Securing Procurement in the Cloud of Tomorrow

In recent surveys of CIOs, the terms that feature consistently at the top of their agenda are “Cloud Computing” and “Security”, often in the same context. As Cloud Computing becomes more ubiquitous, it is not surprising that there is renewed focus on Cloud Security. GEP was the first provider in the Source-to-Pay software industry to harness the true power of Cloud Computing through GEP SMART, a unified Source-to-Pay platform developed fully on Microsoft’s Windows Azure platform.

This journey has required us to engage with the world’s leading cloud computing provider and co-develop processes, mechanisms and thought leadership on the full potential of Cloud Computing while building world-class security measures for this emerging technology. This paper is aimed at sharing these best practices with a broader audience and helping other companies leverage full value from Cloud Computing.

A New Framework on Cloud Security

A lot of discussion on Cloud Security focuses incorrectly on data access concerns only. An holistic view of cloud security needs to address the following interlinked elements:

1. Choosing The Right Cloud Computing Model

Cloud computing is a model for enabling ubiquitous, convenient, on-demand access to a shared pool of configurable computing resources. Organizations can choose from 3 models while deploying cloud solutions: IaaS, SaaS and PaaS. Infrastructure as a Service (IaaS) represents on-demand compute and storage; Software as a Service (SaaS) vendors host applications in the cloud; and Platform as a Service (PaaS) is a cloud-based application development platform.

Software as a Service may be the best known aspect of Cloud Computing, but developers and organizations all around the world are leveraging Platform as a Service, which mixes the simplicity of SaaS with the power of IaaS, to great effect. From the start, we at GEP were struck by the enormous potential of the platform-as-a-service (PaaS) cloud model to generate an entirely new level of value for our customers. We could virtually eliminate the complexity of buying and managing the hardware and software infrastructure underlying GEP SMART™ and focus on driving innovation. We could also provide the very highest levels of availability, security and business continuity. For the first time, developers can focus on application expertise for their business, not managing complex hardware and software infrastructure. Our approach to cloud security is shaped by this choice and for organizations using IaaS or SaaS, the security strategy would need to be refined to reflect the operating model.

2. Selecting The Right Cloud Computing Partner

The second biggest decision driving security aspects in a cloud environment is the choice of the cloud computing partner. We evaluated several leading cloud providers and finally selected Microsoft’s Windows Azure platform as the right fit for our current and future needs. Microsoft has decades-long experience in building enterprise software and running some of the largest online services in the world. It has leveraged this to implement and continuously improve security-aware software development, operational management, and threat mitigation practices that are essential to the strong protection of data in the cloud.

Microsoft also has experience in designing, managing, and securing world-class data centers in diverse locations around the world that few can match. These centers are designed and constructed with stringent levels of physical security and access control, power redundancy and efficiency, environmental control and state-of-the-art recoverability capabilities. And they are the same data centers that run many of the world’s largest online services. (The physical facilities have achieved broad industry compliance, including ISO 27001 and SOC / SSAE 16 / SAS 70 Type II and within the United States, FISMA certification.) What’s more, Microsoft Azure is the seedbed of an entire ecosystem of third-party developers, eager to innovate and improve a vast range of related, performance-enhancing applications — from middleware to specialized business components.

These capabilities were critical to our vision of developing GEP SMART as the leading S2P cloud platform and enabled us to implement an industry-leading cloud security strategy.

3. Cloud Security Strategy

According to the Cloud Usage: Risks and Opportunities Report by Cloud Security Alliance (CSA), 26% of respondents don’t have security policies or procedures in place to deal with data security in the cloud. This is a generous response and other studies indicate that close to half the major Fortune 500 organizations have not updated their data security strategies to reflect the cloud computing shift.

