Security in the Cloud
So… You’re an aspiring killer Web app developer or you’re thinking of moving some systems to the cloud? Here are some of the security issues you need to consider.
Application Security
To begin, you need to build security into your application just like you would if you were running it on your own hardware. Many mistakes are made in the areas of user authentication and input validation.
Writing code to authenticate users is about as unglamorous as it gets. So, my first piece of advice to developers is to avoid doing it yourself. Where possible, use an existing system that already does the work for you. If you’re going to write your own, you really need to do some research. In summary, you need to address issues such as password complexity rules, aging and resets. Passwords should never be stored in the clear, and it should never be possible for a user or administrator to view a password. Upon entry, passwords should immediately be transformed using a secure one-way function. In addition, you need to consider delay and lockout mechanisms for invalid authentication attempts, and ensure that your application does not reveal why an authentication attempt failed.
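The points above translate into a small amount of code. What follows is an added example written for this page, not code from the column or from any product it mentions: a minimal in-memory user store that keeps only a salted one-way hash, locks an account after repeated failures, ages passwords, returns one identical message for every failed login, and lets an administrator see status but never the secret. The thresholds (PBKDF2 iteration count, minimum length, lockout count and duration, password age) are assumed policy values chosen for illustration, not a recommended standard.

```python
"""Minimal password-store sketch illustrating the column's authentication
advice. Added example; thresholds are assumed policy values for illustration."""
import hashlib
import hmac
import os
import time

PBKDF2_ITERATIONS = 200_000            # assumed work factor
MIN_PASSWORD_LENGTH = 12               # assumed complexity rule
MAX_FAILED_ATTEMPTS = 5                # assumed lockout threshold
LOCKOUT_SECONDS = 300                  # assumed lockout duration
MAX_PASSWORD_AGE_SECONDS = 90 * 86400  # assumed aging rule
AUTH_FAILED_MESSAGE = "Invalid username or password."  # one message for every failure
_DUMMY_SALT = b"\x00" * 16             # used to burn equal work for unknown users


def _hash_password(password, salt):
    """One-way transform; only the result is ever stored."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


class UserStore:
    def __init__(self, clock=time.time):
        self._users = {}
        self._clock = clock  # injectable clock so lockout and aging can be tested

    def register(self, username, password):
        if len(password) < MIN_PASSWORD_LENGTH:
            raise ValueError("password too short")
        salt = os.urandom(16)
        self._users[username] = {
            "salt": salt,
            "hash": _hash_password(password, salt),  # plaintext is discarded here
            "failed": 0,
            "locked_until": 0.0,
            "changed_at": self._clock(),
        }

    def password_expired(self, username):
        rec = self._users[username]
        return self._clock() - rec["changed_at"] > MAX_PASSWORD_AGE_SECONDS

    def authenticate(self, username, password):
        """Returns (ok, message). The message never says *why* it failed."""
        now = self._clock()
        rec = self._users.get(username)
        if rec is None:
            _hash_password(password, _DUMMY_SALT)  # same cost as a real check
            return False, AUTH_FAILED_MESSAGE
        if now < rec["locked_until"]:
            return False, AUTH_FAILED_MESSAGE  # locked out: password is not even checked
        candidate = _hash_password(password, rec["salt"])
        if hmac.compare_digest(candidate, rec["hash"]):  # constant-time comparison
            rec["failed"] = 0
            return True, "ok"
        rec["failed"] += 1
        if rec["failed"] >= MAX_FAILED_ATTEMPTS:
            rec["locked_until"] = now + LOCKOUT_SECONDS
            rec["failed"] = 0
        return False, AUTH_FAILED_MESSAGE

    def admin_view(self, username):
        """What an administrator may see: status only, never the secret."""
        rec = self._users[username]
        return {
            "username": username,
            "locked": self._clock() < rec["locked_until"],
            "password_expired": self.password_expired(username),
        }
```

The unknown-user branch deliberately runs the same hash computation as a real check, so response time does not tell a caller whether the username exists; together with the single failure message, that keeps the application from providing insight into why a login failed.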
Failing to properly validate input is a fatal mistake, often leading to buffer overflows, stack smashing, and SQL injection. All data arriving at the application should be assumed to be hostile. Attackers will manipulate input fields, change hidden form fields in HTML documents and do all sorts of other unexpected things in an attempt to break your application.
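To make the SQL injection point concrete, here is an added example (not code from the column) showing the vulnerable query pattern beside its hardened form, plus the allow-list validation and range checking that treat every incoming value, hidden form fields included, as hostile. The SQLite table, the username pattern, and the hostile input string are all constructed for the demonstration.

```python
"""Input validation and parameterized queries. Added example, not from the
column; the sample table and the hostile input are constructed for the demo."""
import re
import sqlite3

# Allow-list: describe what a valid value looks like instead of hunting for bad characters.
USERNAME_RE = re.compile(r"[a-z0-9_]{3,32}")


def make_demo_db():
    """Constructed sample data so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com")],
    )
    return conn


def find_user_unsafe(conn, name):
    """Vulnerable pattern: the request value is spliced into the SQL text,
    so quote characters in the input change the statement itself."""
    sql = "SELECT name, email FROM users WHERE name = '%s'" % name
    return conn.execute(sql).fetchall()


def find_user_safe(conn, name):
    """Hardened: the value travels as a bound parameter and is never parsed as SQL."""
    return conn.execute(
        "SELECT name, email FROM users WHERE name = ?", (name,)
    ).fetchall()


def validate_username(raw):
    """Reject anything that does not match the allow-list before it goes anywhere."""
    if not isinstance(raw, str) or not USERNAME_RE.fullmatch(raw):
        raise ValueError("invalid username")
    return raw


def parse_quantity(raw, lo=1, hi=100):
    """Hidden or 'read-only' form fields get the same scrutiny as typed ones:
    the client can send anything, so type and range are checked server-side."""
    try:
        value = int(raw)
    except (TypeError, ValueError):
        raise ValueError("quantity is not an integer")
    if not lo <= value <= hi:
        raise ValueError("quantity out of range")
    return value


def lookup(conn, raw_name):
    """Validate first, then query with a bound parameter: two independent layers."""
    return find_user_safe(conn, validate_username(raw_name))
```

Parameter binding alone stops the query from being rewritten; the allow-list on top of it keeps junk out of the application entirely and gives a single, early place to log rejected input.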
Network Security
In your office or data centre you have control of the network. You can design multiple DMZs to separate data of different sensitivities and to create defense in depth. In the cloud, you lose much of the control you had over the physical network topology, making it much more important that every computer is capable of defending itself. If you’re designing for the cloud, every machine should have its own firewall and you should seriously consider encrypting all traffic between your machines in the cloud. Unless you can clearly demonstrate otherwise, you should assume that an attacker can directly probe each of your machines. And remember, not all hostile traffic will come from the Internet. A hacker may be renting computer time from the same vendor.
Physical Security
A related issue is that in the cloud you no longer have control over physical security. However, for smaller businesses, this may not be a bad thing. Amazon, for example, likely has much better physical security at their data centre than your small business would have. But this is one area where you might want to carefully consider your options, including encrypting all sensitive data to ensure it is protected in the event of a physical security incident.
Backups
One of the reasons we look to the large service providers is that they are often capable of providing very attractive levels of data integrity and availability, including backups. However, in the event of a natural disaster, fire, bankruptcy or contract dispute, you do not want to find yourself unable to access critical data such as a customer or subscriber list. You should therefore consider backing up your data (or at least the most important subsets of it) either to your own office or to another unaffiliated provider. Otherwise you are completely at the mercy of your cloud provider, which could be a financially perilous place to be.
Availability
A high level of availability can be achieved in cloud computing, but it takes some work. How much work depends on the cloud provider. For example, Amazon offers the ability to run in different ‘zones’, but you still need to architect your application to take advantage of it. Since cloud providers are heavy users of virtualization technologies, it is critical that you understand how to ensure that your ‘redundant’ virtual computers are not actually running on the same physical computer.
Jurisdictional Issues
Storing data in the cloud can result in complicated or unfavorable jurisdictional issues. For example, the laws in some jurisdictions make it very easy for law enforcement to obtain data without adequate judicial oversight and some cloud providers may not have any interest in contesting access requests, even when the requests may be unlawful. It is critical to understand where one’s data may be stored and to determine if additional security controls, like data encryption, are required to protect it. Some providers offer data storage in different countries to help resolve these issues and comply with applicable privacy legislation.
A Final Thought
If you just want to play in the cloud, by all means do so. But if you’re developing a serious application, or dealing with personal or corporate information, consider some expert security advice early in the design process. In many cases a security professional can help you build a secure system in the first place and save you a lot of money, time and frustration.
Amazon, Queen of the Cloud
Last week I introduced the concept of cloud computing. To recap, the concept is that one can simply buy computing and storage resources as needed rather than investing in hardware and Internet connectivity.
While a few companies have been talking about cloud computing, Amazon is doing it and selling it to anyone with a credit card under the Amazon Web Services banner. To get a better understanding of the future of web application development, we’ll take a look at what they offer.
Amazon Elastic Compute Cloud (Amazon EC2) is a Web service that provides resizable compute capacity in the cloud. It is designed to make Web-scale computing easier for developers. To summarize, you upload one or more virtual machine images to Amazon. Then you use an API to start and stop instances of your virtual machines — and pay only for the time you use. Amazon offers several virtual computer ‘sizes’ starting at $0.10 per hour. There is no minimum commitment. You simply pay for what you use. If you design your application right, it can scale very quickly by spinning up additional instances as needed to handle the load.
Of course, almost any application requires storage space and that’s where Amazon Simple Storage Service (Amazon S3) comes in. Amazon S3 provides a Web services interface that can be used to store and retrieve any amount of data, at any time, from anywhere on the Web. It’s storage on demand and, in Amazon tradition, it’s also pay-as-you-go with no minimums. The pricing model takes into account charges for storage, inbound traffic, outbound traffic, requests and whether storage is in the USA or Europe. For example, storage in the USA starts at $0.15 per GB, inbound traffic at $0.10 per GB, outbound traffic at $0.17 per GB, and requests are one cent per thousand. Prices to store data in Europe are slightly higher.
Amazon also offers a database service, a message queuing service to facilitate communication between computers in a distributed architecture and recently introduced the beta CloudFront service which looks like a very promising, easy-to-use content delivery service.
So what does this all really mean?
Amazon has removed many of the barriers to developing Internet-scale applications. Developers can start small with no capital investment and only pay for what they need, when they need it. They also have an unprecedented ability to scale applications quickly in response to increasing demand for them.
But this change also has some interesting security implications which I’ll discuss next week.
Applications in the Cloud
About a decade ago, if you wanted to put your application on the Internet, you started by buying a server. Then, you had two choices: Bring enough bandwidth to your office or put your server in someone else’s facility. Given the cost of Internet connectivity at the time, it was usually less expensive to rent rack space but, for smaller applications and low volume Web sites, some of us did very well with $100 per month ISDN lines.
Hosting providers understood this, too, and quickly started offering turnkey solutions that included both the server and Internet connectivity. For example… Today, that same $100 per month gets you a basic server in a commercial data center connected to the Internet. From a business perspective, it makes a lot of sense: There’s no capital outlay, no hardware maintenance cost, and the fact that it’s a pure expense is often a tax advantage.
Hosting providers also responded to the demand for something between shared Web hosting and a full server. Leveraging virtualization technology (most commonly, open source Linux), the Virtual Private Server (VPS) market was born, giving small businesses and individuals their own virtual server starting around a $30 per month price point.
For many small businesses, a rental VPS server is a great solution. However, if you’re setting out to develop the next Web 2.0 killer application, your major challenge is scalability. If you’re lucky and your app is an amazing success, how will you handle the load? Will it become the next Facebook, or will poor performance send it spiraling right into its grave?
Cloud computing is a simple concept: Instead of purchasing specific hardware, why not just purchase computing resources such as virtual computers and virtual storage as you need them?
Over the next few weeks, I’m going to be looking at the Cloud computing phenomenon and discussing the security implications. If you have any questions, please feel free to send them via TLP’s ‘Ask the Editor’ page.
Security Failures
If you’ve ever decided to lose weight, you’ve undoubtedly been exposed to an endless stream of products, most of which make it sound very easy. Take this pill or drink this tea and those extra pounds will simply disappear. While deep down we know that achieving weight loss requires a process in which we consume less energy than we expend, that silver bullet is much more attractive. Given the choice, we’d all rather swallow a few pills than change how we eat and hit the gym.
Security is often more complicated than weight loss, but it suffers from many of the same problems, including the search for a silver bullet and a tendency to focus on only a small part of the problem. I hear a lot of variations on the same basic question:
With all the advances we’ve made in security like firewalls, anti-virus, anti-spam, intrusion detection, intrusion prevention, data loss prevention [and the list goes on], why do we continue to see an increase in the number and severity of security breaches?
Some people will tell you it’s because we’ve become better at detecting security breaches, and that is true. Others would tell you that it’s because information crimes have become heavily monetarized, and that’s also true. But the real root of the problem is that we spend way too much time and money searching for that technical silver bullet and not nearly enough addressing critical issues like sound operational practices, personnel security and training.
Security, like weight loss, is a process. Contrary to the sales pitch, there is no product that will make you or your information “secure”. We hear terms like “completely secure” and “totally secure” all the time, but these states simply don’t exist. Some products can help, but only if they are incorporated into a foundation of solid security processes.
If we really want to stop failing, we need to shift our focus toward actively managing risk. We need to better understand our current risk situation, determine what level of risk is acceptable, and then we’ll be in a much better position to make security program, process, and product decisions.