Application Security on Cloud-The cloud model has motivated industry and academia to adopt cloud computing to host a wide spectrum of applications ranging from high computationally intensive applications down to light weight services.
Developers and IT departments are being told they need to move applications to the cloud and are often left on their own to navigate the challenges related to developing and managing the security of applications in those environments.
What’s more important and elemental is to examine if the web application being used is more vulnerable because of the way it was built, and then deployed in the cloud – versus focusing on cloud security risks from an environmental or infrastructure perspective.
Lack of visibility with respect to resources in cloud computing can create a number of security and compliance issues. Security questions can span from whether information transferred between systems in the cloud is safe, to what type of data is best stored in the cloud, to how do I control who accesses my data?
In addition to the usual challenges of developing secure IT systems, cloud computing presents an added level of risk because essential services are often outsourced to a third party. Cloud computing shifts control over data and operations from premise to their cloud providers. The security problem becomes more complicated under the cloud model as new dimensions have entered into the problem scope related to the model architecture, multi-tenancy, elasticity, and layers dependency stack. Cloud computing is available in SPI model stack which is SaaS, PaaS, IaaS and each presents different levels of responsibility for security management.
Cloud Computing security is fundamentally about three goals/objectives:
CIA – Confidentiality Integrity and Availability
Confidentiality (C): Confidentiality refers to keeping data private.
Integrity (I): Integrity is a degree confidence that the data in the cloud is what is supposed to be there, and is protected against accidental or intentional alteration without authorization.
Availability (A): It refers to availability of Information.
How different is this from application security in the traditional enterprise/non-cloud environment? Of course, with the cloud you have the additional aspect of shared or outsourced environment.
Traditional security or transport layer security is performed at the physical, link, Network and transport layer, commonly known as layers 1-4. There are a number of technologies used to secure these layers such as FWs, intrusion detection/prevention, encryption, anti-virus etc.. This security is ok, when an application is inward facing, typically used on an organizations intranet that can only be access by internal employees and possibly business partners, depending on how that security is set up, such as a federation.
When an application is outward facing or being put in a cloud solution, message layer security performed at the session, presentation and application layers (layers 5-7) in addition to traditional security should be required. End to end solution meaning that access control and payload are secured from the requester to requestee.
While it is true that traditional application security issues still apply in the cloud, and that you still need to take advantage of established processes associated with requirements, design, and implementation and testing, organizations can’t simply repackage what they know about application security. Applications in the cloud require special care. IT teams can’t be content to use mitigation techniques only at the network or operating system level anymore.
It’s imperative to understand the inherent (and non-storied) threats facing applications in virtualized environments. Common vulnerabilities associated with multi-tenancy and cloud provider services, like identity and access management, must be examined from both a security and compliance perspective.
Organizations lose control over physical network or computing systems, even local storage for debugging and logging is remote. Additionally, auditors may be concerned about the fact that the cloud provider has access to sensitive data at rest and in transit.
Inherent threats are not only present in the virtualized deployment environment, but also in the way applications for the cloud are developed in the first place. Consider the choices many architects and designers are forced to make when it comes to developing and deploying applications in the cloud. Because they are now in a position where they are relying on external controls put in place by the provider, they may feel comfortable taking short cuts when it comes to building in application security features.
“Cloud security is not bad, it is just different”. It seems that what we hear a lot is the word “uncertainty“which can be translated into actual meaning “I don’t know how?”.
As opposed to traditional internal application infrastructures, in the cloud the trust boundary shrinks down to encompassing only the application itself, with all the users and related storage, database and identity management systems becoming “external” to that application. In this situation, “trust no one” takes on great significance to the IT organization. With all these external sources wanting access to the application, how do you know what request is legitimate? How can we make up the lack of trust? It boils down to establishing an additional layer of security controls. Organizations must encrypt all sensitive data stored or transmitted and treat all environmental inputs as untrusted in order to protect assets from attackers and the cloud provider itself.
Best practices aimed at building protection must be incorporated into the development process to minimize risks. How can you help applications become more secure? It starts with a seatbelt – in the form of application level security controls that can be built into application code or implemented by the cloud services provider itself.
