For many organisations, an increasing proportion of the applications that they rely on for their day-to-day business operations are hosted in the cloud. This stands to reason: the cloud offers a range of benefits from cost to flexibility and scalability, which makes it an attractive option at a time when the need to ‘do more with less’ is high on the corporate agenda.
However, moving legacy applications to the cloud comes with its own set of security challenges. The way that an application is used and hosted in the cloud could be significantly different from how the original application was deployed on-premise. With shared tenancy and multiple users using the same stack, organisations need to assess and remediate new vulnerabilities. Planning the journey, and understanding and mitigating these security risks, is key.
Cloud computing has fast become the de facto model of computing for many key applications and services. In fact, it is estimated that, by 2018, 50% of the applications running in public cloud environments will be considered mission-critical by the organisations that use them. The cloud evolution and all the benefits that come with hosted applications and services – reduced operating costs and an ‘on-demand’ consumption model – now mean that the cloud-first, or cloud-only, approach to applications will soon be the default option.
As with any significant change, there are security risks. Yet where the focus for cloud security has typically been on the controls and checks in place protecting the infrastructure on the cloud provider side, organisations must also consider security from the perspective of the design and architecture of the application that’s running in their cloud. Migrating apps to the cloud introduces new issues arising from inter-connections and interactions between components, authentication, logging and key management. A critical part of the path to migration is identifying any missing or weak security controls or flaws in the application itself that could increase the risk of a breach.
Organisations need to start by assessing their strategy, including:
Defining the boundaries
One of the issues to resolve is defining the lines of responsibility. For on-premise applications, the organisation is wholly responsible for security. In the cloud model, responsibilities shift to the cloud provider, so it’s important to know exactly what these are and where the ‘hand-off’ is. Many network and application level security assessments become strictly cloud provider activities – or they can only be conducted if the provider permits the action. Some assurance activities that were typically conducted by security consulting firms are now responsibilities of cloud providers.
For example, with a SaaS (Software as a Service) model, in which the cloud provider runs the infrastructure and application for the customer, the provider also owns the majority of security responsibility and control. In the IaaS (Infrastructure as a Service) model, the customer runs and manages virtual machines in a software-defined environment. This means that the customer has the greatest security control and responsibility.
A full security assessment can help to identify the specific areas of risk. This will not only ensure that the application works optimally in the cloud, but also that there are no new risks as a result of the migration.
This should include a configuration review: assessing the cloud platform layer controls, testing applications for vulnerabilities and remediating what is found. Deeper testing that combines static testing (SAST), dynamic testing (DAST) and code review will identify the risks. Reviews of the design and architecture of the application, along with threat modelling, will identify where the risks are and where action needs to be taken. This may highlight issues in how authentication and authorisation are designed for the application, or in the encryption mechanism and key management design. It will determine whether you are protected against targeted threats such as malicious insiders or external cyber criminals.
Ultimately, the responsibility for the security of the application rests with the organisation. As more of us make the journey to the cloud, ensuring that application security has been addressed and that any flaws in design or architecture have been remediated must become a core part of the migration strategy.