Since Software-as-a-Service (SaaS) adopts a multi-tenancy architecture (MTA), and building an MTA SaaS application requires much effort, a SaaS development framework must address the major issues of concern, especially security. SaaS applications are often built either from scratch or with the help of existing platforms such as Google App Engine. SaaS development should be simplified and, where possible, the simplest alternative should be used to build the SaaS application.
One example of a simplified alternative would be a framework that lets customers publish their application specifications, requirements and test scripts, and then lets the SaaS providers create customized SaaS solutions that meet those requirements.
Alternatively, it should allow tenants to compose the application from the templates (if any) that are provided. Such a framework would reduce the workload of both tenant developers and providers, offering an easy and more collaborative approach to customization according to each tenant's specific requirements. Most services in such a platform would be domain independent, because the domain knowledge is kept in an ontology in order to support cross-domain development.
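A worked illustration of the MTA security point, added here and not taken from the article or from any framework it mentions: the same record lookup written without and with tenant scoping, where the hardened version takes the tenant from the authenticated session rather than from user input. The class, function and tenant names and the sample rows are assumptions made for this example.

```python
# Added example (not from the original article): tenant isolation in a
# multi-tenant SaaS data layer. A lookup keyed only on a caller-supplied
# record id lets one tenant read another's rows; the scoped version keys
# every query on the tenant taken from the authenticated session instead.
# All names and the sample data below are constructed for this example.
from dataclasses import dataclass


class TenantIsolationError(Exception):
    """Raised when a request reaches across a tenant boundary."""


@dataclass(frozen=True)
class Invoice:
    invoice_id: int
    tenant_id: str
    amount: float


# Constructed sample rows for two hypothetical tenants.
INVOICES = [
    Invoice(1, "acme", 120.0),
    Invoice(2, "acme", 80.5),
    Invoice(3, "globex", 999.0),
]


def get_invoice_unscoped(invoice_id: int) -> Invoice:
    """Weak version: id-only lookup, so any tenant can read any row."""
    for inv in INVOICES:
        if inv.invoice_id == invoice_id:
            return inv
    raise KeyError(invoice_id)


def get_invoice_scoped(session_tenant: str, invoice_id: int) -> Invoice:
    """Hardened version: the tenant id is part of the lookup key. A missing
    row and a foreign tenant's row raise the same error, so the response
    does not confirm that the other tenant's record exists."""
    for inv in INVOICES:
        if inv.tenant_id == session_tenant and inv.invoice_id == invoice_id:
            return inv
    raise TenantIsolationError(f"no invoice {invoice_id} for {session_tenant}")


def can_read(session_tenant: str, invoice_id: int) -> bool:
    """Authorization check: True only when the row belongs to the caller."""
    try:
        get_invoice_scoped(session_tenant, invoice_id)
        return True
    except TenantIsolationError:
        return False
```

In a real framework the tenant filter belongs in the shared data-access layer so that every template-composed or provider-built service inherits it rather than re-implementing it.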
Surveys of private companies show that security and privacy issues are the key to cloud adoption, at least in the view of IT executives. Under these circumstances, an organization should make sure that it fully understands the security and privacy risks associated with cloud computing, as well as its own security and privacy requirements (based, of course, on its business requirements), and is satisfied with its chosen cloud service providers (CSPs) before it starts using cloud services. But first, to better understand the cloud environment, let's look at the cloud service models.
Cloud Service Models
A clear understanding of the cloud architecture, as well as of the features usually addressed under deployment models, service models and service attributes, is helpful in gaining a better understanding of the security issues in the cloud environment. The service models are described below.
Software as a Service (SaaS)
SaaS can be described as services and applications that are publicly available online, where the customer's responsibility starts and ends with entering data into the system and managing that data. The service provider is solely responsible for everything else, from the application level down to the infrastructure level.
Platform as a Service (PaaS)
Typically, PaaS can be described as middleware responsible for providing virtual machines, services, operating systems, development frameworks and applications. The customer, however, is responsible for installing and effectively managing the application being deployed, while the service provider is responsible for managing the cloud infrastructure as well as the operating system.
Infrastructure as a Service (IaaS)
IaaS is infrastructure offered to customers that they can provision themselves. This includes virtual machines, virtual storage, other hardware assets and other virtual infrastructure. While the responsibility for managing the underlying infrastructure lies with the service provider, all other aspects of the deployment are the customer's responsibility.
Security Concerns in the Cloud
Advances in cloud computing continue to significantly change the way people do business and even the technology infrastructure of organizations. This is because its service-oriented architecture affects the structure of applications, and even of systems, in terms of design, development and deployment. These advances, however, also revive the existing traditional security concerns, and new issues come into question as well.
As of 2013, the top 9 cloud computing threats are as follows:
- Data breaches
- Data loss
- Insecure interfaces and APIs
- Account or service traffic hijacking
- Denial of service
- Abuse of cloud services
- Malicious insiders
- Shared technology vulnerabilities
- Insufficient due diligence
Due to the highly dynamic nature of cloud computing, these issues continue to be a hot topic of discussion. In order to deal with the security challenges properly, there has to be a systematic approach (to be considered within the SaaS development framework) that covers all the critical information security management practices, so that fundamental security measures are provided in every phase of cloud-based solution development.
What is Information Security Management?
This can simply be defined as the set of processes that enable organizations to protect both their IT operations and their assets not only from unauthorized access, but also from unauthorized use, modification, disclosure, disruption and destruction. It is both a technical and a management issue, and is therefore the responsibility of all members of the organization, from top management down to every employee. As cloud adoption continues to increase, cloud customers keep demanding more confidentiality, integrity and availability, known as the CIA triad, which forms the core of information security. In fact, data security and system availability are the two key parameters of a service level agreement (SLA). So, to respond adequately to all these issues, an organization must have a systematic approach to integrating security practices into its own development life cycle. This is possible with a security-integrated system development life cycle (SDLC).
The SDLC is a conceptual model with a sequence of processes that are followed in order to develop information systems. Typically, SDLC phases include:
- Acquisition and development
- Implementation and assessment
- Operations and maintenance
Integrating security activities into all phases of the SDLC is a proven way to provide an adequate level of security for the key assets of a development project. With such integration, security can be planned, acquired, built in and deployed as an integral part of the project. Moreover, it is crucial to handle security practices in the initial stages of the SDLC.
This is because early handling plays a key role in measuring and even enforcing security requirements throughout all the phases of the life cycle. It is also important to plan and implement an elaborate risk management program, as this helps identify, control and minimize the security risks in projects, bringing the risks under control at an early stage.
As advances in cloud computing continue to have a significant impact on the technology infrastructure of organizations and on the way business is done, the relevance and significance of cloud computing are increasingly difficult to ignore or overlook. This is because its service-oriented architecture affects the structure of both applications and systems in aspects such as design, development and deployment.
Such advances, however, also bring up new issues, and even the traditional security concerns come into question. Regardless, security concerns should be thoroughly addressed within the SaaS development framework, in the early stages of the development life cycle.