Code surety: Secure by design

“Any design plan must take the posture that the system will be breached and that the data inside will be accessed,” says Mark Bower, VP of product management at Voltage Security. “This is particularly true for payment transactions, which are essentially cloud-based services to merchants.”

According to Bower, authentication should be tied to data encryption, so that who a user is and what role they hold determines how much of the live data is decrypted for them. Newer techniques such as format-preserving encryption make this practical: a protected field keeps the length and character set of the original, so it can flow through existing applications and databases while only the last few characters are ever shown in the clear.

“Encryption should also be used to protect live data from authorized users,” he says. “For example, to verify a transaction or to match a customer to an account, an operator may only need to see the last four digits of a Social Security number or the last section of a credit card number versus the complete field.”

By now, most organizations should be encrypting their sensitive information in a data-centric manner, meaning the sensitive field itself stays encrypted at rest, in transit and in use, rather than relying only on the protection of the disk, network or database around it. If an organization is migrating to IaaS, where it remains responsible for its own applications, it may suffice to carry the same encryption technology into the cloud through standards-based APIs.
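Bower's point about an operator who only needs the last four digits, and the data-centric approach above, can be put together in code. The following is an added illustration, not Voltage's or any vendor's code: the application record carries only a keyed token and a masked view of a card number, and the clear value is released only to a role that needs it. The key, the role names and the record layout are assumptions made for the example, and the mask is one-way display masking, not format-preserving encryption.

```python
"""Data-centric protection of a payment card number: the application record
carries only a keyed token and a masked view; the clear value is released
only to a role that needs it. Added illustration (not Voltage's or any
vendor's code); key, role names and record layout are assumptions."""
import hashlib
import hmac

# Assumption for this example: only the settlement path needs the full number.
FULL_ACCESS_ROLES = {"settlement"}


def luhn_valid(pan: str) -> bool:
    """Reject malformed input before it is stored or tokenized."""
    digits = [int(c) for c in pan if c.isdigit()]
    if len(digits) < 12:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Display mask that keeps separators and the last four digits and
    replaces every other digit with '*'. It preserves the field's format for
    screens and reports but, unlike format-preserving encryption, it is
    one-way: the clear number cannot be recovered from the mask."""
    digit_positions = [i for i, c in enumerate(pan) if c.isdigit()]
    keep = set(digit_positions[-4:])
    return "".join(
        c if (not c.isdigit() or i in keep) else "*"
        for i, c in enumerate(pan)
    )


def pan_token(pan: str, key: bytes) -> str:
    """Deterministic keyed token (HMAC-SHA256 truncated to 128 bits).
    The same card under the same key always yields the same token, so the
    application can match a customer to an account or link transactions
    without handling the clear number; without the key the token reveals
    nothing about it. Separators are ignored so formatting cannot split
    one card into two tokens."""
    digits = "".join(c for c in pan if c.isdigit())
    return hmac.new(key, digits.encode(), hashlib.sha256).hexdigest()[:32]


class CardVault:
    """Keeps clear numbers apart from application records. A stand-in for an
    encrypted vault or HSM-backed store: in a real deployment the contents
    are encrypted at rest and only the settlement service can reach it."""

    def __init__(self, key: bytes):
        self._key = key
        self._store = {}

    def protect(self, pan: str) -> dict:
        """Store the clear PAN and return the record the application keeps."""
        if not luhn_valid(pan):
            raise ValueError("invalid card number")
        token = pan_token(pan, self._key)
        self._store[token] = pan
        return {"token": token, "masked": mask_pan(pan)}

    def reveal(self, token: str, role: str) -> str:
        """Release the clear PAN only to an authorised role."""
        if role not in FULL_ACCESS_ROLES:
            raise PermissionError(f"role {role!r} may only use the masked view")
        return self._store[token]


if __name__ == "__main__":
    vault = CardVault(key=b"\x01" * 32)            # constructed demo key
    record = vault.protect("4111 1111 1111 1111")  # standard test card number
    print(record["masked"])                        # **** **** **** 1111
    print(vault.reveal(record["token"], "settlement"))
```

The split matters more than the primitives: the operator's screen, the fraud rules and the customer lookup all work from the token and the masked view, so a breach of the application tier yields tokens, not card numbers, and the vault (encrypted, under keys the application tier cannot read) is the only place worth attacking, which is where the hardening budget then goes.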

If purchasing software-as-a-service, organizations should find out how the provider will help them carry their encryption and, in particular, their key management over into the cloud. For example, Voltage manages keys in the cloud for customers of its Voltage Cloud Service-based file and email encryption. Alternatively, enterprises may want to retain control of their keys with on-premises key servers serving their applications in the cloud. The choice is not cosmetic: whoever holds the keys can read the data, so a provider that manages keys can decrypt customer data, and so can anyone who compromises or compels that provider.

When considering application deployment to the cloud, the specific type of hosting environment determines who supports security capabilities such as encryption and monitoring, and how, says OWASP's Manico.

For example, in the IaaS model the organization acquiring the service is responsible for its own applications. With SaaS (software-as-a-service), the provider manages the applications for the consuming organization. A SaaS provider can also manage security applications in the cloud for the consumer, as well as offer new security services to the consumer.

Visibility and maintenance

Fuzzing, static analysis and functional testing are critical at key stages of development and again after the application has gone into production. So the design must include stages for testing the application during design, development and after deployment, in order to maintain its security posture over time rather than only at release.

That means the design must include basic monitoring support, such as producing usable logs and recording changes to data and access, says Symantec's Phillips. “To build trust, monitoring is very important, so you must have a close view of your system and access logs, as well as activity that occurs around the data,” he says.
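An audit log designed in the way Phillips describes, as an added example that is not Symantec's or any product's code: each access to a protected field is written as a structured JSON line that carries the hash of the previous line, so a later deletion or edit of the log is detectable, and a small rule picks out denied full-field reads for review. The field names, role names and resource identifiers are assumptions made for the example; the sample events are constructed.

```python
"""Tamper-evident audit log for data access. Added example, not Symantec's
or any product's code; field names, roles and resource identifiers are
assumptions for this illustration."""
import hashlib
import json
from datetime import datetime, timezone
from typing import List, Optional, Tuple


class AuditLog:
    """Append-only JSON lines; each line records the SHA-256 of its predecessor."""

    GENESIS = "0" * 64  # 'prev' value of the very first record

    def __init__(self) -> None:
        self.lines: List[str] = []

    @staticmethod
    def _hash(line: str) -> str:
        return hashlib.sha256(line.encode()).hexdigest()

    def record(self, actor: str, role: str, action: str, resource: str,
               outcome: str, when: Optional[datetime] = None) -> str:
        """Write one access event. 'resource' is a reference (for example a
        token), never the clear value: the log must not become a second copy
        of the data it is supposed to protect."""
        prev = self._hash(self.lines[-1]) if self.lines else self.GENESIS
        event = {
            "ts": (when or datetime.now(timezone.utc)).isoformat(),
            "actor": actor,
            "role": role,
            "action": action,      # e.g. read_masked, read_full, update
            "resource": resource,
            "outcome": outcome,    # "allowed" or "denied"
            "prev": prev,
        }
        # sort_keys + fixed separators give a canonical form, so hashing is stable
        line = json.dumps(event, sort_keys=True, separators=(",", ":"))
        self.lines.append(line)
        return line


def verify_chain(lines: List[str]) -> Optional[int]:
    """Return the index of the first record whose link is broken (deleted,
    reordered or altered predecessor, or unparsable line), or None if the
    whole chain is intact."""
    prev = AuditLog.GENESIS
    for i, line in enumerate(lines):
        try:
            event = json.loads(line)
        except ValueError:
            return i
        if event.get("prev") != prev:
            return i
        prev = AuditLog._hash(line)
    return None


def denied_full_reads(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Detection rule run over the log: who tried to read a full field and
    was refused. Repeated hits from one actor are worth an analyst's look."""
    hits = []
    for line in lines:
        ev = json.loads(line)
        if ev["action"] == "read_full" and ev["outcome"] == "denied":
            hits.append((ev["ts"], ev["actor"], ev["resource"]))
    return hits


if __name__ == "__main__":
    log = AuditLog()
    t = datetime(2011, 5, 1, 9, 30, tzinfo=timezone.utc)   # constructed events
    log.record("alice", "operator", "read_masked", "card:tok1", "allowed", t)
    log.record("alice", "operator", "read_full", "card:tok1", "denied", t)
    log.record("batch", "settlement", "read_full", "card:tok1", "allowed", t)
    print("intact:", verify_chain(log.lines) is None)
    print("denied full reads:", denied_full_reads(log.lines))
```

The chain only proves integrity relative to its last hash, so that hash should be shipped to a separate log service or signed off-host at intervals; an attacker who can rewrite the whole file can recompute every link, but cannot make the rewritten file match a hash already held elsewhere.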

There are numerous tools and services to test web applications for SQL injection, cross-site scripting (XSS) and other code-level and functional vulnerabilities. When it comes to visibility into applications in the public cloud, however, organizations must rely on the monitoring tools their cloud provider supports to watch their own data, experts say. To keep an eye on the provider's own network, they will have to rely mostly on contracts and annual audits.

Getting to secure design will take planning, time and coordination between business, development and security units. But the task is not impossible, many say.

“No one says secure by design is a quick architecture change that makes an application ready for the web or the cloud,” IBM's Danahy says. “If it were easy, there would already be a common secure design template that everyone can use.”