Security in Cloud: why is it important?


With the arrival of Cloud and its promise of reducing infrastructure cost, enhancing security by leveraging shared infrastructure, etc., organizations are slowly moving to Cloud to get its advantages. Despite the multi-fold advantages, one big concern stays as-is: “Security”. Security in the on-prem world has multiple layers: Network Security, Infrastructure Security, and Application Security. In Cloud, security also has multiple layers, but with multiple dynamic moving parts. Also, because of the nature of Cloud, regulatory bodies are strict about ensuring regulatory compliance and are bringing in additional regulatory requirements.

There are multiple challenges in the cloud - 
  1. The penetration points and the attack surface are slowly changing, particularly in cloud environments. Workloads have different needs: some are public facing in a public subnet and the rest are in a private subnet with a strict firewall for inter-subnet communication. 
  2. Earlier, the penetration point was only on the perimeter network. Organizations used to secure only the perimeter and claim to be secure. Now, if hackers get into the network, they can spread from workload to workload, or move east-west within a workload. 
  3. When a workload changes its position, the attack surface also changes and the threat moves along with the workload. 
  4. So, it has become extremely important that security is built as part of the application. 
  5. When a business application changes its position, the security model should change with it, so that application owners won’t have to worry about security. 
  6. So, organizations are also looking for programmable security as an integral part of applications, as hiring and building security experts is one of the major challenges. 
  7. Security should be programmable so that application developers, DevOps and Ops can understand the security requirements, change the required configurations from time to time, and continuously monitor to ensure the application is secure. 
With Cloud, the security needs become multi-fold because of the following reasons - 
  1. Deployments of business applications are not static; they change their positions in the network or expand with business demand. E.g., the workload for an e-retail store will need more web servers during peak demand and, depending on the demand and region, the web servers may need to be added to a separate subnet. 
  2. As the application changes its configuration, the threat landscape associated with it changes along with the change in the application’s position in the network. 
  3. New threat vectors emerge as the application's position changes or the kind of software associated with the application changes.
    • E.g., the application moves from a private subnet to a public subnet and hence, the threat landscape changes.
    • The application adds an application server layer as a new application layer, or changes its messaging layer from RabbitMQ to Kafka, and the threats associated with it change. 
  4. Because of the nature of cloud, new threat vectors always keep on emerging. 
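
To make the two lists above concrete, here is an added example (not code from the original post) of security expressed as data that travels with the workload: the policy is keyed on application role rather than IP address, and a placement check raises an event when a workload lands in the wrong kind of subnet. The subnet CIDRs, role names, ports and function names are all assumptions made up for illustration.

```python
import ipaddress
from dataclasses import dataclass

# Constructed network model (assumption): subnet CIDR -> exposure.
SUBNETS = {
    "10.0.1.0/24": "public",
    "10.0.2.0/24": "private",
    "10.0.3.0/24": "public",  # extra web subnet added for peak demand
}

# Policy is written against application roles, not addresses:
# (source role, destination role, destination port).
ALLOWED_FLOWS = {("web", "app", 8080), ("app", "db", 5432)}

# Roles that must never be placed in a public subnet.
PRIVATE_ONLY_ROLES = {"app", "db"}

@dataclass(frozen=True)
class Workload:
    name: str
    role: str
    ip: str

def exposure(w):
    """Look up whether the workload currently sits in a public or private subnet."""
    addr = ipaddress.ip_address(w.ip)
    for cidr, kind in SUBNETS.items():
        if addr in ipaddress.ip_network(cidr):
            return kind
    return "unknown"

def is_allowed(src, dst, port):
    """East-west decision based on roles only, so it survives subnet moves."""
    return (src.role, dst.role, port) in ALLOWED_FLOWS

def placement_events(workloads):
    """Return one security event per workload whose position violates policy."""
    events = []
    for w in workloads:
        exp = exposure(w)
        if exp == "unknown" or (exp == "public" and w.role in PRIVATE_ONLY_ROLES):
            events.append(f"{w.name}: role '{w.role}' in {exp} subnet")
    return events
```

A web server scaled out into the new subnet needs no rule change, while a database that ends up in a public subnet produces an event for developers, DevOps and Ops to act on.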
The protection offered by public cloud vendors like AWS, Azure and Google Cloud is mainly for the underlying infrastructure, but not necessarily for the business applications running on it, the access granted to those applications, the data managed by those applications, and the connections from those systems to other systems in the same or a similar public cloud, or to the private cloud running on the customer's premises. Attackers do not care where their target is located, whether in public cloud infrastructure, a private cloud or a closed private network. Their only objective is to gain access to the network; navigate to a target, be it data, servers or network; and then execute their end goal. So, from the attacker's perspective there is no difference between public cloud and private cloud/on-prem managed systems.

From the customer's perspective, the public cloud deployment is nothing but an extension of your data center, and the steps to protect it should be no different than those you take to protect your own private data center/cloud or your own managed private network of computer systems. The speed of public cloud deployment, and the fact that it is managed by the cloud provider, sometimes leads to security shortcuts where little to no security is used. Generally, it is believed that native security solutions or point security solutions are sufficient to address the security needs in public cloud, as these cloud providers have certified their infrastructure from a security point of view. The reality is that these point security products only act on specific issues, more in a reactive mode than a preventive mode. Considering the dynamism and agility associated with cloud, public cloud should not be treated with the same security needs as an on-prem data center. I hope, as public cloud deployments increase in volume and scope, more diligence is needed in the security model around business applications running on public cloud.

It should include complete visibility and control at the individual instance level and the business application level, and the prevention of known and unknown threats and vulnerabilities, with an objective to alert customers/users about security issues in a more reactive manner. As you go through my next set of articles on the usage of Machine Learning/Deep Learning, BigData Analytics and Security Intelligence, you will realize that such frameworks will need to be leveraged by Information Security or Cloud Security teams for implementing predictive security postures across public, private and SaaS cloud infrastructures.

So, Security for Cloud should be 
  1. Dynamic 
  2. Built along with the application 
  3. Programmable Security 
  4. Easy to understand for Developers, DevOps and Ops 
  5. Completely automated 
Components of Cloud Security - 
  1. Automated recommendations for various applications 
  2. Automatically configured or built 
  3. Configurable or programmable security 
  4. Automated security configurations based on network model 
  5. Security Analytics 
  6. Anomaly detection 
  7. Security events for developers, DevOps and Ops

Comments

  1. Thanks for sharing an informative blog on application security requirements. I found this blog very useful.