I've read that "hybridized" apps are enabling employees to take mission-critical enterprise apps off-premises. What are the primary security risks of hybrid cloud apps, and what controls should be put in place to mitigate these issues?
Hybridized applications allow designers and developers to move parts of the application stack to the cloud while keeping other components on-premises. Private and sensitive data is typically stored on-premises while the user interface layer runs in the cloud. Business logic may run either on-premises or in the cloud, depending on security considerations.
There are a number of considerations organizations must take into account when it comes to hybrid app security. First, you will have to decide how you will authenticate requests for data and ensure that the data is delivered securely.
Organizations can no longer depend on enterprise network access controls once an application component is moved off-premises. For example, in the past, a database server and application server might have been configured on the same subnet. Because of the firewall configuration on that subnet, you could assume that all requests were coming from the legitimate application server. If the application server moves to the cloud, you will need to verify that queries come from a trusted server: SSL/TLS certificates can authenticate the connecting server (though SSL has come under fire recently), and IP address restrictions can prevent the database server from responding to requests that do not originate from a trusted server.
To mitigate hybrid cloud app security risks, data transmitted between the cloud and on-premises servers should be encrypted, since the data stored within the on-premises database server is considered sensitive. More generally, every channel of communication between components should be encrypted. This may require some code changes if the application was originally designed on the assumption that data is transmitted as cleartext.
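The two controls described above, certificate-based authentication of the cloud application server and an IP allowlist on the on-premises side, together with a TLS configuration that refuses the older protocol versions, can be combined in one listener-side check. The following Python is an added example, not code from the original answer or from any product; the network ranges, the expected certificate subject and the file names are assumptions.

```python
"""Listener-side authorization for an on-premises database gateway that
accepts connections from a cloud-hosted application server.

Added example: the trusted networks, certificate subject and file names are
assumptions for illustration, not values from the original answer."""
import ipaddress
import ssl

# Assumed values. 203.0.113.0/24 is a documentation range standing in for the
# cloud application tier; 10.20.0.0/16 stands in for the on-premises app subnet.
TRUSTED_NETWORKS = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("10.20.0.0/16"),
]
# Subject common name expected on the application server's client certificate.
EXPECTED_CLIENT_CN = "app.cloud.example.com"

# Severity of each failure, useful when the result is forwarded to a SIEM.
DENY_REASONS = {
    "untrusted_network": "source address outside the trusted networks",
    "no_certificate": "peer presented no client certificate",
    "wrong_subject": "client certificate subject is not the trusted app server",
}


def harden_context(ctx):
    """Apply the settings that matter on the on-premises listener.

    CERT_REQUIRED makes the handshake fail unless the peer presents a
    certificate chaining to a CA this side trusts, so an encrypted but
    anonymous connection is not accepted.  The TLS 1.2 floor rules out the
    legacy SSL/TLS versions that the answer alludes to as having come under
    fire.  Returns the same context for chaining.
    """
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def build_server_context(cert_file, key_file, client_ca_file):
    """Full context for production use: hardened settings plus the listener's
    own certificate and the CA that issued the application server's
    certificate.  The file names are assumptions."""
    ctx = harden_context(ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER))
    ctx.load_cert_chain(cert_file, key_file)
    ctx.load_verify_locations(cafile=client_ca_file)
    return ctx


def subject_common_name(peer_cert):
    """Extract commonName from the dict returned by SSLSocket.getpeercert():
    'subject' is a tuple of RDNs, each a tuple of (name, value) pairs."""
    for rdn in peer_cert.get("subject", ()):
        for name, value in rdn:
            if name == "commonName":
                return value
    return None


def authorize_peer(peer_ip, peer_cert):
    """Post-handshake check run before any query is accepted.

    Both controls must pass: the source address must fall inside a trusted
    network, and the presented certificate must name the expected server.
    Returns (allowed, reason_key).
    """
    addr = ipaddress.ip_address(peer_ip)
    if not any(addr in net for net in TRUSTED_NETWORKS):
        return False, "untrusted_network"
    if not peer_cert:
        return False, "no_certificate"
    if subject_common_name(peer_cert) != EXPECTED_CLIENT_CN:
        return False, "wrong_subject"
    return True, "ok"


if __name__ == "__main__":
    # Constructed peer certificate dict in getpeercert() shape.
    cert = {"subject": ((("commonName", EXPECTED_CLIENT_CN),),),
            "notAfter": "Jan  1 00:00:00 2030 GMT"}
    for ip, c in [("203.0.113.7", cert), ("198.51.100.9", cert),
                  ("203.0.113.7", {})]:
        ok, why = authorize_peer(ip, c)
        print(ip, "allowed" if ok else f"denied: {DENY_REASONS[why]}")
```

In a real listener `build_server_context` would wrap the accepted socket and `authorize_peer` would be called with `sock.getpeername()[0]` and `sock.getpeercert()` before the first query is read; the two checks are independent, so a leaked certificate on an untrusted network, or a trusted address without a certificate, is still refused.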
Also consider the implications of having multiple logging systems: Components in the cloud might use vendor-specific services, such as CloudTrail, while the on-premises servers use syslog messaging. If you are using a security information and event management (SIEM) system, you will want it to receive logs from all application components, in a form that lets events from both sides be correlated.
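To feed a SIEM from both halves of a hybrid application, the cloud tier's CloudTrail JSON and the on-premises syslog lines need to be reduced to one event shape before they can be correlated on a single timeline. The following Python is an added example, not part of the original answer; the CloudTrail record and the syslog line are constructed samples, and the year assumed for the syslog timestamp is a labelled assumption.

```python
"""Normalising CloudTrail (cloud tier) and syslog (on-premises tier) records
into one event shape for a SIEM.

Added example; the sample records are constructed, not captured from a real
environment."""
import json
import re
from datetime import datetime, timezone

# Constructed CloudTrail record, trimmed to the fields the normaliser uses.
CLOUDTRAIL_SAMPLE = json.dumps({"Records": [{
    "eventVersion": "1.08",
    "eventTime": "2024-05-01T12:34:56Z",
    "eventSource": "ec2.amazonaws.com",
    "eventName": "AuthorizeSecurityGroupIngress",
    "sourceIPAddress": "203.0.113.7",
    "userIdentity": {"type": "IAMUser", "userName": "app-deployer"},
}]})

# Constructed RFC 3164 syslog line from the on-premises database host.
SYSLOG_SAMPLE = ("<38>May  1 12:35:02 dbhost01 sshd[2131]: Failed password for "
                 "invalid user admin from 198.51.100.9 port 51022 ssh2")

# RFC 5424 severity numbers shared by syslog and the normalised output.
SEVERITY_NAMES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<tag>[^:\[]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$")
FROM_IP_RE = re.compile(r"\bfrom (\d{1,3}(?:\.\d{1,3}){3})\b")


def normalise_cloudtrail(raw_json):
    """Return one normalised event per CloudTrail record."""
    events = []
    for rec in json.loads(raw_json)["Records"]:
        events.append({
            "timestamp": rec["eventTime"],            # already UTC ISO-8601
            "source": "cloudtrail",
            "host": rec["eventSource"],               # the AWS service, not a box
            "actor": rec.get("userIdentity", {}).get("userName"),
            "action": rec["eventName"],
            "src_ip": rec.get("sourceIPAddress"),
            # CloudTrail has no syslog-style severity; failed API calls carry errorCode.
            "severity": "err" if rec.get("errorCode") else "info",
            "message": f'{rec["eventName"]} via {rec["eventSource"]}',
        })
    return events


def normalise_syslog(line, year=2024):
    """Return one normalised event for an RFC 3164 line.

    RFC 3164 timestamps carry neither year nor zone; ``year`` is an assumed
    value and UTC is assumed, which a real collector would take from the
    forwarding host's configuration instead.
    """
    m = SYSLOG_RE.match(line)
    if not m:
        raise ValueError(f"unparseable syslog line: {line!r}")
    facility, severity = divmod(int(m["pri"]), 8)   # PRI = facility * 8 + severity
    stamp = " ".join(m["ts"].split())                # collapse "May  1" padding
    ts = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S").replace(tzinfo=timezone.utc)
    ip_match = FROM_IP_RE.search(m["msg"])
    return {
        "timestamp": ts.strftime("%Y-%m-%dT%H:%M:%SZ"),
        "source": "syslog",
        "host": m["host"],
        "actor": None,                                # not encoded in RFC 3164 header
        "action": m["tag"],
        "src_ip": ip_match.group(1) if ip_match else None,
        "severity": SEVERITY_NAMES[severity],
        "message": m["msg"],
    }


def merged_timeline(*event_lists):
    """Interleave events from every source by UTC timestamp, which is what
    lets a SIEM rule see a cloud-side change followed by an on-premises login
    attempt as one sequence."""
    return sorted((e for lst in event_lists for e in lst), key=lambda e: e["timestamp"])


if __name__ == "__main__":
    timeline = merged_timeline(normalise_cloudtrail(CLOUDTRAIL_SAMPLE),
                               [normalise_syslog(SYSLOG_SAMPLE)])
    for e in timeline:
        print(f'{e["timestamp"]} {e["source"]:10} {e["host"]:20} {e["severity"]:7} {e["message"]}')
```

The key design choice is that every event has the same keys whichever side produced it, with `None` where a source genuinely has no value (syslog has no actor in its header), so SIEM rules can key on `src_ip` or `timestamp` without knowing which tier the event came from.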
Ask the Expert: SearchCloudSecurity expert Dan Sullivan answers your application security questions.