1. Security concerns with SaaS
layer of Cloud computing
Clinton D Souza
CSE486
01/29/2013

2. Outline
Cloud computing.
Service and Deployment.
SaaS layer.
Cloud security structure.
SaaS possible exploits.
Security breaches.
SaaS solution criteria.
Conclusion.

3. References
http://csrc.nist.gov/publications/nistpubs/800-145/SP800-145.pdf
http://ieeexplore.ieee.org.ezproxy1.lib.asu.edu/stamp/stamp.jsp?tp=&a
rnumber=5704104
http://cloud.trendmicro.com/data-breach-at-microsoft-highlights-
security-problem-in-saas/
http://cylaw.info/panda-security-hacked-by-antisec/
http://news.softpedia.com/news/Zero-Day-Vulnerability-Found-in-
McAfee-s-SaaS-Products-247051.shtml

4. Cloud computing
A model for enabling :
ubiquitous,
convenient,
on-demand network access
to a shared pool of configurable computing resources that can
be rapidly provisioned and released with minimal management.
http://csrc.nist.gov/publications/nistpubs/800-145/SP800-145.pdf
http://en.wikipedia.org/wiki/File:Cloud_computing.svg

5. Service models
Infrastructure as a Service (IaaS).
Platform as a Service (PaaS).
Software as a Service (SaaS).
http://lh6.ggpht.com/-t0mXLnfOQnM/ThMyEzI34LI/AAAAAAAAALU/6OLqERfVAu8/cloud-delivery-models_thumb%25255B4%25255D.png

6. Deployment models
Public cloud.
Provisioned for open use by general public.
Owned, managed and operated by business, academic or
government organization or a combination.
Exists on premises of cloud provider.
Private cloud.
Exclusive use by a single organization with multiple business
units.
Hybrid cloud.
Composition of two or more cloud infrastructures.
http://csrc.nist.gov/publications/nistpubs/800-145/SP800-145.pdf

7. SaaS layer
Software applications which are loaded in a cloud platform made
accessible to consumers from various client devices.
Consumer doesn’t manage or consume underlying cloud infrastructure.
Service App Service App Service App
(SaaS) (SaaS) (SaaS)
Platform Business Service (PaaS)
Tenant
Data Service
Management
System Infrastructure (IaaS)
Hardware Infrastructure (IaaS)
http://ieeexplore.ieee.org.ezproxy1.lib.asu.edu/stamp/stamp.jsp?tp=&arnumber=5704104

8. Cloud security structure
Tipton,Harold F. ; Nozaki, Micki Krause , Information Security Management Handbook. 6th ed. USA: CRS Press. 2012

9. SaaS possible exploits
Two main points of entry into SaaS layer:
User Point of Entry
o Most common point of attack in a SaaS model
Provider Point of Entry
An example query that exploits the vulnerability in most
database servers like PostgresSQL and MySQL, which will grant
the attacker administrator privileges could be:
<?php
// $uid: ' or uid like '%admin%
$query = "UPDATE usertable SET pwd='...' WHERE uid='' or uid like '%admin%';"
;
// $pwd: hehehe', trusted=100, admin='yes
$query = "UPDATE usertable SET pwd='hehehe', trusted=100, admin='yes' WHERE
...;";
?> http://php.net/manual/en/security.database.sql-injection.php

10. SaaS attack types
The most common attacks
associated with SaaS
model in a public cloud
•Denial of Service
infrastructure. Availability •Account lockout
•Buffer-overflow
They are divided into the
•Cross-site scripting
following four groups: Data Security •Access control weakness
•Privilege escalation
•Network Penetration
Network Security •Session Hijacking
•Data Packet Interception
Identity Management •Authentication Weakness
•Insecure Trust
SaaS (Software as a Service) vulnerabilities

11. Recent security breaches
Data breach at Microsoft highlights security problem in
SaaS .
Panda Security hacked by Antisec.
Zero-Day vulnerability found in McAfee’s SaaS products.

12. McAfee Security breach
Zero-Day Vulnerability Found in McAfee’s SaaS Products ( April 2011)
Attacker can execute arbitrary code by exploiting the flaw if victim visits a
malicious page or open the file.
Common Vulnerability Scoring System score it to be 9 out of 10 maximum.
Method will accept commands that are passed to a function that simply
executes them without authentication.
McAfee SaaS includes:
Email Protection (Protection against viruses and spam)
McAfee Integrated Suites (Protection against viruses, web threats,
etc…)
Patch released in August 2011.
http://news.softpedia.com/news/Zero-Day-Vulnerability-Found-in-McAfee-s-SaaS-Products-247051.shtml

13. SaaS solution criteria
Reliability.
Effectiveness.
Performance.
Flexibility.
Control.
Privacy and Security.
Total Cost of Ownership (TCO).
http://www.websense.net/assets/white-papers/whitepaper-seven-criteria-for-evaluation-security-as-a-service-solutions-en.pdf

14. Conclusion
Cloud computing models are relatively new and are thus
susceptible to vulnerabilities.
SaaS layer in a public cloud is more vulnerable to attacks due to
access by users.
The type of attacks on SaaS products remain the same but the
intensity of the breach increases.
A number of sercuity criteria needs to be considered while
developing a SaaS application.