Cloud computing and application security: Issues and risks


Kevin Beaver, CISSP
02.23.2009

Cloud computing is the bomb. There's no doubt about many of its benefits. From economies of scale to application availability, cloud computing can definitely bring some positives into your application environment.

Many in IT (especially the vendors) believe that once applications are out of the building and into the "cloud," there's less to worry about. Well, maybe, maybe not. One thing's for sure -- it's not that simple. To the dismay of many, cloud computing doesn't make your application security responsibilities magically disappear.

I hear about management concerns over mobile devices and telecommuting. Some claim "they're just too risky." Yet many of these people are willing to give up control of their business applications and sensitive data to the cloud without question. It's a naïve approach. Regardless of where the computing takes place, you're going to have security issues in the same old areas: technology, people, business processes.

Here are some cloud computing security misconceptions and considerations that you don't want to overlook.

  • Practically every aspect of cloud-based applications is affected, from user authentication to transaction processing to back-end data access and even Web services exposures -- not just generic HTTP traffic going over ports 80 and 443. There's a lot to consider -- and secure. Interestingly, this is not much different from the application security concerns in our "old-school" data center configurations. Just don't overlook the details involved.
  • What about co-mingling? Is your sensitive data going to be mixed in with other people's systems? Shared Web servers have always made me nervous in the past. If one site is compromised it can put all of the other sites hosted on that server in jeopardy as well. With cloud computing, practically every component of the OSI layers 1 through 7 is shared -- not just the application layer -- so the attack surface can be exponentially increased.
  • Penetration testing and source code analysis are still going to be required. That said, I could foresee some of the service providers offering "security assessments as a service" -- at least at the OS and network levels -- looking at everyone's systems across the board. Once you get to layer 7, though, every application is unique and so are the security issues. No generic scans here.
  • Forensics investigations and any e-discovery requests can be complicated by the complexities of the cloud. This is especially true when servers are brought up and decommissioned on the fly -- possibly without you even knowing about it. Security audit logging and monitoring systems will need to be enhanced, and incident response processes will undoubtedly have to be ...

All Rights Reserved, Copyright 2009, TechTarget