An increasing number of Software-as-a-Service (SaaS) applications have enabled enterprises to undergo digital transformation. Web services or multi-tenant enable micro-services based choreography is typically adopted by business applications to leverage SaaS offerings. For example, an enterprise providing a partner portal for Internet of Things (IoT) hardware kits it offers, may utilize Magento-based e-commerce functionality to manage the product catalog and order fulfilment functionality, Atlassian cloud-hosted JIRA for trouble ticketing, and a Confluence-based Content Management System (CMS). The absence of a well-architected and provisioned security capabilities in such a collaborative environment risks an increase in the attack surface due to numerous integration points, as well as potential 3rd party product vulnerabilities. This could enable a malicious actor to attack a business application to steal information or to inflict damage to the reputation to the enterprise.
As shared responsibility is the mantra for securing applications in a cloud based economy, SaaS vendors typically provide best practices and detailed security checklists for consumption of their micro-services or micro apps through APIs. For example, Salesforce.com provides a detailed checklist, and best practices, for applications that leverage force.com or SFDC based services for streamlining sales operations, customer relationship management etc., SaaS applications like Adobe AEM have inbuilt security capabilities to aid business applications (e.g. scrubbing user-supplied content to avoid cross-site scripting).
It is important for the developers & DevOps team of these business applications to contextualize security shared responsibility model frameworks based on SaaS applications utilized in a business application. Few such considerations in a shared responsibility model could be as follows:
- In order to use capabilities exposed by SaaS services, identity of the enterprise application must be established and managed. This may involve federating and managing access & refresh tokens, API keys, PKI certificates for establishing a root of trust in a heterogeneous environment and for secure connectivity, establishing identity and cryptographic keys for accessing a specific portion of the data lake in a multi-tenant enabled SaaS application.
- Some of these enterprise applications could support end user as a persona to consume their capabilities by providing individual user identities. In such cases, the enterprise application needs to adopt cross-domain identity management and lifecycle management through protocols such as IETF SCIM 2.0 to manage user identity data distributed across cross-domain applications. Policy federation for cross-domain users could be done through User Managed Access (UMA), and an oAuth 2.0 profile promoted by the Kantara initiative could be adopted.
- Determine whether to build the identity federation capability at the browser or client side MVC framework (which is not recommended) or build it as part of a lightweight portal backend server that hides the complexities related to orchestrating multiple identity systems and attributes and also caches the information.
- Securing connectivity between business and SaaS applications at the enterprise (or tenant) level and individual user levels.
- Using lightweight integration portal backend based on node.js or web application firewall that handles security challenges rather than directly invoking SaaS application from the browser/client side MVC logic.
- Using server side security filters/libraries or input object validation frameworks like joi.js or contextable.js.
- Automated usage of static scanning and dynamic scanning tools for vulnerability assessment, coupled with implementation of an orchestration layer that assists in false positive removal, identification of exploitable vulnerabilities, and tracking exploitable vulnerabilities across different software release cycles. With security testing following the ‘left shift testing’ approach popularized through adoption of Agile & DevOps methodologies, care should be taken not to leave any backdoor for an adversary in staging & development environments.
- Keep current with the hardened & patched web server facing the Internet and also the OS on which the web server is installed; file integrity monitoring – especially server side to avoid attacks like the one highlighted in  where e-commerce application Magento’s vulnerability was exploited by an adversary.
- Load balancing and availability planning both for the enterprise application as well as for the SaaS application APIs it is consuming. When available, leverage load balancing & availability functionality built in as part of SaaS application e.g., Adobe AEM provide load balancer & caching module as part of their solution.
Aricent has been investing in expertise and software frameworks that can help to address afore mentioned heightened security architecture considerations while consuming APIs exposed by SaaS applications. Few such Aricent software frameworks are:
- HAVOC (Highly Automated Vulnerability (Assessment) Orchestration Containers) framework – provides a knowledge graph based machine learning (ML) driven orchestration layer to automate management of exploitable vulnerabilities during development of enterprise application software.
- IDROCK (identity federation, root of trust management, certificate & key lifecycle management & delivery) framework helps streamline identity & trust federation across cross-domain applications in a heterogeneous environment.
These frameworks are available as building blocks that can complement overall architecture of an enterprise application to address security architecture needs arising due to application economy.