Suppose an organization has used cloud computing services successfully for the first time, outsourcing certain functions that are not critical to the organization. If the experience has been good, as it often is, it's natural to then consider migrating one or more enterprise applications to a cloud environment.
However, migrating an application to the cloud requires careful planning, especially in regard to the security of both the application and its data. When planning a cloud application migration, it is essential to first identify and profile the application's security requirements. In this tip, we'll explain how to conduct a security profiling exercise to ensure that application security is factored into the cloud migration plan.
Components of the profile
An application security profile is a detailed analysis of an application's security characteristics. This profile provides a comprehensive audit of critical security features and describes security attributes -- such as encryption, access control, error logging and handling -- that are specific to the application.
A profile should include the following information:
- Executive summary: Explains the profile's purpose and scope, and details the application's configuration and its security attributes.
- Security metrics: Identifies the measurements used to categorize the application's security levels.
- Analysis results: Explains the result of the analysis for each security criterion and how it relates to the application's confidentiality, integrity and availability; also identifies potential vulnerabilities and their effect.
- Recommended actions: Provides details on how to remedy identified vulnerabilities, address operational issues prior to migration, and identify risks of not addressing all security issues.
Developing the profile
It is best to begin by analyzing the business and technical requirements of the application. This helps determine if the application is a good candidate -- both operationally and financially -- for migration to a cloud, particularly from a security perspective. Among the initial criteria are the following:
- Access and login requirements of the application
- Need for security certificates
- Firewall requirements
- Encryption requirements
- Who will have access to the application
Next, determine if your application will be running in a public, private or a hybrid cloud. In addition to the general criteria for choosing the cloud -- resources available, pricing models and structures, application management services -- examine how that choice affects the security provisions. For example, if a public cloud service is selected, verify that the service provider can support enterprise security requirements with no modifications and no additional cost, or that it can add software and/or an appliance or make some other arrangement to ensure compatibility. In a private cloud, security is the organization's responsibility, so the security that the application in question requires must be provided. In a hybrid environment, the location where the application resides -- the private or public cloud -- should determine the security arrangements. However, security between public and private networks in a hybrid cloud must be considered to protect the application from possible cross-network security breaches.
Once you've determined the type of cloud, establish which of the following environments the application will use: Software as a Service (SaaS), Platform as a Service (PaaS) or Infrastructure as a Service (IaaS). Choosing an environment can be challenging, as each comes with its own security considerations:
SaaS -- If an organization is looking to completely protect the integrity of the application and its data, be sure to check with the service provider on security policies for the SaaS-provided system to verify that adequate security will be delivered to the application and its data.
PaaS -- If using a multi-application platform, be sure to check how separation among virtual platforms and proper privilege management are supported, both among users and the applications themselves.
IaaS -- Similarly, be sure to carefully examine the cloud service provider's security policies for isolation of physical and virtual environments and compliance with security policies. Also examine how prospective providers audit these policies.
An application security profile requires the gathering and analysis of security-related information. Data captured over the course of 10 to 15 days of application usage will help size the application for deployment in a cloud and identify variances in daily and weekly usage patterns, including security-related activity.
Primary application data can include: CPU usage statistics; memory usage statistics; storage performance data (e.g., throughput, latency and input/output operations per second); and network performance data (e.g., throughput, latency, connections per second and dropped connections).
Application security data can include the number of times the application was accessed, the number of times access was denied and the number of times the firewall blocked suspicious code. It might also include errors in message headers, data signatures or token usage that produced an error message, and, if encryption is used, encryption performance statistics.
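The security data described above is only useful once it is aggregated per day so that daily variance and repeat offenders stand out. The following is an added example, not code from the original article: it parses a small set of constructed application log lines (the format and values are hypothetical) and produces the per-event totals, daily mean and standard deviation, peak day and repeated-denial accounts that a security profile would record.

```python
# Added example (not from the original article): aggregate application security
# data of the kind a security profile collects, from constructed sample log lines.
import re
from collections import Counter, defaultdict
from statistics import mean, pstdev

# Constructed sample log lines (hypothetical format and values, not real data).
# Each line is: <date> <EVENT> key=value ...
SAMPLE_LOG = """\
2013-09-02 ACCESS user=alice path=/reports
2013-09-02 ACCESS user=bob path=/reports
2013-09-02 DENIED user=mallory reason=bad-password
2013-09-02 FW_BLOCK src=203.0.113.5 signature=sqli-probe
2013-09-02 AUTH_ERROR kind=token-expired
2013-09-03 ACCESS user=alice path=/reports
2013-09-03 ACCESS user=carol path=/export
2013-09-03 ACCESS user=bob path=/export
2013-09-03 DENIED user=mallory reason=bad-password
2013-09-03 DENIED user=mallory reason=bad-password
2013-09-03 FW_BLOCK src=203.0.113.5 signature=sqli-probe
2013-09-04 ACCESS user=alice path=/reports
2013-09-04 AUTH_ERROR kind=bad-signature
2013-09-04 AUTH_ERROR kind=token-expired
"""

LINE_RE = re.compile(r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<event>[A-Z_]+)(?P<rest>.*)$")


def parse_line(line):
    """Split one log line into (date, event, {key: value}); None if malformed."""
    m = LINE_RE.match(line)
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group("rest").split() if "=" in kv)
    return m.group("date"), m.group("event"), fields


def security_metrics(log_text):
    """Per-day counts of each security event plus simple variance statistics.

    Returns {"days": [...], "per_day": {date: {event: n}}, "summary": {event: {...}}}.
    """
    per_day = defaultdict(Counter)
    for raw in log_text.splitlines():
        parsed = parse_line(raw.strip())
        if parsed is None:
            continue  # malformed lines are skipped, not counted
        date, event, _ = parsed
        per_day[date][event] += 1
    days = sorted(per_day)
    events = sorted({e for counts in per_day.values() for e in counts})
    summary = {}
    for event in events:
        series = [per_day[d][event] for d in days]  # zero on days without the event
        summary[event] = {
            "total": sum(series),
            "daily_mean": mean(series),
            "daily_stdev": pstdev(series),
            "peak_day": max(days, key=lambda d: per_day[d][event]),
        }
    return {"days": days, "per_day": {d: dict(per_day[d]) for d in days}, "summary": summary}


def repeated_denials(log_text, threshold=2):
    """Accounts whose access was denied at least `threshold` times over the window."""
    denied = Counter()
    for raw in log_text.splitlines():
        parsed = parse_line(raw.strip())
        if parsed and parsed[1] == "DENIED" and "user" in parsed[2]:
            denied[parsed[2]["user"]] += 1
    return {user: n for user, n in denied.items() if n >= threshold}


if __name__ == "__main__":
    report = security_metrics(SAMPLE_LOG)
    for event, stats in report["summary"].items():
        print(f"{event:<10} total={stats['total']} mean/day={stats['daily_mean']:.2f} "
              f"stdev={stats['daily_stdev']:.2f} peak={stats['peak_day']}")
    print("repeated denials:", repeated_denials(SAMPLE_LOG))
```

Over a real 10 to 15 day capture the same per-event series is what lets you distinguish a normal weekly rhythm from a day that deserves investigation; the standard deviation is computed over the whole window so that days with no occurrences count as zeros rather than being dropped.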
The profile's findings identify potential risk areas associated with the cloud migration. They are compiled from an analysis of the application's source code against a list of known flaws and vulnerability classes, industry-specific standards and good security practice.
Using the profile for migration planning and testing
If the migration proceeds, then once the cloud model and environment have been chosen and all necessary data gathered and analyzed, the security profile can be applied to the application and used to validate its security.
Specifically, the security profile is critical for identifying which security resources are needed to not only ensure the application and its data are available to authorized users, but also make sure it is not altered or compromised in any way -- or accessed by unauthorized people.
In addition, organizations can use the security profile data to plan and conduct tests of the cloud service provider's security provisions and to validate access and authentication procedures. They can also monitor data in transit to identify possible breaches as well as monitor traffic through firewalls to ensure they are configured correctly. In addition, organizations can validate that the application is protected from rogue systems and also secure the application from others running in the same environment.
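One concrete form of the firewall check described above is to record, in the profile, which source networks are expected to reach which application ports and then compare observed firewall decisions against those expectations. The following is an added example, not the article's own method: the policy table, the log format and all addresses are constructed, hypothetical values. It flags flows that were allowed but should have been denied (an exposure), flows that were denied but should have been allowed (an availability problem) and flows the profile never anticipated (candidates for review, including possible rogue systems).

```python
# Added example (not from the original article): compare observed firewall
# outcomes with the access expectations recorded in a security profile.
import re
from ipaddress import ip_address, ip_network

# Constructed expectations, as a profile might record them (hypothetical values).
# Entries are (source network, destination port, expected action); first match wins.
EXPECTED_POLICY = [
    ("10.0.0.0/8", 443, "ALLOW"),     # enterprise users reach the application over TLS
    ("10.0.0.0/8", 5432, "DENY"),     # users must never reach the database port directly
    ("192.0.2.0/24", 5432, "ALLOW"),  # only the application tier may reach the database
    ("0.0.0.0/0", 22, "DENY"),        # administrative SSH is not exposed to anyone here
]

# Constructed observed firewall log lines (hypothetical format and values).
OBSERVED_LOG = """\
2013-09-10T08:01:02 ALLOW src=10.1.2.3 dst=192.0.2.10 dport=443
2013-09-10T08:01:05 ALLOW src=10.1.2.3 dst=192.0.2.20 dport=5432
2013-09-10T08:02:10 DENY src=10.1.2.4 dst=192.0.2.10 dport=443
2013-09-10T08:03:00 ALLOW src=192.0.2.10 dst=192.0.2.20 dport=5432
2013-09-10T08:04:00 ALLOW src=198.51.100.7 dst=192.0.2.10 dport=22
2013-09-10T08:05:00 DENY src=203.0.113.9 dst=192.0.2.10 dport=22
2013-09-10T08:06:00 ALLOW src=203.0.113.9 dst=192.0.2.10 dport=8080
"""

FW_LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ALLOW|DENY) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)$"
)


def expected_action(policy, src, dport):
    """The profile's expected action for a flow, or None if the flow is not profiled."""
    addr = ip_address(src)
    for net, port, action in policy:
        if port == dport and addr in ip_network(net):
            return action
    return None


def check_firewall(policy, log_text):
    """Classify each observed flow against the profile's expectations."""
    findings = {"unexpected_allow": [], "unexpected_deny": [], "unprofiled": [], "ok": 0}
    for raw in log_text.splitlines():
        line = raw.strip()
        m = FW_LINE_RE.match(line)
        if not m:
            continue  # lines that do not parse are ignored here
        observed = m.group("action")
        expected = expected_action(policy, m.group("src"), int(m.group("dport")))
        if expected is None:
            findings["unprofiled"].append(line)        # nobody planned for this flow
        elif expected == observed:
            findings["ok"] += 1
        elif observed == "ALLOW":
            findings["unexpected_allow"].append(line)  # exposure: rule gap or misconfiguration
        else:
            findings["unexpected_deny"].append(line)   # legitimate access being blocked
    return findings


if __name__ == "__main__":
    result = check_firewall(EXPECTED_POLICY, OBSERVED_LOG)
    print(f"{result['ok']} flows matched the profile")
    for category in ("unexpected_allow", "unexpected_deny", "unprofiled"):
        for line in result[category]:
            print(f"{category}: {line}")
```

Running the same comparison before and after the migration, against the provider's firewall logs, gives a direct test of whether the provider's security provisions implement the profile rather than merely promising to; the unprofiled category is also where systems sharing the environment would first show up.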
As a part of the overall application profile, organizations will also be able to use the security profile to project the number and types of servers and infrastructure elements needed to migrate the applications, predict user activity (such as the total number of connected users or request and transaction rates), estimate the costs of required cloud resources and create benchmarks to assess post-migration performance.
About the author:
Paul Kirvan is an independent consultant, IT auditor, and technical writer/editor/educator with more than 22 years' experience in business continuity, disaster recovery, security, enterprise risk management and telecomm/IT auditing. He has more than 30 years of experience in technical writing and editing, technical training and public speaking. Kirvan has been directly involved with dozens of business continuity, security, IT audit, risk and telecom consulting engagements, ranging from operational audits and strategy definition projects to plan design and implementation, program exercising, execution and maintenance, and RFP preparation and response. Kirvan was recently a member of the board of the Business Continuity Institute and is currently a member of the board and secretary of the BCI's USA Chapter. He is also a Certified Information Systems Auditor (CISA), Fellow of the BCI (FBCI) and Certified Business Continuity Professional (CBCP).
This was first published in October 2013