Organizations eager to move their in-house developed applications to the cloud to save money and increase efficiency need to carefully consider how application security changes in a cloud environment, experts say.
One of the top cloud application security issues is lack of control over the computing infrastructure. An enterprise moving a legacy application to a cloud computing environment gives up control over the networking infrastructure, including servers, access to logs, incident response and patch management, said Russ McRee, security researcher and manager of incident response at Microsoft Online Services.
“You’re giving that over to someone else who’s providing it for you. While that can have extraordinary cost savings and removes the administrative burden, it also moves the level of control way up the stack,” he said.
“In your infrastructure, you understand what’s happening,” said Michael Sutton, vice president of security research at Sunnyvale, Calif.-based Web and email security company Zscaler Inc. and a member of the Cloud Security Alliance, a nonprofit that promotes best practices for cloud security. “In this case, you don’t know. It’s just a cloud managed by someone else and they may not be willing to share with you how things are set up.”
Most applications are built to be run in the context of an enterprise data center, so the way they store and the way they transmit data to other systems is assumed to be trusted or secure, said Dennis Hurst, a founding member of CSA and security specialist at Hewlett-Packard Co.
“When you go to the cloud, you have to consider that application is going to be going to a somewhat hostile environment,” he said. “All the components that have traditionally been very trusted and assumed to be running in a safe environment now are running in an untrusted environment. More things have to be considered: the Web interface, data storage, data transfer.”
Different threat model
According to the CSA’s Domain 10: Guidance for Application Security V2.1, released last summer, the flexibility, openness and public availability of cloud computing infrastructures challenge many fundamental assumptions about application security. The lack of physical control over the networking infrastructure might mandate the use of encryption in the communication between servers of an application that processes sensitive data to ensure its confidentiality, the CSA advised.
Risks that a company may have accepted when the application was in-house must be reconsidered when moving to a cloud provider, said Chris Wysopal, co-founder and chief technology officer at Burlington, Mass.-based application security company Veracode Inc., which is a CSA member.
For example, if an application is logging sensitive data to a file on the server and not encrypting it, a company might accept that risk because it owns the hardware, he said. “Now we move to the cloud and there is no local file system ... it’s logging to some shared storage array and now you need to encrypt it.”
“The threat model changes so a lot of vulnerabilities that were low are now high, and you need to fix them,” Wysopal added.
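The logging case Wysopal describes, as an added example (not from the article or from any vendor quoted in it): each record is sealed with AES-256-GCM before it reaches shared storage, so the storage side holds only ciphertext and a record altered there fails to decrypt. The function names, the in-memory buffer standing in for the storage array and the fixed demo key are assumptions.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"io"
)

// newAEAD builds AES-256-GCM from a 32-byte key (key storage is out of scope here).
func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealRecord encrypts one record under a fresh nonce and writes it as one base64 line.
func SealRecord(aead cipher.AEAD, out io.Writer, record string) error {
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return err
	}
	sealed := aead.Seal(nonce, nonce, []byte(record), nil) // nonce || ciphertext || tag
	_, err := fmt.Fprintln(out, base64.StdEncoding.EncodeToString(sealed))
	return err
}

// OpenRecord decrypts one stored line; a line altered in storage fails authentication.
func OpenRecord(aead cipher.AEAD, line string) (string, error) {
	raw, err := base64.StdEncoding.DecodeString(line)
	if err != nil || len(raw) < aead.NonceSize() {
		return "", errors.New("malformed record")
	}
	plain, err := aead.Open(nil, raw[:aead.NonceSize()], raw[aead.NonceSize():], nil)
	return string(plain), err
}

func main() {
	aead, _ := newAEAD(bytes.Repeat([]byte{0x42}, 32)) // constructed demo key only
	var store bytes.Buffer                              // stands in for shared storage
	SealRecord(aead, &store, "user=alice card=4111111111111111 action=refund") // constructed sample
	fmt.Print(store.String())
}
```

With random 96-bit nonces, rotate the key well before 2^32 records have been written under it.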
A company hosting an application in its own data center might ward off a denial-of-service attack with certain infrastructure or could take the draconian action of blocking the attacking IP addresses, McRee noted. “What if the ability to mitigate that attack is handled by your cloud provider and you have zero visibility? You need to re-account for how the risk or attack can be mitigated.”
The changed threat model needs to be addressed in the Security Development Lifecycle, a concept developed by Microsoft that is globally applicable, McRee said. “That’s really key,” he said. “You’re still going to want to apply all the same principles, understand the inherent nature of the application, how data flows, and threat model every aspect of it. Work it over and over again until you’re certain all the standard SDL requirements can be met.”
Tools and services
In a cloud environment, an enterprise can’t necessarily use the same tools and services it deployed internally for security, such as a Web application firewall, Zscaler’s Sutton said. For example, a company that’s deployed a Web application firewall as another level of security for a legacy app when exposing it to the Web no longer has that option.
“In the cloud, you don’t own and manage that infrastructure, so you can’t just walk into the data center and drop a box in,” he said.
The CSA’s cloud application security guidance noted that Infrastructure as a Service vendors were starting to offer cloud application security tools and services, including WAFs, Web application security scanning and source code analysis. The tools are either specific to the provider or third-party, the report noted.
McRee recommends that companies moving applications to a cloud environment make use of any APIs that might provide strong logging. “As an application owner, make good use of the APIs. … You can leverage that kind of information for security-related activity,” he said.
With the loss of control in moving an application to a cloud provider, organizations need to fully understand what’s provided in the service-level agreement, McRee said. “Make sure you voice what you want even if they tell you they can’t provide it,” he said, noting that providers will extend themselves, depending on the customer.
The CSA’s guidance noted that application security must be “represented as a clearly articulated set of actions and guarantees within the SLA. This can include providing documentation of security measures taken by the vendor, as well as allowing for reasonable security testing related to ongoing activities such as logging, audit reports and periodic validation of security controls.”
Moving a legacy application to a cloud environment can be an opportunity to improve security, HP’s Hurst said.
“A lot of applications were deployed when application security wasn’t as much of a focus as it is today,” he said. “There’s a tremendous opportunity to reconsider the application to do proper threat modeling, proper assessments. … All the things we really should have done originally.”