By Brian Soby, director of security, Taulia Inc.
Many companies are seeing the benefits of migrating their business processes from legacy on-premise deployments to on-demand deployments in the cloud. But for many organizations, there are as questions as there are benefits that come with such a migration.
While on-demand products come with increased scalability, easier deployment, and greatly reduced operational costs, there are unique challenges in moving to the cloud that require a careful selection of on-demand products and vendors.
The Search for Security
Securing your critical business data in the cloud is key among the challenges of moving to the cloud. But knowing what to look for in an on-demand product can give you confidence when selecting the right solution for your company. Important areas to evaluate are a product’s lineage, how it stores critical data, whether security is integral to the product lifecycle, and transparency by vendor with respect to customers evaluating a product’s security.
As customers increasingly realize the benefits of moving to the cloud, many vendors of on-premise products have tried to meet this demand by hastily converting existing products to support on-demand delivery. Unfortunately, cloud security concepts like multitenancy are rarely effective as afterthoughts—and they need to be built into the core design of a product. Since architectural changes to existing products are painful and time-consuming and often come in the form of superficial security filters haphazardly inserted into the software. The result is a weak and inconsistent security model separating your data from vulnerability.
Another consideration when assessing cloud systems is the protection given to data “at rest”—meaning data stored as files, in databases, and in other forms within the product. While encryption through the use of secure socket layer (SSL) is widely recognized as an absolute requirement for securing data in transit, a critical companion requirement is the encryption of data after it has been stored within an application. Encryption of data at rest comes in two forms that should be used together: low-level encryption of file systems and application-level encryption of critical data elements. File system encryption is commonly called “full disk encryption” (FDE) and should be applied to any system that may contain your data.
This type of encryption prevents your data from being exposed if storage media is reused, lost, or stolen. Even with FDE applied, vulnerabilities like SQL injection or XML entity injection can leave security gaps for critical data elements like banking information. These classes of vulnerabilities potentially allow attackers to read data out of databases or files, after it has been decrypted by the file system. Application level encryption would effectively mitigate these attacks by keeping your data encrypted until accessed by an authorized user.
Bringing Your Business Onboard
Because on-demand products are generally updated by the vendor instead of the customer, it’s also important to evaluate how security is built into the overall lifecycle of a product. The first lifecycle component is for the vendor to provide a secure software development program to their developers and quality engineers.
An effective training program goes beyond standard security awareness, and covers the specific security issues associated with web applications and the product’s technology stack. Beyond training, security testing needs to be part of the software release process. Testing should incorporate automated static analysis with security specific rulesets, along with the inclusion of security tests into the products test suite.
Many product test suites focus on functional “positive” tests that are intended to verify that an application behaves in an expected way when provided with valid input. Security tests are different in that they’re largely “negative” tests to verify that an application will not perform an unintended behavior when provided with deliberately manipulated input. After product deployment, ongoing security assessments are also a key element of security. Vendors should be able to provide evidence of independent security assessments performed by firms specializing in application security. The assessments should compliment internal security assessments and go well beyond basic automated scans and largely involve skilled security analysts directly evaluating systems.
Transparency is Key
In addition to providing any certifications or third party assessments of a product, vendors should be open to customers performing their own logical security assessments, free of unreasonable restrictions. Best practices around customer security assessments are for vendors to provide accounts in functional, non-production environments and to allow any tests other than large-scale denial of service attempts. The inability or unwillingness of vendors to accommodate logical customer assessments should be an immediate red flag that a product has a weak security posture and prospective customers should be wary.
With proper diligence, companies can greatly benefit by moving data and business processes to the cloud. Properly designed and maintained on-demand products can be more secure than their on-premise counterparts while providing increased scalability and lower operational costs. Companies that understand the key security criteria for cloud software can realize these benefits, while keeping their critical business data protected.
This article was syndicated from Business 2 Community: What to Look For When Moving Your Business to the Cloud