At GEP, we strongly urge our clients to develop a formal cloud security policy that drives aspects of user and data management. For GEP SMART, we have taken the following layered approach to data security:

In order to achieve the highest degree of protection and meet the regulatory compliances GEP needs to secure client data in SQL Server or Azure SQL Databases, Microsoft Azure provides multiple layers of data protection. This includes encrypting data while at rest, in motion or in use, authenticating only authorized users and limiting user access to the appropriate subset of the data. Additionally, the Microsoft Azure Cloud provides continuous monitoring and auditing of activities to help in the detection of potential threats and provide a record of critical events in case of a suspected breach. These rich security capabilities are each balanced by the ability to quickly implement features and mitigate security risk without compromising developer productivity or a customer’s experience.

4. Cloud Security Processes – Data Security

These steps of cloud model, partner and strategy need to be translated into world class security processes supporting the elements of data security, infrastructure security and ongoing monitoring.

The primary elements of GEP’s data security processes are encryption, authentication & authorization, dynamic data masking and row level data security.

4.1 Data Encryption:

Encryption is the process of taking data and changing it in a way that makes it unrecognizable to anyone but who are permitted to read it. Different encryption methods have different strengths.GEP uses the SQL Azure capability of Encryption at three levels.

Encryption-In-Transit: All connections to the Azure SQL Database require encryption at all times while data is “in transit” to and from the database. In GEP SMART, we specify the parameters to encrypt the connection and not trust the server certificate. To do otherwise could mean the connection would not verify the identity of the server and may be susceptible to “snooping” & “man-in-the-middle” attacks. Microsoft has phased out usage of the old protocols such as SSL 3.0 and TLS 1.0 and has implemented the latest TLS 1.2 protocol security.

Encryption-At-Rest: Although many organizations usually encrypt data while in transit, it is not usually encrypted while stored in a database server. GEP ensures that data is specifically encrypted in the server, so even if the data is later moved to external storage or sent over insecure transports, the privacy, integrity and confidentiality of the data is always preserved. For data at rest, Azure offers a wide range of encryption capabilities up to AES-256, giving us the flexibility to choose the solution that best meets customer needs. GEP uses Transparent Data Encryption (TDE) on all customer data at rest. TDE protects customer data on disk at page and log levels by performing real-time I/O encryption and decryption of the SQL Azure database. TDE encrypts the storage of an entire database by using an AES 256 symmetric key known as a database encryption key. In individual databases the database encryption key is protected by a server certificate. The server certificate is unique for each database. Microsoft Azure automatically rotates the certificate on a 90 day basis. One of the major benefit of TDE is that the SQL Azure engine handles all of the encryption and decryption workload without impacting the application.

Encryption-End-To-End: In addition to encryption at transit and at rest, we utilize the capability to encrypt each column of data by using Cell level Encryption (CLI). Data can be protected end to end in this way. For CLI the application is aware of columns that are encrypted and there may be considerable impact/overhead on performance if all the data is encrypted. Therefore, by default GEP does not use CLI on all the cells but applies this security policy according to the sensitivity of data stored in the cells.

4.2 Authentication and Authorization

GEP operates SQL Azure for SQL Server authentication and Active Directory Authentication. GEP SMART’s active directory is integrated with Azure AD and SQL Azure is integrated with Azure AD. Thus a cloud solutions provides the option of integrated AD authentication helping us to incorporate specific user authentication policies.

As a best practice, GEP SMART uses a unique account to access. This allows us to limit the permissions granted to the application and reduces the risk of malicious activity in case the application is subjected to a SQL injection attack. GEP’s developers do not have access to any of the client databases. This determines the security principles for authentication, including:

• SQL Server logins: Used to authenticate access to SQL Azure at the server level.
• Database users: Used to grant access to SQL Azure at the database level
• Database roles: Used to group users and grant access to SQL Azure at the database level.
• Contained database user model: Access to master and system databases are restricted and then authentication occurs directly at the user database.
• Granular permissions in SQL Azure allows us to control which operations we can perform on individual columns, tables, views, procedures and other objects in the database.
• Impersonation and module-signing are used to securely elevate permissions temporarily.

4.3 Dynamic Data Masking

GEP SMART utilizes SQL Azure’s in-built functionality for dynamic data masking of sensitive data, tables and columns. Dynamic Data Masking prevents the abuse of sensitive data by hiding it from users who are not authorized to view it.

