Whether it is Software as a Service (SaaS), Platform as a Service (PaaS), or Infrastructure as a Service (IaaS), cloud environments pose an increased threat to application data, and security practices need to give due consideration to the nuances that exist in cloud environments.
The steps to secure an application on a cloud computing infrastructure and the types of potential vulnerabilities depend on the cloud deployment model. Private cloud vulnerabilities closely match traditional IT architecture vulnerabilities, but public cloud infrastructure requires an organizational rethink of security architecture and processes. A secure cloud implementation must not only address the risks of confidentiality, integrity, and availability, but also the risks to data storage and access control.
Some of the common security considerations for applications in a cloud environment can be classified into the following categories:
- Application Lock-in
SaaS providers typically develop a custom application tailored to the needs of their target market. Customer data is stored in a custom database schema designed by the SaaS provider. Most SaaS providers offer API calls to read and export data records. However, if the provider does not offer a ready-made data ‘export’ routine, the customer will need to develop a program to extract their data. SaaS customers with a large user base can incur very high switching costs when migrating to another SaaS provider, and end-users could have extended availability issues.
- Vulnerabilities related to Authentication, Authorization, and Accounting
A poor system design could lead to unauthorized access to resources or privilege escalation. The causes of these vulnerabilities could include:
- Insecure storage of cloud access credentials by customer;
- Insufficient roles management;
- Credentials stored on a transitory machine.
Weak password policies or practices can expose corporate applications, so stronger or two-factor authentication for accessing cloud resources is highly recommended.
- User Provisioning and De-provisioning Vulnerabilities
Provisioning and de-provisioning can cause concern for the following reasons:
- Lack of control of the provisioning process;
- Identity of users may not be adequately verified at registration;
- Delays in synchronization between cloud system components;
- Multiple, unsynchronized copies of identity data;
- Credentials are vulnerable to interception and replay;
- De-provisioned credentials may still be valid due to time delays in the roll-out of a revocation.
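One way to check for the last items in this list, as an added example that is not part of the original article: compare each cloud component's copy of identity data against the authoritative record and flag credentials that are still active after de-provisioning. The user names, component names, timestamps, and the one-hour revocation window are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample data: the authoritative identity source (for example an
# HR or IdP export) records when each user was de-provisioned; None = active.
AUTHORITATIVE = {
    "alice": None,
    "bob": datetime(2024, 3, 1, 9, 0, tzinfo=timezone.utc),
    "carol": datetime(2024, 3, 4, 11, 30, tzinfo=timezone.utc),
}

# Constructed sample data: each cloud component keeps its own,
# possibly unsynchronized, copy of identity data.
COMPONENT_COPIES = {
    "console": {"alice": "active", "bob": "disabled", "carol": "active"},
    "api-gateway": {"alice": "active", "bob": "active",
                    "carol": "active", "dave": "active"},
    "storage": {"alice": "active", "bob": "disabled"},
}

def find_stale_credentials(authoritative, copies, now, max_delay):
    """Return (component, user, kind, lag) for every active credential
    that disagrees with the authoritative identity source."""
    findings = []
    for component, users in sorted(copies.items()):
        for user, state in sorted(users.items()):
            if state != "active":
                continue
            if user not in authoritative:
                # Account exists only in this copy: never provisioned centrally.
                findings.append((component, user, "orphan", None))
                continue
            removed_at = authoritative[user]
            if removed_at is None:
                continue  # legitimately active
            lag = now - removed_at
            # Inside the window the revocation may still be rolling out;
            # past it, the credential is a finding that needs action.
            kind = "revocation-overdue" if lag > max_delay else "revocation-pending"
            findings.append((component, user, kind, lag))
    return findings

if __name__ == "__main__":
    now = datetime(2024, 3, 4, 12, 0, tzinfo=timezone.utc)
    for component, user, kind, lag in find_stale_credentials(
            AUTHORITATIVE, COMPONENT_COPIES, now, timedelta(hours=1)):
        print(f"{component:12} {user:6} {kind:20} lag={lag}")
```
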
- Weak or missing encryption of archives and data in transit
Unencrypted data, or weak encryption of archived data or data in transit, poses a great threat to the authenticity, confidentiality, and integrity of the data.
Organizations are advised to define encryption approaches for applications based on a host of factors, such as the forms of data available in the cloud, the cloud environment, and the encryption technologies, to name a few.
- Vulnerability assessment and penetration testing process
The type of cloud model will have an impact on the type or possibility of carrying out penetration testing. For the most part, Platform as a Service (PaaS) and Infrastructure as a Service (IaaS) clouds will permit pen testing. However, Software as a Service (SaaS) providers are not likely to allow customers to pen test their applications and infrastructure. Customers normally have to rely on the testing carried out on the infrastructure as a whole, and this might not suit the security requirements of some.
- Lack of forensic readiness
- Sanitization of sensitive media
Shared tenancy of physical storage resources means that data destruction policies can be hampered. For example, it may not be possible to physically destroy media because a disk may still be used by another SaaS customer, or the disk that stored your data may be difficult to locate.
- Storage of data in multiple jurisdictions
Data stored in different or even multiple jurisdictions could leave the company vulnerable to unfavorable regulatory requirements. Companies may unknowingly violate regulations, especially if clear information is not provided about the jurisdiction of storage.
- Audit or certification not available to customer
The cloud provider cannot provide any assurance to the customer via audit certification.
For instance, some cloud providers (CPs) use open source hypervisors or customized versions of them (e.g., Xen) which have not reached any Common Criteria certification, which is a fundamental requirement for some organizations (e.g., US government agencies).
Cloud is surely going to be the next big thing and is going to change the way businesses work. Security is the biggest concern for cloud applications, but reducing the vulnerable aspects of a cloud system can reduce the risk and impact of threats on the system.