Security Innovation

Securing Applications in the Cloud

Table of Contents

Overview
Cloud Threats and Vulnerabilities
“Big Data” Security Risks
Building and Deploying Secure Cloud Applications
Addendum: Dealing with SaaS Holes
Overview

It’s clear when you read the latest statistics on cloud computing that what started out as a trend has become a transformative influence on today’s business. The cloud offers the promise of improved scalability, availability, cost-savings, and other benefits, all of which help organizations focus more on business excellence and less on operational efficiency.

While the cloud undoubtedly also offers tangible security benefits in addition to operational advantages, risks still remain. The cloud does not prevent security risks such as hacking or malicious insider behavior.

Entrusting sensitive corporate data to a third party also raises privacy and regulatory concerns. Although the cloud provider is responsible for managing the data, the client remains accountable for that data’s security and privacy. This means that organizations are subject to the various regulations that mandate the implementation of security controls and processes. Many of these regulations require the use of data encryption for certain types of data, and security assessments for applications that store, transmit, or process that data.

Examples of regulations include:

• Code reviews – PCI/PA-DSS
• Encryption – HIPAA, FISMA, GLBA, GDPR
• Regular security assessments – almost all regulations

As organizations shift control of their infrastructure and data to the cloud, it is critical that they rethink their application and infrastructure security efforts. This can be accomplished by ensuring applications are designed with security in mind and take advantage of built-in cloud platform security controls.

This whitepaper examines cloud risks primarily from an application security lens, and sheds some light on common cloud service provider (CSP) myths that can create a relaxed sense of security, including:

Myth: Cloud providers take care of security and regulatory compliance.
Myth busted: Although CSPs offer security measures for protecting customer data, the owners of the data (you) are ultimately responsible for breaches and compliance. Application attack surfaces need to be reduced as much as possible.

Myth: Cloud computing services are always available.
Myth busted: Just because the infrastructure on which your application resides has high availability, that doesn’t mean your application is scalable. Redundancy and resilience must be built into the cloud application itself to ensure availability.

Myth: Cloud computing data is always available.
Myth busted: Data in the cloud must be backed up just as it would with any other deployment model. You also have the same encryption challenges with respect to the data you own and how your application processes it. Backup and encryption are as critical in the cloud as with any other deployment model.


Cloud Threats and Vulnerabilities

Application threats vary for each platform, and the cloud is no different. Cloud applications ultimately are vulnerable to the full range of application threats as defined by the Open Web Application Security Project (OWASP) and Common Weakness Enumeration (CWE).

Cloud developers, though, also need to consider other threats:

ABUSE OF CLOUD RESOURCES

Highly available cloud resources, such as Apple’s iCloud, Microsoft’s SkyDrive, and Amazon’s Cloud Drive, have become commonplace. They provide relative anonymity, ease of access, and robust sharing capabilities, all of which make them very attractive to attackers. The user registration processes of these services often are not even as secure as those required by most major retail sites. This lack of security is attractive to cyber criminals, who use such accounts to run botnets and DDoS attacks, defeat CAPTCHA controls (those designed to distinguish human from machine input), hijack network traffic, or crack passwords and keys.

To mitigate these vulnerabilities and threats, make sure your team:

• Uses transport layer security (TLS) with strong cipher suites (e.g., those based on the Advanced Encryption Standard (AES)) for identity and access management (IAM) traffic and for all other communication and data transfer
• Implements Public Key Infrastructure (PKI) for all data exchanged between users, partners, and suppliers
• Monitors logs and network connections for potential exploits
• Stores passwords only as salted hashes produced by a purpose-built password hashing function (e.g., Argon2, bcrypt, scrypt, or PBKDF2), never as reversible ciphertext, so that a stolen password table cannot be decrypted with a stolen key


INSECURE APIs

Application programming interfaces (APIs) from cloud service providers may not be secure. When these code modules are included in your application, significant vulnerabilities may be introduced, including easily exploited API keys employed by web and cloud services to identify third-party applications using the services. Anonymous access, reusable tokens/passwords, clear-text authentication, open transmission of content, and rigid access controls that can’t be customized easily also can expose your applications to risks.

To protect against API attacks, consider implementing managed APIs that provide several protections, such as those that help control access to resources, optimize delivery of API workloads, and provide insights around API usage and quality of service. Additional considerations include:

• Audit managed API log files on a regular basis
• Enforce strict access control mechanisms (based on least-privilege and need-to-know)
• Segregate duties and responsibilities
• Implement lockouts for repeated incorrect password entry

MALICIOUS INSIDERS

Insider threats are dangerous because these attackers often know how the system is configured and its weaknesses. An external attacker has to breach external perimeter controls, such as firewalls, to gain access to systems and data, while an internal attacker typically already has access to these systems and data.

To secure against malicious insiders, you should:

• Ensure that the CSP conducts detailed human resource assessments of all participants and audit contracts
• Confirm that if a breach does occur, the CSP has a notification process to allow the other participants to audit and respond appropriately
• Have a strong service level agreement (SLA) in place that specifies what can/cannot be accessed by CSP personnel
• Use TLS to ensure that supplier and third-party connections and data exchange are encrypted
• Implement mutual authentication for supplier and third-party connections to application data
• Ensure that audit policies are in place and followed strictly for auditing system logs
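The lockout and token-handling points under Insecure APIs, as an added example that is not part of the original whitepaper: an API-key guard that stores only a hash of each issued key, compares in constant time, and locks a client out after repeated failures. The client identifiers, the thresholds and the in-memory store are assumptions made for this example.

```python
import hashlib
import hmac
import os
import time
from collections import defaultdict

MAX_FAILURES = 5         # lock after this many consecutive bad keys (assumed policy)
LOCKOUT_SECONDS = 300    # how long the lock lasts (assumed policy)

# Random value compared against when the client ID is unknown, so the
# comparison always runs and timing does not reveal which IDs exist.
_UNKNOWN_CLIENT = os.urandom(32)


def key_fingerprint(api_key: str) -> bytes:
    """The server keeps only a SHA-256 of each issued key, never the key itself."""
    return hashlib.sha256(api_key.encode("utf-8")).digest()


class ApiKeyGuard:
    def __init__(self, fingerprints, clock=time.monotonic):
        # client_id -> fingerprint of the key issued to that client
        # (constructed store; in production this lives in a database or vault)
        self._keys = dict(fingerprints)
        self._clock = clock
        self._failures = defaultdict(int)
        self._locked_until = {}

    def is_locked(self, client_id: str) -> bool:
        until = self._locked_until.get(client_id)
        if until is None:
            return False
        if self._clock() < until:
            return True
        # lock expired: clear state so the client can try again
        del self._locked_until[client_id]
        self._failures[client_id] = 0
        return False

    def authenticate(self, client_id: str, presented_key: str) -> bool:
        """Constant-time check of the presented key; counts failures per client."""
        if self.is_locked(client_id):
            return False
        known = client_id in self._keys
        expected = self._keys.get(client_id, _UNKNOWN_CLIENT)
        # compare_digest runs in time that depends on length only, not content
        matched = hmac.compare_digest(key_fingerprint(presented_key), expected)
        if known and matched:
            self._failures[client_id] = 0
            return True
        self._failures[client_id] += 1
        if self._failures[client_id] >= MAX_FAILURES:
            self._locked_until[client_id] = self._clock() + LOCKOUT_SECONDS
        return False
```

Two caveats a reviewer would raise: a lockout keyed on the client ID lets anyone who knows that ID deny service to its legitimate owner, so pair it with per-source rate limiting; and every lockout event belongs in the audited API log, since a burst of them is exactly the signal the "audit managed API log files" bullet is looking for.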


SHARED TECHNOLOGY VULNERABILITIES

In the cloud’s multi-tenant environment, you share network, server, and other system components with other customers. Hackers constantly seek ways to penetrate and exploit systems within the unique cloud framework, so vulnerabilities in another tenant’s application or services potentially may affect your applications and data.

Mitigation of these cloud-specific risks requires a “defense-in-depth” approach to security. Multiple steps include:

• Set the default configurations for your system services (e.g., webservers, databases) and applications to their most secure levels
• Consider host-based firewalls and virus protection
• Opt for dedicated server environments if possible
• Monitor the environment for attempts to gain unauthorized access – including regular reviews and secure management of log files
• Use strong authentication and practice the principle of least privilege – meaning that your users, applications, etc. are given access only to those systems and/or information that is necessary for them to perform their jobs or purpose
• Enforce SLAs for patching and vulnerability remediation
• Use vulnerability scanners to find unpatched or misconfigured components, and intrusion detection to spot active attacks
• Implement Security Information and Event Management (SIEM) tools for monitoring security events

DATA LOSS AND LEAKAGE

Most large organizations go to great lengths to ensure the security of data in their enterprises. By moving data to public cloud storage, organizations forfeit a great deal of control over data loss prevention. Remember, legally you are responsible for protecting the sensitive data you collect, process, and store, so it’s important that your CSP’s data handling practices meet your organization’s and regulatory data protection requirements. This includes understanding where and how the provider encrypts your data, and which personnel have access to your data.

Consider the following best practices to ensure data security:

• Create policies that identify any sensitive data that should not be stored in the cloud
• Ensure that your CSP uses strong data encryption for data at rest and data in transit
• Encrypt data at rest using your own encryption keys, if possible
• Ensure that your CSP has deployed appropriate perimeter and internal defenses and that they are configured properly
• Perform penetration testing on any application or infrastructure that your company will be using
• Implement data loss prevention and monitoring tools backed by an SLA, and audit the monitoring system logs regularly


ACCOUNT, SERVICES, AND TRAFFIC HIJACKING

Session and account hijacking often are the result of phishing attacks, malware, and fraud. These come in many forms and combinations:

• Phishing attacks might try to induce users into providing credentials, using cross-site request forgery (CSRF) attacks or by installing malware
• Malware, once installed, may try to harvest stored credentials or abuse active sessions
• Cross-site scripting (XSS) and CSRF vulnerabilities in web applications may be used by attackers to exploit users

In a common scenario, attackers steal the session ID of a user, allowing the attackers to impersonate the identity of the victim. While this attack may have occurred outside the cloud, once attackers gain access to a compromised account, they have all the privileges of the real account holder. In a cloud environment that relies on shared resources via trusted users, an attacker can cause significant damage through privilege escalation, XSS, and CSRF.

PROVIDER RISK PROFILE

Even if you and your organization are well-aware of the features and functionality offered by your CSP, it’s important to consider other risk-related questions, such as:

• What are the details of the CSP’s internal security policies and procedures, OS hardening, patching, auditing, and logging?
• Who audits compliance with the CSP’s security policies and procedures – and are you able to obtain this report?
• How are data and related logs stored, and who has access to them?
• What information will the vendor disclose in the event of a security incident?

These questions often are overlooked or not clearly answered, leaving customers with an unknown risk profile that may include serious threats. To mitigate overall risk, be sure to enable OS/server-level firewalls for handling sensitive data and insist on annual third-party security assessments.
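An added example (not from the whitepaper) of the session-handling controls that blunt the hijacking scenario above: a fresh session ID on login (against fixation), a CSRF token bound to the session by an HMAC, and cookie attributes that keep the ID away from script and plaintext HTTP. The in-memory store, SERVER_KEY and the cookie name are assumptions made for this example.

```python
import hashlib
import hmac
import secrets

# Server-side key for the CSRF HMAC (assumed: in production it comes from a
# secrets service, not a random value minted at import time).
SERVER_KEY = secrets.token_bytes(32)


class SessionStore:
    """Constructed in-memory store; a real deployment uses a shared cache or DB."""

    def __init__(self):
        self._sessions = {}  # session_id -> {"user": ..., "authenticated": bool}

    def create_anonymous(self) -> str:
        sid = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._sessions[sid] = {"user": None, "authenticated": False}
        return sid

    def login(self, old_sid: str, user: str) -> str:
        """Issue a fresh ID when privilege changes. An ID planted before login
        (session fixation) or sniffed from the anonymous phase is worthless."""
        self._sessions.pop(old_sid, None)
        new_sid = secrets.token_urlsafe(32)
        self._sessions[new_sid] = {"user": user, "authenticated": True}
        return new_sid

    def user_for(self, sid: str):
        session = self._sessions.get(sid)
        return session["user"] if session and session["authenticated"] else None


def csrf_token(sid: str) -> str:
    """HMAC(server key, session id): cannot be forged without SERVER_KEY and
    is rejected if replayed against a different session."""
    return hmac.new(SERVER_KEY, sid.encode("utf-8"), hashlib.sha256).hexdigest()


def csrf_valid(sid: str, presented) -> bool:
    """Check the token submitted with a state-changing request in constant time."""
    return hmac.compare_digest(csrf_token(sid), presented or "")


def session_cookie(sid: str) -> str:
    """Set-Cookie value: HttpOnly keeps XSS from reading the ID, Secure keeps it
    off plaintext HTTP, SameSite=Strict stops the browser attaching it to
    cross-site requests (the CSRF vector)."""
    return "session=%s; Path=/; HttpOnly; Secure; SameSite=Strict" % sid
```

The token is derived rather than stored, so the server needs no extra state per session; the cost is that SERVER_KEY must be rotated carefully, since rotating it invalidates every outstanding form.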


“Big Data” Security Risks

The Cloud Security Alliance’s Top Ten Big Data Security and Privacy Challenges paper attempts to bring renewed focus on fortifying Big Data infrastructures by highlighting the most critical challenges that Big Data presents. These challenges are charted in Diagram 1 and organized into four aspects of the Big Data ecosystem.[1]

Diagram 1. Big Data’s Critical Security Challenges

Infrastructure Security:
• Secure Computations in Distributed Programming Frameworks
• Security Best Practices for Non-Relational Data Stores

Data Privacy:
• Privacy Preserving Data Mining and Analytics
• Cryptographically Enforced Data-Centric Security
• Granular Access Control

Data Management:
• Secure Data Storage and Transaction Logs
• Granular Audits
• Data Provenance

Integrity and Reactive Security:
• End-point Validation and Filtering
• Real-time Security Monitoring

[1] Source: Cloud Security Alliance


Six of these challenges are of particular importance to application development teams:

1. SECURE DISTRIBUTED PROGRAMMING COMPUTATIONS

The speed and efficiency delivered by cloud applications are made possible by distributed programming frameworks, which support the separation and parallel processing of an application’s procedural, logical, functional, and physical components. These frameworks make the processing and storage of large amounts of data possible.

One of the most popular frameworks used for creating cloud applications is Hadoop, an open-source project based on Google technology and maintained by Apache. A key component of Hadoop is the MapReduce framework. There are two steps in MapReduce where the data being computed is vulnerable to exploit: the map step and the reduce step. Data is vulnerable because access is controlled at the client level, not the file system level.

In order to reduce the risk, you must ensure that all data is encrypted. If data encryption is impractical with your application, use strong user authentication to access the client.

2. SECURING NON-RELATIONAL DATA STORES

As the name suggests, NoSQL databases are not constrained by the traditional row-column-table relationship of SQL Relational Database Management Systems (RDBMSs). One of the largest NoSQL deployments is Google’s Bigtable, a wide-column store. The dataset of a NoSQL database is distributed over a multitude of storage devices and is limited only by the amount of storage available.

Unfortunately, NoSQL databases are as vulnerable to injection as SQL RDBMSs. Usually with NoSQL, a JavaScript Object Notation (JSON) object gets passed to the server, which then needs to be parsed. It is this parsing that can result in injection: a field the application expects to hold a string can instead carry a nested object that the database interprets as a query operator. Parameters also can be passed in a request, received by a server, and then inserted into a NoSQL database, similar to a SQL injection attack.
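An added example (not from the whitepaper) of the JSON-parsing injection described above. The toy matcher imitates how a document store evaluates operator objects such as {"$ne": null}; the USERS collection and both login functions are constructed for illustration, and the plaintext passwords exist only to keep the matcher readable (a real store holds password hashes).

```python
import json
import re

# Constructed sample collection.
USERS = [
    {"username": "alice", "password": "s3cret"},
    {"username": "bob", "password": "hunter2"},
]


def _field_matches(actual, condition) -> bool:
    """One field of a query: a plain value means equality; a dict means operators."""
    if not isinstance(condition, dict):
        return actual == condition
    for op, operand in condition.items():
        if op == "$ne":
            ok = actual != operand
        elif op == "$gt":
            ok = actual is not None and actual > operand
        elif op == "$regex":
            ok = isinstance(actual, str) and re.search(operand, actual) is not None
        else:
            raise ValueError("unsupported operator: %s" % op)
        if not ok:
            return False
    return True


def find_one(collection, query):
    """Return the first document where every query field matches."""
    for doc in collection:
        if all(_field_matches(doc.get(field), cond) for field, cond in query.items()):
            return doc
    return None


def login_vulnerable(body: str):
    """Decodes the JSON body and forwards the values untouched, so a body of
    {"username": {"$ne": null}, "password": {"$ne": null}} matches the first user
    without knowing any credential at all."""
    request = json.loads(body)
    return find_one(USERS, {"username": request["username"],
                            "password": request["password"]})


def login_hardened(body: str):
    """Enforces the expected type before the value reaches the query: only
    strings are accepted, so an operator object can never be injected."""
    request = json.loads(body)
    username = request.get("username")
    password = request.get("password")
    if not isinstance(username, str) or not isinstance(password, str):
        return None
    return find_one(USERS, {"username": username, "password": password})
```

The lesson generalizes past authentication: wherever a decoded JSON value is spliced into a query, check its type and shape first, and prefer query builders that take typed parameters over ones that accept arbitrary nested documents.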


3. END-POINT INPUT VALIDATION AND FILTERING

Your application’s input validation and filtering capabilities must be designed to avoid the risks associated with weak or non-existent input validation. To accomplish this task, make sure your team:

• Properly validates and filters all input, rejects incorrect values, and ensures input validation routines are coded correctly
• Conducts thorough static code analysis using popular Static Application Security Testing (SAST) tools, followed by manual code reviews to ensure that no input validation vulnerabilities were missed by the tools
• Remediates all input validation vulnerabilities before deployment
• Defines data type classifications (e.g., input can be only integers; or, define a “white list” of accepted input)
• Uses white listing where possible
• Reviews filtering algorithms, since these can introduce vulnerabilities
• Uses data validation frameworks available with a specific programming language

4. CRYPTOGRAPHICALLY ENFORCED DATA-CENTRIC SECURITY

Contemporary PKI solutions for transport-layer protection are the optimal safeguard; for example, digital certificates that are presented during the TLS handshake. Attribute-Based Encryption (ABE) and homomorphic encryption technologies will help secure Big Data offerings in the future. None of these technologies, however, is mature enough for production deployment. Developers, therefore, must rely on proven, established cryptographic algorithms. For now, PKI X.509 certificates can be populated with metadata (extensions) to specify their usage.
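An added example (not from the whitepaper) for the “review filtering algorithms” and “white list” bullets above: a deny-list filter that can be bypassed by nesting, next to an allow-list validator that classifies each field by type. The field names and rules are assumptions made for this example.

```python
import re


def strip_script_tags_once(value: str) -> str:
    """Deny-list filter: removes <script> and </script> tokens in a single pass.
    Nested input such as '<scr<script>ipt>' re-forms the tag after the pass,
    which is why filtering algorithms themselves need review."""
    return re.sub(r"(?i)</?script>", "", value)


# Data type classification per field (constructed rules): an integer with a
# range, an enumerated allow-list, or a pattern the whole value must match.
FIELD_RULES = {
    "quantity": ("int", 1, 100),
    "country": ("enum", {"US", "DE", "JP"}),
    "username": ("pattern", re.compile(r"[a-z][a-z0-9_]{2,31}")),
}


def validate(field: str, raw: str):
    """Return the typed value for a known field, or raise ValueError.
    Unknown fields and anything outside the allow-list are rejected outright;
    nothing is 'cleaned up' and passed on."""
    rule = FIELD_RULES.get(field)
    if rule is None:
        raise ValueError("unknown field: %r" % field)
    kind = rule[0]
    if kind == "int":
        if not re.fullmatch(r"-?[0-9]{1,9}", raw):
            raise ValueError("%s: not an integer" % field)
        number = int(raw)
        if not rule[1] <= number <= rule[2]:
            raise ValueError("%s: out of range" % field)
        return number
    if kind == "enum":
        if raw not in rule[1]:
            raise ValueError("%s: not an allowed value" % field)
        return raw
    if kind == "pattern":
        # fullmatch, not match/search with '$': '$' also matches before a
        # trailing newline, which lets 'alice\n<script>' slip past.
        if not rule[1].fullmatch(raw):
            raise ValueError("%s: does not match the allowed pattern" % field)
        return raw
    raise ValueError("unknown rule kind")


def is_valid(field: str, raw: str) -> bool:
    """Boolean wrapper for callers that only need accept/reject."""
    try:
        validate(field, raw)
        return True
    except ValueError:
        return False
```

Validation is not a substitute for output encoding: a username that passes the pattern above is safe to store, but still needs HTML-encoding when rendered.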


5. GRANULAR ACCESS CONTROL AND AUDITS

Most organizations currently use Role-Based Access Controls (RBAC) to handle authorization rules for applications and networks instead of Attribute-Based Access Controls (ABAC), which provide a more granular authorization model. RBAC, as its name implies, assigns access based on a user’s role. Due to the number of potential roles that must be managed, often manually, RBAC is not as well-suited to the dynamic environments associated with cloud-based services. ABAC is distinguishable from RBAC because it controls access to objects by evaluating rules against the requesting entity’s attributes and action, the attributes associated with objects relevant to the request, and the environment in which the action is performed.

Development teams also can build access controls into application features – i.e., define user roles, permissions, and restrictions – as part of the application business logic. This, of course, would have to be implemented as part of the software development life cycle (SDLC).

Although the use of logging and SIEM tools is now pervasive for forensic and auditing/accounting purposes, developers who deal with Big Data applications will need to rely more on logging and system lockouts after a set number of failed login attempts, inactivity timeouts, and session terminations to assist security professionals with their day-to-day activities.

For example, developers could use the logging framework log4j with a J2EE Big Data application and set the logging level to verbose. An application with verbose logging allows an organization’s security team to record more information than is necessary for the purpose of troubleshooting and to enforce enhanced detective controls to discover malicious activity or a data breach. These granular audits may also help the privacy team validate their jurisdictional privacy requirements. Verbose logs must then be treated as sensitive data in their own right: keep credentials, tokens, and personal data out of log lines, and restrict who can read the logs.

6. DATA PROVENANCE

Data provenance documents the inputs, entities, systems, and processes that influence data of interest, in effect providing an historical record of the data and its origins. Proper implementation is complex, expensive, and usually makes sense for highly sensitive data only.

Much like granular access controls and audits, data provenance is tied to Big Data applications that have an enhanced degree of data classification and categorization for which additional metadata must be incorporated. With today’s globalization and jurisdictional privacy laws, it is imperative that developers understand proper data capture techniques and the need to implement enhanced logging to execute the necessary granular access controls.
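An added example (not from the whitepaper) of the ABAC model described under challenge 5. It goes slightly beyond the text by including an explicit deny rule with deny-overrides combining, which is how ABAC engines normally resolve conflicting rules. The policies, the attribute names and the make_env helper are assumptions made for this example.

```python
from datetime import time as clock_time

# Each rule looks at subject, action, resource and environment attributes and
# reports whether it applies; its effect (permit or deny) is attached in
# POLICIES. Under RBAC the same decisions would need one role per
# team/clearance/network/time combination.


def owner_or_team_may_read(subject, action, resource, env) -> bool:
    return action == "read" and (
        resource["owner"] == subject["id"] or resource["team"] == subject["team"])


def editors_may_write_in_office_hours(subject, action, resource, env) -> bool:
    return (action == "write"
            and subject.get("clearance") == "editor"
            and resource["team"] == subject["team"]
            and env["network"] == "corporate"
            and clock_time(8, 0) <= env["time"] <= clock_time(18, 0))


def restricted_never_leaves_corporate_network(subject, action, resource, env) -> bool:
    return (resource.get("classification") == "restricted"
            and env["network"] != "corporate")


POLICIES = [
    ("permit", owner_or_team_may_read),
    ("permit", editors_may_write_in_office_hours),
    ("deny", restricted_never_leaves_corporate_network),
]


def decide(subject, action, resource, env) -> bool:
    """Deny-overrides combining: any applicable deny wins; otherwise any
    applicable permit grants; otherwise the default is deny."""
    permitted = False
    for effect, rule in POLICIES:
        if rule(subject, action, resource, env):
            if effect == "deny":
                return False
            permitted = True
    return permitted


def make_env(network: str, hour: int) -> dict:
    """Environment attributes for one request (constructed helper)."""
    return {"network": network, "time": clock_time(hour, 0)}
```

Each decision, together with the attribute values it was made from, is what the granular audit trail in the same section should record; logging only "access denied" without the attributes leaves the investigator guessing which rule fired.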


Building and Deploying Secure Cloud Applications

Major cloud infrastructure providers such as Amazon and Microsoft use a combination of intrusion detection systems (IDS), firewalls, intrusion prevention systems (IPS), and application-level controls to provide layers of defense.

Organizations building software applications, however, still need to make informed design decisions to take advantage of these built-in features. More importantly, just because an application is sitting on a third-party infrastructure doesn’t mean any less diligence needs to be put into the security of its design, development, and testing. In fact, organizations need to integrate security throughout their application development process in the same way as if they were deploying on their own servers. It is easy to gain a false sense of security when deploying your applications to a third-party CSP.

Security engineering activities can be layered into any cloud application development process. You already may perform many of the core development activities shown in Diagram 2. There are analogous security activities at each phase: for instance, when you would normally determine your functional requirements, you also would determine your security requirements. When you typically would apply design best practices, you can perform threat modeling and apply security design best practices, and so on.

Diagram 2. Adding Security Engineering to the Cloud App Development Process

Planning

Requirements and Analysis
  Core: Functional Requirements; Non-Functional Requirements; Technology Requirements
  Security: Security Objectives

Architecture and Design
  Core: Design Guidelines; Architecture and Design Review
  Security: Design Guidelines for Security; Threat Modeling; Architecture and Design Review for Security

Development
  Core: Unit Tests; Code Review; Daily Builds
  Security: Code Review for Security

Testing
  Core: Integration Testing; System Testing
  Security: Security Testing

Deployment
  Core: Deployment Review
  Security: Deployment Review for Security

Maintenance

[2] Source: Microsoft Patterns & Practices


The loss of control of the data when moving applications to the cloud typically is the biggest threat. To mitigate this, organizations have to think about data flow and how the design of the cloud infrastructure can work for, or against, data protection. Software applications must be designed with new threats in mind:

• Misconfigurations within the cloud infrastructure
• New storage model attack vectors
• Encryption mechanisms that the platform offers but the application fails to use, or uses incorrectly

Many organizations have hundreds, even thousands, of applications that run their business. Migrating to the cloud can be a daunting task that requires different levels of effort, team by team. Some software applications will need to be re-written, some modified, and some can be migrated “as is.” Categorizing applications based on risk, complexity, longevity, end-of-life (EOL) plans, and other factors will help you determine the best route to take.

Typically, applications are not any more or less secure in the cloud, so migrating them “as-is,” especially older applications, often makes sense to avoid the effort of a large re-architecting exercise. Newer applications potentially can be modified to take advantage of authentication, “secrets” (e.g., encryption keys) storage and management, autonomous monitoring, as well as other cloud services.

To achieve full security utility from today’s CSPs, most applications will need to be re-architected and/or rewritten. This task most likely will be reserved for mission-critical applications. One of the biggest benefits of an application rewrite is the availability of many built-in sub-services such as logging and monitoring, which actually are quite easy to leverage for enhanced security and scalability.


Addendum: Dealing with SaaS Holes

Security gaps can occur in any application, on any platform. The cloud is no exception, and as you make the shift to Software as a Service (SaaS) and cloud applications, the awareness of security “holes” and their many types is your key to defending against them.

ENGINEERING SAAS HOLES

Software often is written by people with little training in application security, let alone cloud-specific development skills. Unfortunately, computer science and engineering programs, as well as the professional education that follows, focus on building software to do things – and do not address how that software can be abused and how to defend it. The resulting security gaps leave that software vulnerable to exploitation by attackers.

PRODUCT MANAGEMENT AND MARKETING SAAS HOLES

Sometimes, the requirements of your applications and infrastructure work against good security practice. The user experience typically is the primary factor that’s addressed in the application design and build. This emphasis on the user can take the focus off of important security requirements, which, if incorporated properly, actually can save development time and money.

SALES SAAS HOLES

A CSP’s service typically comes with SLAs and other specifications that define uptime, service, and even security. The problem, though, is that sometimes a CSP’s infrastructure does not carry through with these specifications with respect to security, and even may change after you contract with them. Even with a service agreement, a “no SaaS holes” rule if you will, a CSP’s liability often is limited to what you paid for the service. The cost of a breach, though, can be far more.

MANAGEMENT SAAS HOLES

A lack of good systems management and monitoring can mean that your application gets deployed on the wrong virtual image, in the wrong place, or without the right configuration. A lack of security priority, process, and information at the management level can lead to groups not having security goals, or having poor coordination and execution on those goals.


Closing the Gaps

Fortunately, an awareness of cloud-based security gaps can help you deal with SaaS holes, increase security, and make you more efficient.

When building and deploying applications that will live in the cloud, the ultimate goal is to use a secure SDLC, beginning with a gap analysis. In addition to saving time and money, an SDLC addresses Engineering SaaS holes with secure design, coding, and test practices (and includes training and reference materials on these). An SDLC defends against Sales and Management SaaS holes using threat models, attack surface analysis, and deployment-stage specification activities that help you understand the gaps you face and where you’re facing them in order to set concrete goals to prevent and defend against them. Finally, an SDLC plugs Product Management and Marketing SaaS holes by building security requirements into the process.

HOW SECURITY INNOVATION CAN HELP

Moving your applications into the cloud means that you have to deal with a new world of security gaps, but you don’t have to go it alone. With the right help from a partner such as Security Innovation, and a little patience and perseverance, dealing with SaaS holes can be a lot less painful than you think.

Computer-Based Training

Security Innovation has the industry’s largest library of computer-based training with 100+ courses for all major roles, technologies, and platforms. Our Cloud Curriculum provides developers with a clear understanding of the risks and threats associated with cloud computing. Courses include coverage of Big Data, cloud computing characteristics, service models, deployment models, and regulatory requirements. Visit our website for a listing of our current cloud-specific computer-based training offerings.

Cloud Security Services

Tap into our specific expertise in cloud security with these cloud-dedicated services from Security Innovation:

Cloud Application Security Assessment: Analyzes data management/encryption, service configurations, authentication and authorization components, and ways to attack network and storage models.

Cloud and Virtualization Migration Planning: Identifies adoption risks and recommends steps for establishing criteria for different classes of data and defining deployment standards.

AWS/Azure Configuration Review: Analyzes how cloud components have been implemented in your unique configuration to ensure each is used properly, efficiently, and securely.

RESOURCES

[1] Cloud Security Alliance. Top Ten Big Data Security and Privacy Challenges.
[2] Microsoft Patterns & Practices.


ABOUT SECURITY INNOVATION

Since 2002, Security Innovation has been the trusted partner for cybersecurity risk
analysis and mitigation for the world’s leading companies, including Microsoft,
Sony, GM, Disney, Google, and Dell. Recognized as a Leader in the Gartner Magic
Quadrant for Security Awareness Computer-Based Training for the third year in a
row, Security Innovation is dedicated to securing and protecting sensitive data in the
most challenging environments – automobiles, desktops, web applications, mobile
devices, and in the cloud. Security Innovation is privately held and headquartered in
Wilmington, MA USA. For more information, visit us at www.securityinnovation.com.
