] By Pradnyesh Rane #.docx

Fundamental

D:\MyKnowledge Folders\ISMS\SaaS Security Control\Securing SaaS Applications [A Cloud Security Perspective for Application Providers] By Pradnyesh Rane #.docx

Fundamental

D:\MyKnowledge Folders\ISMS\SaaS Security Control\Securing SaaS Applications [A Cloud Security Perspective for Application Providers] By Pradnyesh Rane #.docx

Fundamental

D:\MyKnowledge Folders\ISMS\SaaS Security Control\Securing SaaS Applications [A Cloud Security Perspective for Application Providers] By Pradnyesh Rane #.docx

Fundamental

D:\MyKnowledge Folders\ISMS\SaaS Security Control\Securing SaaS Applications [A Cloud Security Perspective for Application Providers] By Pradnyesh Rane #.docx

Governance and Regulatory Compliance Audits
Fundamental

D:\MyKnowledge Folders\ISMS\SaaS Security Control\Securing SaaS Applications [A Cloud Security Perspective for Application Providers] By Pradnyesh Rane #.docx

Third-Party SaaS Security Assessment

D:\MyKnowledge Folders\ISMS\SaaS Security Control\Securing SaaS Applications [A Cloud Security Perspective for Application Providers] By Pradnyesh Rane #.docx

Identity Management [IdM] and Sign-on Process

Securing SaaS Applications

Secure Product Engineering

Secure Deployment

Fundamental

Third-Party SaaS Security Assessment

Data Security

Network Security

Data Segregation

Availability

Backup

Identity Management and Sign-on Process

Fundamental

D:\MyKnowledge Folders\ISMS\SaaS Security Control\Securing SaaS Applications [A Cloud Security Perspective for Application Providers] By Pradnyesh Rane #.docx

Fundamental

D:\MyKnowledge Folders\ISMS\SaaS Security Control\Securing SaaS Applications [A Cloud Security Perspective for Application Providers] By Pradnyesh Rane #.docx

Fundamental

D:\MyKnowledge Folders\ISMS\SaaS Security Control\Securing SaaS Applications [A Cloud Security Perspective for Application Providers] By Pradnyesh Rane #.docx

Fundamental

D:\MyKnowledge Folders\ISMS\SaaS Security Control\Securing SaaS Applications [A Cloud Security Perspective for Application Providers] By Pradnyesh Rane #.docx

Fundamental

D:\MyKnowledge Folders\ISMS\SaaS Security Control\Securing SaaS Applications [A Cloud Security Perspective for Application Providers] By Pradnyesh Rane #.docx

Fundamental

D:\MyKnowledge Folders\ISMS\SaaS Security Control\Securing SaaS Applications [A Cloud Security Perspective for Application Providers] By Pradnyesh Rane #.docx

Fundamental

D:\MyKnowledge Folders\ISMS\SaaS Security Control\Securing SaaS Applications [A Cloud Security Perspective for Application Providers] By Pradnyesh Rane #.docx

Fundamental

D:\MyKnowledge Folders\ISMS\SaaS Security Control\Securing SaaS Applications [A Cloud Security Perspective for Application Providers] By Pradnyesh Rane #.docx

Fundamental

D:\MyKnowledge Folders\ISMS\SaaS Security Control\Securing SaaS Applications [A Cloud Security Perspective for Application Providers] By Pradnyesh Rane #.docx

What is Cloud Computing

CLOUD COMPUTING ARCHITECTURAL FRAMEWORK

D:\MyKnowledge Folders\ISMS\SaaS Security Control\CSA Security Guidance for Critical Areas of Focus in Cloud Computing V3.0 #.pdf

Similarities and Differences Between conventional computing and cloud computing

CLOUD COMPUTING ARCHITECTURAL FRAMEWORK

Network Vulnerability Assessment
SaaS Deployment Model

Network Vulnerability Assessment
Availability

What Comprises Cloud Computing?
CLOUD COMPUTING ARCHITECTURAL FRAMEWORK

Cloud Security Layers

Security Control

D:\MyKnowledge Folders\ISMS\SaaS Security Control\Assessing the Security of Cloud SaaS Solutions #.pdf

CSA Cloud Controls Matrix

Cloud Certification

NIST Cloud Security Documents

Security Control

SSAE-16 SOC 2 Report
Cloud Certification

CSA STAR (Security, Trust & Assurance Registry)

Cloud Certification

CSA STAR (Security, Trust & Assurance Registry)

Cloud Certification

CSA STAR (Security, Trust & Assurance Registry)

Cloud Certification

CSA STAR (Security, Trust & Assurance Registry)

Cloud Certification

CSA STAR (Security, Trust & Assurance Registry)

Cloud Certification

PII and Personal Information

Security Control

Privacy vs Security

Security Control

Privacy Standards and Regulations
Security Control

Privacy Standards and Regulations
Security Control

Privacy Standards and Regulations
Security Control

Privacy Standards and Regulations
Security Control

Privacy Standards and Regulations
Security Control

Privacy Policy

Cloud Security Layers

Network Segmentation and Zoning
Cloud Security Layers

Data Integrity and Confidentiality

Cloud Security Layers

Data Integrity and Confidentiality

Cloud Security Layers

Definitions

Fundamental

Encrypting Data At Rest

Data At Rest

Data Integrity and Confidentiality

Cloud Security Layers

Data Integrity and Confidentiality

Cloud Security Layers

Identity and Account Management

Cloud Security Layers

Identity and Account Management

Cloud Security Layers

Auditing and Monitoring

Cloud Security Layers

Auditing and Monitoring

Cloud Security Layers

Legal Compliance

Cloud Security Layers

TRUST

Cloud Certification

Page No

Remarks

Symantec, which has data centers in 14 countries, does offer an in-country guarantee, according to Trollope.

The use of the term broker varies significantly and should be clarified with the various stakeholders,
especially in the context of a cloud SLA. An entity may provide broker services and functionality, but as a legal
organizational entity not be recognized as a cloud broker. For example, an entity may perform research and
negotiate on behalf of a consumer, but the actual SLA and contract terms are between the cloud consumer
and cloud provider. The distinction of acting broker-like vs. being an actual broker will evolve as the
cloud computing industry matures and terminologies become more consistent. Due to these complexities,
this paper does not address all the SLA considerations for cloud brokering.

In the case of Amazon Web Services [AWS], the network layer provides significant protection against traditional
network security issues, such as MITM attacks, IP spoofing, port scanning, packet sniffing, etc. For maximum
security, Amazon S3 is accessible via SSL encrypted endpoints. The encrypted endpoints are accessible
from both the Internet and from within Amazon EC2, ensuring that data is transferred securely both within
AWS and to and from sources outside of AWS.

The SaaS deployment needs to be periodically assessed for conformance to regulatory and industry
standards. The SAS 70 standard includes operating procedures for physical and perimeter security of data
centers and service providers. Access, storage, and processing of sensitive data needs to be carefully
controlled and is governed under regulations such as ISO-27001, Sarbanes-Oxley Act [SOX], Gramm-Leach-Bliley
Act [GLBA], Health Insurance Portability and Accountability Act [HIPAA] and industry standards like
Payment Card Industry Data Security Standard [PCI-DSS].

In the case of Amazon, the S3 APIs provide both bucket-level and object-level access controls, with defaults
that only permit authenticated access by the bucket and/or object creator.
Write and Delete permission is controlled by an Access Control List (ACL) associated with the bucket.
Permission to modify the bucket's ACL is itself controlled by an ACL, and it defaults to creator-only access.
Therefore, the customer maintains full control over who has access to their data.
Amazon S3 access can be granted based on AWS Account ID, DevPay Product ID, or open to everyone.

3-4

In the case of cloud vendors such as Amazon, the data at rest in S3 is not encrypted by default.
The users need to separately encrypt their data and backups so that it cannot be accessed or tampered
with by unauthorized parties.
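The two S3 points above (creator-only ACL defaults and unencrypted data at rest) can be checked mechanically. The following is an added example, not code from the referenced paper or from AWS: it audits the dictionaries returned by S3's GetBucketAcl and GetBucketEncryption calls for grants to everyone and for missing default encryption; the bucket name, owner id and grants are constructed sample values.

```python
# Added example (not from the referenced paper or from AWS): audits the
# dictionaries that S3's GetBucketAcl and GetBucketEncryption calls return,
# flagging grants to "everyone" and buckets with no default encryption at rest.
# The sample bucket, owner id and grants below are constructed for the example.

# Predefined S3 group grantees (real AWS URIs).
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTHENTICATED_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"

# Permissions that allow changing objects or the ACL itself.
SENSITIVE_PERMISSIONS = {"WRITE", "WRITE_ACP", "FULL_CONTROL"}


def audit_bucket_acl(acl):
    """Return findings for grants wider than the creator-only default."""
    findings = []
    owner_id = acl.get("Owner", {}).get("ID")
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        perm = grant.get("Permission")
        if grantee.get("Type") == "Group":
            uri = grantee.get("URI")
            if uri == ALL_USERS:
                findings.append(f"public grant: {perm} to everyone (AllUsers)")
            elif uri == AUTHENTICATED_USERS:
                findings.append(f"grant: {perm} to any AWS account (AuthenticatedUsers)")
        elif grantee.get("Type") == "CanonicalUser":
            # Another AWS account holding write or ACL-modification rights.
            if grantee.get("ID") != owner_id and perm in SENSITIVE_PERMISSIONS:
                findings.append(f"account {grantee.get('ID')} holds {perm}")
    return findings


def audit_bucket_encryption(config):
    """Return a finding when no SSE is applied by default (config may be None)."""
    if not config:
        return ["no default encryption: data at rest is stored in the clear"]
    for rule in config.get("Rules", []):
        algo = rule.get("ApplyServerSideEncryptionByDefault", {}).get("SSEAlgorithm")
        if algo in ("AES256", "aws:kms"):
            return []
    return ["encryption configuration has no default SSE algorithm"]


def audit_bucket(name, acl, config):
    """Run both checks and return {bucket_name: [findings]}."""
    return {name: audit_bucket_acl(acl) + audit_bucket_encryption(config)}


# Constructed sample: creator has FULL_CONTROL, everyone can READ, no encryption.
SAMPLE_OWNER_ID = "EXAMPLE-OWNER-CANONICAL-ID"
SAMPLE_ACL = {
    "Owner": {"ID": SAMPLE_OWNER_ID},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": SAMPLE_OWNER_ID},
         "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"},
    ],
}
SAMPLE_ENCRYPTION = None

if __name__ == "__main__":
    print(audit_bucket("sample-bucket", SAMPLE_ACL, SAMPLE_ENCRYPTION))
```

Against a live account the same functions take the `Grants`/`Owner` and `ServerSideEncryptionConfiguration` dictionaries that boto3's `get_bucket_acl` and `get_bucket_encryption` return.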

Full with SaaS Vendor

Partially by SaaS Vendor

Full with Client

4-5

Product vendors are always rushing to meet market release deadlines.
Consequently, product security is often given lesser precedence.
This can result in buggy software that is prone to security vulnerabilities.
It is a known fact that leakage of sensitive data due to security exploits can result in heavy financial loss to
enterprises and expose the SaaS vendor to potential liability issues along with lost credibility.

Dedicated cloud providers such as Amazon and Google help facilitate building secure SaaS applications by
providing infrastructure services that aid in ensuring data security, network security, data segregation, etc.
The SaaS applications that are deployed on these public clouds should ensure that they harden their
application security settings to conform to the best practices recommended by the public cloud vendor.

5-6

Any vulnerability detected during these tests can be exploited to gain access to sensitive enterprise data
and lead to a financial loss.

Any vulnerability detected during these tests can be exploited to hijack active sessions, gain access to user
credentials and sensitive data.

Any vulnerability detected during these tests can be exploited to gain access to sensitive enterprise data of
other tenants.

Many applications provide safeguards to automatically lock user accounts after successive incorrect
credentials. However, incorrect configuration and implementation of such features can be used by malicious
users to mount denial of service attacks.

Any vulnerability detected during these tests can be exploited to gain access to sensitive enterprise data
stored in backups.

Any vulnerability detected during these tests can be exploited to take over user accounts and compromise
sensitive data.

Network VA helps validate the network/host security in the cloud used for deploying the SaaS application in
a self-hosted model.

The above assessment helps test and validate the resilience of the SaaS deployment to denial of service
attacks and helps ensure availability of the service to end users.

13

13

14

10

16

17 - 18

19

22-23

25

27

29

30

31

31

32

32

33

34

36

37

38

39

40

41

42

43

44 - 45

46

47 - 49

50

51

Value: Importance factor

- Irrelevant if service is hosted on-premise or cloud
1 Minimal importance (most part moved to SLA)
2 Partial importance
3 Important
4 High importance (almost always)
5 Highest importance (important for each company / IS)
