5 Security Issues You Should Know About When Securing Cloud Applications
The concept of using remote web servers to host and manage data and applications, in other words, Cloud computing, is a paradigm shift in how we use computing at work (and home). Cloud computing has had a rocky road to acceptance, but it is now embraced by just about everyone with 95% of respondents to the RightScale ‘2017 State of the Cloud Report’ using Cloud computing. Out of this revolution in computing has come a number of methodologies to manage and control the broad brush of ‘Infrastructure-as-a-Service’. New movements like DevOps have promoted the use of collaboration between IT teams and software developers to optimize and streamline operations. But always, lurking in the background is security, like an old-fashioned villain from a silent movie. Security of Cloud applications is something that needs a good grounding but also needs to be recognized as an evolutionary process too. The way that a modern business operates, the pace of projects, and the ever-changing requirements list that we need to meet makes baselining security very difficult. Security as a process is probably the better way to describe how to secure Cloud applications. Like the software it means to protect, security decisions have to be extensible, and adjustable.
With the caveat of an ever-changing landscape in mind, I will outline 5 key areas that should be in the back of your mind when looking at bringing Cloud applications onboard.
When you first design a new software product, it is all very exciting. You come up with an idea, research the market and then work out a set of design requirements and goals. Once that design is specified, with accompanying wireframes, and detailed mechanisms, the build process can begin. When a software designer, architect, and a team of developers start to build a product it is a bit like building a house. The designer needs to create a robust and solid design. The architect shows where the ‘windows’ and ‘doors’ need to go and how to place them so as to make the most of the structure. The developers can then start to ‘build the house’, floor-by-floor – connecting the different parts together. If you build a house, you need to make sure the walls won’t fall down when it gets windy, and you want to make sure the doors have a latch. So similarly, when software developers build their code they need to apply the concept of secure coding.
The practice of secure coding has never been more important in a world where cyber attacks are ever-present. Malware attacks work because of vulnerabilities in software, most notably the infamous ‘buffer overflow’. Following an ethos of secure coding is an essential part of a Cloud application developer remit. As a customer who uses a web application, you can find out how secure the underlying code is by asking for a code analysis performed by a third party company who specialize in this. This analysis will pick up on vulnerabilities in the code.
If you want to know more about what secure coding is OWASP offer a reference guide that explains the principles of secure coding.
2. Encryption – At Rest
Of the almost 7.1 billion data records breached since 2013, only 4% of those were encrypted. That means 6.8 billion records were exposed without any protection. Encryption of data is a fundamental that seems to be missing from Cloud security 101.
Encryption needs to cover the whole data lifecycle to be effective. That is both in transit and at rest. In this section, I’m looking specifically at the ‘rest’ side of the equation, i.e. data storage.
Encryption of data at rest in Cloud applications is one area that seems to be falling through the net as a recent report found. SkyHigh analyzed 12,000 Cloud service providers finding that less than 10% offered encryption of data at rest. With many enterprises now using Cloud services, like DropBox and Trello, often for storing and sharing highly sensitive and proprietary data, not being able to encrypt that data leaves it highly vulnerable.
It is important to use encryption at rest, but it is also important to ensure that the encryption keys used to apply the protection, are also secured. Management of encryption keys is something that needs to go hand-in-hand with your security policy on encryption of data. For further details on Cloud service key management, you can read this paper by NIST on the issues and challenges.
3. HTTPS – Encryption in Transit
Encryption of data during transit is another vital part of the security review of Cloud applications. Going back to the SkyHigh survey, thankfully this area is better managed than the protection of data at rest, with most Cloud vendors offering this. Getting data securely from A to B via an Internet connection is handled by the secure version of the Hypertext Transfer Protocol (HTTP). It can be thought of as a layering of the Secure Sockets Layer (SSL) protocol, over HTTP. You also need a digital certificate as part of your website configuration to perform the encryption using the public/private key pair of the certificate (in a nutshell). Misconfiguration is common, mainly because of forgetting to apply HTTPS across all web pages. I have come across this error on some well-known brand site’s, which ask you to enter login credentials into a non-HTTPS page (the rest of the site being HTTPS) – if a user did this, their credentials could easily be hijacked.
4. Privileged Authentication in the Cloud
Authentication is a big topic but I’ll focus here on administrator authentication to Cloud web servers/databases, especially concerning the public Cloud. Administration login to databases has become a thorny issue since breaches such as Target Corp. which involved the theft of privileged access credentials. In a report last year by analysts Forrester, they found that 80% of breaches involved privileged credentials. Privileged credential exposure can be both a technology and a human problem. Spear phishing is a known exploit to help steal sysadmin credentials. And if we are talking Infrastructure-as-a-Service, privileged credentials may allow access to multiple virtual hosts. Two-factor authentication and risk-based authentication measures are a best practice method of dealing with the vulnerability of privileged access credentials. They can’t prevent legitimate users (aka insiders) from missing their credentials, but dealing with insider threats is another topic altogether.
5. API Security
One of the best things about Cloud computing is its connectivity to other web services using Application Programming Interfaces (APIs). The API economy has allowed us to add more features and functionality to web applications – APIs are the lego brick of the software world, with more and more web based offerings opening up their services via an API. API-based services let us reach out into cyberspace to build bigger and better web-based offerings. As businesses, we can take advantage of a greater number of features, and often have more choice in the way things work creating new models of business.
API security is where many security issues collide. The open nature of an API interface means that certain aspects of security are vitally important to get right at the design and coding stages. These include:
- Secure coding – the API must be built using secure coding to reduce vulnerabilities that can be exploited
- Encryption – to be able to protect any data handled via the API
- Digital signatures – used to provide non-repudiation and integrity of the data exchange
- Authorization and authentication – usually done using a protocol like OAuth 2.0 which uses tokens to perform authorization and authentication
Susan Morrow has spent the last 20 years of her life working in various areas of security, and more recently online identity. She is most interested in the interplay between the cybercriminal and the victim – the games that are being played out in the world of cybercrime.
Notice: The views expressed here are those of the authors and do not necessarily represent or reflect the views of Cursive Security.
Be Informed. Stay One Step Ahead.
Sign up for our newsletter and stay up to date with the latest industry news, trends, and technologies