SQL Azure simplifies the configuration of data masking and is controlled by policies at the table and column levels for a defined set of users. Data masking is applied in real time to query results based on the policy. Multiple masking functions are available for various sensitive categories such as bank account, SSN, etc. Azure data masking is enabled on customer data with minimal impact on application performance.

4.4 Row-Level Data Security

Row-Level Security provides fine-grained access control over specific row of data in a database table. RLS in SQL Azure enables GEP to control access to rows in a database table based on the characteristics of the user or application executing a query (e.g., group membership or execution context).

Row-Level Security (RLS) simplifies the design and coding of security in GEP SMART. RLS enables us to implement restrictions on data row access. For example ensuring that users can access only those data rows that are pertinent to their department, or restricting a customer’s data access to only the data relevant to their access. The access restriction logic is located in the database tier rather than away from the data in another application tier. The database system applies the access restrictions every time that data access is attempted from any tier. This makes your security system more reliable and robust by reducing the “surface area” of your security system.

4.5 Data Privacy

Only GEP controls the data within the GEP SMART application and GEP finalizes the region/datacenter where the data will reside based on the customer requirement. We define customer data as all data, including text, sound, video, or image files and software that are provided to GEP by its clients, through use of GEP SMART.

GEP uses client data only to provide the services agreed upon, including purposes that are compatible with providing those services. We do not use customer data or derive information from it for advertising or share with any other party. Our commitment to the privacy of customer data is backed by Microsoft’s adoption of the world’s first international code of practice for cloud privacy, ISO/IEC 27018. The British Standards Institute has independently verified that Azure is aligned with the ISO 27018 code of practice for the protection of personally identifiable information in the public cloud. Adherence also provides transparency about our policies regarding the return, transfer, and deletion of personal information you store in our datacenters.

Such clear and stringent data privacy measures are critical to ensure data integrity in the B2B application space and GEP is actively encouraging other providers to follows its lead.

5. Security Processes – Infrastructure Security

The prior steps of the cloud model, partner and strategy need to be translated into world class security.

5.1 Availability

By using Microsoft SQL Azure as our platform, GEP is able to protect and create highly available solution. By default, Azure helps GEP keep 3 copies of data within the region. Azure creates automatic asynchronous replication of database by default.

GEP uses the Azure capability of “multiple online secondary” and “readable online secondary” databases of our customer data. In case of region wide failure we can easily bring the customer data from another region with minimum RPO (Recovery Point Objective) and RTO (Recovery Time Objective). GEP also maintains a backup solution to store backup in an offsite location.

5.2 Physical Security

A common question from customers using hosted services is, “Can somebody physically steal my data?” The answer is “Very unlikely if not impossible”, because numerous factors stand in the way of anybody attempting such a feat. Azure datacenters deploy ISO-compliant safeguards such as locked server cages and racks, Smartcard readers, 24x7 monitoring by security staff, and other mechanisms designed to prevent data compromise by physical means.

• Entering the Datacenter: Attested by multiple security and compliance audits, Microsoft employs rigorous operations and processes to prevent unauthorized access, including 24x7 video monitoring, trained security personnel, key-locked server racks (that house compute, storage, and networking hardware), smart cards and biometrics controls. Any access that is granted is logged.
• Stealing a Disk Drive: To target your business specifically, a trespasser would have to know which datacenter, building, floor, room, and server rack on which your data resides. In addition, Azure Storage data is written to disk in small chunks using striping. Thus, a customer’s data likely spans across multiple disks (and large files, such as databases, may span multiple drives). At this point, the person would need to know which disk enclosure and drive(s) to pull out. A thief (even randomly grabbing disks) would also need your secret Azure Storage keys to read the media.
• Copying Data onto Removable USB Media: As with disk theft noted above, using removable media means discovering which storage device has the desired data. Azure nodes are physically protected and include headless operation, hardware passwords, and hardening techniques to prevent local code execution. Similarly, server clusters do not support optical media, and physical ports are blocked from access; any attempts to connect in this way generates security alerts.
• Network Sniffing (physical connection via wired, wireless, or remote tap): Azure’s internal routers do not connect to any Internet-facing endpoints and run in a highly restricted mode to block any nonauthenticated connections. There is no wireless access to any Azure production network systems or infrastructure, effectively eliminating the threat of mobile device exploits. And, Microsoft’s Global Foundation Services (GFS) group operates Azure in ISO 27001-compliant datacenters, with security controls to lock down physical network access ports.

