We opened this year's virtualization security podcast with Phil Cox, the "Security Guy" at Rightscale, who is working through a tangled problem: meeting compliance and auditing goals within the cloud. Rightscale is a 100% cloud-based company delivering a solution that is itself SaaS-based, so they often run directly into SaaS-related issues. Rightscale has been running into a problem with the simplest of auditing requirements: how to know when someone has logged in. This problem spans nearly all of the hundreds of SaaS providers used to run their business.
Getting it Right
Who gets it right? The SaaS providers that have maturity and compliance requirements of their own often get it right, but they still do not make it easy to extract the data. Companies like Salesforce and Google, which are used to enterprise customers, can provide either extractable logs or a hook into your own authentication store (via SAML). Even when they provide the data, it is not in a form normally usable by current SIEM installations. You have to tweak everything, and in some cases importing the logs is a manual process.
Getting it right implies that security-related data about a tenant should be extractable by some standard means (such as syslog or eventlog mechanisms) and importable into the tenant's security monitoring tools or a log-file analysis engine such as Splunk.
The technology exists; what is missing is SaaS providers making use of it.
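To make the "tweak everything" step concrete, here is an added example (not from the podcast or from Rightscale) of the kind of glue a tenant currently has to write: it takes a constructed, vendor-specific login-audit export, keeps only authentication events, and emits RFC 5424 syslog lines that carry the tenant ID, user and result as structured data a SIEM can index. The export field names (`ts`, `org`, `actor`, `action`, `ok`, `ip`) are invented for the example and do not belong to any real provider.

```python
import json
from datetime import datetime, timezone

# Constructed sample export; the schema is invented for this example, not a real vendor's.
SAMPLE_EXPORT = json.dumps([
    {"ts": 1704067200, "org": "acme", "actor": "alice@acme.example", "action": "login", "ok": True, "ip": "203.0.113.5"},
    {"ts": 1704067260, "org": "acme", "actor": "bob@acme.example", "action": "login", "ok": False, "ip": "198.51.100.7"},
    {"ts": 1704067320, "org": "acme", "actor": "alice@acme.example", "action": "view_report", "ok": True, "ip": "203.0.113.5"},
    {"ts": 1704067380, "actor": "carol@acme.example", "action": "login", "ok": True},  # no tenant, no source IP
])


def parse_export(text):
    """Map the vendor-specific JSON into a small common schema, keeping only login attempts."""
    events = []
    for raw in json.loads(text):
        if raw.get("action") != "login":
            continue  # only authentication events answer "who logged in, and when"
        events.append({
            "time": datetime.fromtimestamp(raw["ts"], tz=timezone.utc),
            "tenant": raw.get("org", "unknown"),   # flag, rather than drop, records with no tenant ID
            "user": raw.get("actor", "-"),
            "result": "success" if raw.get("ok") else "failure",
            "src_ip": raw.get("ip", "-"),
        })
    return events


def _sd_escape(value):
    """Escape the three characters RFC 5424 forbids unescaped inside a PARAM-VALUE."""
    return str(value).replace("\\", "\\\\").replace('"', '\\"').replace("]", "\\]")


def to_syslog(event, app="saas-audit", host="collector"):
    """Render one event as an RFC 5424 line. PRI = facility*8 + severity with facility auth (4):
    successful logins at info (6) -> 38, failed logins at notice (5) -> 37."""
    pri = 38 if event["result"] == "success" else 37
    ts = event["time"].isoformat().replace("+00:00", "Z")
    sd = '[login tenant="{}" user="{}" result="{}" src="{}"]'.format(
        _sd_escape(event["tenant"]), _sd_escape(event["user"]),
        event["result"], _sd_escape(event["src_ip"]))
    return "<{}>1 {} {} {} - - {} {} login {}".format(pri, ts, host, app, sd, event["user"], event["result"])


def normalize(text):
    """Full pipeline: vendor export text in, list of syslog lines out."""
    return [to_syslog(e) for e in parse_export(text)]


if __name__ == "__main__":
    for line in normalize(SAMPLE_EXPORT):
        print(line)
```

The structured-data block is what lets a SIEM correlate by tenant across many providers; any record that arrives with `tenant="unknown"` is itself a finding worth alerting on, since it means the provider's export has lost the one field the audit question depends on.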
IaaS implementations give us many opportunities to log data at the virtual machine level, to implement security at the virtual machine level, and to provide command and control within clouds via tools like CloudPassage. IaaS security is often agent-full but could also include mechanisms provided within the hypervisor layers. Unfortunately, once we enter the hypervisor or cloud management layers we run into the problem of not really knowing who did what; instead we have to correlate data from the hypervisor logs with the logs produced further up the management stack.
SaaS Auditing or PaaS Auditing
We discussed one possible solution for SaaS, depicted below, which involves not just changing what logs the SaaS providers generate but also what tools they use for networking and for authentication.
In essence, this solution requires greater use of SDN, which already carries a Tenant ID, as well as SAML, which allows for remote authentication stores. Using either of these methods provides a way to log who logged into a service, by tenant, even if they are coming in over a hand-held device such as a tablet.
However, this requires the SaaS providers to step up and hook into these technologies, as well as provide per-tenant logs of who did what, when, where, and how.