Hackers are testing the limits of cloud security practically every day. Developers and cloud managers can no longer simply add layers of security around enterprise applications to keep them secure. Besides, with the scaling of enterprise IT environments and their digital transformations, enterprises now have increased access to applications creating a new attack vector for hackers to exploit. The pressure on enterprises, thus, is high to implement better security at the application layer in the cloud.
The cost of not doing this, can be stratospheric. A perfect example of the loss that a breach entails is when Home Depot was the target of a cyberattack that exposed its payment terminals and let out details of 56 million credit and debit card numbers. At a possible $194 per compromised record, can you imagine the enormity of the financial risk? It makes complete sense to protect your organization against breaches by applying the right tools and best practices.
But long gone are the days when you could just set up fences around applications and call it a day. It’s time to reinvent traditional approaches to app security in the cloud. Let’s look at some of these.
Begin with basic security
For apps designed for the cloud, developers need to focus on auditing, authorization, auditing, integrity and confidentiality. Authorization keeps a check on what an authenticated user can access and do. Auditing ensures that a user cannot perform a transaction or an activity without it being logged for compliance. Integrity safeguards the data from accidental/ intentional modifications. Confidentiality ensures that user data remains protected and cannot be accessed by an unauthorized user.
Before figuring out how to protect data, developers need to identify app data and classify that data – both structured and unstructured – on the basis of how it is being accessed and by whom. Classifying enterprise data provides the intelligence needed to assess the risks and costs associated with data loss or theft, such as loss of IP or regulatory penalties. An automated data classification engine can simplify and speed up this process. The next step is to see who is using this data. Is it being shared? Can anyone on the same team access the same level of data? Cloud managers need to consider file and folder permissions, user locations and roles, and devices being used. Malicious behavior by both employees and third-party attackers should also be considered. In the end, the cloud management team needs to balance data protection with accessibility. Secure data management tools and policies provide automated backups and disaster recovery, automated updates, governed access, and the ability to scale with the business.
Identity and Access Management
Identity and access management (IAM) is a newer form of application security that needs to be coded right into the applications. This is important because on the one hand, developers must handle the multiple user identities and credentials requesting access to these applications, while on the other the organization must regulate what the applications themselves can access within your IT environment. IAM helps developers balance these two needs by better managing user identities and access permissions. Developers can allocate a single digital identity to each user, authenticate their log in, authorize access specified resources, and monitor and manage each user throughout their lifecycle. IAM ensures that new vendors, employees, and partners have the right permissions that are deprovisioned should they switch to another location, department or organization. Applying IAM within cloud applications will back-fill into the organization as it modernizes security approaches and technologies to align with an increasing use of the cloud.
Real-time Data Encryption
Protecting app data is the next important aspect of application security in the cloud. A very effective method is encrypting data “in flight”, i.e. securing data while it is moving between systems and is at its most vulnerable. However, this is a complex process that involves a lot of coding time, and can be expensive if not handled smartly. Developers must also secure data that is “at rest” or in a storage subsystem making it the most practical option, as well as data that an application frequently accesses, modifies and uses. Developers can also create a session policy that lets them monitor sessions between internal and external users. They track each session between users and limit specific activities that are against application security and compliance standards.
Protect from within with DevSecOps
The latest approach to cloud application security, DevSecOps is a step away from adding security layers around an app. Instead of securing the perimeter, developers code end-to-end security within the app itself, thus reducing time-consuming manual security checks. DevSecOps also introduces a new culture of app security being everyone’s responsibility and not something that’s bolted on at the end by a single team.
Establish Cloud Governance Policies
Setting the right combination of cloud governance policies is as important as any coding and tool, and falls under the mandate of cloud managers who must ensure they have security standards for all users to abide by when working within the cloud environment. This requires the use of monitoring mechanisms to ensure all established cloud security policies are adhered to. Some best practices include enforcing higher authentication standards such as multi-factor authentication, stricter rules for virtual machines/ containers/data repositories, etc., and clearly defined roles for application access management. On the flipside, cloud managers must think before taking an app to the cloud. Each time an app is connected to the cloud it exposes the organization to security risks. So cloud managers must keep a close check on what vendors are being granted access to their IT ecosystem.
Despite analysts sharing upbeat reports about a higher number of organizations moving their applications to the cloud, most businesses are wary due to the security risks associated with this technology. However, the cloud can potentially offer the same kind of security that any traditional on-premise environment, and perhaps even with some added capabilities. There is no perimeter in the cloud world. Following cloud application security best practices along with the right kind of technology, will minimize organizational vulnerability to malicious attacks while providing your security team with the visibility and control they need to do their job.
If you are planning to move your applications to the cloud or are already in the cloud and want the best possible security, reach out to Xencia’s cloud security advisory team. We can help build your cloud strategy and support the development of governance, security, and compliance policies.