5.3 Network Security

The distributed and virtual networks in Azure help ensure that GEP SMART private network traffic is logically isolated from traffic belonging to other customers. A customer subscription can contain multiple isolated private networks (and include firewall, load-balancing, and network address translation):

• Deployment network: Each deployment is isolated from other deployments at the network level. Multiple VMs within a deployment are allowed to communicate with each other through private IP addresses.
• Virtual network: Each virtual network is isolated from other virtual networks. Multiple deployments (inside the same subscription) can be placed on the same VNET, and allowed to communicate through private IP addresses. GEP uses VNET and deploy GEP SMART within the VNET developed in the cloud.

By default, Virtual Machines inside the private network do not receive inbound traffic from outside of the deployment. The administrator defines an input endpoint that specifies which ports on which VMs should receive inbound traffic initiated from outside a deployment’s isolated network - enabling traffic from the Internet and other deployments or customers inside Azure.

6. Ongoing Testing and Monitoring

With the foundation of a world-class cloud platform partner, a leading cloud security strategy and mechanisms to manage data and infrastructure security, GEP and Microsoft actively engage in testing and monitoring these elements to ensure we stay ahead of the curve.

An important part of developing a more secure application is to understand the threats to it. GEP follows Microsoft recommended classification to categorize threats: Spoofing, Tampering, Repudiation, Information disclosure, Denial of service and Elevation of privilege (STRIDE).

GEP handles proactively each of the threats starting at SDLC to deployment of application. The sections below briefly describe these threats and how they are mitigated in GEP SMART. The following figure shows the overall threat areas GEP handles as part of application development.

6.1 Spoofing

To spoof is to impersonate a user or process in an unauthorized way. At its simplest, spoofing can mean typing in a different user’s credentials. A malicious user might also change the contents of a cookie to pretend that he or she is a different user or that the cookie comes from a different server. In general, we prevent spoofing by using stringent authentication. Any time someone requests access to non-public information, we make sure they are who they say they are. We protect against spoofing by keeping credential information safe. For example, we do not keep a password or other sensitive information in a cookie, where a malicious user can easily find or modify it.

6.2 Tampering

Tampering means changing or deleting data without authorization. One example is defacing a Web page, where the malicious user gets into the site and changes files. An indirect way to tamper is by using a script exploit. A malicious user manages to execute code (script) by masking it as user input from a page or as a link. A primary defense against tampering is GEP uses Windows security to lock down files, directories, and other OS resources. GEP SMART runs with minimum privileges. We help guard against script exploits by not trusting any information that comes from a user or even from a database. Whenever we get information from an untrusted source, we take steps to be sure it does not contain any executable code.

6.3 Repudiation

A repudiation threat involves carrying out a transaction in such a way that there is no proof after the fact of the principals involved in the transaction. In a Web application, this can mean impersonating an innocent user’s credentials. GEP helps guard against repudiation in GEP SMART, by using stringent authentication. In addition, we use the logging features of Windows to keep an audit trail of any activity on the server.

6.4 Information Disclosure

Information disclosure simply means stealing or revealing information that is supposed to be private. A typical example is stealing passwords, but information disclosure can involve access to any file or resource on the server. The best defense against information disclosure is to have no information to disclose. For example, if you avoid storing passwords, malicious users cannot steal them. An alternative to storing passwords is to store only a hash of the password. When a user presents credentials, GEP hashes the user’s password and compare only the hashes of the two. As always, GEP uses authentication to help ensure that only authorized users can access restricted information. If clients must expose sensitive information, we encrypt the information when stored and use Secure Sockets Layer (SSL) to encrypt the information when sent to and from the browser.