Examples of these controls can include encryption at rest, encryption in transit, point-to-point and message contents, auditing and logging, or authentication and authorization.
In an IaaS environment, it may not be an option to have the provider manages these controls.
Using PaaS APIs to establish these controls, for example, is that in most cases the service provider has tested and debugged the API to speed time to market for the application.
In SaaS environments offer no choice to the developer, as the SaaS provider will be totally in control of how data is secured and identity managed.
Each environment, IaaS, PaaS or SaaS, requires its own checklist to ensure the applications are ready for prime time.
Security testing must be done at the application level, not the environmental level. Threat modeling and design phases need to take additional cloud environmental risks into account. And, implementation needs to use cloud security aware coding patterns in order to effectively eliminate vulnerability classes such as Cross-Site Scripting (XSS) and SQL Injections. Standards such as OWASP Top 10 and CWE/SANS Top 25 are still applicable for testing IaaS and PaaS applications, and many SaaS extensions.
The following security measures represent cloud security areas to be concerned about.
Security Areas in Cloud Computing
Build and maintain a secure cloud infrastructure.
Ø Implement N/W security
Ø Implement virtualization security
Ø Ensure physical security
Ensure confidential data protection.
Implement strong access and identity management.
We need to understand over here:
“The service model may adjust the defined roles & responsibilities in collaborative information security governance and risk management (based on the respective scope of control for user and provider).”
“The deployment model may define accountability and expectations (based on risk assessment).”
Cloud Computing is a “newsworthy” term in the IT industry in recent times and it is here to stay!
Cloud Computing is not a technology, or even a set of technologies — it’s an idea. Cloud Computing is not a standard defined by any standards organization.
Basic understanding for Cloud: “Cloud” represents the Internet; Instead of using application installed on your computer or saving data to your hard drive, you’re working and storing stuff on the Web. Data is kept on servers and used by the service you’re using; tasks are performed in your browser using an interface / console provided by the service.
A credit card and Internet access is all you need to make an investment in technology. Businesses will find it easier than ever to provision technology services without the involvement of IT.
There are many definitions available in the market for Cloud Computing but we have aligned it with NIST publication and with our understanding. NIST defines cloud computing by describing five essential characteristics, three cloud service models, and four cloud deployment models.
NIST’s Architecture of Cloud Computing
“Cloud Computing is a self service which is on demand, Elastic, Measured, Multi-tenant, Pay per use, Cost-effective and efficient”. It is the access of data, software applications, and computer processing power through a ‘cloud’/a group of many on line/demand resources. Tasks are assigned to a combination of connections, software and services accessed over a network. This network of servers and connections is collectively known as “the cloud.”
Cloud service delivery is divided among three fundamental classifications referred as the “SPI Model,”
Cloud Service Models – IaaS, PaaS, SaaS
Software as a Service is a model of software deployment where an application is hosted as a service provided to customers across the Internet. By eliminating the need to install and run the application on the customer’s own computer, SaaS alleviates the customer’s burden of software maintenance, ongoing operation, and support. Salesforce is very popular Customer Relationship Management (CRM) software that is offered only as a service.
PaaS model makes all of the facilities required to support the complete life cycle of building and delivering web applications and services entirely available from the Internet. Google App Engine (GAE) is an example of PaaS. GAE provides a Python environment within which you can build, test and then deploy your applications.
Infrastructure as a Service (IaaS) is the delivery of computer infrastructure as a service. Rather than purchasing servers, software, data center space or network equipment, clients instead buy those resources as a fully outsourced service. Amazon Web Services (AWS) is one of the pioneers of such an offering. AWS’ Elastic Compute Cloud (EC2) is “a web service that provides resizable compute capacity”.
There are four deployment models for cloud services regardless of the service model utilized (SPI).
Public clouds refer to shared cloud services that are made available to a broad base of users. Although many organizations use public clouds for private business benefit, they don’t control how those cloud services are operated, accessed or secured. Popular examples of public clouds include Amazon EC2, Google Apps and Salesforce.com.
