This article is intended for software development and IT teams who want to securely build and deploy applications in cloud computing environments, specifically PaaS and IaaS.
Cloud computing mostly brings security benefits to applications, but as with most areas of cloud technology, it requires significant changes to existing practices, processes, and technologies that were not designed to operate in the cloud. At a high level, this balance of opportunities and challenges includes:
Opportunities
- Higher baseline security. Cloud providers, especially major IaaS and PaaS providers, have significant economic incentives to maintain higher baseline security than most organizations. In a cloud environment, major baseline security failures completely undermine the trust that a public cloud provider needs in order to maintain relationships with its customer base. Cloud providers are also subject to a wider range of security requirements in order to meet all the regulatory and industry compliance baselines needed to attract customers from those verticals. These combine to strongly motivate cloud providers to maintain extremely high levels of security.
- Responsiveness. APIs and automation provide extensive flexibility to build more responsive security programs at a lower cost than in traditional infrastructure. For example, changing firewall rules or deploying new servers with updated code can be handled with a few API calls or through automation.
- Isolated environments. Cloud applications can also leverage virtual networks and other structures, including PaaS, for hyper-segregated environments. For example, it is possible, at no additional cost, to deploy multiple application stacks on entirely separate virtual networks, removing an attacker's ability to pivot from one compromised application to others that would otherwise share the same network behind the perimeter firewalls.
- Independent virtual machines. Security is further enhanced by the use of micro-service architectures. Since cloud doesn’t require the consumer to optimize the use of physical servers, a requirement that often results in deploying multiple application components and services on a single system, developers can instead deploy more, smaller virtual machines, each dedicated to a function or service. This reduces the attack surface of the individual virtual machines and supports more granular security controls.
- Elasticity. Elasticity enables greater use of immutable infrastructure. When using elasticity tools like auto-scale groups, each production system is launched dynamically based on a baseline image, and may be automatically deprovisioned without human interaction. Thus, core operational requirements mean you never want to allow an administrator to log into a system and make changes, since they will be lost during a normal auto-scale activity. This enables the use of immutable servers, where remote administration is completely disabled.
- DevOps. DevOps is a new application development methodology and philosophy focused on automation of application development and deployment. DevOps opens up many opportunities for security to improve code hardening, change management, and production application security, and even to enhance security operations in general.
- Unified interface. A unified interface (management interface and APIs) for infrastructure and application services (when using PaaS) provides a more comprehensive view and better management compared to the traditional disparate systems and devices (load balancers, servers, network devices, firewalls, ACLs, etc.), which are often managed by different groups. This creates opportunities to reduce security failures due to lack of communication or full-stack visibility.
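The isolation and immutability opportunities above (one virtual network per application stack; auto-scaled instances launched from a baseline image with remote administration disabled) are only benefits if they are actually enforced. The following is an added example, not text or code from the CSA guidance, showing how such expectations can be turned into an automated guardrail run against a description of the deployed resources. The resource model, field names, and sample groups are constructed for the example and are not any provider's API schema; in practice the same checks would be fed from the provider's management-plane API.

```python
"""Guardrail checks for an auto-scaled, immutable application stack.

Added example (not part of the CSA guidance). It expresses two of the
opportunities described above as machine-checkable rules:

  1. each application stack lives in its own virtual network (isolation), and
  2. auto-scaled instances are launched from a baseline image with no
     remote-administration path (immutability).

The data model below is an assumption for the example, not a provider schema.
"""
from dataclasses import dataclass, field, replace
from typing import Dict, List, Optional

# Ports that mean "someone expects to log in and change this server".
REMOTE_ADMIN_PORTS = {22, 3389, 5985, 5986}  # SSH, RDP, WinRM (http/https)


@dataclass
class IngressRule:
    protocol: str   # "tcp", "udp" or "all"
    from_port: int
    to_port: int
    cidr: str


@dataclass
class AutoScaleGroup:
    name: str
    network: str                 # virtual network the group is deployed into
    image_id: str                # baseline image every instance is launched from
    ssh_key: Optional[str]       # key pair injected at launch, if any
    ingress: List[IngressRule] = field(default_factory=list)


def admin_ports_opened(rule: IngressRule) -> List[int]:
    """Remote-admin ports reachable through one ingress rule (sorted)."""
    if rule.protocol not in ("tcp", "all"):
        return []
    return [p for p in sorted(REMOTE_ADMIN_PORTS) if rule.from_port <= p <= rule.to_port]


def check_immutable(group: AutoScaleGroup) -> List[str]:
    """Findings for anything that lets an operator hand-modify an instance."""
    findings = []
    for rule in group.ingress:
        for port in admin_ports_opened(rule):
            findings.append(f"{group.name}: {rule.cidr} -> tcp/{port}")
    if group.ssh_key is not None:
        findings.append(f"{group.name}: launch config injects key pair {group.ssh_key}")
    return findings


def check_isolation(groups: List[AutoScaleGroup]) -> List[str]:
    """Findings for virtual networks shared by more than one application stack."""
    by_network: Dict[str, List[str]] = {}
    for g in groups:
        by_network.setdefault(g.network, []).append(g.name)
    return [f"network {net} shared by {', '.join(names)}"
            for net, names in by_network.items() if len(names) > 1]


def audit(groups: List[AutoScaleGroup]) -> List[str]:
    """Run every check; an empty list means the stacks meet both expectations."""
    findings: List[str] = []
    for g in groups:
        findings.extend(check_immutable(g))
    findings.extend(check_isolation(groups))
    return findings


def harden(group: AutoScaleGroup) -> AutoScaleGroup:
    """Return the immutable form of a group: no key pair, no admin ingress.

    Isolation is not fixed here because moving a stack to its own network is
    a deployment decision, not something to patch in a guardrail.
    """
    return replace(group, ssh_key=None,
                   ingress=[r for r in group.ingress if not admin_ports_opened(r)])


# Constructed sample: one stack deployed as intended, one "lifted and shifted"
# into the same network with an SSH path left open for the old admin workflow.
WEB = AutoScaleGroup(
    name="web-prod", network="net-a", image_id="img-web-2024-05", ssh_key=None,
    ingress=[IngressRule("tcp", 443, 443, "0.0.0.0/0")])
LEGACY = AutoScaleGroup(
    name="legacy-api", network="net-a", image_id="img-api-2021-11", ssh_key="ops-key",
    ingress=[IngressRule("tcp", 80, 80, "0.0.0.0/0"),
             IngressRule("tcp", 22, 22, "10.0.0.0/8")])
SAMPLE = [WEB, LEGACY]

if __name__ == "__main__":
    for line in audit(SAMPLE):
        print("FINDING:", line)
```

Running the block reports the SSH ingress and the injected key pair on `legacy-api`, plus the shared network; applying `harden` to both groups clears the immutability findings and leaves only the isolation finding, which needs a deployment change rather than a rule edit. A check like this belongs in the deployment pipeline, since the point of immutable servers is that the fix is a rebuilt baseline image, not a login.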
Challenges
- Limited detailed visibility. Visibility and the availability of monitoring and logging are impacted, requiring new approaches to gathering security-related data. This is especially true when using PaaS, where commonly available logs, such as system or network logs, are often no longer accessible to the cloud user.
- Increased application scope. The management plane/metastructure security directly affects the security of any applications associated with that cloud account. Developers and operations will also likely need access to the management plane, as opposed to always going through a different team. Data and sensitive information are also potentially exposed within the management plane. Lastly, modern cloud applications often connect with the management plane to trigger a variety of automated actions, especially when PaaS is involved. For all those reasons, management plane security is now within the scope of the application's security, and a failure on either side could bridge into the other.
- Changing threat models. The cloud provider relationship and the shared security model will need to be included in the threat model, as well as in any operational and incident response plans. Threat models also need to adapt to reflect the technical differences of the cloud provider or platform in use.
- Reduced transparency. There may be less transparency as to what is going on within the application, especially as it integrates with external services. For example, you rarely know the entire set of security controls for an external PaaS service integrated with your application.
Overall, there will be changes to application security due to the shared security model. Some of these are directly tied to governance and operations, but there are many more in terms of how you think and plan for the application’s security.