To support Intel business groups’ increasing demand for software-as-aservice (SaaS) applications, Intel IT has developed several best practices that can help enhance SaaS security and protect Intel’s intellectual property.
SaaS applications can provide efficiency and agility, cost savings, and enhanced collaboration especially with suppliers and customers. At the same time, SaaS applications present security challenges because they are typically hosted on third-party infrastructure and run third-party application code.
To minimize risk in the cloud, we have established the following best practices:
In our experience, SaaS security controls fall into the following categories:
Our SaaS security best practices enhance security, privacy, and legal compliance at Intel. They also make it possible for business groups to quickly adopt new SaaS solutions.
data loss prevention
software as a service
security business intelligence
system for cross-domain identity management
social, mobile, analytics, cloud, and Internet of Things
Public cloud-based software as a service (SaaS) has become a common delivery model for many business applications in use at Intel, including office applications and sales-and-marketing software. As a result, Intel business groups, as well as external partners and customers, need Intel IT to support cloud-based SaaS applications.
SaaS is best suited for situations with the following requirements:
Adoption of SaaS is part of Intel’s social, mobile, analytics, cloud, and Internet of Things (SMACI) strategy, which is built on the following pillars:
Intel IT recognizes the growing demand for and business value of SaaS solutions. SaaS solutions pose information security challenges, because they are hosted on third-party infrastructure and run third-party application code (both of which are out of Intel IT’s control).
We are currently servicing 250 SaaS use cases with 139,000 users. Based on our experience with these use cases, we have developed a set of best practices for minimizing the risk of using SaaS applications in the enterprise.
First, we defined a strategy for SaaS adoption and built a reference architecture that reflects that strategy. We also determined how to assess risk and implement controls to help enhance security in a SaaS solution and protect Intel’s intellectual property. We are committed to keeping up with technology development so that our reference architecture embodies best-in-class SaaS security. These best practices enable business groups to “go fast” while meeting security policy and privacy and compliance requirements.
To securely and successfully adopt cloud-based SaaS applications in the enterprise, we first developed a SaaS security strategy that guides the rest of our SaaS activities. Our strategy embodies five steps:
We realize that there is a growing demand for SaaS solutions at Intel. Therefore, as shown in Table 1, we established criteria for our SaaS implementation. These criteria have four characteristics: agility, flexibility, security, and usability.
Four Best Practices for Minimizing Risk When Adopting SaaS as a Delivery Model for Enterprise Business Applications
As shown in Figure 1, our SaaS security reference architecture uses the following categories of building blocks:
Security Business Intelligence Platform and Security Operations
Figure 1. Our SaaS security reference architecture comprises building blocks in the categories of application and data security, identity and access management, compliance and governance, device security, and security business intelligence platform and operations.
Our SaaS security reference architecture provides the level of security, privacy, and legal compliance that is necessary in our large enterprise:
One of our key learnings while building our SaaS security reference architecture is that SaaS technology is constantly changing. A secure SaaS security reference architecture requires frequent adjustments and a continuing market for new and enhanced solutions. Security capabilities vary between suppliers, who may take different approaches to file encryption, authentication, logging, remediation work flows, and so on. It is important that we use an Agile method of implementation and make modifications to our architecture when necessary.
Shadow IT is hardware or software within an enterprise that is not supported by the organization’s central IT department. In the context of SaaS, shadow IT refers to personal technology that employees use at work or niche technology that meets the unique needs of a particular business group that is supported by a third-party service provider instead of by corporate IT.
Shadow IT (also known as cloud sprawl) leads to inefficiency, duplication, and business-related decisions being made outside of the formal governance processes of the organization—potentially leading to gaps in compliance and control for an organization along with possible leakage of intellectual property and data.
Intel IT is working to discover shadow IT SaaS services and respond appropriately. Our priorities are to validate the data and understand the environment, take control of the data, and implement governance and compliance. To this end, we have deployed a shadow IT detection tool that can analyze our cloud proxy and offline repository scan logs, detect cloud application usage across the enterprise, provide a risk rating for all discovered cloud applications, and provide usage analytics.
By reducing the use of shadow IT SaaS at Intel, we can identify cost-saving opportunities through supplier consolidation and better protect Intel’s intellectual property.
Intel IT is committed to protecting Intel’s intellectual property and employees’ personally identifiable information. For example, we institute controls to protect against known malware, phishing sites and software, and loss of intellectual property. However, we do not want to arbitrarily block services and the movement of data. We also want to encourage personal responsibility, educating employees about risks and ways to mitigate them through safe cloud behavior. We want to empower users to understand the risks yet be innovative and productive.
