Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Cloud

7/11/2019
10:30 AM
Hillel Solow
Hillel Solow
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
50%
50%

The Security of Cloud Applications

Despite the great success of the cloud over the last decade, misconceptions continue to persist. Here's why the naysayers are wrong.

A decade or so ago, cloud computing was the hot topic in IT and related business circles. As with any emerging technology, people were skeptical and suspicious, and they had lots of questions about how the cloud worked, whether it was right for their organization, if their data was protected, and so on. As time passed, people became increasingly comfortable with the cloud and began to capitalize on its potential.

One major benefit of the cloud that was understood in its early years is that enterprises can leverage it to get their applications up and running faster, with more manageability, more scalability, less maintenance, and fewer IT resources. Yet despite this recognition — which helped propel the cloud industry beyond the $100 billion mark in just 10 years — there are still lingering misconceptions about deploying applications in the cloud. The most prevalent misconception being that the cloud is a less secure place to deploy applications than deploying them in a private, on-premises data center. Here's why this notion persists.

While this myth is not grounded in empirical evidence, people connect logically with the idea that things that are under their direct control are more secure than things that someone else controls — in this case, cloud providers. Many enterprises still invest heavily in their own data centers because they believe that running their sensitive business logic and placing their sensitive data in the public cloud means that others — whether rogue employees of the public cloud or other malicious actors — will have an easier time stealing their crown jewels. I get it.

The reality, however, is that the vast majority of the evidence proves the opposite is true. Most of the major system hacks and data leaks in the past few years have not been on data or business logic in public cloud deployments. With the occasional exception of misconfigured public storage buckets, almost all data leaks happen on infrastructure and software managed internally by enterprises, not by cloud providers. But even when presented with this information, the myth of applications being less secure in the cloud continues to hamper business and its subsequent growth.

By not deploying their applications in the cloud, enterprises are missing out on immeasurable advantages. There are obvious cost reductions for most businesses in moving away from owning and operating data centers. There is also significant business value in the flexibility that the public cloud offers enterprises. Public cloud providers significantly reduce the friction, time, and cost of building new functionality and applications, especially complex solutions that employ cutting-edge technologies such as data science, machine learning, artificial intelligence, and blockchain. How can people be made to see the light?

The industry is working hard to educate the masses in this area, but more efforts are required. Validated use cases for regulated sectors such as banking and healthcare are needed; simplification of certifications when building on trusted public cloud building blocks can help as well. Most importantly, a clear blueprint of what cloud-native application security is, and what it enables, is critical so that enterprise customers can have confidence that they are using the right tools and processes to avoid risk.

Additionally, the shift to more cloud-native application technology stacks — such as the move to serverless applications — can accelerate this process to improved application security. Enterprises deploying sensitive serverless applications that have adopted the right approach to minimize risk and maximize security are finding these applications to be the most secure applications they are operating.

Whether an enterprise is using it to deploy applications or store data, the cloud — believe it or not — is simply more secure and more reliable than servers run in-house. Like any other decision when it comes to adopting new technology, enterprises should do their homework when selecting a cloud provider, understand what they're offering, what their assurances are, and how they provide security. Once your enterprise makes the leap to deploying applications in the cloud, you'll wonder why it took so long and why you were so worried.

Related Content:

 

Black Hat USA returns to Las Vegas with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions and service providers in the Business Hall. Click for information on the conference and to register.

Hillel Solow is the chief technology officer and co-founder of Protego. Prior to this he was chief technology officer in Cisco's IoT security group, where he worked on innovative security solutions for new technology markets. View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Oldest First  |  Newest First  |  Threaded View
jwdtx
50%
50%
jwdtx,
User Rank: Apprentice
7/11/2019 | 1:43:30 PM
Citations Needed
The author makes a number of claims about the superiority of security in a cloud environment, but fails to provide citations with hard data. The recent Magecart attacks against 17000 AWS sites is an example of how organizations are struggling with securing cloud apps. Contrary to the author's assertion that serverless apps will improve application security, WhiteHat Security has reported that DevOps teams are producing code with more vulnerabilities than teams building "monolithic" web apps.
hsolow
50%
50%
hsolow,
User Rank: Author
7/11/2019 | 7:55:36 PM
Re: Citations Needed
Hey @jwdtx,

Thanks for your feedback. 

