Robin Vermeirsch Securing SaaS applications
Apr 15, 2017
Who is using SaaS applications today?
Who knows what users are doing in the cloud?
Lack of visibility
Compliance
Threat prevention
Data security
Security in the SaaS world
• Security policies/requirements are developed for on-premises solutions.
• In many cases SaaS applications are initiated by the business.
• SaaS providers implement ‘some’ security, but does it fit my needs?
• Limited control/visibility over what users are doing in the cloud.
• No visibility over anomalies across different applications.
Security in the SaaS world
• SHOWSTOPPER: Does not meet requirements
• COMPENSATED: Requirements met by adding control
• ACCEPTABLE: Requirements met by SaaS provider
Change architecture
Adjustment expectations
Src: http://www.gartner.com/webinar/3100619
Evolution in security
Transport
• IP Firewalling
• Segmentation
Protocol inspection
• Proxies
• Deep inspection
Application Protection
• MDM
• Web Application Firewalls
Data Centric Audit & Protection (DCAP)
• CASB
• SPSM
• CDPG
+ Unmanaged devices
Shadow IT
Company data is spread over multiple providers
How to protect DATA?
Note trend of ABAC in DEV
What do we need?
But how?
CASB (Gartner)
• on-premises, or cloud-based security policy enforcement points
• placed between cloud service consumers and cloud service providers
• to combine and interject enterprise security policies as the cloud-based resources are accessed.
• consolidate multiple types of security policy enforcement.
http://www.gartner.com/it-glossary/cloud-access-security-brokers-casbs
Options to add security
SaaS
IaaS / PaaS
SPSM: SaaS Platform Security Management
CASB: Cloud Access Security Brokers
CDPG: Cloud Data Protection Gateway
Encryption
Tokenization
Masking
User activity monitoring
Data discovery
DLP
Remediation
Usage discovery
User activity monitoring
DLP (passive and active)
User activity blocking (real time)
Data discovery
SSO
Vendors: http://www.gartner.com/webinar/3100619
REALTIME RETROACTIVE
Architecture Options
• Using forward proxies
• Integration with existing proxies
• Placing reverse proxies
• Using endpoint agents
+ IDaaS/MDM/Log integrations
[Diagram labels: Hackers/unknown endpoints; Approved Endpoint; Unknown SaaS; Approved SaaS; Reverse Proxy; Forward Proxy; Control Access & Actions; Existing Proxy; Block Actions]
Architecture Solutions
• CASB (Cloud Access Security Brokers)
  • Forward Proxy
  • Reverse Proxy
  • API Integration
• CDPG (Cloud Data Prot. GW)
  • Forward Proxy
  • Reverse Proxy
• SPSM (SaaS Platform Mgmt)
  • API integration
[Diagram labels: Hackers/unknown endpoints; Approved Endpoint; Unknown SaaS; Approved SaaS; Reverse Proxy; Forward Proxy; Control Access & Actions; Existing Proxy; Block Actions; CASB; SPSM; CDPG]
Where should you look at?
Impact on functionality & operational risk
Src: http://www.gartner.com/webinar/3100619
Implementation strategy
Src: http://www.gartner.com/webinar/3100619
Start small and add functionality
Benefits implementing CASB
Call to action
• Detect shadow IT today (= High Risk)
• Start controlling access to SaaS applications
• Get visibility over user activity in SaaS applications
• Protect your company data in SaaS applications
Xylos Cloud Services
PaaS: Debunking myths on data & analytics in the cloud
Tim Jacobs – 25 Feb 2016
Agenda
• PaaS?
• Myth #1
• Myth #2
• Myth #3
• Conclusions
PaaS?
• Provides a platform for:
  • Development (cloud native apps)
  • Content distribution (media / CDN)
  • Internet of Things
  • Automation
  • Data processing & analytics
Data and data analytics?
[Figure labels: Prescriptive analytics; Predictive Analytics; Diagnostic Analysis; Descriptive Analytics; Data Collection; Big Data; IoT. Axis: Increase in value of data]
Hypes linked together
[Figure labels: Analytics; IoT; Big Data]
Debunking myths on data & analytics in the cloud
• Myth #1 – Predictive analytics & big data are just BI on steroids
• Myth #2 – All my data needs to go to the cloud! Y0u f00lz cr4zy?
