Whether in or out of the cloud, application security is a crucial part of any IT strategy. There are, however, a number of new concerns to be aware of when deploying applications in the cloud. Developers must be aware of the challenges posed to application security by the open, flexible and publicly accessible nature of cloud computing. Application security represents Domain 10 of the Cloud Security Alliance's (CSA) Guide to the CCSK (Certificate of Cloud Security Knowledge).
Organizations planning to use their applications in the cloud ought to consider the following adjustments in their software development strategies:
- Account for multi-tenancy in application architecture and design, programming standards, and security capabilities.
- Be prepared for decreased control over the physical network and computing infrastructure.
- Be prepared for diminished ability to monitor and access customers' data in transit and at rest.
Influences on Application Security
The three models or layers of cloud computing (IaaS/Infrastructure as a Service; PaaS/Platform as a Service; and SaaS/Software as a Service) present different threats to the application's runtime environment. There are also a number of different areas which have an impact on application security:
A) Application Security Architecture
B) Economics
C) Metrics
D) Tools and Services
E) Vulnerabilities
F) Software Development Lifecycle
A) Application Security Architecture – Running an application in the cloud affects the operation of other systems, including Identity and Access Management (IAM) systems, security token services, Public Key Infrastructure (PKI) systems, and other application tiers (e.g. databases). Dependencies on these systems render configuration management more complex than with traditional deployment.
B) Economics – With cloud computing, risk management and security assurance do not represent one-time costs. Rather, the cost continuum of these areas must be considered in light of the goals of the organization.
There are two main elements of application security which must be carefully considered from a cost/benefit perspective: 1) Using cloud service providers for development/testing of applications which are built by or acquired/modified by customers and 2) Running cloud-based applications built by/acquired by the customer or service providers, in order to support the customers' businesses.
C) Metrics – The metrics of cloud computing extend beyond performance characteristics and billing. They may include monitoring of evolving security risks and forensic investigation. The CSA lists four major groups of metrics that are applicable to cloud computing and cloud application environments: 1) Compliance and Governance; 2) Identity and Access; 3) Vulnerabilities and Patching; 4) Data Security.
D) Tools and Services – Cloud computing brings with it a new set of challenges regarding the tools and services involved in building and maintaining applications. New tools/services may include: development and test tools; application management utilities; coupling to external services (e.g. IAM systems, logging services, system profilers, etc.). It is then necessary to understand who provides, owns, operates, and assumes responsibility for each of these tools/services.
E) Vulnerabilities – These vulnerabilities may be associated with operating systems; web applications; tools; and machine-to-machine, Service Oriented Architecture (SOA) applications. In any case, vulnerabilities are always evolving.
F) Software Development Lifecycle – Cloud computing will impact all stages of the software development lifecycle, including application architecture, design, development, quality assurance, documentation, deployment, management, maintenance, and decommissioning.
With traditional deployment, both the development and deployment environments are contained within the enterprise. Trust is created within the enterprise's computing infrastructure. However, working with a cloud platform significantly alters the trust boundary relationships between the development environment and the application's runtime environment.
Major Concerns When Selecting Vendors
When selecting a vendor to host applications, there are a number of major areas of concern. The CSA has developed the following questions, which apply to all cloud service models (i.e. IaaS, PaaS and SaaS):
- Which Secure Development Lifecycle activities does the vendor carry out in developing the service's software:
  - Design and Architecture (i.e. threat modeling, secure design reviews)
  - Coding and Implementation (i.e. manual secure code reviews, static code analysis, manual security testing, tool-based security testing)
- Which software development design and coding standards does the vendor apply during the Secure Development Lifecycle?
- How are tenants' application components protected from attacks from other tenants?
This article introduces the issue of application security, which represents Domain 10 of the CSA's Guide to the CCSK. An organization's approach to application security must be significantly modified to respond to the differences in a cloud environment, namely multi-tenancy, decreased control over the physical network and computing infrastructure, and diminished control over customer data. The article also looks at five key areas which have an impact on application security: application security architecture; software development lifecycle; economics; metrics; tools and services; and vulnerabilities.
CCSK Exam Preparation
In preparation for the Certificate of Cloud Security Knowledge (CCSK), a security professional should be comfortable with topics related to this post, including:
- Provider Selection (Domain 8)
- Application Security (Domain 10)
- SDLC Impact and Implications (Domain 10)
- Differences in S-P-I Models (Domain 10)