Software Security for the Cloud - Same Pig, Shiny Lipstick

Wednesday, August 03, 2011

Rafal Los


Software Security for the Cloud SMB- Same Pig, Shiny Lipstick

I heard an interesting sales pitch recently: a public cloud vendor making the case that its public cloud was the best place to move your SMB applications.

If you think the pitch cited one of the reasons as being better security... you'd be correct.  I can hear many of you groaning as I write this.

Understanding the Challenge

First and foremost, there is still a lot of ambiguity around the whole idea of cloud computing.

There have been several cartoonists lately who have captured the moment of startling revelation when an unsuspecting and wide-eyed IT person is told that a cloud is just a mess of computers working together, indistinguishably, and that mess of computing power may just all be concentrated in a data center in North Carolina, or California, or Toronto... you get the idea. 

Forrester defines cloud computing as "A standardized IT capability, such as software, app platform, or infrastructure, delivered via Internet technologies in a pay-per-use and self-serviced way". 

The focus is on pay-per-use and self-service, which means there is a lot of wiggle room when defining exactly what a cloud is and isn't.

Without going into too much detail, the customer needs to understand what kind of cloud (public, private, hybrid) they're getting into, and what type of service (IaaS, PaaS, SaaS) they're buying into.

Each of these has its pros and cons, and as the post pointed out, each can be brought to a different level of security capability. The bottom line here is this: migrating to a cloud architecture doesn't magically make your applications secure... although for many SMBs this is a better option than trying to tackle the problem alone. Let's talk this through...

Software Security in the 'Cloud'

As you take a rational look at the applications in your SMB business, take note of their security posture as well. Many of your applications are probably purchased rather than built by you.

The rest are an amalgamation of built-in-house, outsourced, or COTS-custom applications which have varying degrees of security assurance associated with them. 

So for many of the SMBs out there, the only recourse if they're security-conscious is to start doing black-box testing on the application before they launch it into production.

This clashes with the SMB's ability to staff and purchase tooling to meet the demands of security testing requirements... so you're in a tough place.

You could, of course, simply let someone else handle the testing for you, which turns out to be the most popular option.

This means trusting a 3rd party with the applications that run your business, and then working with that 3rd party to make sure you've communicated the appropriate requirements, and then working with your cloud provider to make sure this is all sanctioned. 

Speaking of cloud providers... here are a few things I'd like to point out about testing in the cloud:

  • Make sure you've got permission from your provider to test your own applications. Just because you own the instance or a portion of that multi-tenant environment doesn't generally give you permission to run security-related tests against it. Remember, multi-tenant environments can be finicky about allowing someone to test their security, even if you're renting the space.
  • Speaking of testing, remember bandwidth. Although most cloud providers nowadays won't ding you for the extra bandwidth for security testing, make sure you've planned and scoped the work out ahead of time. Security testing an application running on a cloud environment can clog pipes, and create all sorts of troubles if you're not careful in planning.
  • Make sure you understand the environment's architecture. It may not be entirely prudent to test from the Internet, as you'll undoubtedly cross devices which are shared by other cloud customers, and if you happen to trigger a fault in one of them, you can cause a quite serious issue across the board for the provider and their customers. Think twice, plan, and then test.

Some Advice

So, if you're planning on moving your applications out to the cloud, first and foremost check with the provider of that software package (if you haven't built it) to make sure it's architected appropriately, and can handle the type of architecture you're deploying on. 

Second, don't forgo security testing just because you're in the cloud. Emphasize it, but be deliberate about your testing... you don't want to cause chaos in the cloud provider's environment.

Lastly, if at all possible (and we're talking about software you've built), take care to employ a software developer and architect who understand cloud architecture and its specific needs. Cloud deployments are different from hosting these applications on a server in your back room... and can cause you more pain than you're experiencing now if you're not careful.

Moving to the cloud can be a blessing in that it allows you to pay for only the capacity and computing power your critical SMB applications require... except where you're not careful. 

Then you've got a problem on your hands... and it can get worse. I'm working on putting together some lessons-learned posts, which could see the light of day shortly.

Good luck!

Cross-posted from Following the White Rabbit
