It is no secret that today's most opportune hackers consider web applications to be the preferred means to either load malware onto end-user PCs or to plunder the potential gold mine that are corporate databases. And now that the cloud is becoming more of a trusted environment to store and serve these enterprise applications, one can only deduce that the bad guys will be following right along.
Organizations moving their applications out of the data center and into the cloud typically are doing so to save on costs, while increasing scalability and streamlining their IT administration. According to a survey released in February by Mimecast, an email management firm, 70 percent of IT decision-makers who already use cloud computing said they plan to move additional applications to the cloud over the next year.
“This shows that respondents that have used cloud-based solutions have seen their business and operational value and want to expand that success to other application areas,” said the survey, which polled 565 people responsible for IT operations and budget at organizations in the United States and Canada.
But while consumer confidence in the cloud clearly is on the rise, the risks posed to applications are not any different in a shared server setting than they would be in a corporate data center.
Seventy-five percent of cyberattacks are generated through internet applications, according to web security firm Cenzic. And popular application exploit techniques, such as SQL injection and cross-site scripting – the most dangerous programming errors, according to the recently published CWE/SANS Top 25 list – are just as viable in a cloud setting, experts say.
Financial services, energy, government and retail verticals seem the most hamstrung by security concerns, concluded the Mimecast survey. In total, 46 percent of respondents who have not yet considered cloud-based applications cited security as the main reason.
“The cloud doesn't do any magic for you,” says Lars Ewe, CTO and vice president of engineering at Santa Clara, Calif.-based Cenzic. “It exposes the application much in the same way as if you hosted it yourself.”
Since the technology burst on the scene, organizations have been more willing to move non-mission-critical applications, such as customer relationship management (CRM) platforms and email, to the cloud. However, they have been less inclined to hand over control of their enterprise applications containing the most sensitive of personal and proprietary property, says Jai Raju (right), technology and innovation head for insurance at New York-based Tata Consultancy.
One recent study by Burton Group, recently acquired by Gartner, might shed some light on why businesses remain reticent to embrace the concept of the cloud. One of the best known, widely used and most profitable cloud infrastructure providers is Amazon's Elastic Compute Cloud (EC2), which lets companies rent virtual space on which they can run their applications.
But Drue Reeves, vice president and research director for Burton Group Data Center Strategies, argues in a November report that EC2 is not suitable for applications storing data that is too sensitive for a shared environment. He points out that EC2 is effective at network and physical security, offering a “preconfigured firewall that is defaulted to block all ports,” as well as distributed denial-of-service mitigation techniques. However, he says, the service falls short in other areas, notably by failing to offer an audit that its security claims have been verified by a third-party, athe failure to disclose its architecture and operational security procedures, and the fact that it doesn't integrate with identity management. In addition, EC2's Simple Storage Service (S3), an online storage service, does not encrypt data objects, forcing customers to use their own masking solution, Reeves says.
Amazon Web Services (AWS), in a 2008 white paper that describes its security processes, admits that issues around security and privacy are “more sophisticated” in a cloud setting versus a nonpublic-facing data center with dedicated servers. But, the paper says that “ensuring the confidentiality, integrity and availability of [a] customer's systems and data is of utmost importance to AWS, as is maintaining trust and confidence.”
Still, the burden of cloud application security ultimately falls on the organization that owns the application, says Bill Trussell, managing director of information security at TheInfoPro, an IT research firm.
“They would be held accountable and responsible for making security provisions if they were the ones creating that application and delegating the infrastructure piece to a cloud provider,” he says.
Businesses are by no means helpless on this front. For one, they can assure secure applications are being moved over to the web by implementing stringent coding practices, including scanning for vulnerabilities and conducting penetration tests, experts say. Also, they must ensure that the service-level agreements they ink with cloud providers contain specific wording around security, such as rules prescribing the keeping up with patches and protecting against common web attacks.
Yet there are real risks associated with taking an application out of an organization's control that go beyond even Reeves' concerns. The cloud environment is, by its very definition, shared, meaning gaining unauthorized access to one application can net an attacker access to others sharing the same server.
“In the cloud, in theory, there is very little physical segmentation of the backend,” Trussell says. “It's all logical segmentation. A weak application sitting on my left [combined with] a vulnerability on the backend could be used to come into my application, in spite of the fact that I made all the [proper] provisions.”
As attackers better understand how to compromise virtualized environments, cloud computing models could be ripe for the taking, says Cenzic's Ewe.
“While you might be in your own virtual machine and isolated from other environments on that cloud server, more and more research is being done on the underlying virtualized layer,” he says, citing advances such as “blue pill” technology, developed by Joanna Rutkowska, which can theoretically hide virtual machine malware from detection.
Meanwhile, a solution such as a web application firewall (WAF) can help combat the risks of common internet attacks once programs go live in the cloud, says Georg Hess (left), CEO of San Francisco-based security firm Art of Defence. Hess' company recently partnered with Amazon to offer customers a small software plug-in that can be added to an Amazon Machine Image, which creates a virtual machine within Amazon's EC2. The plug-in enables customers to leverage WAF technology that offers security beyond the network layer and is scalable to protect virtualized resources.
“Security is and has always been about layers, and this is underlined by applications being moved to the cloud,” Hess says. “Traditional software is exposed like never before and often cannot be patched in real time to accommodate actual security needs. One layer that fills this void is a WAF. Rather than a replacement for secure developing, a WAF is able to defend the cloud application until a patch can be made, tested and deployed.”
Hess can foresee another potential problem brewing. As Windows Azure, Microsoft's recently launched cloud platform, gains a market foothold, the software giant likely will ask some of its software partners to customize their offerings, such as enterprise resource planning (ERP) systems, so that they can go live in the cloud.
Such a move would work technologically while benefitting end-users who no longer would have to install and manage the software, Hess says. But security challenges could result if the partners do not do a robust enough job of securing the applications and implementing preventive measures, such as input validation, which vets applications so they don't accept malformed data that can lead to an attack.
Clearly, the cloud still has a lot of growing up to do before it receives across-the-board acceptance as a trusted platform. In the meantime, some organizations, especially more established companies with copious legacy applications and assets, may want to consider a more expensive, but potentially more secure setup known as a private cloud, Raju says. The setting still offers the host-based structure and efficiency that a public cloud can, but it sits behind the corporate firewall, thus lending more control.
No matter what, how to best manage enterprise applications is a personal one.
“At the end of the day, it comes down to risk management,” Cenzic's Ewe says. “The reality is, very few applications are flawless. Security tends not to be black and white, but more of a discussion of shades of gray. And you want to understand what shade you're in and whether that's business acceptable.”
Does the cloud provider offer security testing?
What are its patching processes like?
Does it offer a web application firewall?
How mature is it?
Does it allow you to see an architecture diagram to identify vulnerable areas?
Have you drafted a stringent service-level agreement?
How much does the service cost? Have you weighed the business risk?
Are your system components compatible with applications going to the cloud?
– Dan Kaplan