By Bill Pennington, Chief Strategy Officer, WhiteHat Security
Cloud computing is becoming a fundamental part of information technology. Nearly every enterprise is evaluating or deploying cloud solutions. Even as business managers turn to the cloud to reduce costs, streamline staff, and increase efficiencies, they remain wary about the security of their applications. Many companies express concern about turning over responsibility for their application security to an unknown entity, and rightly so.
Who is responsible for application security in the new world of cloud computing? Increasingly, we see third-party application providers, who are not necessarily security vendors, being asked to verify the thoroughness and effectiveness of their security strategies. Nevertheless, the enterprise ultimately still bears most of the responsibility for assessing application security regardless of where the application resides. Cloud computing or not, application security is a critical component of any operational IT strategy.
Businesses are run on the Internet, and as cloud computing expands that means that a host of new data is being exposed publicly. History and experience tell us that well over 80% of all websites have at least one serious software flaw, or vulnerability, that exposes an organization to loss of sensitive corporate or customer data, significant brand and reputation damage, and in some cases, huge financial repercussions.
Recent incidents on popular websites like YouTube, Twitter and iTunes; hosting vendors like Go Daddy; and the Apple iPad have exposed millions of records, often taking advantage of garden-variety cross-site scripting (XSS) vulnerabilities. The 2009 Heartland Payment Systems breach was accomplished via a SQL Injection vulnerability. Thus far, the financial cost to Heartland is $60 million and counting. The soft costs are more difficult to determine.
Across the board, organizations will have the opportunity to prioritize security on the most exposed part of the business, Web applications, and often the most seriously underfunded. The following issues must be understood in order to align business goals and security needs as the enterprise transitions to cloud computing.
1. Web Applications are the Primary Attack Target – Securing Applications Must be a Priority
Most experts agree that websites are the target of choice. Why? With more than 200 million websites in production today, it follows that attackers would make them their target. No matter the skill level, there is something for everyone on the Web, from random, opportunistic attackers to very focused criminals focused on data from a specific organization. In one of the most recognized cases, an attacker used SQL injection to steal credit /debit card numbers that were then used to steal more than $1 million from ATMs worldwide.
And yet, most organizations believe that application security is underfunded, with only 18% of IT security budgets allocated to address the threat posed by insecure Web applications, while 43 percent of IT security budgets were allocated to network and host security.
While businesses are fighting yesterday’s wars, hackers have already moved on. Even more puzzling, application security is not a strategic corporate initiative at more than 70 percent of organizations. And these same security practitioners do not believe they have sufficient resources specifically budgeted to Web application security to address the risk. As more applications move to the cloud, this imbalance must change. IT and the business must work together to prioritize the most critical security risk.
2. The Network Layer has Become Abstracted
Prior to cloud computing, organizations felt a certain confidence level about the security of applications that resided behind the firewall. To a certain extent, they were justified in their beliefs. Now, we see the network layer, which had been made nearly impenetrable over the past 10 years, becoming abstracted by the advent of cloud computing. Where once there was confidence, there is now confusion among security teams as to where to focus their resources. The short answer is: Keep your eye on the application because it is the only thing you can control.
With cloud computing, the customer is left vulnerable in many ways. First, the security team has lost visibility into the network security infrastructure. If the cloud provider makes a change to its infrastructure, it naturally changes the risk profile of the customer’s application. However, the customer is most likely not informed of these changes and therefore unaware of the ultimate impact. It is the customer’s responsibility to demand periodic security reports from its cloud vendor and thoroughly understand how their valuable data is being protected.
3. Security Team Loses Visibility with Cloud Computing: No IPS/IDS
One of the main concerns of security professionals anticipating an organizational switch to cloud computing is loss of visibility into attacks in progress, particularly with software-as-a-service (SaaS) offerings. With enterprise applications hosted by the cloud service provider, the alarm bells that the security team could rely on to alert them of attack, typically Intrusion Prevention or Intrusion Detection Systems, are now in the hands of the vendor. For some, this loss of visibility can translate into loss of control. In order to retain a measure of control, it is critical to understand the security measures that are in place at your cloud vendor and also to require that vendor to provide periodic security updates.
4. Change in Infrastructure is a Great Time to make Policy Changes/New Security Controls
Any time there is a change from one infrastructure to another, it presents businesses with an impetus to review its security policies and procedures. In fact, a move to cloud computing can be an excellent opportunity to institute new security policies and controls across the board. A credible case can be made to review budgets and allocate more funds to application security. Where previously application security was a second-tier spending priority, it now rises to the top when SaaS comes into play.
This is a great time to pull business, security and development teams together to develop a strategy.
5. Cloud Security Brings App Security more in line with Business Goals – Decision Making Based on Business Value and Appropriate Risk.
For many organizations, application security is an afterthought. The corporate focus is on revenue, and often that means frequently pushing new code. Even with rigid development and QA processes, there will be differences between QA websites and actual production applications. This was not as critical when the applications resided behind the firewall, but now managers must take into account the value of the data stored in an application residing in the cloud.
Ideally, the security team and the business managers would inventory their cloud (and existing Web) application deployments. Once an accurate asset inventory is obtained, the business managers should evaluate every application and prioritize the security measures based on business value and create a risk profile. Once these measurements have occurred, an accurate application vulnerability assessment should be performed on all applications. Only then can the team assign value and implement an appropriate solution for the risk level. For example, a brochureware website will not need the same level of security as an e-commerce application.
Once an organization has accurate and actionable vulnerability data about all its websites, it can then create a mitigation plan. Having the correct foundation in place simplifies everything. Urgent issues can be “virtually patched” with a Web application firewall; less serious issues can be sent to the development queue for later remediation. Instead of facing the undesirable choice between shutting a website down or leaving it exposed, organizations armed with the right data can be proactive about security, reduce risk and maintain business continuity.
Ultimately, website security in the cloud is no different than website security in your own environment. Every enterprise needs to create a website risk management plan that will protect their valuable corporate and customer data from attackers. If your organization has not prioritized website security previously, then now is the time to make it a priority. Attackers understand what many organizations do not – that Web applications are the easiest and most profitable target. And, cloud applications are accessed via the browser which means the website security is the only preventive measure that will help fight attacks.
At the same time, enterprises need to hold cloud vendors responsible for a certain level of network security while remaining accountable for their own data security. Ask vendors what type of security measures they employ, how frequently they assess their security and more. As a customer, you have a right to know before you hand over your most valuable assets. And, vendors know that a lack of security can mean lost business.
There may be some hurdles to jump during the transition from internal to cloud applications. But, by following these recommendations, an organization can avoid pitfalls:
1. You can’t secure what you don’t know you own – Inventory your applications to gain visibility into what data is at risk and where attackers can exploit the money or data transacted.
2 Assign a champion – Designate someone who can own and drive data security and is strongly empowered to direct numerous teams for support. Without accountability, security and compliance will suffer.
3 Don’t wait for developers to take charge of security – Deploy shielding technologies to mitigate the risk of vulnerable applications.
4 Shift budget from infrastructure to application security – With the proper resource allocation, corporate risk can be dramatically reduced.