Deploying Securely into the Cloud!
Thinking of Cloud - prepare for rain
If you are like nearly every other company in the world, you are either
deploying into a cloud environment or seriously thinking about it. The economic
benefits of using cloud based technologies along with easy access and minimal
infrastructure management overhead makes this approach one of the hottest topics
out there. After knowing all these benefits, the only question that mostly
remains unanswered is, can you deploy an application to the cloud securely. And,
the answer to this is YES!
As one of our team member puts it:
“Deploying a business application into the
cloud is similar to parking your car in a dark alley known for thefts.”
Just like any other technology solution, cloud computing has its share of
security challenges. These must be carefully considered prior to preparing your
application for the cloud. Following guidelines will help you in doing just
One of the biggest challenges associated with Cloud solutions is that your data
storage service in the cloud can potentially be accessed by other parties. These
parties may not have the credentials to access the data, but sharing of same
platform allows potential exposure if not secured correctly. Traditionally this
presents a much lower risk in non-shared corporate environments, as the systems
are exclusively owned and accessed by only one organisation.
Cloud services also present a number of challenges relating to the
virtualization and shared environment of the operating systems. During any cloud
project, the word “shared” comes up all too often, and although identity/access
controls are typically deployed, the shared risk still remains and needs to be
considered as a part of the solution.
Therefore; as a first step of any cloud project, the type of application and
sensitivity of data being transmitted or stored in the cloud should be reviewed.
Such understanding will help to identify the level of risk associated with the
project. For high risk (i.e. personal/sensitive data systems) security would
need to be extensively considered; however for lower risk systems such as
marketing web sites that contain non-sensitive or non-critical information, the
need for security controls is much lower.
With common shared services, the need to introduce security from within is more
important than ever before. Here are our top five tips for deploying into the
- Protect your data, as if it was available to "unauthenticated" users
Identify and rate the sensitivity of the data you transmit and store in the
cloud. If this data is sensitive then you need to protect it in transit as well
as at rest. Protection such as storage encryption, limiting what data is stored,
hash records and so on, can be implemented to protect the data. Financial and
other forms of high-risk information shouldn’t be stored in a cloud solution.
You should consider using a secure storage repository on a local corporate
network connected to the cloud solution as one way to mitigate storing high risk
data in the cloud.
- Treat every user as "untrusted"
In corporate networks, there is an element of certainty that a user is coming
from a trusted environment, therefore systems tend to “trust” them and allow
greater or easier access. In cloud solutions, systems and users can be accessing
the solution from nearly anywhere and on any device, so the ability to have a
“trusted” connection is next to impossible. The application platform should
treat all users with the lowest possible form of trust (i.e. no trust), and use
identity checks and other authentication processes to validate the identity of
the user and the security of the device connecting to the solution.
- Don't trust "security of the cloud" marketing
Most of the cloud providers heavily promote the need for security, and
technologies they’ve implemented to secure their cloud hosting platform.
Unfortunately these approaches don’t provide an adequate level of protection and
therefore instil a false sense of security that their services are already as
secure as they can be. We highly recommend you to understand the security
features offered by the cloud providers and configuring these for the maximum
security as needed by the business. However, ensure that additional security
controls (where required) are implemented such as authentication, access
control, data validation and data encryption.
- Audit/Log Everything
Corporate environments have firewalls to stop unwanted traffic. Cloud providers
don’t have the similar protection. When deploying a cloud based solution, there
is a critical need to capture and act upon potential security breaches within
the application. Not only is a successful auditing program needed for the
solution, but a method of ensuring audit logs are reviewed and acted upon should
- Don't rely on hardware/firewalls!
It’s common knowledge that hardware appliances and firewalls provide great
protection for corporate networks, and network level threats. However over 80%
of attacks across the Internet are at the application stack. This means you need
to protect Port 80 and SSL!, and a network based firewall provides limited help.
WAF devices and other application aware appliances can help with the problem,
but there’s never been a silver bullet, and we certainly can’t see one currently
coming to the market any time soon. This means you need to build security within
Although the above five recommendations are just good common security practice,
in our experience these are the most critical areas when trying to secure a
cloud deployment. Our research team has helped many organisations to move the
simple to sensitive applications into the cloud. Consideration should always be
given to ensure that relevant security controls are implemented in line with the
risk associated with the application deployment. Always remember you are
deploying into a “shared environment” so you can’t trust anyone.
"Build Security in, instead of trying to bolt it on."