We have established a method of balancing risk and productivity to achieve the appropriate level of risk tolerance. While risk may seem difficult to quantify, Intel has developed methods based on industry standards to calculate information security risk as a function of threat, vulnerability, and consequence in the context of risk scenarios. Risk scenarios are developed in conjunction with subject-matter experts and information security specialists. These risk scenarios allow us to measure the probability that a specific threat agent will exploit a vulnerability or produce a negative business impact.
For example, a given risk scenario may involve a high threat (such as active known malware propagating through the network), targeting highly vulnerable applications and systems (such as unpatched Transport Layer Security) that handle critical personal information. This information could be leaked in a successful compromise (a high consequence). Such a scenario would be rated as a high risk. If a threat is less likely to exploit vulnerabilities in a scenario—such as when the attack surface is reduced through proactive patching or strong access controls—then the risk may be low.
For threats with a high risk rating, we may block a service entirely, or we may combine controls to mitigate the risk.
To help securely support SaaS in the enterprise environment, security controls are necessary. In our experience, most SaaS security controls relate to one of three areas of risk, as shown in Figure 2:
The following three sections provide details about each of these SaaS security control areas. The final section describes how we match the controls with the risk rating arrived at with Best Practice #3.
The first level of control is to manage identity. We use single sign-on to improve the user experience. After the user signs on, we use several service providers’ tools to enforce access controls and multifactor authentication controls to manage access. These controls help maintain a trustworthy computing environment by complying with Intel’s last-day-at-the-office and least-privilege controls. Our overall goal is to make it easy yet secure for Intel employees and their collaborating partners to access SaaS applications.
Identity. The first-line SaaS security control is identity management. When Intel employees want to access a SaaS application, they open a browser window on their device and then sign in using their corporate identity. Intel employees have a single identity (username/password combination) that they can use to access multiple applications, using single sign-on. Single signon improves security and the user experience because employees do not need to keep track of multiple passwords and thus are not tempted to write them down to remember them all.
Identities are managed by identity providers, which can be internal (for Intel employees) or external (for non-Intel employees accessing the same SaaS application). We are developing a hybrid model where we manage identity accounts on Intel premises and synchronize them with external identity providers.
Intel IT manages the user account life cycle for SaaS applications in the same way that we manage any corporate application operating on the corporate network. Intel implements an integrated account provisioning framework to create, update, and disable accounts in the SaaS application. Intel embraces the SCIM (system for cross-domain identity management) accountprovisioning standard in all cases where it is supported by the SaaS application provider.
Access Controls and Multifactor Authentication. While managing identities is important, access controls are also necessary to enhance SaaS security. We manage access controls through enrollment and entitlement workflows. We use a request/approval, role-based, and attribute-based process to manage access to SaaS applications. A context-aware access-control framework grants access to SaaS applications, taking into consideration factors beyond user group membership.
For example, we can use network location to inform an access decision. In some cases it may be important that access is granted only if the user is connected to the corporate network; if we detect that the user is off-network, we can ask for multifactor authentication to provide better assurance of identity. We use various tools for authentication, depending on the SaaS application; the authentication process varies with the device being used.
For certain SaaS applications, employees using a laptop have access to integrated Microsoft Windows* authentication, whereas employees using a small form factor device must complete a one-time form authentication. For our online office, storage, and collaboration environment, laptop users have access to integrated Windows authentication only if their laptop has intranet access; small form factor device users must use a VPN to authenticate for the first time.
Multifactor Authentication – Verification codes sent to a mobile phone can help improve SaaS security. Our work with multifactor authentication is still in progress, and we understand that usability is key to a successful multifactor authentication rollout. Therefore, we are considering a rich set of options that can align with a user’s computing preferences and level of connectivity. (We do know that we will not be using hardware tokens.) These options include the following:
We plan to continue to adjust our multifactor authentication framework to blend usability and security needs as capabilities evolve.
While identity and access controls provide a certain level of security, we also need application and data controls. Application security controls help verify that code using SaaS APIs and supporting the integration of SaaS applications into the enterprise is securely developed and follows best practices.
Once a user logs in to a SaaS application, the method we use for data protection depends on how the application is implemented. But in all cases, the data traffic flows through a cloud proxy where policy is enforced. Policies exist to protect specific types of data and to detect unapproved data.
