May 26, 2015
Cloud development has already proven to be one of the most revolutionary changes to ever affect the software industry. With a growing demand for IaaS, PaaS and SaaS (Infrastructure, Platform and Software as a Service) applications, development teams are increasingly setting their sights on cloud-based projects – but in many instances, failing to account for the threats posed by the new paradigm.
With each of the myriad benefits of cloud development comes a host of serious risks and vulnerabilities. In order to protect your applications from attack, and secure sensitive data, it’s essential for your development teams to be well-versed in the unique security challenges posed by cloud development.
1) Data Breaches
Data breaches caused by XSS, XSRF, SQL injection and similar attacks are a serious concern for any form of web application development, but within the cloud environment, the risks of this type of attack are amplified.
If a malicious third party successfully gains access to an application’s database, all of the customer data within is put at risk. In a multitenant cloud environment, it’s highly likely that multiple applications will share the same underlying database infrastructure. In addition to putting huge volumes of sensitive data at risk, this framework also introduces multiple opportunities for third parties to gain access to the database.
Even if your own application is relatively secure, a vulnerability within another application sharing the same database will grant access to your own data.
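The shared-database risk above is easiest to see in code. The following is an added example, not code from the original article: it builds a constructed multi-tenant "orders" table in an in-memory SQLite database (the table layout, tenant names and e-mail addresses are all assumptions), then runs the same request input through a query that splices strings into SQL and through a parameterised, tenant-scoped query. The vulnerable form hands back every tenant's rows; the hardened form returns only what the authenticated tenant may see, and refuses to return anything else.

```python
import sqlite3

# Constructed sample data for a shared, multi-tenant "orders" table.
# Assumption: every row carries the tenant_id it belongs to.
SAMPLE_ROWS = [
    (1, "tenant-a", "ORD-100", "alice@example.com"),
    (2, "tenant-a", "ORD-101", "bob@example.com"),
    (3, "tenant-b", "ORD-200", "carol@example.com"),
]

# Fixed column list (a constant, never request input).
COLUMNS = "id, tenant_id, order_ref, customer_email"


def build_db():
    """Create an in-memory SQLite database holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE orders (id INTEGER PRIMARY KEY, tenant_id TEXT, "
        "order_ref TEXT, customer_email TEXT)"
    )
    conn.executemany("INSERT INTO orders VALUES (?, ?, ?, ?)", SAMPLE_ROWS)
    return conn


def find_order_vulnerable(conn, tenant_id, order_ref):
    """Vulnerable form: request input is spliced into the SQL text, so a crafted
    order_ref rewrites the WHERE clause, and the tenant filter goes with it."""
    sql = (
        f"SELECT {COLUMNS} FROM orders "
        f"WHERE tenant_id = '{tenant_id}' AND order_ref = '{order_ref}'"
    )
    return conn.execute(sql).fetchall()


def find_order_hardened(conn, tenant_id, order_ref):
    """Hardened form: bound parameters keep the input as data, and tenant_id is
    taken from the authenticated session rather than from the request."""
    sql = f"SELECT {COLUMNS} FROM orders WHERE tenant_id = ? AND order_ref = ?"
    rows = conn.execute(sql, (tenant_id, order_ref)).fetchall()
    # Defence in depth: never return a row from another tenant, even if a later
    # change to the query drops the filter by mistake.
    for row in rows:
        if row[1] != tenant_id:
            raise RuntimeError("cross-tenant row returned; query is mis-scoped")
    return rows


def compare(order_ref):
    """Run one input through both forms for tenant-a.
    Returns (rows_from_vulnerable_query, rows_from_hardened_query)."""
    conn = build_db()
    return (
        find_order_vulnerable(conn, "tenant-a", order_ref),
        find_order_hardened(conn, "tenant-a", order_ref),
    )


if __name__ == "__main__":
    # The classic injection string: the vulnerable query returns every tenant's
    # rows, while the parameterised query treats it as a literal and returns none.
    crafted = "' OR '1'='1"
    leaked, safe = compare(crafted)
    print(f"vulnerable query returned {len(leaked)} rows; hardened returned {len(safe)}")
```

The tenant check after the query is the part worth copying: in a multitenant database the query parameter is only half the control, and a row-level assertion (or, better, row-level security enforced by the database itself) catches the day someone edits the SQL and forgets the tenant filter.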
2) Multi-Tier Security
Cloud developments need to be able to withstand attacks at every level of their multi-tier architecture. In the event of an attacker successfully accessing or deleting sensitive data, it’s important to build in the ability to identify and trace the attack, and either roll back the malicious action or restore the lost data from a previous backup.
It’s also essential to explicitly address both Data-in-Transit and Data-at-Rest security. Data-in-Transit security is a particular concern for cloud developers, often requiring the protection of multiple communication channels, including:
- Physical systems (including server-to-server and server-to-client communication)
- Physical resources
- Virtual machines
- Virtual network interfaces
When encryption is used to protect data, it’s important for developers to choose a cryptographic method that complies with the applicable data regulations, and balances the need for security against the need for rapid access to information.
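For the server-to-server and server-to-client channels listed above, the most common Data-in-Transit failure is not a weak cipher but a client that was configured to skip certificate checks and then shipped that way. The following added example (not code from the original article) uses Python's standard `ssl` module to build a hardened client context, a deliberately weak one of the kind that appears when "the connection just needs to work", and a small audit function that flags the weak settings. It runs offline and makes no network connection; the contexts and the findings text are this example's own assumptions.

```python
import ssl


def make_client_context():
    """Hardened client context: Python's defaults already verify the peer
    certificate and check the hostname; we additionally pin TLS 1.2 or newer."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def make_weak_context():
    """Constructed example of a misconfiguration: accepts any certificate from
    anyone, so the channel is encrypted but the peer is not authenticated."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False        # must be disabled before verify_mode is
    ctx.verify_mode = ssl.CERT_NONE   # switched off
    return ctx


def audit_client_context(ctx):
    """Return a list of findings for a client SSLContext; an empty list passes.
    Use it in tests or at start-up to catch a context that was loosened."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("peer certificate not required (verify_mode != CERT_REQUIRED)")
    if not ctx.check_hostname:
        findings.append("hostname not checked against certificate (check_hostname is False)")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("protocol versions below TLS 1.2 permitted (minimum_version)")
    return findings


if __name__ == "__main__":
    print("hardened:", audit_client_context(make_client_context()))
    print("weak:", audit_client_context(make_weak_context()))
```

Wiring `audit_client_context` into the test suite for every outbound client (database drivers, message queues, calls to other services) gives a cheap, repeatable check that the channels enumerated above stay authenticated as the code base changes.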
3) Data Compliance
All of the security measures undertaken during development will need to comply with a multitude of privacy- and data-protection laws. Often, these laws will vary from country to country, and identifying the relevant laws your application needs to adhere to can prove to be as much of a challenge as actually adhering to them.
4) Denial of Service
Cloud development’s multi-tier architecture also increases the possibility of denial of service (DoS) attacks. A successful DoS attack against any single layer of the architecture can often be enough to cripple the entire application – with each additional layer of infrastructure amplifying the risks and likelihood of a successful attack.
To minimise the likelihood of this happening, it’s essential to understand and effectively implement the defences on offer from cloud providers – especially traffic management and load balancing.
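Traffic management at the provider's edge is the first line, but each tier should also be able to shed load on its own so that one flooding client cannot exhaust a layer for everyone else. The following added example (not code from the original article) implements a per-client token-bucket limiter and replays constructed traffic through it: a burst of requests from one source address and normal, well-spaced requests from another. The addresses, rates and event timings are all constructed for the example; the limiter takes an injectable clock so the replay is deterministic.

```python
import time
from collections import defaultdict


class FakeClock:
    """Deterministic clock for replaying constructed traffic; production code
    would pass time.monotonic instead."""

    def __init__(self, start=0.0):
        self.now = start

    def __call__(self):
        return self.now


class TokenBucketLimiter:
    """Per-client token bucket: each client may burst up to `burst` requests and
    is then held to `rate_per_sec` on average. Buckets are per client, so one
    flooding source does not consume another client's allowance."""

    def __init__(self, rate_per_sec, burst, clock=time.monotonic):
        self.rate = float(rate_per_sec)
        self.burst = float(burst)
        self.clock = clock
        self._buckets = {}  # client_id -> (tokens, last_refill_time)

    def allow(self, client_id):
        """Return True if the request may proceed, False if it should be shed."""
        now = self.clock()
        tokens, last = self._buckets.get(client_id, (self.burst, now))
        # Refill in proportion to elapsed time, capped at the burst size.
        tokens = min(self.burst, tokens + (now - last) * self.rate)
        if tokens >= 1.0:
            self._buckets[client_id] = (tokens - 1.0, now)
            return True
        self._buckets[client_id] = (tokens, now)  # keep partial refill progress
        return False


# Constructed traffic: ten requests at once and three more a second later from
# one source, plus three well-spaced requests from a normal client.
SAMPLE_EVENTS = (
    [(0.0, "10.0.0.9")] * 10
    + [(1.0, "10.0.0.9")] * 3
    + [(0.0, "10.0.0.5"), (5.0, "10.0.0.5"), (10.0, "10.0.0.5")]
)


def replay(events, rate_per_sec=2, burst=4):
    """Feed (timestamp, client_id) events through a limiter in time order and
    return {client_id: {"allowed": n, "denied": m}}."""
    clock = FakeClock()
    limiter = TokenBucketLimiter(rate_per_sec, burst, clock=clock)
    summary = defaultdict(lambda: {"allowed": 0, "denied": 0})
    for t, client in sorted(events, key=lambda e: e[0]):
        clock.now = t
        summary[client]["allowed" if limiter.allow(client) else "denied"] += 1
    return dict(summary)


if __name__ == "__main__":
    for client, counts in replay(SAMPLE_EVENTS).items():
        print(client, counts)
```

With a rate of 2 requests per second and a burst of 4, the flooding source gets 4 requests through at once, 2 more after a second of refill, and has the other 7 shed, while the normal client is never touched. The same shape of control belongs at every tier the article describes, keyed on whatever identifies the caller at that layer (source address at the edge, tenant or API key further in).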
5) Attribution of Responsibility
One of the most overlooked risks posed by cloud development is something of a non-technical problem. Cloud development often blurs the lines of responsibility between internal development teams and external cloud software & platform vendors, with different aspects of security falling under the remit of multiple teams.
Without effective communication between all parties, it’s extremely easy to overlook crucial aspects of cloud security, and assume that the onus for protecting the application is somebody else’s responsibility. In order to effectively protect your cloud development projects, it’s essential to identify and account for each of the aforementioned aspects of security – and avoid assuming that somebody else will protect your application.