The IT world is advancing at an astonishing pace. Just a few years ago data was stored physically on databases and software was managed manually. But today more and more organizations are gravitating towards cloud-based solutions for their computing needs. While these solutions are extremely convenient, cheap and hassle-free, insecure programming can lead to a plethora of vulnerabilities and loopholes that can spell disaster if exploited maliciously.
Because the cloud platform is still relatively new, its security practices have not yet matured. OWASP, a pioneer in the application security field, is not waiting. The security experts from one of the world’s leading application security platforms have come up with a Top 10 Cloud Security Risks list, but it must be noted that this benchmark is still in its pre-alpha stage.
The following article will touch on the top 5 security topics that cloud developers must take seriously before dealing with their customers’ sensitive data and also provide important development tips.
1 – Accountability and Data Ownership
More and more organizations are using public clouds to host their business services. This automatically introduces a wide range of risks that increase in severity according to the sensitivity of the business data stored on the specific cloud. When the stored data includes credit card information, criminal records, health-related data and salary logs, the stakes rise exponentially.
Many providers employ a multi-tenancy storage architecture, where multiple consumers’ data is stored in one place. When this storage architecture is not stable, cross data harvesting can occur. Cloud providers also often nominally delete data when requested by the organizations. This is an insecure practice, as it leaves traces and can allow hackers to reconstruct the deleted data.
To avoid security issues with sensitive data, developers should make sure that:
- Data is stored securely and breach-response procedures are in place.
- Industry-specific security standards such as PCI DSS and HIPAA are enforced.
- Up-to-date data encryption is used with all data, at rest and in transit.
- Secure storage of encryption keys is enforced.
- All consumers’ data is isolated and no unauthorized access is possible.
2 – Multi Tenancy and Physical Security
Due to the huge number of organizations using clouds to run their businesses, more and more clouds have multiple “tenants”. In other words, multiple businesses today are sharing the same resources – computing, networking, storage, services and functionality-related components. While this reduces costs for the providers, many new security risks are entering the picture.
Security risks arise due to inadequate logical security controls in between physical resources (CPU, networking, databases, etc). Malicious or ignorant tenants can also cause unintentional damage when poor logical controls are used by the cloud provider. Security issues also arise when infrastructure is misconfigured or when bad architecture leads to single points of failure.
Developers can tackle the aforementioned issues by taking the following steps:
- Encrypting the data with strong tenant-owned key management.
- Designing the multi-tenant architecture to prioritize logical segregation and strengthen common services.
- Using Virtual Private Clouds (VPCs) to securely partition public clouds.
- Enabling auditability of admin access at all layers of the stack (OS, networking, databases, etc).
3 – Infrastructure as a Service (IaaS) Security
The first kind of cloud services that organizations are using today are virtualized hardware solutions, known as IaaS. These offerings can include virtual server space, network connections, IP addresses, storage and load balancers. This requires the IaaS vendors to provide data centers and maintain them, while making sure the infrastructure components are safe.
Data within an application cannot be secure if the infrastructure components that make up the platform of the application are insecure. The problems can lie in default configurations of the various system and network devices, enabling of vulnerable services that consumers don’t really use and also porous network protocols or exploitable open ports.
Compromised services can also be used by hackers as “hop-off points” to other services. A compromised web service (for example, with SQL injections) can lead to a compromised back-end database.
Developer tips for optimized IaaS security:
- Hardening of operating systems, applications and configurations.
- Tiering of the solution architecture to avoid being used as hop-off points.
- Isolation of infrastructure components such as network ACLs.
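The tiering and isolation tips above can be checked mechanically. The following added example (not part of the original article) audits a constructed set of ingress rules for a three-tier layout; the tier names, subnets, ports and rule format are assumptions made for illustration.

```python
import ipaddress

# Constructed sample ingress rules (not taken from any real environment).
RULES = [
    {"tier": "web", "port": 443, "source": "0.0.0.0/0"},
    {"tier": "web", "port": 22, "source": "0.0.0.0/0"},
    {"tier": "app", "port": 8080, "source": "10.0.1.0/24"},
    {"tier": "db", "port": 5432, "source": "10.0.2.0/24"},
    {"tier": "db", "port": 5432, "source": "10.0.1.0/24"},
]
# Assumed layout: one subnet per tier, and the only tier allowed to call each tier.
SUBNETS = {"web": "10.0.1.0/24", "app": "10.0.2.0/24", "db": "10.0.3.0/24"}
ALLOWED_UPSTREAM = {"web": None, "app": "web", "db": "app"}  # None = internet-facing
PUBLIC_PORTS = {80, 443}

def audit(rules):
    """Return (tier, port, source, reason) for every rule that breaks the tiering."""
    findings = []
    for rule in rules:
        tier, port = rule["tier"], rule["port"]
        source = ipaddress.ip_network(rule["source"])
        upstream = ALLOWED_UPSTREAM[tier]
        if upstream is None:
            # Internet-facing tier: only the web ports may be open to everyone.
            if source.prefixlen == 0 and port not in PUBLIC_PORTS:
                findings.append((tier, port, rule["source"],
                                 "non-web port open to the internet"))
            continue
        # Internal tier: traffic must originate inside the tier directly above it.
        if not source.subnet_of(ipaddress.ip_network(SUBNETS[upstream])):
            findings.append((tier, port, rule["source"],
                             f"reachable from outside the {upstream} tier"))
    return findings

if __name__ == "__main__":
    for finding in audit(RULES):
        print(finding)
```

On the sample rules it reports the SSH port exposed to the internet and the database rule that lets the web tier skip the application tier, which is the path a compromised web service would use as a hop-off point.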
4 – Platform as a Service (PaaS) Security
Platform as a Service (PaaS) services typically involve the delivery of a computing platform and solution stack as a service. For example, developers can use .NET, Java and other programming language environments via the website interface. Unfortunately many PaaS services come with security risks due to coding malpractices and errors in the development stages.
Organizations often use PaaS services that suffer from a lack of provisions in the SLA and/or don’t meet compliance demands. The software used is also often developed insecurely.
Developer tips for optimized PaaS security:
- Use containerization to separate applications saved on the same server.
- Perform Pen Testing after adding third-party components to the platform.
- Prevent users from getting root access to the Linux containers used for isolation.
- Develop apps with high code integrity and use hardening procedures for the OS.
- Monitor all Intra-VM network traffic at all times when VMs are in use.
5 – Software as a Service (SaaS) Security / Application Security
On-Demand Software providers are highly sought after today as they enable enterprise IT organizations to cut support and maintenance expenses. Customer Relationship Management (CRM) is a large SaaS market today, but organizations also use SaaS solutions for Enterprise Resource Planning (ERP), Human Resource Management (HRM) and Content Management (CM) services.
The OWASP Top 10 touches on the most common application layer vulnerabilities that exist today. Cloud providers should make sure that their developers are taking the steps needed to produce robust software so that it withstands assaults from malicious attackers. One way to eliminate vulnerabilities early is to use a SAST methodology called Static Code Analysis (SCA).
Implementing SCA/SAST early in the development process can help mitigate many application layer vulnerabilities that can potentially result in high profile breaches with millions of dollars in damages to organizations and clients alike. The automation of the security process helps create a secure Software Development Life Cycle (sSDLC), an effective way to develop robust software.
Other benefits of scanning code early in the Software Life Cycle (SLC) include:
- Integration into the developer environment and raising their AppSec IQ.
- Treating of security issues just like QA bugs and reducing remediation times.
- Reducing friction between security managers and development team leaders.
- Improvement of security awareness and making developers security champions.
- Better ROI – fewer post-release breaches and less need for maintenance/patches.
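To show what static code analysis does in practice, here is an added example (not from the original article and not any vendor's scanner): a single simplified rule that parses source code without running it and flags database calls whose SQL text is assembled from variables, the SQL injection pattern mentioned in the IaaS section. The scanned sample and the rule are constructed for illustration; a real SAST tool also tracks data flow across statements.

```python
import ast

# Constructed sample of application code to scan (parsed only, never executed).
SAMPLE = '''
def find_user(cur, name):
    cur.execute("SELECT * FROM users WHERE name = '" + name + "'")

def find_order(cur, order_id):
    cur.execute(f"SELECT * FROM orders WHERE id = {order_id}")

def find_safe(cur, name):
    cur.execute("SELECT * FROM users WHERE name = %s", (name,))
'''

def has_variable_part(node):
    """True if a string expression contains anything other than constants."""
    if isinstance(node, ast.Constant):
        return False
    if isinstance(node, ast.BinOp) and isinstance(node.op, ast.Add):
        return has_variable_part(node.left) or has_variable_part(node.right)
    if isinstance(node, ast.JoinedStr):  # f-string
        return any(isinstance(v, ast.FormattedValue) for v in node.values)
    return True

def builds_sql_dynamically(arg):
    """True if the query argument is built by concatenation or formatting."""
    if isinstance(arg, ast.BinOp) and isinstance(arg.op, ast.Mod):
        return True  # "..." % values
    if isinstance(arg, ast.Call):
        return isinstance(arg.func, ast.Attribute) and arg.func.attr == "format"
    if isinstance(arg, (ast.BinOp, ast.JoinedStr)):
        return has_variable_part(arg)
    return False  # plain constants and bare variables need data-flow analysis

def scan(source):
    """Return the line numbers of execute() calls with dynamically built SQL."""
    lines = []
    for node in ast.walk(ast.parse(source)):
        if (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
                and node.func.attr in ("execute", "executemany")
                and node.args and builds_sql_dynamically(node.args[0])):
            lines.append(node.lineno)
    return sorted(lines)

if __name__ == "__main__":
    print(scan(SAMPLE))
```

The parameterized query in `find_safe` passes, while the concatenated and f-string queries are reported by line number, which is the kind of finding a developer can fix like any other QA bug.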
Cloud Security is Essential for a Secure Cyberspace
Whether it’s SaaS, PaaS or IaaS, secure coding is absolutely non-negotiable. With the huge migration to the cloud, providers simply can’t afford to implement insecure applications and software. Cybercrime is rising and this can be countered only by securing the foundation of this upcoming platform – the application code. Cloud security is now a must.
More and more InfoSec experts around the world are advocating the implementation of multiple solutions to bolster cloud security. The most common combos include the scanning of the application code during development with SCA and Pen Testing before release (or after integrating new third-party components). Throwing in firewalls for good measure is also an effective tactic.
Only clear clouds can ensure a safe cyberspace. Stay safe.