Solving cloud application security problems before they happen
Should security-conscious businesses be running applications in the cloud? In addition to frequently cited concerns (data sovereignty, management console points of failure and so on), the nature of cloud models has a number of architectural, and therefore security implications.
Cloud-based applications are by their nature distributed, benefiting from elastic infrastructure (processing, memory and storage) which can be scaled according to demand. Applications built for the cloud are increasingly architected based on the principle that hardware failure may (and sometimes does (http://www.policymic.com/articles/10526/amazon-crash-causes-instagram-and-netflix-to-blackout-is-cloud-computing-ready-for-prime-time)) happen.
From a security perspective, such distributed processing models have benefits – for example they can reduce the risk of distributed denial of service (DDoS) attacks. However they also increase the potential attack surface of an application and inevitably result in more complexity – which is the enemy of good security.
Different cloud providers have taken different paths to dealing with the security challenges of distributed applications. For example Microsoft Azure and Amazon AWS favour a more proprietary stack model which concentrates on incorporating security features into the platform, leaving developers to secure the upper layers of the application.
Meanwhile, vendors of open source stacks such as CloudStack or OpenStack try to bake a comprehensive set security features into the both platform and application layers of the stack (note that this remains a work in progress for both CloudStack (LINK: http://www.internetnews.com/blog/skerner/apache-cloudstack-open-source-cloud-updated-for-security-and-bug-fixes.html) and OpenStack (LINK: http://www.esecurityplanet.com/network-security/openstack-hardening-security-for-open-source-cloud-platform.html)).
In none of the approaches can architects assume that security is already taken care of – lower level security features can be ignored, circumvented or indeed rendered useless by poorly written application code, for example. In other words, application creators still need to take responsibility for the security of the application, whatever features the platform might provide.
As we know from previous technology roll-outs however, the risk is that application security is treated as something to be dealt somewhere towards the end of the development process. In cloud terms, this means finding out whether or not the security features provided by the selected platform are suitable, at some point after them being necessary. By which point, of course, it may be too late.