• Myth #3 – You need to hold 3 PhDs to do predictive analytics
Myth Debunking Flowchart
[Flowchart nodes: Myth confirmed?; Is it plausible?; Blow everything up. Branches: Yes / No]
Agenda
• PaaS?
• Myth #1: “Predictive analytics & big data are just BI on steroids”
• Myth #2
• Myth #3
• Conclusions
New in the data landscape…
1. “Big” data
2. “Artificial Intelligence” & learning from data
3. Fast & ubiquitous network connectivity
Evolution of data
(R)Evolution in data, the questions & tooling
[Figure: Value plotted against Degree of intelligence, with ranges labelled Descriptive Analytics and Predictive Analytics]
• Standard reports: What happened?
• Ad-hoc reports: How many? How often? Where?
• Query & drilldown: Where exactly is the problem?
• Alerts: What actions are needed?
• Statistical analysis: Why is this happening?
• Forecasting/extrapolation: What if these trends continue?
• Predictive modeling: What will happen next?
• Optimization: What is the best that can happen?
Traditional BI questions: ETL tools, SQL & variants. Big data, or not.
New type of questions: new tooling, ELT, machine learning, …
[Figure labels: Big Data; Traditional BI; Predictive Analytics]
• BI and Predictive Analytics worlds are converging:
  • BI platform extensions to Big Data-esque & Advanced Analytics-y operations
  • Big Data tooling gets SQL-like interfaces: Drill, Impala, Hive, SparkSQL, HAWQ, Presto, Vortex, …
  • Big Data tooling can do descriptive and predictive analytics: MLLib, H2O, Oryx, Mahout, SAMOA, FlinkML, …
(R)Evolution & convolution
Agenda
• PaaS?
• Myth #1
• Myth #2: “All my data needs to go to the cloud! Y0u f00lz cr4zy?”
• Myth #3
• Conclusions
On-premises or cloud?
• Advantages of cloud:
  • Start fast & fail fast
  • Easy consumption of created data models
  • Democratic in pricing & availability of algorithms
• Attention points for cloud (mostly exceptions!):
  • Data privacy: legislation ↔ provider
  • Data volume & velocity: bandwidth
Getting data to the cloud
• Transfer existing data:
  • “Just upload the CSV”
  • Azure Data Factory (SQL, Oracle, DB2, MySQL, Sybase, PostgreSQL, ODBC, HDFS, …)
• Capture event/streaming data:
  • Event Hub / IoT Hub
[Diagram labels: Scheduling / transformation; Event Hub; Stream A.; Azure Data Factory; Blob Storage; Data Lake; Data Warehouse; Data Base; Direct; Data Mgmt Gateway; File; Data Base; Data Warehouse; IoT; © The Cloud ®™]
Conclusion
• Compliant solutions available through provider
• Subsetting & anonymization easily possible with data transfer tools
Agenda
• PaaS?
• Myth #1
• Myth #2
• Myth #3: “You need to hold 3 PhDs to do advanced analytics”
• Conclusions
Predictive Analytics
• Azure ML Studio has a low learning curve
  • Modular, drag & drop
  • Pre-built machine learning algorithms with meaningful default settings
• Use case: very easy to publish a “predictive engine” for your own applications
• Do you need expert knowledge?
  • Is the out-of-the-box 70% accuracy sufficient?
  • Or do you need 95% prediction accuracy?
Example: predicting Belgian house prices
| Model | Features | Prediction accuracy |
|---|---|---|
| Linear 1 | Just based on m2 living area | 48,40% |
| Linear 2 | m2 living area & postal code | 69,43% |
| Linear 3 | m2 living area, postal code, # bedrooms, house type | 70,36% |
| Decision Tree 1 | m2 living area, postal code, # bedrooms, house type | 70,41% |
| Linear 4 | Linear in: postal code, # bedrooms, house type; 3rd power in: m2 living area | 71,17% |
Agenda
• PaaS?
• Myth #1
• Myth #2
• Myth #3
• Conclusions
Conclusions
• Three valid use cases for data in the cloud:
  • Reporting & analytics on big data sets, with new types of intelligence
  • Storing and synchronizing (subsets of) your data in the cloud
  • Adding intelligence to existing applications you develop
• Advantages of cloud:
  • Easy to start, quick to get to results, fast decommissioning once completed
  • Democratizing of tools & algorithms lowers starting threshold
• Xylos can help with:
  • advanced expertise (data scientists)
  • data collection & storage expertise
  • data consumption / visualization expertise