Walk Then Run: 10 Essential Steps to Securing the Cloud

Transcription

1 Walk Then Run: 10 Essential Steps to Securing the Cloud Security and Platform Insights from 15 CIOs Every Organization Needs a Security Plan Every business needs a strategic security plan that takes into account the potential security benefits cloud platforms have to offer. From the small startup to the Fortune 500 enterprise, every business needs to protect intellectual property and knowledge. Strategic security plans range from a few pages to large documents, yet all capture how to anticipate and block threats while ensuring the agility of knowledge and information, an essential element for a successful enterprise. The Salesforce1 platform security model is designed for forward-thinking companies that are relying on security to streamline and secure their most valuable business processes and workflows. Fifteen CIOs across financial services, manufacturing and professional services were interviewed for this paper. Their insights are the foundation of the ten essential steps for creating a platform security framework. While each of these CIOs have different business models to support, they re all concentrating on how to make the most scalable, secure enterprise they can through the use of effective frameworks. APTTUS Corporation apttus.com US: +1 (650) EMEA: +44 (0)

2 Foundational Elements of Cloud Security In speaking with fifteen CIOs across a range of industries, the following foundational elements emerged as the most critical to them in defining current and future strategic security plans: Security model that extends from the cloud platform to applications. A core requirement shared by all CIOs is for a cloud computing platform to have features that enable secure applications to be built and quickly modified while staying compliant with enterprise-wide security policies. What many are looking for is the ability to provide privacy to given systems user data while ensuring the data itself stays independent and secure in a cloud-based database. For this reason, security to the application level needs to support all hosts, database connections, operations and support. Furthermore, the application aspects of the security model need to provide privacy for application providers and enduser customer data. What CIOs want to have is the ability to scale security from the platform to the application level, while staying in compliance with corporate-wide security guidelines. This level of governance is considered a musthave in financial services and is delivered on the Salesforce1 Platform today. Proven ISO compliance. The most secure cloud platforms are capable of providing evidence of compliance to the ISO framework. CIOs mentioned that this is a very useful benchmark because many cloud platforms claim enterprise-level security support, yet few have the ability to show compliance with each element of ISO Steps to a Platform Security Framework Trusted identity hub Evaluate mobile development support Identity management outside the application Admin configurable networkbased security options Support for delegated and federated authentication Auditability & traceability of login history Manage security to the API level Network security audit passing grade Best-in-class operations management Virtualized infrastructure The Salesforce1 Platform orchestrates security training for employees, defines a security staff and senior management team to manage security globally and regularly completes vulnerability assessments. Only the Salesforce 1 Platform goes beyond the minimum requirement of the ISO standard by providing for detailed internal policy definitions, including escalation workflows for detection, response and forensics. A successful track record of compliance to FISMA, SSAE 16 ISO 27001, PCI-DSS, and SSL 128-bit VeriSign transmission level security. Each of these security standards is critical for a cloud platform to be secure, yet scalable enough to manage multi-tenant applications often running in conjunction with each other. These standards are considered just the minimum set, with aerospace and defense firms needing compliance to a wide variety of Department of Defense standards, and financial services firms requiring standards compliance for financial reporting. The Salesforce1 Platform adheres to each of these standards today and has designed the security model of the 2014 APTTUS 2

3 platform to scale and support additions to these certifications in the future. A scalable security model that includes customization for specific business needs. Each company s business model is significantly different, their directions vary and the pace of growth is continually changing. CIOs mention that having the ability to define governance for their companies just once and have it replicated throughout the entire security model is essential for scalability of their security frameworks. Governance defined at the platform level saves thousands of hours a year and helps to ensure a consistent level of compliance to internal security plan benchmarks. As a result, this is a critically important component in any cloud computing security framework. Physical security at each access point of the data center. This is a must-have for any cloud platform provider to be taken seriously by CIOs. All CIOs mentioned how advanced biometrics, access controls at the role and privilege level, and administrator-level controls are essential in any data center operation. CIOs also expect cloud platform providers to have multiple sites with full fail-over capability and redundancy. The Salesforce1 Platform currently supports all of these requirements. Intrusion Detection (ID) systems. Only state-of-the-art data centers support this level of intrusion detection, analysis and protection. With monitoring tools that evaluate application and database activity in conjunction with event management applications, the Salesforce platform is especially adept at anticipating and responding to potential threats. 10 Essential Steps for Creating a Platform Security Framework CIOs are faced with the challenge of delivering high performance mobile apps today, while also ensuring cloud and mobile device security. Platform security frameworks need to address the mobile and social aspects of future presales, sales and service strategies today without impacting current performance. Based on conversations with CIOs on how to create a platform security framework, the ten essential steps are: 1. Qualify cloud platforms based on their support for a Trusted Identity Hub. With mobile support critical to every enterprise, many CIOs are looking for a system that can integrate a variety of identity technologies at the platform layer. Requirements often include support for Security Assertion Markup Language (SAML) and delegated authentication, in addition to support for OAuth for connecting to social and cloud platforms. These are must-haves in fast-growing, knowledge-centric business that are early adopters of cloud platforms. 2. Narrow down the list of cloud platform providers by evaluating their support for declarative tools, programmatic technologies and mobile apps. Salesforce1 was specifically designed with a mobile-first approach, supporting both declarative tools that enable applications to run in legacy Salesforce environments, while also supporting Apex and Visualforce. Salesforce1 supports the rendering of both types of apps on mobile devices, all predicated on a common security model APTTUS 3

