Many in IT (especially the vendors) believe that once applications are out of the building and into the "cloud," there's less to worry about. Well, maybe, maybe not. One thing's for sure -- it's not that simple. To the dismay of many, cloud computing doesn't make your application security responsibilities magically disappear.
I hear about management concerns over mobile devices and telecommuting. Some claim "they're just too risky." Yet many of these people are willing to give up control of their business applications and sensitive data to the cloud without question. It's a naïve approach. Regardless of where the computing takes place, you're going to have security issues in the same old areas: technology, people, business processes.
Here are some cloud computing security misconceptions and considerations that you don't want to overlook.
- Practically every aspect of cloud-based applications is affected -- not just generic HTTP traffic going over ports 80 and 443. From user authentication to transaction processing to back-end data access and even Web services exposures. There's a lot to consider -- and secure. Interestingly, this is not much different than the application security concerns in our "old-school" data center configurations. Just don't overlook the details involved.
- What about co-mingling? Is your sensitive data going to be mixed in with other people's systems? Shared Web servers have always made me nervous in the past. If one site is compromised it can put all of the other sites hosted on that server in jeopardy as well. With cloud computing, practically every component of the OSI layers 1 through 7 is shared -- not just the application layer -- so the attack surface can be exponentially increased.
- Penetration testing and source code analysis is still going to be required. Albeit, I could foresee some of the service providers offering "security assessments as a service" -- at least at the OS and network levels -- looking at everyone's systems across the board. Once you get to layer 7 though, every application is unique and so are the security issues. No generic scans here.
- Forensics investigations and any e-discovery requests can be complicated by the complexities of the cloud. This is especially true when servers are brought up and decommissioned on the fly -- possibly without you even knowing about it. Security audit logging and monitoring systems will need to be enhanced, and incident response processes will undoubtedly have to be updated.
- There's a common argument that things such as data leakage and system monitoring are simplified when everything's in one place in the cloud. I just don't see how that's really any different from the average application environment today. Most applications have a front end, back end, and some stuff in between. Unless you've got a really unique configuration that makes calls to applications and databases around the Internet, you still have everything in pretty much the same data center location. Thus the same security issues apply.
- Security in the cloud is often intangible. Unlike security controls within the perimeter, you often don't see it working or even know if it's enabled. This can create both a false sense of security and anxiety about whether or not things are actually locked down.
- I've seen certain cloud vendors tout their prehardened secure virtualization builds. This is no different than what hosting providers have been offering for years so don't count on this being a "value add."
- Regardless of how much things are supposedly "locked down" in the cloud, there are still client-side considerations and there always will be as long as we're using clients in the current sense. You can't overlook endpoints and all the security complexities that go along with them.
- Usability is still a concern. Are your service provider's controls going to get in the way of your users transacting business? Do they set things up in a "deny all" fashion by default? Or, is everything enabled from the get-go? What's it going to be like dealing with them on these issues? Security vs. convenience is a battle we'll fight until the end of our days, but sometimes it's so obvious it gets overlooked, much to the dismay of the people that matter most.
Given the downsides, I'm not saying don't buy into cloud computing. Just don't take the vendor hype too seriously. SSL and VPNs are not going to be the answer to security in the cloud. Nor is encrypting sensitive databases. Private clouds certainly reduce the exposure that public clouds present, but not all application traffic and transactions are Internet-bound. So you'll still have to consider internal threats. That takes us back to the fact that we have to approach this with some good old-fashioned common sense and layer security in everywhere it's feasible -- not just in the cloud.
You've also got to ask yourself how much you trust what your service providers are telling you. I see situations in my work all the time where a business partner is supposed to be doing X, Y and Z with security (either contractually or by law), yet they've conveniently overlooked the things that matter. In other words, talk is cheap. The lawyers and legislators can draw up their requirements all day long but that doesn't mean what needs to be done is actually getting done.
No matter what the cloud vendors promise, there's no such thing as off-the-shelf application security. Cloud computing -- regardless of how and where it's implemented -- is not natively secure. So whether you're writing, porting or fully outsourcing your applications to the cloud, never, ever assume that all's well in securityland. Just because things are more out of sight doesn't mean they can be out of mind. Application security is just not that simple.
About the author: Kevin Beaver, CISSP, is an independent information security consultant, keynote speaker and expert witness with Atlanta-based Principle Logic LLC, where he specializes in performing independent security assessments and information security career counseling for up-and-coming IT pros. Kevin has authored or co-authored seven books on information security, including Hacking For Dummies and Hacking Wireless Networks For Dummies (Wiley). He's also the creator of the Security On Wheels information security audio books and blog, providing security learning for IT professionals on the go. Kevin can be reached at kbeaver [at] principlelogic.com.
This was first published in February 2009