With the majority of companies today relying on applications in an ever-changing business landscape, this has created a need for dynamic application development. At the same time, the need for speed to market in product development has pushed organizations to look for infrastructure and development environments that enable faster and more efficient deployment of new features. To this end, the robustness and ease of use of cloud services has allowed companies to focus on their core business.
With the infrastructure-as-a-service (IaaS) model, organizations don’t need to worry about procuring or maintaining on-premises infrastructure. Cloud customers can even use the provider’s data centers to spin up new server instances in practically every world region.
Platform as a service (PaaS) offers entire development environments with preinstalled packages and libraries, so that even software updates are taken care of.
Despite the many benefits of cloud, it comes with some unique security challenges, which if neglected, could lead to data breaches or regulatory penalties. In this article, we break down some of the most common obstacles to cloud application security.
Cloud application security vs. on-premises
Before diving into the challenges, it’s important to understand the similarities and differences between cloud and traditional on-premises environments when it comes to application security.
Secure coding
Let’s start with the main similarity: Both cloud and on-premises environments can be used to run the same source code. So no matter where you host your application, you should always keep secure coding best practices in mind. Following well-known AppSec standards like the OWASP Application Security Verification Standard (ASVS) and scanning your libraries and code for known vulnerabilities are key here.
In addition, adhering to the “everything as a code” (EaC) approach—which enables deployment and configuration of your infrastructure based on scripts—will allow you to take full advantage of all cloud has to offer. Of course, it’s important to remember that infrastructure code should also be subject to the same set of controls as your application code, such as code reviews and conducting security scans to identify misconfigurations.
Security hygiene
When it comes to application maintenance, ensuring good security hygiene is a must both in cloud and on-premises environments. Regularly patching applications and their infrastructure or restricting internet access to key system components will always help to reduce your attack surface and prevent data breaches. The only difference is that in cloud-native environments relying on services such as object storage like S3 or GCS, even a slight misconfiguration can expose your data to the entire world. With on-premises environments, however, there is usually another layer of protection (network segmentation). On the bright side though, cloud providers do offer services to notify of any insecure configurations or unpatched systems.
Application architecture
The main difference when it comes to application security in the cloud versus on-premises relates to the application’s architecture. Cloud encourages building applications using microservice architecture and technologies like containers, Kubernetes, or serverless components. The Big 3—AWS, GCP, and Azure—all offer services that make it easy to deploy and run containers on their infrastructure (e.g., EKS, GKE, Cloud Run, and Fargate).
These CSPs also provide services that allow you to store data efficiently (object storage and DBaaS) and to process or transfer data between services (e.g., SQS, Lambda, and Cloud Functions). So though cloud computing is still based on source code, understanding the intricacies of using cloud-native architecture and how different services interact is key. For example, Kubernetes and container security is a topic on its own, and securing communication between the different components requires expertise in identity and access management, encryption, and authentication.
Still, security is one of the pillars of cloud computing: The major cloud service providers all offer ready-to-use services enabling you to properly secure and test your application and its infrastructure. For example, you can deploy a web application firewall (WAF) to a cloud environment in just 15 minutes. In short, cloud doesn’t require huge upfront investments in security; rather, you can quickly deploy a pay-as-you-go security solution.
Application security challenges & opportunities
Let’s take a look at some important considerations security teams need to keep in mind when it comes to securing your apps in the cloud.
Get that shared responsibility model right
Every cloud provider has a “shared responsibility model” for each of the services available on their platform. And understanding exactly which security aspects your CSP takes care of and what falls on you, the customer, is crucial.
While evident that physical security is always the cloud provider’s duty, when it comes to patch management, for example, it is not so straightforward; and responsibilities can differ from one service to another. You don’t want to wake up one day to discover your systems haven’t been patched for three years because your administrator didn’t fully understand the provider’s shared responsibility model.
The same applies to regulatory compliance. So if you’re in a regulated industry, make sure that all of the application’s components are compliant with regulatory requirements.
Container and Kubernetes security
Though containers and Kubernetes (K8s) aren’t a purely cloud technology, they are extremely popular in the cloud. While containerization technology brings important security benefits such as workload isolation, issues such as non-patched containers, misconfigured containers, misconfigured Kubernetes, improper network segmentation, and container escape can seriously impact your environment.
Thus, if you’re migrating to the cloud and your architects suggest containerizing your applications, you must ensure they are properly secured. This will usually require in-depth analysis and significant investment, but it is worth the effort, as vulnerabilities in containerized environments could result in complete compromise of your cloud infrastructure.
Security tools in the cloud
Securing your applications in the cloud is made easier thanks to the general availability and transparent licensing model of security tools. As previously noted, It only takes a few minutes to deploy a WAF, which offers protection from common web and volumetric attacks. In addition, you can enable vulnerability scanning of your infrastructure (containers or virtual machines) from the web console. GCP also offers the option to scan your application for the OWASP Top 10 vulnerabilities such as XSS and SQL injection.
One of the greatest advantages of these tools is that you pay as you go. Thus, if running a small application, you can enable all of the features mentioned here for no more than a few hundred dollars per month most likely. Moreover, there is no long-term commitment, so if you’re not satisfied with the results, you can simply disable them. This gives you the flexibility to secure your application in the most cost-efficient way. These tools do, however, require some maintenance and fine-tuning, so you can’t just “enable and forget.”
A cloud-native DevSecOps environment
Finally, cloud providers give you tools that allow you to build application source code in the cloud and deploy it to the cloud environment. Because everything happens in the cloud, you can easily use native integrations and access controls to achieve a fully secure and auditable environment.
Depending on your proficiency and needs, you can either build a simple CI/CD pipeline with restricted permissions or a fully fledged CI/CD pipeline with code and container scanning, image signing and verification, usage of software dependencies tested independently by Google, or even developers’ workstations hosted in the cloud. As noted, the licensing model encourages you to test these tools, so you can easily pick those that are most compatible with your environment and company culture.
Cloud application security done right
With security baked into the cloud by design, cloud application security should be much easier than on-premises application security. The wide range and availability of both native and third-party security tools, well-documented features, and default security alerts cloud offers all help you to detect vulnerabilities and misconfigurations.
Still, even the best tools and documentation won’t be enough if your developers aren’t trained to write secure code or your compliance team misinterprets regulatory requirements. Thus, education, proper training, and collaboration are all key to getting cloud application security right.
Automate cloud and application vulnerability management for full visibility and oversight across your environment, and at scale. The Vulcan Cyber® risk management management platform lets you focus on the vulnerabilities that matter most, while keeping everyone on the same page. Get a demo today, and start owning your risk.