4 3. Look for cloud platforms that support identity management and authentication outside the immediate perimeter of the application. State-of-the-art cloud platforms have the ability to support authentication well beyond immediate applications, expanding to on premise systems, social, mobile and cloud applications as well. Support for this broad security platform is essential in global deployments. Only the Salesforce1 platform supports authentication outside the immediate perimeter of applications, extending to mobile and social platforms as well. 4. Best-in-class cloud platform providers offer network-based security options that are easily configured by administrators to allow access to any authorized mobile device. This is critical for the mobile strategies of every CIO interviewed. Defining mobile use to the device and IP address level is a must-have requirement, as is the ability of a cloud platform to support wiping a mobile device of all data and resetting its configuration. CIOs mentioned that the Apple ios and Google Android options didn t go far enough at the application level. What they want is the cloud platform to completely disable and wipe all data from their apps in real-time. Of the many cloud computing platforms that support remote device resetting and configuration, only the Salesforce1 platform can control these functions to the IP address and identity level. 5. Support for single sign-on that includes delegated and federated authentication is a musthave to support complex, secured mobile applications. Cloud platforms vary in their level of support for single sign-on authentication techniques, which has a direct impact on how agile a mobile strategy can become over time. Supporting a highly mobile workforce requires both delegated and federated authentication. With delegated authentication, Web Services are used to define credentials. In federated authentication configurations, the cloud platform verifies the HTTP POST request and allows single sign-on. For mobile applications requiring a high degree of security, delegated authentication is critical. For mobile-based worker that don t require access to sensitive data, the federated authentication model works best. Cloud platforms need to support both in order to meet the total set of mobility needs of CIOs today and in the future. 6. Look for support of auditability and traceability of login history and application use. Capturing specific account, case, contacts, login attempts and changes to opportunities, service contracts and leads is essential for continually improving the performance of a security model. Cloud platforms are often limited to just reporting application performance overall, not specific events. Only the Salesforce1 platform can report specific application activity, including login attempts, and perform traceability across the entire spectrum of devices an enterprise workforce needs to use daily. 7. A successful track record of managing security to the API level of applications. Cloud-based applications based on AJAX, Active X controls, Java applets and other web-based development languages are susceptible to cross-script attacks and a myriad of other threats. Being able to track potential threats through the use of monitoring, filtering and data loss prevention to the data flow level are increasingly showing up on the lists of CIOs evaluating cloud platforms. This includes support for security patches and continued compliance to applicable regulatory requirements including the U.S. Sarbanes-Oxley Act and the U.S. Health Insurance Portability and Accountability Act (HIPAA). Legacy on premise applications are not capable of accomplishing this, yet cloud platforms including Salesforce1 track security performance of applications to the API level APTTUS 4

5 8. Look for cloud platform providers with a track record of successfully passing network security audits that comply with international standards. To pass audits based on ISO 27001, ISO and SAS 70 Type II, a cloud platform provider will need to have two-factor authentication in place at the delegated platform level, in addition to supporting IPsec and Secure Sockets Layer with Extended Validation certificates. Load balancing for firewalls, intrusion detection and prevention of Denial of Service attacks is also a requirement. Public cloud platforms can provide a subset of these functions, but not all of them. As the Salesfroce1 platform is based on a unified security model that extends from the infrastructure to the application layer, all of these requirements are met today. 9. Best-in-class operations management for managing a cloud platform. This includes a thorough background screening process for evaluating new employees working in data centers to advanced database monitoring applications. The best-in-class cloud platform providers also have processes in place to support monitoring the performance of operating systems and the security level improvements based on security patches. Best-in-class operations management also supports vulnerability management, intrusion prevention, incident response, and incident escalation and investigation. The highest-performing cloud platform providers can also provide continuity management and disaster recovery management that include the individual client's enterprise-specific applications and data, as well as evidence that it has tested those procedures. While large-scale public cloud platform providers are capable of doing some of these processes today, the Salesforce1 platform has been purpose-built to support each of these areas in depth with traceability and realtime monitoring. 10. Virtualized infrastructure is critical to current and future cloud platform deployment and future application development. While many CIOs remarked that virtualization has become nearly a commodity-like feature of cloud platforms, their current and future plans call for greater virtualized support of mobile platforms and more effective malware prevention. Virtualization needs to extend beyond system scalability and progress towards selective control of security performance and separation of data and security information among applications, even on mobile devices. This requirement is critical for scaling mobile applications across global workforces while protecting valuable intellectual property. Of the many cloud platforms available today, only the Salesforce1 platform can scale to support each of these requirements. Conclusion Across a range of business models, industries and organizational maturity, our fifteen CIOs agree: regardless of size, to create a scalable and secure enterprise, organizations require the use of effective security frameworks. And, the CIOs interviewed also agree that such a security framework should be based on a mobile and social first approach in order to ensure scalability for future presales, sales and service strategies. Every business needs a strategic security plan that takes the cloud into account. Finally, the need for adherence to industry standards, a track record of compliance and a solid physical security plan are necessary for helping enterprises go from walking to running with a scalable security framework APTTUS 5

6 About Apttus Apttus, the category-defining Quote-to-Cash software company, drives the vital business process between the buyer s interest in a purchase and the realization of revenue. Apttus is delivered on the Salesforce1 Platform, the world s most trusted and comprehensive cloud delivery infrastructure. Applications include Configure- Price-Quote (CPQ), Renewals, Contract Management and Revenue Management. Additionally, Apttus patent pending X-Author technology enables Microsoft Office to be a user-interface with full interaction and control between Salesforce TM and Microsoft Office. Apttus is based in San Mateo, California, with additional offices in London, UK, Bozeman, Montana and Ahmedabad, India. For more information visit: APTTUS 6