SaaS VPC Management

SaaS VPC management focuses on managing vulnerabilities, security patching, and system configuration in the CSP-managed infrastructure, as well as the customer infrastructure interfacing with the SaaS service.

Since the SaaS delivery model is anchored on the premise that the application service is delivered over the Internet to a web browser running on any computing device (personal computer, virtual desktop, or mobile device), it is important to secure the endpoints from which the cloud is accessed.

Hence, a VPC management program should include endpoint VPC management requirements and should be tailored to the corporate environment. It is standard practice for most companies to institute a standard OS image for personal computers that includes security tools such as antivirus, anti-malware, firewall, and automatic patch management from a central management station.

SaaS provider responsibilities

The following list represents SaaS VPC scope:
  • Systems, networks, hosts, applications, and storage that are owned and operated by the CSP
  • Systems, networks, hosts, applications, and storage that are managed by third parties
  • Personal computers and smartphones owned by the SaaS employees and contractors

SaaS customer responsibilities

Because SaaS services are typically delivered to web browsers and, in some cases, are integrated with customer applications (via an XML interface), the customer has limited responsibilities for VPC management of the infrastructure in the cloud. However, SaaS customers are responsible for VPC management of their systems that interface with the SaaS service. The responsibilities include:
  • Personal computers of a SaaS user.
  • Applications or services that interface with the SaaS service.
  • Security testing of the SaaS service. Although SaaS providers are responsible for vulnerability management of the software delivered as a service, some enterprise customers can choose to independently assess the state of application security. Customers evaluating this independent verification option should obtain the consent of the CSP, because SaaS security testing can be performed only with the permission and cooperation of the SaaS vendor. This type of application testing, usually performed by a third-party tester, may involve active analysis of the application and simulation of real attack scenarios with the objective of discovering vulnerabilities in the application. It is a qualitative method, and the scope of testing could vary based on the vulnerabilities identified; hence, it is advisable to verify and agree on the scope before the exercise. Such testing can reveal the top web application vulnerabilities, as categorized in the OWASP Top 10. SQL injection, parameter manipulation, cookie poisoning, and cross-site scripting (XSS) are common types of vulnerabilities found during the application vulnerability testing cycle.