The Magecart attacks are an interesting point, but I think that drawing conclusions about application security from the issue of S3 public bucket misconfiguration is somewhat spurious. I agree that there are specific areas like this one where better processes and defaults are needed to put these attacks behind us. Overall, however, cloud seems to still be on top. (See https://resources.infosecinstitute.com/where-is-your-data-safer-in-the-cloud-or-on-premise for example).

When it comes to my claim that serverless stands to make application security better, this is something we at Protego have spent a lot of time on. The ability to apply fine-grained IAM role decisions are the function level, for example, is an incredibly powerful tool. Yes, you need tools and automation to keep up, but if you do, you have made a huge leap forward.

Finally, you seem to have conflated DevOps with serverless. I don't contest that the move to DevOps has brought a renaissance of bad habits. In Protego we see an increase in susceptibility to SQL injection in many customers' applications, for example. But organizations do DevOps on-prem, with EC2s, and with containers, as well. The move to serverless, on the other hand, create new opportunities to do better at defending these challenges and limiting their blast radius.

Let me know if I've won you over... :-)

Hillel
jwdtx
50%
50%
jwdtx,
User Rank: Apprentice
7/11/2019 | 8:55:56 PM
Re: Citations Needed
Thanks for the response, Hillel. This is some of the information I desired. Whether on prem or in the cloud, it seems everyone is struggling to develop secure applications and protect their data. Being a security professional, I guess I am naturally skeptical. Cheers!
tdsan
100%
0%
tdsan,
User Rank: Ninja
7/14/2019 | 8:11:46 AM
Re: Citations Needed
 

This also depends on if it is SaaS, IaaS or PaaS, if the user is responsible for a lax security environment at their site, IaaS will also be lax as well (ask Accenture Federal Services and Attunity). But if SaaS is used and the vendor is responsible for the environment and application (i.e O365, SalesForce, VMware Airwatch), then there are much more stringent controls because the large cloud environments have adopted FedRAMP security practice. FedRAMP has initiated more stringent cloud aspects by looking at the systems from top down (auditing is part of the FedRAMP montra). They look at numerous areas that may not be part of onsite cybersecurity practices - continuous monitoring, application and system inventory, SIEM implementation, WAF, NGFW and hardware inventory, private key management, admin document mgmt.).

Todd
Data Privacy Protections for the Most Vulnerable -- Children
Dimitri Sirota, Founder & CEO of BigID,  10/17/2019
Sodinokibi Ransomware: Where Attackers' Money Goes
Kelly Sheridan, Staff Editor, Dark Reading,  10/15/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
2019 Online Malware and Threats
2019 Online Malware and Threats
As cyberattacks become more frequent and more sophisticated, enterprise security teams are under unprecedented pressure to respond. Is your organization ready?
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-18214
PUBLISHED: 2019-10-19
The Video_Converter app 0.1.0 for Nextcloud allows denial of service (CPU and memory consumption) via multiple concurrent conversions because many FFmpeg processes may be running at once. (The workload is not queued for serial execution.)
CVE-2019-18202
PUBLISHED: 2019-10-19
Information Disclosure is possible on WAGO Series PFC100 and PFC200 devices before FW12 due to improper access control. A remote attacker can check for the existence of paths and file names via crafted HTTP requests.
CVE-2019-18209
PUBLISHED: 2019-10-19
templates/pad.html in Etherpad-Lite 1.7.5 has XSS when the browser does not encode the path of the URL, as demonstrated by Internet Explorer.
CVE-2019-18198
PUBLISHED: 2019-10-18
In the Linux kernel before 5.3.4, a reference count usage error in the fib6_rule_suppress() function in the fib6 suppression feature of net/ipv6/fib6_rules.c, when handling the FIB_LOOKUP_NOREF flag, can be exploited by a local attacker to corrupt memory, aka CID-ca7a03c41753.
CVE-2019-18197
PUBLISHED: 2019-10-18
In xsltCopyText in transform.c in libxslt 1.1.33, a pointer variable isn't reset under certain circumstances. If the relevant memory area happened to be freed and reused in a certain way, a bounds check could fail and memory outside a buffer could be written to, or uninitialized data could be disclo...