SESSION ID: CSV-R09
Untangling SaaS Security in the Enterprise

Rehman Khan, Director, Cloud & Data Security, TD Ameritrade
https://www.linkedin.com/in/rehmankhan/  @cryptorak
Brajesh Moni, Sr. Security Consultant, Cloud & Data Security, TD Ameritrade
https://www.linkedin.com/in/brajeshmoni/

#RSAC

Public Cloud Security Threats (slide 2)

Public Cloud Business Drivers (slide 3)
- Disrupt legacy competitors using the public cloud's economy of scale
- Rapid business pace and agility driven by competition
- Acquisitions continue to pressure markets that demand agility
- Aspirations for social integration, digital innovation, agility and scale
- Access to information anywhere, from any device, by authorized users
- Developers wanting to experiment with IoT, AI, analytics and APIs
- Innovation focus to transform the business and technology footprint

Enterprise SaaS Expansion (slide 4)
Source: https://www.gartner.com/en/newsroom/press-releases/2019-11-13-gartner-forecasts-worldwide-public-cloud-revenue-to-grow-17-percent-in-2020

What is the SaaS Security Problem?

Public Cloud Security Program (slide 6)

Data Security Is Key!
Cloud Security SaaS Engagement Model
Communicate proactively:
- Vendor management: build a relationship with the vendor assessment and procurement teams.
- Cloud security: introduce a cloud security assessment questionnaire for SaaS vendors, based on cloud security standards.
- Business engagement: identify and build trust relationships with innovation teams and business areas that are experimenting with SaaS applications.
- Monthly cloud security tech talks
- Cloud security immersion day
- Create collaborative channels for innovators and developers

Cloud Risk Management Process

Foundational Cloud Security Controls (slide 11)

Foundational Cloud Security Controls - IAM (slide 12)
Identity & Access Management:
- Standardized provisioning, without custom connectors
- AuthN: SSO, SAML, OpenID
- AuthZ: OAuth 2.0

Foundational Cloud Security Controls - Data Protection (slide 13)
- Proxy encryption

Data Integration Secure Patterns (slide 14)
- Pattern 1: File transfer from SaaS to external vendor
- Pattern 2: File transfer from SaaS to on-premise
- Pattern 3: API calls from SaaS to external vendor
- Pattern 4: API calls from on-premise to SaaS
- Pattern 5: API calls from external vendor to SaaS

Foundational Cloud Security Controls - App Security (slide 15)
Application security requirements:
- Secure handling of access tokens
- Storage of sensitive information
- Secure REST API implementation
- API access rate / traffic management implementation
- Session management
Risks:
- Access token misuse
- Insecure transmission
- Third-party insecure apps

Foundational Cloud Security Controls - Logging & Monitoring (slide 16)
SaaS logging and SaaS monitoring:
- Centralize and ingest SaaS cloud log data
- Explore the data for critical operational and security insight
- Enable native logging and monitoring
Source: Gartner

Foundational Cloud Security Controls - Incident Response (slide 17)
- Engage the incident response team
- Engage the SaaS operations team and provide visibility to the IR team
- Establish a joint response plan with the SaaS provider
- IR team to evaluate the monitoring controls and security measures in place at the SaaS provider
- Define alerts and security events; categorize and score risk events
- Update the IR playbook
- Build a recovery plan
Source: NIST SP 800-61

Foundational Cloud Security Controls - Takeaways
Identity & Access Management
- Formalize standards and processes for AuthN/AuthZ with SaaS services [SCIM, SAML, OAuth, OpenID]
- Enable MFA; send MFA status as an attribute when using federated authentication
- Privileged identities: vaulted, and always protected by MFA
Data Protection
- Data classification, data lifecycle, data location/residency
- Encryption engine: provider-managed encryption, proxy encryption
- Key management: customer managed or provider managed; keep control of the key at all times
App Security
- Secure handling of access tokens
- Storage of sensitive information
- Secure REST API implementation
- API access rate / traffic management
- Session management
Logging
- Centralize and ingest SaaS cloud log data
- Explore the data for critical operational and security insight
- Enable native logging and monitoring
Incid
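The IAM takeaway above says to enable MFA and to send the MFA status as an attribute when authentication is federated. The Python below is an added example, not code from the talk or from TD Ameritrade: an IdP-side builder that puts a hypothetical MFA attribute (the name `https://example.test/claims/mfa` is assumed; the deck names none, so IdP and SaaS provider must agree on one) into a minimal, unsigned SAML 2.0 assertion, and the SaaS-side check that accepts the login only when MFA was asserted, either through that attribute or through an AuthnContextClassRef from an assumed allow-list. Signature, audience and validity-window checks are assumed to be done first by the SAML library and are not shown.

```python
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML_NS}
ET.register_namespace("saml", SAML_NS)

# Attribute carrying the MFA status. Assumed name for this example; the deck does
# not define one, so IdP and SaaS provider must agree on it during onboarding.
MFA_ATTRIBUTE = "https://example.test/claims/mfa"

# AuthnContext classes this SP accepts as proof of MFA even without the attribute.
# Assumed policy; align it with what your IdP actually emits.
MFA_AUTHN_CONTEXTS = {
    "urn:oasis:names:tc:SAML:2.0:ac:classes:MobileTwoFactorContract",
    "urn:oasis:names:tc:SAML:2.0:ac:classes:TimeSyncToken",
    "http://schemas.microsoft.com/claims/multipleauthn",
}
PASSWORD_CONTEXT = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"


def _el(parent, tag, text=None, **attrs):
    """Append a child element in the SAML assertion namespace."""
    el = ET.SubElement(parent, "{%s}%s" % (SAML_NS, tag), attrs)
    if text is not None:
        el.text = text
    return el


def build_assertion(subject, authn_context, mfa_status=None):
    """IdP side: minimal, unsigned assertion (constructed for this example only).
    mfa_status "true"/"false" emits the MFA attribute; None omits it."""
    root = ET.Element("{%s}Assertion" % SAML_NS, {"Version": "2.0", "ID": "_example"})
    _el(_el(root, "Subject"), "NameID", subject)
    ctx = _el(_el(root, "AuthnStatement"), "AuthnContext")
    _el(ctx, "AuthnContextClassRef", authn_context)
    if mfa_status is not None:
        attr = _el(_el(root, "AttributeStatement"), "Attribute", Name=MFA_ATTRIBUTE)
        _el(attr, "AttributeValue", mfa_status)
    return ET.tostring(root, encoding="unicode")


def mfa_satisfied(assertion_xml):
    """SP side: True only if the IdP asserted MFA; fails closed on anything else.
    Call only after the SAML library has validated signature, audience and times."""
    root = ET.fromstring(assertion_xml)
    ctx = root.findtext(
        "saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef", namespaces=NS)
    if ctx is not None and ctx.strip() in MFA_AUTHN_CONTEXTS:
        return True
    for attr in root.iterfind("saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") != MFA_ATTRIBUTE:
            continue
        values = [v.text.strip().lower()
                  for v in attr.iterfind("saml:AttributeValue", NS) if v.text]
        # Exactly one value and it must be "true"; missing, extra or conflicting values deny.
        return values == ["true"]
    return False


if __name__ == "__main__":
    for label, xml in [
        ("password + mfa attribute true", build_assertion("alice", PASSWORD_CONTEXT, "true")),
        ("password + mfa attribute false", build_assertion("alice", PASSWORD_CONTEXT, "false")),
        ("password, no attribute", build_assertion("alice", PASSWORD_CONTEXT)),
        ("MFA authn context, no attribute",
         build_assertion("alice", "urn:oasis:names:tc:SAML:2.0:ac:classes:TimeSyncToken")),
    ]:
        print("%-34s -> %s" % (label, "allow" if mfa_satisfied(xml) else "deny"))
```

The SaaS side must fail closed: an assertion with no MFA attribute is treated the same as one that says "false", so a misconfigured IdP that silently stops sending the attribute locks users out instead of letting single-factor logins through. Parsing untrusted XML with the stdlib parser is acceptable here only because a real deployment does it inside a SAML library that has already verified the signature.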
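The logging slide says to centralize and ingest SaaS log data and explore it for security insight, and the incident response slide says to define alerts and categorize and score risk events. The Python below is an added example, not code from the talk: it ingests a constructed export in a hypothetical SaaS audit-log shape (one JSON object per line; not any vendor's real schema), normalizes it into a common record, and runs three detections with assumed thresholds: a login that succeeds after repeated failures from the same source, a burst of downloads by one user, and any grant of an admin role. Each alert carries a category and score for the IR playbook.

```python
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Detection parameters. Assumed values; tune them to the SaaS app's normal usage.
WINDOW = timedelta(minutes=5)
FAILED_LOGIN_THRESHOLD = 3
DOWNLOAD_THRESHOLD = 10

# Constructed sample export in a hypothetical audit-log shape (not a real vendor
# format): one JSON object per line, UTC timestamps, deliberately out of order.
_LINES = [
    '{"ts":"2020-02-24T09:00:20Z","actor":"Alice@example.test","event":"login.success","ip":"203.0.113.5"}',
    '{"ts":"2020-02-24T09:00:01Z","actor":"alice@example.test","event":"login.failed","ip":"203.0.113.5"}',
    '{"ts":"2020-02-24T09:00:07Z","actor":"alice@example.test","event":"login.failed","ip":"203.0.113.5"}',
    '{"ts":"2020-02-24T09:00:12Z","actor":"alice@example.test","event":"login.failed","ip":"203.0.113.5"}',
    '{"ts":"2020-02-24T10:00:00Z","actor":"carol@example.test","event":"role.grant","ip":"198.51.100.20","object":"dave@example.test","detail":"admin"}',
    '{"ts":"2020-02-24T11:00:00Z","actor":"erin@example.test","event":"login.failed","ip":"192.0.2.7"}',
    '{"ts":"2020-02-24T11:00:30Z","actor":"erin@example.test","event":"login.success","ip":"192.0.2.7"}',
] + [
    json.dumps({"ts": "2020-02-24T09:05:%02dZ" % (4 * i), "actor": "bob@example.test",
                "event": "file.download", "ip": "198.51.100.9", "object": "doc-%02d.pdf" % i})
    for i in range(12)
]
SAMPLE_LOG = "\n".join(_LINES)


def parse_ts(s):
    """ISO 8601 with a trailing Z, as many SaaS exports emit it."""
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def normalize(line):
    """Map one raw export line onto the common record the detections use."""
    raw = json.loads(line)
    return {
        "ts": parse_ts(raw["ts"]),
        "actor": raw["actor"].lower(),   # user IDs differ in case across SaaS apps
        "event": raw["event"],
        "ip": raw.get("ip", ""),
        "object": raw.get("object", ""),
        "detail": raw.get("detail", ""),
    }


def ingest(text):
    events = [normalize(l) for l in text.splitlines() if l.strip()]
    events.sort(key=lambda e: e["ts"])   # exports are not guaranteed to be time-ordered
    return events


def _alert(rule, category, score, e, info):
    return {"rule": rule, "category": category, "score": score,
            "ts": e["ts"].isoformat(), "actor": e["actor"], "ip": e["ip"], "info": info}


def detect(events):
    """Run the three rules over time-ordered events and return scored alerts."""
    alerts = []
    failures = defaultdict(deque)   # (actor, ip) -> recent failed-login timestamps
    downloads = defaultdict(deque)  # actor -> recent download timestamps

    def prune(q, now):
        while q and now - q[0] > WINDOW:
            q.popleft()

    for e in events:
        if e["event"] == "login.failed":
            failures[(e["actor"], e["ip"])].append(e["ts"])
        elif e["event"] == "login.success":
            q = failures[(e["actor"], e["ip"])]
            prune(q, e["ts"])
            if len(q) >= FAILED_LOGIN_THRESHOLD:
                alerts.append(_alert("success_after_failures", "credential", 70, e,
                                     "login succeeded after %d failures" % len(q)))
            q.clear()
        elif e["event"] == "file.download":
            q = downloads[e["actor"]]
            q.append(e["ts"])
            prune(q, e["ts"])
            if len(q) == DOWNLOAD_THRESHOLD:   # fire once as the threshold is crossed
                a = _alert("mass_download", "exfiltration", 60, e,
                           "%d downloads within %s" % (len(q), WINDOW))
                a["count"] = len(q)
                alerts.append(a)
        elif e["event"] == "role.grant" and e["detail"] == "admin":
            a = _alert("admin_role_grant", "privilege", 80, e,
                       "admin role granted to %s" % e["object"])
            a["target"] = e["object"]
            alerts.append(a)
    return alerts


if __name__ == "__main__":
    for a in detect(ingest(SAMPLE_LOG)):
        print("%s score=%d %s %s: %s" % (a["ts"], a["score"], a["category"], a["actor"], a["info"]))
```

On the constructed sample the run yields three alerts: alice's success after three failures, bob's tenth download inside the window, and carol granting admin to dave; erin's single failure followed by success stays below the threshold and is not reported. The normalization step is where most of the real effort goes when several SaaS providers are centralized, since each exports a different schema and the rules should only ever see the common record.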

PDF document: 2020_USA20_CSV-R09_01_Untangling SaaS Security in the Enterprise

28 pages
Uploaded by 张玉竹 on 2022-04-08 10:18:37