Technical Field
This disclosure relates generally to deploying applications in a “cloud” compute environment.
Background of the Related Art
An emerging information technology (IT) delivery model is cloud computing, by which shared resources, software and information are provided over the Internet to computers and other devices on-demand. Cloud computing can significantly reduce IT costs and complexities while improving workload optimization and service delivery. With this approach, an application instance can be hosted and made available from Internet-based resources that are accessible through a conventional Web browser over HTTP. An example application might be one that provides a common set of messaging functions, such as email, calendaring, contact management, and instant messaging. A user would then access the service directly over the Internet. Using this service, an enterprise would place its email, calendar and/or collaboration infrastructure in the cloud, and an end user would use an appropriate client to access his or her email, or perform a calendar operation.
Cloud compute resources are typically housed in large server farms that run one or more network applications, typically using a virtualized architecture wherein applications run inside virtual servers, or so-called “virtual machines” (VMs), that are mapped onto physical servers in a data center facility. The virtual machines typically run on top of a hypervisor, which is a control program that allocates physical resources to the virtual machines.
Software as a Service (SaaS) refers to the capability provided to the consumer to use a provider's applications running on a cloud infrastructure. SaaS applications are accessible from various client devices through a thin client interface such as a web browser (e.g., web-based e-mail). In this model, the consumer does not manage or control the underlying cloud infrastructure including network, servers, operating systems, storage, or even individual application capabilities, with the possible exception of limited user-specific application configuration settings.
With ever-increasing numbers of users of SaaS technologies, monitoring SaaS applications is becoming more important. Monitoring security of a SaaS application differs significantly from traditional application monitoring because of its multi-tenancy nature, the fact that the application can be accessed from a variety of devices, the fact that the application can be accessed from anywhere, and further because security intelligence tools use HTTP/HTTPS mechanisms to detect anomalies (from the SaaS application/user activity logs). These differences make consumption and monitoring of logs from SaaS environments very difficult for traditional device-based log management solutions, such as SIEM-based systems. Primarily, this is because the event processing model of these log management solutions is tuned towards device monitoring.
Because application states do not fall into the normal event-based models, there are significant performance bottlenecks in monitoring SaaS logs by known log management solutions. These known approaches are also deficient in that they are rule-based and thus lack the capability to monitor dependencies across SaaS applications. Further, SIEM solutions typically rely upon HTTP to fetch logs, but HTTP is stateless and thus less useful for anomaly detection where states change dynamically and need to be monitored separately. Prior techniques are also problematic because they require querying of the state of application resources and business objects using a large number of API calls, which are computationally intensive and costly.
There remains a need to address the problems and deficiencies of current approaches to SaaS security monitoring.