The cloud offers the promise of improved scalability, availability, and IT infrastructure security. According to the 2016 Gartner Application Security Hype report, Cloud Service Providers (CSPs) are beginning to offer stronger network and infrastructure security environments than many organizations are able to offer on-premises, but such efforts do not prevent cybersecurity risks such as hacking or insider malicious behavior. As a result, when organizations shift control of their infrastructure and data, they have to rethink their application security efforts.
Major cloud infrastructure providers like Amazon and Microsoft use an amalgam of IDS, Firewalls, IPS and application-level controls to provide layers of defense; however, organizations building software applications still need to make informed design decisions to take advantage of these built-in features. More importantly, just because an application is sitting on a 3rd-party infrastructure doesn't mean any less diligence needs to be put into the security of its design, development, and testing. In fact, organizations need to integrate security throughout their application development process in the same way as if they were deploying on their own servers. It is easy to gain a false sense of security when deploying your applications to a 3rd-part CSP.
When moving applications to the cloud, lost control of data is typically the biggest threat. To mitigate this, organizations have to think about data flow and how the design of the cloud infrastructure can work for, or against, data protection.. This means designing software applications with new threats in mind, such as:
- Misconfigurations within the cloud infrastructure.
- Ensuring that encryption mechanisms are put to good use
- New storage model attack vectors
Many organization have hundreds (or even thousands) of applications that run their business. Migrating to the cloud can be a daunting task that requires different levels of effort, team by team – some software applications will need to be re-written, some modified, and some can be migrated "as is." Categorizing applications based on risk, complexity, longevity, End-of-Life (EOL) plans, and other factors will help you determine which is which.
Typically, applications are not any more or less secure in the cloud so migrating them as-is often makes sense, especially older applications, to avoid the effort of a large re-architecting exercise. Newer applications could potentially be modified to take advantage of authentication, “secrets” (e.g. encryption keys) storage and management, autonomous monitoring as well as other cloud services.
The get full security utility from today's CSPs, applications need to be rewritten. Most likely, this will be reserved for mission-critical applications. One of the biggest benefits of an application re-write is the availability of many built-in sub services such as logging and monitoring, which are actually quite easy to leverage for enhanced security and scalability.
Below is a summary of key security features of Azure and AWS that teams planning an application migration to the cloud can take advantage of:
Microsoft Azure:
- Security Center
- Prevent, detect, and respond to threats with increased visibility
- Key Vault
- Safeguard and maintain control of keys and other secrets
- Azure Active Directory
- Synchronize on-premises directories and enable single sign-on
- Azure Active Director B2C
- Consumer identity and access management in the cloud
- Azure Active Directory Domain Services
- Join Azure virtual machines to a domain without domain controllers
- Multi-Factor Authentication
- Safeguard access to your data and apps with an extra level of authentication
Amazon AWS
- Access Control AWS
- Identity and Access Management (IAM)
- Manage User Access and Encryption Keys
- Identity and Access Management (IAM)
- SSL/TLS Certificates
- AWS Certificate Manager
- Provision, manage, and deploy SSL/TLS Certificates
- AWS Certificate Manager
- Key Storage & Management
- AWS CloudHSM
- Hardware-Based Key Storage for Regulatory Compliance
- AWS Key Management Service
- Managed Creation and Control of Encryption Keys
- AWS CloudHSM
- Identity Management
- AWS Directory Service
- Host and Manage Active Directory
- AWS Directory Service
- Security Assessment
- Amazon Inspector
- Analyze Application Security
- Amazon Inspector
- Web Application Firewall
- AWS WAF
- Filter Malicious Web Traffic
- AWS WAF