By Srinivasan Sundara Rajan
November 24, 2010 07:00 AM EST
Security #1 Concern for Cloud Adoption
An analysis of several CIO surveys about cloud adoption reveals two things:
- There is a growing adoption of cloud computing
- But security concerns remain at the top of CIOs' minds
So whether as a SaaS provider or as an IT services provider developing applications on a PaaS platform, we need to address these security concerns, and this series of articles aims at addressing various security concerns one by one.
This concern is aptly shown in the study 'Microsoft: The Economics of Cloud' (reproduced courtesy of Microsoft).
SaaS and SQL Injection
Like other web-based systems, cloud applications are prone to most of the common web attacks, including:
- Cross-Site Scripting (XSS)
- Injection Flaws
- Information Leakage and Improper Error Handling
- Broken Authentication and Session Management
- Failure to Restrict URL Access
- Improper Data Validation
- Insecure Communications
- Malicious File Execution
While all of these are common vulnerabilities found in web applications, SQL injection is one of the most likely in a SaaS application.
SQL injection is a method of attack in which an attacker exploits vulnerable code and the type of data an application will accept; it can be exploited through any application parameter that influences a database query.
Examples include parameters within the URL itself, POST data, or cookie values. If successful, SQL injection can give an attacker access to backend database contents, the ability to remotely execute system commands, or in some circumstances the means to take control of the server hosting the database.
SQL Injection In Multi Tenant Database Design
We have seen in some of the earlier posts about multi-tenant database design that storing all tenants' data in the same table, segregated by the Tenant ID acting as the primary key, is a valid design pattern.
For example, if there is a Retail SaaS application that allows multiple retailers to host their products and sell them through the online SaaS application, then a possible multi-tenant design for the table that holds all the orders could be:
- Tenant ID: Unique ID that distinguishes each tenant
- Order ID: Unique Order ID per tenant
- Order Total Price: Total price of the order
- Currency: Currency in which the order is placed
- ... Other order-related columns such as Customer Information, Shipping Address, etc.
If the SaaS application is prone to SQL injection, then it is very easy for someone logged on on behalf of one tenant to view the orders belonging to another tenant. Let us see this with a simple example:
- The front-end application sends the tenant ID along with the database calls, so that the orders belonging to that tenant can be retrieved
- However, the dynamic SQL simply concatenates the 'tenant ID' supplied and returns the results
- This could lead to a situation where a hacker who has created a dummy 'tenant ID' with the SaaS application passes in arbitrary tenant ID values and views orders belonging to other tenants
Common Steps to Avoid SQL Injection
Below are some generic best practices that can be used by any application to avoid SQL injection.
- Parameterized Queries: SQL injection arises from an attacker's manipulation of query data to modify query logic. The best method of preventing SQL injection attacks is therefore to separate the logic of a query from its data. This prevents commands embedded in user input from being executed.
- Validate input: The vast majority of SQL injection attempts can be prevented by properly validating user input for both type and format.
- Stored Procedures: Consider using stored procedures. They require a very specific parameter format, which makes them less susceptible to SQL injection attacks.
Additional Steps for SaaS Applications
Below are some additional steps, on top of the common steps mentioned above, that can be used to prevent SQL injection specific to SaaS cloud applications.
- Never pass the Tenant ID to the back-end queries as an open parameter, which would enable hackers to guess and manipulate it; keep the Tenant ID as a hidden or internal value out of the sight of the user.
- Do not display the internal Tenant ID values or the table names involved when database errors happen; mask the errors with generic text instead.
- Validate that the Tenant ID indeed belongs to the particular user who has logged on before executing the query. For example, if a user, say John Doe, logs on and uses the SaaS application for Tenant A, then any queries by John Doe should only retrieve records from Tenant A and never include other tenants. This cross-reference between users and tenants is maintained in the system and should be used in all queries.
- Enable additional controls at the database level, such as the Virtual Private Database feature of Oracle 11g or an equivalent, so that even with an injection the values of other tenants cannot be viewed.
Protecting tenant-specific data is the ultimate goal of a SaaS application, and SQL injection is among the techniques hackers can use to penetrate it. The techniques mentioned above will prevent SQL injection, make the application more secure, and speed up cloud enablement in the minds of CIOs.
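The following is an added example, not code from the original article or from any product it mentions. It puts the vulnerable pattern from the multi-tenant section (a client-supplied tenant ID concatenated into dynamic SQL) next to a hardened form that applies the common and SaaS-specific steps listed above: the tenant ID is resolved server-side from a user-to-tenant cross-reference instead of being taken from the request, the query is parameterized, the optional order filter is validated for format, and database errors are masked with generic text. The shared `orders` table, the two tenants, the user-to-tenant mapping and the order ID format are all constructed for the example; the database is an in-memory SQLite instance standing in for the SaaS back end.

```python
import re
import sqlite3

# Constructed sample data: two tenants sharing one orders table, as in the article's design.
SCHEMA = """
CREATE TABLE orders (
    tenant_id   TEXT NOT NULL,
    order_id    TEXT NOT NULL,
    total_price REAL NOT NULL,
    currency    TEXT NOT NULL,
    PRIMARY KEY (tenant_id, order_id)
)
"""
SAMPLE_ORDERS = [
    ("TENANT_A", "A-1001", 120.50, "USD"),
    ("TENANT_A", "A-1002", 75.00, "USD"),
    ("TENANT_B", "B-2001", 999.99, "EUR"),
]

# Hypothetical user -> tenant cross-reference maintained by the application (assumed, not
# from the article). The hardened lookup trusts only this mapping, never the request.
USER_TENANT = {"john.doe": "TENANT_A", "jane.roe": "TENANT_B"}

# Constructed order ID format used for input validation (one letter, dash, four digits).
ORDER_ID_RE = re.compile(r"^[A-Z]-\d{4}$")


def open_db():
    """Create the in-memory database and load the constructed sample orders."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    conn.executemany("INSERT INTO orders VALUES (?, ?, ?, ?)", SAMPLE_ORDERS)
    return conn


def orders_vulnerable(conn, tenant_id_from_request):
    """The pattern the article warns about: the tenant ID arrives from the client and is
    concatenated into dynamic SQL. Whatever tenant ID the client sends is the one queried,
    so a user of Tenant A who submits Tenant B's ID receives Tenant B's orders."""
    sql = (
        "SELECT order_id, total_price, currency FROM orders WHERE tenant_id = '"
        + tenant_id_from_request
        + "' ORDER BY order_id"
    )
    return conn.execute(sql).fetchall()


def orders_hardened(conn, logged_in_user, order_id=None):
    """Hardened form: tenant scope comes from the server-side user->tenant mapping, the
    query is parameterized, optional input is validated, and driver errors are masked."""
    tenant_id = USER_TENANT.get(logged_in_user)
    if tenant_id is None:
        # No tenant for this user: refuse rather than fall back to a client-supplied value.
        raise PermissionError("user is not associated with any tenant")

    sql = "SELECT order_id, total_price, currency FROM orders WHERE tenant_id = ?"
    params = [tenant_id]
    if order_id is not None:
        # Type/format validation before the value gets anywhere near the query.
        if not ORDER_ID_RE.match(order_id):
            raise ValueError("invalid order id format")
        sql += " AND order_id = ?"
        params.append(order_id)
    sql += " ORDER BY order_id"

    try:
        # Bound parameters are always treated as data, never as SQL text.
        return conn.execute(sql, params).fetchall()
    except sqlite3.Error:
        # Mask the driver's message (table names, SQL fragments) with generic text.
        raise RuntimeError("order lookup failed") from None


if __name__ == "__main__":
    db = open_db()
    # John Doe belongs to Tenant A, yet the vulnerable path returns whatever tenant he names.
    print("vulnerable, client says TENANT_B:", orders_vulnerable(db, "TENANT_B"))
    # The hardened path ignores any client-supplied tenant and scopes by his own tenant.
    print("hardened, john.doe:", orders_hardened(db, "john.doe"))
    # A valid-looking order ID from another tenant yields nothing rather than leaking a row.
    print("hardened, john.doe asks for B-2001:", orders_hardened(db, "john.doe", "B-2001"))
```

Note that the hardened version never exposes a tenant ID parameter at all: the only client-controlled input is the order ID, and it is both format-checked and bound as a parameter. The `ORDER BY` is there so results are deterministic regardless of the index the engine chooses; the database-level control the last bullet mentions (Oracle VPD or an equivalent row filter) would sit underneath this code as a second, independent barrier.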