All posts by duncanhughes

Application security in the cloud: Who is responsible?

We’ve all heard about the benefits of cloud infrastructure: improved productivity, cost savings, efficiency, agility and a host of other buzzwords that paint cloud as the be-all and end-all for IT.

Most organisations today either already run workloads in the cloud or plan to experiment with cloud in the very near future. And it’s up to businesses to decide whether they choose cloud infrastructure provided by public cloud providers like AWS, Microsoft Azure and Google Cloud Platform, or cloud infrastructure maintained by their organisation’s IT team.

In compliance-heavy businesses, such as financial institutions, a new trend has emerged: organisations are running an isolated virtual private environment on public cloud infrastructure.

Securing the app

No matter where an application is hosted, securing the application delivery remains the primary concern. And it’s security that is causing a great deal of confusion in the industry. It raises the question: who owns application security in the cloud? Is it the cloud service provider or application teams?

Some believe that applications are secure simply because they’re deployed in the cloud, which would make application security the sole responsibility of the cloud infrastructure provider.

Others feel that security is the responsibility of the application owners – and as such, applications should not be deployed in the cloud due to security risks or unless security is properly baked in.

Blurred lines

It is well documented by public cloud providers like AWS and Azure that application security is a shared responsibility between the cloud infrastructure providers and the application owners. However, the lines are blurred and the division of ownership is not clearly defined.

Applications deployed in cloud infrastructure are accessed via the network. In this case, viewing the security responsibility from the network infrastructure point of view makes more sense.

This chart (below) shows the division of ownership between cloud providers and app owners.

In this example, the cloud providers control and manage the physical infrastructure resources, hence it’s their job to make sure the application that runs on that infrastructure is secure.

However, with virtual and software-defined networks (SDNs), application owners define the virtual networks according to the application architecture, an approach referred to as infrastructure as code. Thus virtual network security resides with the application owners. Traditionally, application owners have an established set of best practices, and setting up network security is a no-brainer. Because the network is part of the infrastructure, cloud providers will provide tools for virtual network security and also for the implementation.
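Because the virtual network is declared by the application team, its rules can be reviewed like any other code. The following added example (not from the original article) audits a constructed set of ingress rules for ports opened to the whole internet that the application never meant to publish; the rule field names and the `PUBLIC_PORTS` policy are assumptions, not any provider's schema.

```python
import ipaddress

# Constructed sample: ingress rules as an application team might declare them
# in an infrastructure-as-code template. Field names are hypothetical.
RULES = [
    {"name": "web-https",   "from_port": 443,  "to_port": 443,  "source": "0.0.0.0/0"},
    {"name": "ssh-admin",   "from_port": 22,   "to_port": 22,   "source": "0.0.0.0/0"},
    {"name": "db-from-app", "from_port": 5432, "to_port": 5432, "source": "10.0.1.0/24"},
    {"name": "cache-any",   "from_port": 6379, "to_port": 6379, "source": "::/0"},
    {"name": "web-range",   "from_port": 80,   "to_port": 443,  "source": "0.0.0.0/0"},
    {"name": "ssh-bastion", "from_port": 22,   "to_port": 22,   "source": "203.0.113.10/32"},
]

# Assumed policy: the only ports this application intends to expose publicly.
PUBLIC_PORTS = {80, 443}


def is_world_open(cidr):
    """True when the CIDR covers the entire IPv4 or IPv6 address space."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def unintended_ports(rule, public_ports):
    """Ports in the rule's range that are not on the intended-public list."""
    span = range(rule["from_port"], rule["to_port"] + 1)
    return [port for port in span if port not in public_ports]


def audit(rules, public_ports=PUBLIC_PORTS):
    """Return (rule name, count of unintended ports) for world-open rules."""
    findings = []
    for rule in rules:
        if not is_world_open(rule["source"]):
            continue  # restricted source: outside the scope of this check
        extra = unintended_ports(rule, public_ports)
        if extra:
            findings.append((rule["name"], len(extra)))
    return findings


if __name__ == "__main__":
    for name, count in audit(RULES):
        print(f"{name}: {count} non-public port(s) reachable from any address")
```

Note that `web-range` is flagged even though both of its endpoints are allowed ports: a range from 80 to 443 also opens every port in between.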

Cloud providers, however, have no visibility into what happens at the application layer and have no way to help the application owners in this area. The application security layer is the responsibility of application owners.

Before we can evaluate a solution for application security, we need to understand the following challenges:

  • Security monitoring – there are numerous questions about the solution’s capability, but monitoring the security should not be one of them. Security monitoring is imperative; it’s a must-have
  • Application vulnerabilities – these leave an application open to attackers looking to exploit it, either to gain complete control over it, deform it or steal data. OWASP analyses such vulnerabilities and exploits, and regularly publishes a list of its top 10 identified vulnerabilities
  • Malware and ransomware – another well-known security problem that impacts a lot of users and should be addressed prior to deploying an application in the cloud
  • Bots – approximately 30 percent of traffic comes from non-useful bots (i.e. bad bots). While some people don’t yet consider them a security issue, bad bots can waste 30 percent in server resources, resulting in a huge loss of productivity
  • Application layer DDoS attacks (volumetric or protocol exploits) – these are also a concern as DDoS attacks evolve in size, scope and sophistication. DDoS protection is a serious consideration for both application owners and cloud infrastructure providers

Solving these challenges

Fortunately, there are solutions available to overcome the security challenges associated with cloud applications.

Web Application Firewalls (WAFs), for example, can handle the common vulnerabilities listed by OWASP. And IP reputation and other signature databases have been created to combat malware and bad bots.

Many Application Delivery Controllers (ADCs) bundle application security solutions with load balancing and other key application services. Having a complete set of application delivery tools along with security and visibility in a DDoS resilient architecture can create a complicated deployment architecture. Consider a solution that unifies all aspects of the application traffic management, application security with traffic and security analytics into a single system and layers central management and control on top of it. This type of solution will alleviate most of your cloud application security concerns.