6.5 Denial of Service Attacks

A denial of service attack is to deliberately cause an application to be less available than it should be. A typical example is to overload a Web application so that it cannot serve ordinary users. Alternatively, malicious users might try to simply crash your server. IIS enables one to throttle applications, which means that it limits the number of requests it will serve. We are able to deny access to users or IP addresses known to be malicious. Keeping your applications online is a matter of running robust code. GEP tests our application thoroughly and responds appropriately to error conditions wherever required.

6.6 Distributed denial-of-service (DDoS) defenses

These are part of Microsoft Azure continuous monitoring and regular testing to improve cloud security controls and processes. Azure DDoS defense system is not only designed to withstand attacks from the outside, but from other Azure tenants as well. Azure uses standard intrusion detection and mitigation techniques such as SYN cookies, rate limiting, and connection limits to protect against these attacks.

1. Network-layer high volume attacks: These attacks choke network pipes and packet processing capabilities by flooding the network with packets. The Azure DDoS defense technology provides detection and mitigation techniques such as SYN cookies, rate limiting, and connection limits to help ensure that such attacks do not impact customer environments.
2. Application-layer attacks: These attacks can be launched against a virtual machines. Azure provides mitigation and actively blocks network traffic affecting individual customer deployments, when the system does not interpret the behavior of the application as that to be expected. In this case, similar to on-premises deployments, mitigations include:
   • Running multiple VM instances behind a load-balanced Public IP address.
   • Using firewall proxy devices such as Web Application Firewalls (WAFs) that terminate and forward traffic to endpoints running in a VM. This provides some protection against a broad range of DoS and other attacks, such as low-rate, HTTP, and other application-layer threats. Some virtualized solutions, such as Barracuda Networks, are available that perform both intrusion detection and prevention.
   • Web Server add-ons that protect against certain DoS attacks.
   • Network ACLs, which can prevent packets from certain IP addresses from reaching VMs.

6.7 Elevation of Privilege

An elevation of privilege attack is to use malicious means to get more permissions than normally assigned. For example, in a successful elevation-of-privilege attack, a malicious user manages to get administrative privileges to your Web server, giving himself or herself access to any data on the server as well as control over server capabilities. To help protect against elevation of privilege, we run the application in a least-privilege context if practical.

Finally, Microsoft and GEP regularly conduct penetration testing on Azure and GEP SMART security controls and processes. We also understand that security assessment is an important part of our customers’ compliance policies. So, we have established a policy for clients to carry out authorized penetration testing on GEP SMART applications hosted in Azure. Because such testing can be indistinguishable from a real attack, we coordinate these penetration tests closely with the client IT teams. GEP has also partnered with TrustWave for third party penetration testing. Each firm spent a significant amount of time examining the security & encryption implemented in the GEP application. These tests supplement the GEP internal security testing and help us validate the world-class security structures and processes implemented through GEP SMART and Windows Azure.

In Conclusion:

There is clear alignment among IT leaders on the benefits of cloud computing both for application buyers and sellers. However, there is also a high degree of concern about moving to a non-traditional mode of managing applications, data and infrastructure.

The biggest myth about Cloud Computing is that your data is not safe in the cloud. This is largely driven by the nonphysical aspect of the cloud and the loss of control IT departments feel when they decommission physical servers and datacenters. Several experts including GEP have tried to correct this myth, arguing that compared to most organizations cloud providers have greater expertise and spend vast amounts of capital in deploying industry leading security measures. How many IT departments can get their security budgets from a revenue base of $98Bn or claim access to 100,000 plus engineers, which is the capability that Microsoft leverages to enhance its Windows Azure platform?

As with most complex IT decisions, the questions of cloud security do not lend themselves to binary choices. Just as cloud computing services can offer unparalleled capability in scale and flexibility, similar capabilities can be leveraged for world class security. These need to be shaped by a comprehensive cloud security strategy and executed by integrating security and encryption at all steps of the software development life cycle. GEP has been able to leverage these capabilities to deliver GEP SMART as the leading Source-to-Pay platform with unparalleled security capabilities.