Private cloud describes an IT infrastructure in which a shared pool of computing resources—servers, networks, storage, applications and software services—can be rapidly provisioned, dynamically allocated and operated for the benefit of a single organization.
Hybrid Cloud represents composition of two or more cloud deployment models (private, community, or public) that remain unique but are bound together by uniform or proprietary technology that enables data and application portability.
Community Cloud represents infrastructure is shared by several organizations and supports a specific community that has shared concerns. E.g. FDA compliance needs specific controls where audit requirements can’t be met by other deployment models.
Cloud computing brings efficiencies and savings. The diverse benefits of cloud computing are undoubtedly worth pursuing. Cost-cutting is at the top of most companies’ lists of priorities in these challenging economic times. Having turned from revolutionary possibility into increasingly well-established custom, the cost of ‘outsourcing to the cloud’ is now falling dramatically.
In only paying for the resources used, therefore, operating costs can be reduced. After all, in-house data centres typically leave 85%-90% of available capacity idle. Cloud computing can lead to energy savings too, removing from individual companies the costly burden of running a data centre plus generator back-up and uninterruptible power supplies. Thus it results in reduction of CAPEX & OPEX.
Cloud Computing is in its formative years, but expect it to grow up quick. The prospective of Cloud Computing is mind boggling and the technology and business options will increase exponentially.
Still question remains, how Clouds are beneficial to the enterprises?
Focus on core business
Cloud computing increases the profitability by improving resource utilization. Pooling resources into large clouds drives down costs and increases utilization by delivering resources only for as long as those resources are needed.
Cloud computing is particularly valuable to small and medium businesses, where effective and affordable IT tools are critical to helping them become more productive without spending lots of money on in-house resources and technical equipment.
Ease of availability
Real-time collaboration capabilities
Gain access to latest technologies
We can leverage the sheer processing power of the cloud to do things that traditional productivity applications cannot do. “For instance, users can instantly search over 25 GB worth of e-mail online, which is nearly impossible to do on a desktop.
To take another example, each document created through Google Apps is easily turned into a living information source, capable of pulling the latest data from external applications, databases and the Web. This revolutionizes processes as simple as creating a Google spreadsheet to compare stock prices from vendors over time, because the cells can be populated and updated as the prices change in real time.
Cloud computing offers almost unlimited computing power and collaboration at a massive scale for enterprises of all sizes.
“Salesforce.com has 1.2m users on its platform. If that’s not scalable show me something that is. Gmail is SaaS and how many users are on that?”
Multi-tenancy enables sharing of resources and costs among a large pool of users, allowing for:
Centralization of infrastructure in areas with lower costs (such as real estate, electricity, etc.)
Peak-load capacity increases (users need not engineer for highest possible load-levels)
Utilization and efficiency improvements for systems that are often only 10-20% utilized.
Sustainability comes about through improved resource utilization, more efficient systems, and carbon neutrality.
But, are there any issues with Cloud Computing?
The benefits of cloud computing will not be realized if businesses are not convinced that it is secure. Trust is at the centre of success and providers have to prove themselves worthy of that trust if hosted services are going to work.
CIA (Confidentiality, Integrity, Availability)
IT Security Standards – There are multiple standards for security protocol for IT systems that have yet to be implemented into cloud computing.
Regulatory compliance— the vendor will be required to participate in internal and external audits. They will need to find a way to accommodate auditors from all firms using their service. [FDA Compliance is not feasible yet.]
Let’s consider Facts and Figures before jumping into minor details of Cloud Computing. Compare the annual cost of Amazon EC2 with an equivalent deployment in co-located and on-site data centers by entering a few basic inputs (Ref: Amazon EC2 Cost Comparison Calculator).
Cloud isn’t a technology hullabaloo but ultimately a powerful business disruption, a real game changer. The central theme of a Public Cloud is provisioning and management of IT resources by a 3rd party while Private Clouds offer an organization a solitary point of control for security, manageability, privacy, governance, audit and compliance. CIA (Confidentiality, Integrity & Availability) concern is a major road block in the path of Public Cloud Business case and Private Cloud Business case wins over. Need of the ‘Business’, dictate terms.