Abstract—Cloud computing is one of the emerging technologies in the IT industry. Many organizations, small and large, rely on their cloud service provider to run their enterprise workloads in order to improve efficiency, integrity, working practices and load balancing. The massive use of these services brings potential risks with respect to the security and privacy of user data. This paper focuses on the security issues of the Software as a Service (SaaS) model, especially data secrecy and privacy and risk assessment and management. It first introduces the structure of SaaS and highlights its value and usability in different scenarios such as cloud computing, mobile cloud computing, SDNs and IoT. It then discusses the SaaS security challenges spanning data security, application security and SaaS deployment security, and how security threats might affect the different parts of the SaaS model.

Index Terms—Cloud Computing Security, Software as a Service, SaaS security

I. INTRODUCTION

In modern information technology, cloud computing is the most widespread and profitable web-based computing service. It offers three basic service models: SaaS (Software as a Service), PaaS (Platform as a Service) and IaaS (Infrastructure as a Service). Cloud computing provides efficient global processing and stores huge volumes of data. The main cloud service providers are Google, Microsoft Azure, Amazon AWS, salesforce.com, HP and IBM. Cloud computing delivers web-based services, and the service providers are third parties, so security vulnerability is the most important issue for an enterprise that has moved its business into cloud computing through its Information Technology (IT) systems. Security is not only a big issue in cloud computing but also in grid computing, distributed computing, military, technical and logical applications, administration, and business systems and applications, wherever computing takes place over a network [1]. Cloud computing security can be divided into several categories: physical or device (hardware) security, network security, IT system security, data security (confidentiality, integrity and availability of data and information) and, most importantly, application security. Security must be guaranteed from both sides, the user's side and the service provider's side. Amazon AWS Elastic Compute Cloud [2] takes responsibility for security up to the virtual machine layer (hypervisor), including hardware security, environmental safety and virtualization security. Salesforce.com's customer relationship management SaaS provides security controls for physical and environmental safety; it also certifies the security controls over the infrastructure, application and data [2].

 

Many nations around the world follow rules and protocols for protecting information and data. Japan, the Oceanian countries, Europe and Asia in particular, among many others, apply data protection and governance rules and regulations. They follow privacy and security regulations formed by the OECD (Organisation for Economic Co-operation and Development), APEC (Asia-Pacific Economic Cooperation) and the EEA (European Economic Area) [2].

 

The benefits of using SaaS in various situations and across many application environments have been highlighted in [3], [4]. However, challenges still exist for full-scale application delivery through SaaS. Many of these issues in the context of cloud computing have been described in [5], [6]. It is extremely important to address security and safety issues systematically in order to maintain a trustworthy environment in SaaS. This paper focuses on the state-of-the-art security and privacy problems in the modern SaaS framework, summarizing the many fields and mechanisms that are the crucial foundations of the SaaS architecture.

 

II. SOFTWARE AS A SERVICE

Software as a Service (SaaS) [7] refers to programs provided as Internet-based services. SaaS service providers host the software and perform all the essential care and maintenance tasks (procuring hardware, installing and deploying the software, management and support, etc.), thus giving their clients and customers easy access to the software. Software-as-a-Service is a software delivery model in which applications are hosted and managed by a third-party vendor or service provider and made available to clients over a network, typically the Internet. SaaS is becoming an increasingly predominant delivery model as the underlying technologies that support web services and service-oriented architecture (SOA) mature and new development techniques become popular. SaaS is also frequently associated with a pay-as-you-go subscription licensing model, meaning that clients obtain more facilities from the service provider the more they pay; a healthy enterprise focuses strongly on this pay-as-you-go scheme. Meanwhile, broadband service has gradually become more accessible, helping users reach applications from more areas around the world.

Fig. 1: Evolution of Cloud Services

SaaS has appeared as an innovative software delivery service in the last few years, relying primarily on multiple supporting technologies. But the idea behind SaaS has been growing since the 1950s. Work by research and business groups includes mainframe computers (1950), the idea of virtualization (1969), the concept of RJE (Remote Job Entry) (1970), Grid Computing (1990), SOA (Service Oriented Architecture) (1996) and Utility Computing (1997). The SaaS term first appeared in 2000 for simple subscription stand-alone applications, followed by the on-premises SaaS model and then the off-premises SaaS model encompassing Cloud Computing (2007), Mobile Cloud Computing (2008) and Software Defined Networking (2009).

TABLE I: Advantages of SaaS for users and providers

Benefits              SaaS User          SaaS SP
Cost of maintenance   Small              Small
Cost of management    Small              Small
Mobility              Possible           Simple
Organization          Decentralized      Centralized
Payment               Pay as you go      Varies
Scalability           Easy               Flexible
Availability          24 hours per day   Changeable
Stable nature         Enhanced           Exploited


The one-time license purchase model is frequently used for on-premises software. In contrast, SaaS application access for users and clients is frequently sold under a subscription licensing model, with clients paying an ongoing charge to use the application. While the on-premises SaaS model involves deploying and installing the application software on end devices at the user's location, the off-premises SaaS model refers to the model in which the software and its associated data are hosted and stored in the cloud. The off-premises SaaS model takes advantage of the benefits of centralization through a single-instance application with a multi-tenant architecture (multiple instances of an application) and offers a feature-rich experience at lower cost than comparable on-premises applications. From the perspective of SaaS service vendors, multi-tenancy and virtualization tools and techniques significantly improve resource utilization and efficiency over preceding techniques [8].

 

 

TABLE II: Comparison of traditional software and SaaS

Property         Traditional Software   SaaS
Expense          Static                 Dynamic
Agreement        Monotonous             Simpler
Regulation       Client                 SP
Charges          Single time            Subscription time
Deployment       Required               Not required
Internet         No                     Yes
Proprietorship   Client                 SP
Duty             Client                 3rd trusted party
Security         Enterprise             SP
Scalability      Bounded                Unbounded
Testing          Exhaustive             Less
Improvement      Expensive              Cheap


SaaS can also take advantage of Service Oriented Architecture (SOA) to enable software applications to communicate with each other. Each software service can act as a service provider (SP), exposing its functionality to other programs and service applications through public brokers, and can also act as a service consumer and requester, incorporating data and procedures from other services. SOA provides purely service-oriented services, which are deployed and maintained by SaaS. In a SaaS platform, users commonly access the application via a browser or a thin client deployed on user devices. On the server and technical side, users are freed from application upgrades and patch deployment, as application management and maintenance is done silently by the SaaS vendor. From the financial view, the pay-as-you-go subscription payment model is a persistent income stream for SaaS vendors, motivating them to pursue continuous upgrading of the service application. Table I reviews the advantages of SaaS for both SaaS service providers and SaaS users and clients.

 

 

III. SOFTWARE-AS-A-SERVICE SECURITY CHALLENGES FOR AN ENTERPRISE

The enormous growth of SaaS applications has changed the way application services are distributed and brings considerable rewards and convenience to software providers and clients. But as more and more people and enterprises deploy their applications in the SaaS model, concerns begin to surface that question how trustworthy and reliable Software as a Service is. There are problems that are just as persistent, and even more pressing and complex, because of loopholes in the SaaS deployment and insufficient attention to security threats. In this section of the paper, we discuss SaaS security issues and challenges under two main groups: data privacy and security, and application security.

A. Data Privacy and Security

1) Data Storage


A database is the repository where data physically resides. The basic requirement for data privacy and security is that the SaaS service provider prevents its many clients from seeing the data of other users. Data is the one thing that is highly confidential and private, all enterprises run their business on the basis of stored data, and if data is unprotected from unauthorized access the enterprise may face severe business losses. As multi-tenancy, achieved through machine virtualization, is one of the key and basic characteristics of the SaaS model, data of multiple clients may reside on the same server, or in different instances hosted on the same server. If one instance on a server is affected by a malicious attack such as SQL injection, there is a significant risk that sensitive data in another instance on the same server will also be affected. For example, in a virtualized environment the hypervisor (the virtual machine monitor) permits many operating systems such as Windows, Linux and macOS to run on the same physical hardware simultaneously; if an attacker gains access to and control of the hypervisor, he can modify any server instance and gain access to all the crucial and secret data stored on that device (hardware).
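The cross-tenant risk of SQL injection in a shared store, shown as an added example that is not from the paper: a lookup that pastes user input into the query text beside the parameterized form, with a tenant-isolation check as defence in depth. The table, tenant names and rows are constructed for the demonstration.

```python
import sqlite3

# Constructed sample data: two tenants sharing one table in one database instance.
SAMPLE_CUSTOMERS = [
    ("acme", "Alice", "alice@acme.example"),
    ("acme", "Bob", "bob@acme.example"),
    ("globex", "Carol", "carol@globex.example"),
]


def build_demo_db():
    """In-memory SQLite database standing in for the shared multi-tenant store."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (tenant_id TEXT, name TEXT, email TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?)", SAMPLE_CUSTOMERS)
    return conn


def find_customers_unsafe(conn, tenant_id, name):
    """Vulnerable: the user-supplied name is pasted into the SQL text, so it can
    rewrite the WHERE clause and defeat the tenant_id filter."""
    sql = (f"SELECT tenant_id, name, email FROM customers "
           f"WHERE tenant_id = '{tenant_id}' AND name = '{name}'")
    return conn.execute(sql).fetchall()


def find_customers_safe(conn, tenant_id, name):
    """Hardened: bound parameters keep input out of the SQL grammar, and a
    post-query check enforces tenant isolation as defence in depth."""
    sql = ("SELECT tenant_id, name, email FROM customers "
           "WHERE tenant_id = ? AND name = ?")
    rows = conn.execute(sql, (tenant_id, name)).fetchall()
    foreign = [r for r in rows if r[0] != tenant_id]
    if foreign:
        # Unreachable with the bound query; if it ever fires, treat it as an
        # isolation failure worth alerting on rather than returning data.
        raise RuntimeError(f"tenant isolation violated: {len(foreign)} foreign rows")
    return rows


def leaked_tenants(rows, tenant_id):
    """Tenants other than the caller's own that appear in a result set."""
    return sorted({r[0] for r in rows if r[0] != tenant_id})
```

Run against the constructed data, the unsafe lookup returns every tenant's rows for an input that closes the quoted string, while the bound query treats the same input as a literal name and returns nothing.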

 

If SaaS service providers implement their application on a public PaaS (Platform as a Service) provider, sensitive information might occasionally be stored together on the same physical device with the data of another unrelated SaaS application. To ensure high data availability, replication and backup, the service provider might also duplicate the data and hand it over to another location across country borders. There is a serious risk that crucial and sensitive data might leak to unanticipated sites. Even worse, when the information in a data center suffers an outage, the data at the other site might cross country borders. But in some states the law prescribes that sensitive data is not permitted to cross the state border [9], and in a situation of emergency the federal government has the authority to access the log system and examine inbound and outbound traffic of recent weeks or months. This is observed as a crucial potential risk to the secrecy of clients' data.

 

To defend against the leakage of sensitive information, SaaS service providers use cryptography to increase the confidentiality and privacy of data in a database or data warehouse. But cryptographic techniques have their own challenges, including key sharing and management, correct use of cipher algorithms and key repositories.

A member of the security team who is responsible for privacy and confidentiality should collaborate with the enterprise legal team to describe data privacy issues and challenges along with their concerns. As with security, a privacy steering group should also be formed to help make the right decisions regarding data confidentiality. Typically, the security compliance team, if one even exists, will not have formal training and development in data privacy, which will limit the ability of the enterprise to describe effectively the data privacy problems it faces now and will repeatedly be challenged on in the coming period. The answer to this problem is to engage an adviser in this field, hire a privacy consultant, or have one of the current members of the security team trained properly. This will ensure that the enterprise is ready to meet the data privacy requirements of its clients and regulators.

 

2) Data Access Control


In the SaaS model, a breach of security or privacy can originate from the trusted partner, where careless or indifferent acts by the provider's employees cause data loss or data leakage, or it can originate from outside malicious intruders who aim to exploit the loopholes of the system and take advantage of them. In this scenario, the service provider must guarantee that access to data is limited to legitimate access by controlling who can access what kind of information in the data repository. The information may refer to database fields such as record types and data structure, or to operations over certain database objects such as query types. Commonly, database access control is set by the official administrators via a protected DBMS GUI. In some scenarios, enterprises may have their own access rules and policies that the SaaS application supplied by the SaaS service provider must obey. Hence, SaaS vendors must be able to incorporate these specific policies into their own access control rules and schemes. Also, the employee data of a company does not stay static all the time, which might influence data access control. Thus, when a SaaS application is adopted by an enterprise, how will the SaaS vendor ensure that its employee records are consistent with the records in the enterprise's own files? Is there any reasonably secure notification scheme in place to keep the SaaS vendor updated with the latest edits to employee information? These issues pose a risk to the enterprise's sensitive data and business information when they are ignored by managers.
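The two questions above (honouring the enterprise's own access policy, and staying consistent with its employee records) as an added example, not code from the paper: an authorization check that applies a tenant-specific policy, refuses deprovisioned users, and refuses to decide at all when the enterprise's last roster synchronization is older than a freshness limit. Tenant names, roles, the 24-hour limit and the roster are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Hypothetical tenant-specific policies the SaaS vendor imports from each enterprise:
# tenant -> role -> set of (object, action) pairs that role may perform.
TENANT_POLICIES = {
    "acme": {
        "analyst": {("reports", "read")},
        "admin": {("reports", "read"), ("reports", "write"), ("employees", "read")},
    },
}

# Constructed freshness limit: a roster older than this is no longer trusted.
ROSTER_MAX_AGE = timedelta(hours=24)
# Fixed "current time" so the demonstration is reproducible.
DEMO_NOW = datetime(2024, 1, 2, 12, 0, tzinfo=timezone.utc)


@dataclass(frozen=True)
class Employee:
    user_id: str
    tenant_id: str
    role: str
    active: bool          # False once the enterprise has deprovisioned the person


@dataclass(frozen=True)
class Roster:
    tenant_id: str
    synced_at: datetime   # when the enterprise last pushed its employee file
    employees: dict       # user_id -> Employee


def authorize(roster, tenant_id, user_id, obj, action, now):
    """Return (allowed, reason). Every denial names its cause so the decision
    can be logged and audited by the tenant."""
    if roster.tenant_id != tenant_id:
        return False, "roster belongs to a different tenant"
    if now - roster.synced_at > ROSTER_MAX_AGE:
        return False, "employee roster is stale; refusing until re-synced"
    emp = roster.employees.get(user_id)
    if emp is None or emp.tenant_id != tenant_id:
        return False, "unknown user for this tenant"
    if not emp.active:
        return False, "user deprovisioned by the enterprise"
    allowed = TENANT_POLICIES.get(tenant_id, {}).get(emp.role, set())
    if (obj, action) not in allowed:
        return False, f"role {emp.role} may not {action} {obj}"
    return True, "ok"


def demo_roster(age_hours):
    """Constructed roster for tenant acme, synchronized age_hours before DEMO_NOW."""
    people = [
        Employee("u1", "acme", "analyst", True),
        Employee("u2", "acme", "admin", True),
        Employee("u3", "acme", "admin", False),   # left the company, not yet deleted
    ]
    return Roster("acme", DEMO_NOW - timedelta(hours=age_hours),
                  {e.user_id: e for e in people})
```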

 

3) Data Recovery and Backup


Backup and recovery is one of the most vital and necessary responsibilities of a DBA. The occurrence of data corruption, hardware failure and data damage in a database is probable. SaaS clients and users do not have any backup services on their side and rely fully on the SaaS service provider for data backup and recovery; it would be overwhelming for users to suffer data loss and, in turn, loss of income. It falls on the SaaS service provider's shoulders to make sure that when any misfortune occurs, countermeasures exist to bring the database back to its earlier state and diminish the impact of the incident.

 

4) Data Integrity


Data integrity [10] refers to maintaining and assuring the accuracy and consistency of data over its whole life cycle. It was originally intended to stop the entry of information that does not conform to the structure declared in the database and to prevent the I/O of improper transactions that could produce unacceptable processing and faulty transactions in the database. Data integrity can be put in danger by human error when the data is entered into the database or when the data is improperly moved from one server to another. Software viruses and bugs, hardware crashes and natural disasters (earthquake and flood) can result in the compromise of data integrity as well.

It is essential that SaaS service providers implement procedures to guarantee data integrity and be able to say what happened to a certain set of data and at what stage.
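One way a provider can answer "what happened to this data and at what stage", shown as an added example that is not from the paper: a keyed hash chain over each change to a record, where every entry commits to the previous one, so the history can be replayed and any later alteration is located at the first broken link. The key, tenant, record id and stage names are constructed.

```python
import hashlib
import hmac
import json

# Constructed secret held by the provider's integrity service; in production it
# would live in a key store, never in source.
CHAIN_KEY = b"demo-integrity-key-not-for-production"


def entry_digest(prev_digest, entry):
    """HMAC over the previous digest plus the canonical JSON of this entry, so
    each link commits to the whole history before it."""
    body = json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(CHAIN_KEY, prev_digest + body, hashlib.sha256).hexdigest()


def append_change(chain, tenant_id, record_id, stage, data):
    """Record that `data` for `record_id` reached `stage` (e.g. 'ingest',
    'migrate', 'backup'); returns the new entry."""
    prev = chain[-1]["digest"].encode() if chain else b""
    entry = {"tenant": tenant_id, "record": record_id, "stage": stage, "data": data}
    entry["digest"] = entry_digest(prev, entry)   # digest covers everything above
    chain.append(entry)
    return entry


def verify_chain(chain):
    """Return -1 if every link is intact, else the index of the first entry
    whose digest no longer matches its content and predecessor."""
    prev = b""
    for i, entry in enumerate(chain):
        content = {k: v for k, v in entry.items() if k != "digest"}
        if not hmac.compare_digest(entry_digest(prev, content), entry["digest"]):
            return i
        prev = entry["digest"].encode()
    return -1


def history_of(chain, record_id):
    """The stages a record passed through, in order."""
    return [e["stage"] for e in chain if e["record"] == record_id]


def demo_chain():
    """Constructed history of one customer record across three stages."""
    chain = []
    append_change(chain, "acme", "cust-42", "ingest", {"balance": 100})
    append_change(chain, "acme", "cust-42", "migrate", {"balance": 100})
    append_change(chain, "acme", "cust-42", "backup", {"balance": 100})
    return chain
```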

 

5) Data Transfer Security


The transmission medium between the SaaS service provider's site and the client (user) is not always considered secure and protected, especially in the SaaS model. Data is transmitted in many packets and flows through many third-party devices before arriving at the final host address, usually on the client side. So, data travelling over the transmission path may be subject to network threats and risks such as DNS poisoning, MITM (man-in-the-middle) attacks, IP spoofing, port scanning and sniffing attacks [11].

During transmission of data from the sender side to the receiver side, only these two parties are considered legitimate; that means there should be no third party who can watch the traffic and examine it for their own malicious use, and hence no changes should occur in the data while it travels along the transmission path and medium through any intermediate third party.

The security risks and threats to data in transmission have increased due to "eavesdropping" [11]. It is commonly done silently, and it is difficult to notice whether the network has been "eavesdropped" on by any intermediary. Intruders can make use of "eavesdropping" to capture a Transmission Control Protocol (TCP) session; then the intruders can find the sequence numbers of the ongoing packets to either forge a false segment with a malicious payload or impersonate the sender's IP address to perform further malicious acts. Data and information security over the transit networks becomes a vital issue that persistently needs to be demonstrated.

B. Application Security

Application security refers to the use of software and hardware to ensure that no injurious or harmful task is performed, and that an intruder is not able to get access to the administrator's console or interface and make malicious edits. Application security problems can be induced at different levels of the application hierarchy: design, implementation, deployment and access. They can be traced to design loopholes hidden in the program itself, or to unprotected configurations of the user console, interface or web-service-based APIs through which the user obtains authorized access to the application. Furthermore, widespread malware hidden in the SaaS application is another way of targeting the user.

 

1) Loopholes in Software Design

Software design for SaaS differs from the traditional client-server environment and architecture in respect of "architecture", "UI (user interface)" and many APIs. The multi-tenant architecture (an important characteristic of SaaS architecture) of a SaaS application is a barrier that an architect accustomed to designing isolated, single-tenant applications must overcome. For example, when a user at one enterprise accesses user information via a CRM (Customer Relationship Management) application service, the application instance that the user connects to may be serving users from dozens, or even hundreds, of other enterprises, all fully invisible to any of the users. This requires an architecture that maximizes the sharing of computing resources across all tenants but is still able to distinguish between the owners of data.

 

APIs are the baseline of the SaaS model because of SaaS's heterogeneity. For example, a SaaS application running in the web browser is supported by many programming languages, such as the combination of HTML, CSS and JavaScript in the application's presentation tier (interface level; the lowest level of the application), or an engine using dynamic web technology (Java, PHP, Python, etc.) in the application's middle tier (business logic tier). Many APIs must be implemented to achieve interoperability between all tiers, either APIs that already exist in the market or APIs designed for special needs. However, poorly developed and designed APIs might be subject to malicious attack, which software developers should consider [12].

Customers follow the guidelines provided by the service providers on how to use these APIs, but in some scenarios intruders can also misuse these APIs and find their vulnerabilities and loopholes.

 

2) UI and Web Technologies and Tools

SaaS service providers commonly present a set of interfaces, consoles and APIs that permit their customers to perform various tasks. Users interact with the application via user credentials such as usernames and passwords. However, if these input fields do not validate user input, they could be exploited by intruders launching injection attacks. Similarly, some SaaS applications allow customers to post comments that are visible to all customers. Intruders can insert a malicious script (a short piece of code) into the comment area, which is then accepted by the application without validation and sent to the web browsers of other customers. Every victim's browser viewing this page will execute the script, which can take over user sessions, deface websites or redirect users to another malicious website.

 

HTTP is the protocol used for communication between the browser and the application server. However, HTTP was designed to be a stateless protocol. Thus, web application developers prefer to apply web session management techniques or cookies to maintain state. However, this is considered unprotected because such a mechanism is vulnerable to session hijacking, the technique of acquiring control of a session. If the cookies deployed by the application website are not protected by encryption during transmission, or the transmission medium is not protected, it is highly probable that credentials and other sensitive information such as the session ID stored in the cookie can be read by an attacker to launch the next attack. For instance, attackers can "masquerade" (forge their identity) as the trusted user and do anything the user has authority to do on the network.
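The two defences these paragraphs call for, as an added example that is not from the paper: escaping customer comments before they are rendered to other customers' browsers, and issuing the session cookie with the attributes that keep it off clear-text HTTP and out of reach of injected scripts. The comments and session id are constructed; the cookie attribute names are the standard ones supported by Python's http.cookies module.

```python
import html
from http.cookies import SimpleCookie

# Constructed comments as tenant users might submit them; the second carries
# script markup of the kind the paper describes.
SAMPLE_COMMENTS = [
    "Great release, thanks!",
    "<script>alert('xss')</script>",
]


def render_comment_unsafe(comment):
    """Vulnerable: the comment is interpolated into HTML verbatim, so any
    markup it contains is interpreted by every viewer's browser."""
    return f'<li class="comment">{comment}</li>'


def render_comment_safe(comment):
    """Hardened: escape the HTML metacharacters (including quotes) so the
    browser displays the text instead of executing it."""
    return f'<li class="comment">{html.escape(comment, quote=True)}</li>'


def render_page(comments, renderer):
    """Assemble the shared comment list with the chosen renderer."""
    return "<ul>" + "".join(renderer(c) for c in comments) + "</ul>"


def contains_active_markup(rendered):
    """Does a raw <script> tag survive rendering? (used to compare renderers)"""
    return "<script" in rendered.lower()


def session_cookie_header(session_id):
    """Set-Cookie value whose attributes stop the session ID from being sent
    over clear-text HTTP, read by page scripts, or attached to cross-site
    requests."""
    jar = SimpleCookie()
    jar["session"] = session_id
    jar["session"]["secure"] = True        # browser sends it only over HTTPS
    jar["session"]["httponly"] = True      # not readable by injected scripts
    jar["session"]["samesite"] = "Strict"  # not attached to cross-site requests
    jar["session"]["path"] = "/"
    return jar["session"].OutputString()
```

Escaping on output neutralizes the stored script, and a cookie flagged HttpOnly cannot be read even when a script does slip through; the Secure flag addresses the clear-text transmission risk described above.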

 

3) Web Services and Technologies

A web service is a software system designed to support interoperable machine-to-machine interaction over a network. It has an interface described in a machine-processable format (particularly WSDL). Other systems interact with the web service in the manner prescribed by its description using SOAP messages, typically delivered over HTTP with an XML serialization in combination with other web-related standards.

 

Various attacks [13], [14] against web services include "over-size payload", "coercive parsing", "XML injection" and "XML wrapping attack". Also, "Denial of Service (DoS) attack" or "Distributed Denial of Service
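A guard against the first two attack classes named above ("over-size payload" and "coercive parsing", i.e. excessively deep nesting), shown as an added example that is not from the paper: the SOAP body is parsed incrementally with a byte ceiling and a nesting ceiling, so a hostile request is rejected before the parser has consumed it. The limits and request bodies are constructed values.

```python
import xml.etree.ElementTree as ET

# Constructed limits a SaaS endpoint might apply to incoming SOAP requests.
MAX_BYTES = 64 * 1024   # ceiling against over-size payloads
MAX_DEPTH = 32          # ceiling against coercive parsing (deep nesting)
CHUNK = 4096            # feed size, so limits are enforced before full parse


class RejectedPayload(ValueError):
    """Raised before the document is fully parsed, bounding resource use."""


def parse_guarded(data, max_bytes=MAX_BYTES, max_depth=MAX_DEPTH):
    """Parse `data` incrementally, enforcing a byte ceiling and a nesting
    ceiling. Returns the root Element on success."""
    parser = ET.XMLPullParser(events=("start", "end"))
    depth = fed = 0
    root = None
    for offset in range(0, len(data), CHUNK):
        chunk = data[offset:offset + CHUNK]
        fed += len(chunk)
        if fed > max_bytes:
            raise RejectedPayload(f"payload exceeds {max_bytes} bytes")
        parser.feed(chunk)
        for event, elem in parser.read_events():
            if event == "start":
                depth += 1
                if depth > max_depth:
                    raise RejectedPayload(f"nesting deeper than {max_depth}")
                if root is None:
                    root = elem
            else:
                depth -= 1
    parser.close()          # raises ET.ParseError on a truncated document
    if root is None:
        raise RejectedPayload("empty document")
    return root


def classify(data):
    """'accepted' or 'rejected: <reason>' for one request body."""
    try:
        parse_guarded(data)
        return "accepted"
    except RejectedPayload as exc:
        return f"rejected: {exc}"
    except ET.ParseError as exc:
        return f"rejected: malformed XML ({exc})"


# Constructed request bodies for the demonstration.
BENIGN_SOAP = (b'<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">'
               b'<soap:Body><GetBalance><AccountId>42</AccountId></GetBalance>'
               b'</soap:Body></soap:Envelope>')
DEEP_NESTING = b"<a>" * 1000 + b"</a>" * 1000            # coercive parsing
OVERSIZE = b"<a>" + b"x" * (MAX_BYTES + 1) + b"</a>"   # over-size payload
```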