The rise of cloud-based applications came with a prologue of caveats. According to research conducted by CSA APAC and the CSA Cloud Vulnerabilities Working Group in 2013, the number of cloud vulnerability incidents more than doubled over a four year period, increasing from 33 in 2009 to 71 in 2011. A total of 172 unique cloud computing outage incidents were uncovered, of which 129 (75%) had a declared cause while 43 (25%) did not. Tackling these threats and making our applications safe is the need of the hour. The question is how?
Before we go there, let’s look at what actually makes up the various strains of threat, because how much security you need depends on who is going to attack you. Going back to the study, it reveals that the top three threats were “Insecure Interfaces & APIs” (51 incidents; 29% of all threats), “Data Loss & Leakage” (43 incidents; 25%) and “Hardware Failure” (18 incidents; 10%). Together these three threats accounted for 64% of all cloud outage incidents. Blaming design issues alone will not solve the problem. The cloud has many features spread across the network, such as multi-user access, TCPs that provide measured verification of the boot and runtime infrastructure, tokenization and so on, yet somewhere these designs fall short and give rise to threats.
Securing an application is not a phase; it’s a process that runs from the design phase right through to final deployment. Combining the available security skills and tools with proper training lets a team assess the available technologies and make the best decisions on security. Identifying the threats involved at the development stage helps to recognise both the strengths you have and the limitations. With proper care taken during design, it is easier to adopt coding patterns that avoid vulnerabilities, using tools that identify flaws before the application goes live. The same discipline should continue through the testing phase, using both automated security tools and manual testing.
Deploying your application in the cloud means you are also using loaned data centers. Choosing a suitable data center that ensures physical as well as virtual security is of prime importance. The next aspect to consider is the network over which the data travels. Data should be encrypted in transit with strong encryption, which prevents snooping. Look for assurance of excellent firewalls that follow strict protocols, together with a secure network design.
If you do your homework well, you will realize that most of the effort in securing an application goes into encryption and authentication. Protect sensitive data and functionality with authentication: implement a more rigorous authentication process for internal applications, and use multifactor authentication and strong password complexity and length policies wherever possible in a multi-tenant environment. Encryption helps keep malicious co-occupants out, and carefully vetting libraries and other third-party code components is a sound practice to follow.
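As an added example (not code from the original post), the password length policy and the second factor recommended above can be combined in a single login check. The policy thresholds, the PBKDF2 parameters and the choice of RFC 6238 HMAC-SHA1 TOTP as the second factor are my assumptions, not the post’s:

```python
import hashlib
import hmac
import struct

# Policy values are constructed for this example; tune them per deployment.
MIN_PASSWORD_LENGTH = 14
TOTP_STEP_SECONDS = 30
TOTP_DIGITS = 6
PBKDF2_ROUNDS = 200_000

def password_meets_policy(password: str) -> bool:
    """Registration-time check: enforce length first, then character variety."""
    if len(password) < MIN_PASSWORD_LENGTH:
        return False
    classes = (
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    )
    return sum(classes) >= 3

def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; store the salt and hash, never the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)

def totp_code(secret: bytes, unix_time: int) -> str:
    """RFC 6238 TOTP over HMAC-SHA1, the scheme common authenticator apps use."""
    counter = struct.pack(">Q", unix_time // TOTP_STEP_SECONDS)
    digest = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    truncated = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % 10 ** TOTP_DIGITS).zfill(TOTP_DIGITS)

def verify_totp(secret: bytes, submitted: str, unix_time: int, window: int = 1) -> bool:
    """Accept the current step plus `window` steps either side to allow clock drift."""
    for drift in range(-window, window + 1):
        expected = totp_code(secret, unix_time + drift * TOTP_STEP_SECONDS)
        if hmac.compare_digest(expected.encode(), submitted.encode()):
            return True
    return False

def authenticate(stored_hash: bytes, salt: bytes, totp_secret: bytes,
                 password: str, code: str, unix_time: int) -> bool:
    """Both factors must pass; compare_digest avoids timing leaks on the hash check."""
    password_ok = hmac.compare_digest(hash_password(password, salt), stored_hash)
    return password_ok and verify_totp(totp_secret, code, unix_time)
```

The TOTP values can be checked against the RFC 6238 test vectors (secret `12345678901234567890`, time 59 gives `287082` at six digits).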
Regardless of the services and resources a provider can supply, there is still a need to keep adapting your perspective, because threats change all the time. Beyond that, the three areas above are the ones to look into most closely. They are interlinked; all you have to do is join the dots.