
Deploying Securely into the Cloud!
January 2012
Thinking of Cloud - prepare for rain

If you are like nearly every other company in the world, you are either deploying into a cloud environment or seriously thinking about it. The economic benefits of cloud based technologies, together with easy access and minimal infrastructure management overhead, make this approach one of the hottest topics out there. Once these benefits are understood, the one question that mostly remains unanswered is: can you deploy an application to the cloud securely? The answer is YES!

As one of our team members puts it:

“Deploying a business application into the cloud is similar to parking your car in a dark alley known for thefts.”

Just like any other technology solution, cloud computing has its share of security challenges. These must be carefully considered before preparing your application for the cloud. The following guidelines will help you do just that.

One of the biggest challenges associated with cloud solutions is that your data storage service in the cloud can potentially be accessed by other parties. These parties may not hold credentials for your data, but sharing the same platform creates potential exposure if it is not secured correctly. Traditionally this presents a much lower risk in non-shared corporate environments, where the systems are exclusively owned and accessed by a single organisation.

Cloud services also present a number of challenges relating to the virtualization and shared environment of the operating systems. During any cloud project, the word “shared” comes up all too often, and although identity/access controls are typically deployed, the shared risk still remains and needs to be considered as a part of the solution.

Therefore, as a first step of any cloud project, the type of application and the sensitivity of the data being transmitted or stored in the cloud should be reviewed. This understanding will help to identify the level of risk associated with the project. For high risk systems (i.e. those handling personal or sensitive data) security needs to be extensively considered; for lower risk systems such as marketing web sites that contain non-sensitive or non-critical information, the need for security controls is much lower.

With common shared services, the need to introduce security from within is more important than ever before. Here are our top five tips for deploying into the cloud securely.

  1. Protect your data, as if it were available to "unauthenticated" users
    Identify and rate the sensitivity of the data you transmit and store in the cloud. If this data is sensitive then you need to protect it in transit as well as at rest. Protections such as storage encryption, limiting what data is stored, hashing records and so on can be implemented to protect the data. Financial and other forms of high-risk information shouldn’t be stored in a cloud solution. You should consider using a secure storage repository on a local corporate network connected to the cloud solution as one way to avoid storing high risk data in the cloud.
     
  2. Treat every user as "untrusted"
    In corporate networks, there is an element of certainty that a user is coming from a trusted environment, therefore systems tend to “trust” them and allow greater or easier access. In cloud solutions, systems and users can be accessing the solution from nearly anywhere and on any device, so the ability to have a “trusted” connection is next to impossible. The application platform should treat all users with the lowest possible form of trust (i.e. no trust), and use identity checks and other authentication processes to validate the identity of the user and the security of the device connecting to the solution.
     
  3. Don't trust "security of the cloud" marketing
    Most cloud providers heavily promote the need for security, and the technologies they’ve implemented to secure their cloud hosting platform. Unfortunately these approaches don’t provide an adequate level of protection and therefore instil a false sense of security that their services are already as secure as they can be. We highly recommend that you understand the security features offered by the cloud providers and configure them for the maximum security the business requires. However, ensure that additional security controls (where required) are implemented, such as authentication, access control, data validation and data encryption.
     
  4. Audit/Log Everything
    Corporate environments have firewalls to stop unwanted traffic. Cloud providers don’t offer similar protection. When deploying a cloud based solution, there is a critical need to capture and act upon potential security breaches within the application. Not only is a successful auditing program needed for the solution, but a method of ensuring audit logs are reviewed and acted upon should also exist.
     
  5. Don't rely on hardware/firewalls!
    It’s common knowledge that hardware appliances and firewalls provide great protection for corporate networks against network level threats. However, over 80% of attacks across the Internet target the application stack. This means you need to protect port 80 and SSL traffic, where a network based firewall provides limited help. WAF devices and other application aware appliances can help with the problem, but there has never been a silver bullet, and we certainly can’t see one coming to the market any time soon. This means you need to build security into the applications!
     

Although the above five recommendations are just good common security practice, in our experience these are the most critical areas when trying to secure a cloud deployment. Our research team has helped many organisations move applications ranging from simple to sensitive into the cloud. Consideration should always be given to ensuring that the relevant security controls are implemented in line with the risk associated with the application deployment. Always remember that you are deploying into a “shared environment”, so you can’t trust anyone.

"Build Security in, instead of trying to bolt it on."

Copyright © 2011-2012 Appsecure Pty Ltd  |  ACN 132 491 644  |  info@appsecure.com  |  1300 736 778  |  BRISBANE - SYDNEY - MELBOURNE - CANBERRA