The App is King
Since the advent of computer networks, lessthan- scrupulous individuals have attempted to exploit gaps in security in order to gain access to (sometimes) valuable information. In response, the information security industry has evolved to protect the information assets of governments, businesses, and individuals. During this time, computing has undergone massive transformations that have changed how we must look at security.
Today, we find ourselves in the middle of the one of those transformations, with the advent and adoption of cloud computing. While only 1-2% of organisations are taking advantage of the cloud today, IDC forecasts that nearly 20% of organisations will be using the cloud by 2015. Combined with the growth of virtualisation, traditional physical infrastructure will be reduced from 85% to 35% of computing capacity.
Alongside the obvious benefits of cloud computing (elastic, on-demand computing capacity and reduced costs) comes a hidden cost that most security practitioners are well aware of – the cost of ensuring security in the cloud. "Securing the cloud” is perhaps one of the most overused buzz phrases of the past year, so let’s start by deconstructing what this actually means. In one sense, it’s as simple as protecting the integrity, availability, and confidentiality of the information that resides in the cloud, just as that information would be protected within the four walls of an organisation. The reality is that achieving those things in the cloud is much more difficult than within the enterprise, for the simple reason that the organisation using the cloud does not have direct control over the physical infrastructure that is hosting the data or delivering the service.
The real challenge, therefore, is extending enterprise controls to cloud services. Essentially, organisations must push their security policies out to the cloud, even though they don’t directly control the infrastructure. As a framework, this is enterprise-out, as the systems that reside today within the enterprise must be extended to cover the cloud. That is why securing the cloud is like security without training wheels.
Without direct control over the physical infrastructure, the application itself becomes the core vehicle through which security is delivered. Depending on how abstracted the cloud is, it may be the only way to deliver security.
In a physical world, it’s possible to monitor network traffic for attacks and cut off access from the outside world at the firewall. In a sense, physical infrastructure is a crutch that we rely on to make up for gaps in security elsewhere. New threat? Great. Throw a new security appliance in the mix!
In a cloud-based world, that paradigm breaks down completely. Security must be built directly into the application and operating system, and these pieces must be able to interface with enterprise systems such as Identity Management. That also means that secure coding practices are a must, SLAs with cloud providers are critical, and workloads (a combination of application, middleware, and operating system) must understand something about what information they provide access to, in order to determine where they can run (public or private cloud), and who should have access.
To make matters worse, we have to assume that the endpoints accessing cloud services are inherently insecure. Insecure endpoints raise a critical and unsolved issue. Most advanced attacks today use custom malware to exploit an insecure endpoint and eventually, an attacker uses that access to find their way to an endpoint that has access to valuable data. Within the four walls of an enterprise this is challenging but solvable.
Remember, we have access to the underlying infrastructure, so we can do things like inspect network traffic for suspicious traffic and segment networks to keep untrusted endpoints away. This becomes difficult if not impossible in the cloud – it’s now up to the application to find a way to verify that access is legitimate, even though the endpoint can’t be trusted.
In light of this, the application needs to have a certain level of intelligence. For example, a less sensitive workload might be fine with singlefactor authentication from any source IP. A more sensitive workload might require multi-factor authentication and only accept login attempts from trusted sources.
If the enterprise has an Identity and Access Management system in place, then that system needs to extend to services running in the cloud, so that provisioning and de-provisioning still takes place using the same processes as traditional services.
Auditing and logging in the application is also more important in the cloud. Audit logs from the physical infrastructure could be useless in reconstructing what happened in the event of a data breach. The application itself must provide an account of who has accessed it and what they did. Unfortunately, most applications were not written with this in mind, adding logging functionality in after the fact is often a difficult task. There is no question that enterprises will increasingly take advantage of cloud computing in the coming years. Without physical infrastructure as a backstop to security weaknesses, attackers will take advantage of the transition to cloud computing to steal valuable information.
To combat that threat, there needs to be a much greater focus on building intelligence and security directly into workloads. In the cloud, the application is the king.