Data encryption and tokenization. One type of data control includes data encryption and tokenization. The data is encrypted using an encryption key, which is stored on Intel premises. We can encrypt both structured data (specific fields in a database, for example) and unstructured data (such as entire files). Our encryption model is a hybrid in that some encryption is done on-premises and some off-premises. Encryption keys are pushed to the cloud proxy on a specified time interval. Keys are stored only in memory in the proxy environment—they are signed and can be used only by the appropriate tenant.
When tokenization is required for data residency for some fields or data elements, they are sent to the SaaS application as a replacement for the actual data. The use of tokenization requires an on-premises database, because an unencrypted index is created. Intel IT is investigating tokenization as a future use case.
Data loss prevention. DLP is another type of data control that helps us prevent the transfer of documents containing certain types of information. DLP has two aspects: detection and action. Detection means that we look for certain keywords or phrases (depending on policy), such as “top secret.” If we detect a prohibited word or phrase, we instigate appropriate actions, such as informing the user of security policies and encrypting, quarantining, deleting, or unsharing a document.
We use two types of DLP controls:
Depending on the use case, we can use either type or both types of DLP. The offline scan engine can send an alert to a user if it detects that inappropriate control. All DLP events are logged into our SBI platform (see Logging and data has been sent to a SaaS application.
Monitoring Controls for more details). With either type of control, if a keyword is found, the SBI platform receives an alert and opens a service ticket to the SaaS management team, which can then determine the appropriate response. For example, we can remove the file on the user’s behalf, if necessary, or encrypt, quarantine, or unshare the file. In addition to alerting the SBI platform when inappropriate content is being sent to a SaaS application, the DLP controls send the user an alert message.
We match SaaS security controls to the security assessment and the risk level, instead of using every control on every SaaS application or in every use case. Figure 4 illustrates this concept. In the figure, the employee is using a client device (a smartphone, tablet, 2-in-1 device, or a laptop) to access two SaaS applications—an online office, storage, and collaboration environment and a sales and marketing CRM tool. We use a cloud proxy to route user traffic to the correct SaaS application, with the appropriate controls.
Figure 4. Different SaaS applications have different risk levels. One application may use only identity and access controls with offline data loss prevention inspection; another application may combine identity and access controls with data controls such as encryption and data loss prevention.
For example, for the online office, storage, and collaboration environment, we might use only identity and access controls on the front end and use offline DLP inspection on the back end. For the CRM tool, however, we might add encryption and real-time DLP controls to help protect the data.
The third area of SaaS security controls that we focus on is logging and monitoring. We use our SBI platform as the focal point for logging, monitoring, alerting, responding to information security violations, and using advanced analytics to improve our information security environment. Security logs and alerts are collected from the cloud and fed into the platform. Actionable alerts are immediately sent to our IT security information and event management system for incident response and remediation purposes. Security data is correlated and monitored for anomaly detection.
We use detective controls to monitor cloud traffic for many kinds of anomalies, including the following:
The SBI platform portal enables easy access to reporting capabilities, workflow automation, and the security and event management system.
We have learned that, just as enterprise applications and data are moving to SaaS, SaaS security controls are also moving to the SaaS model. That is, many security service providers currently host their services in the cloud, and we expect significant expansion of enterprise security capabilities delivered as SaaS. Therefore, we must decide which SaaS security controls will remain internally hosted and managed and which ones will be externally hosted and managed. Carefully evaluating SaaS providers can help us make these decisions based on the maturity of a particular provider’s controls.
But a one-time evaluation is not enough—we must constantly reevaluate providers and controls because the public cloud, especially the SaaS ecosystem, is continually changing and evolving. We expect such technology development to occur for a significant period of time. Therefore, we will conduct continuous and short cycles of reviewing the SaaS landscape for security solutions so that we can enhance access controls, data protection and encryption, and device posture.
While we have developed best practices and security controls for supporting enterprise use of SaaS applications, we plan to explore the following risk management challenges, which are growing more and more complex:
As the SaaS ecosystem continues to mature, we will develop controls and additional best practices to address these areas of concern.
The SaaS delivery model for enterprise applications offers efficiency, velocity, agility, cost-effectiveness, and collaboration benefits for many enterprise use cases. To support the increasing demand at Intel for SaaS solutions, Intel IT has established several best practices to minimize risk in the cloud:
Our SaaS security controls have enhanced security, privacy, and legal compliance at Intel, and we are making it safe for business groups to “go fast” when adopting new SaaS solutions. For more information on Intel IT best practices, visit intel.com/IT.