Moving your applications to cloud can help you reduce costs and increase productivity. However, securing your applications and data can get so much tougher considering the unfolding threat scenario and the complexities associated with administering the cloud.
Securing applications is always an area of critical concern as cyber criminals are constantly on the lookout for vulnerabilities in an application to access and steal data. When the application resides on premise you have a certain level of control over it. But securing the application when you access it on public cloud is not as easy. The most basic question that one needs to answer in a cloud environment is: who is responsible for application security? Is it the cloud service provider who hosts the application or the application developer who sells you the license?
Whose job is application security?
Some cloud service providers have comprehensively documented issues related to application security. They make it amply clear that it is a shared responsibility borne by the application provider as well as the cloud service provider. However, there is still some ambiguity as to who is eventually responsible for application security.
There are a couple of factors you need to consider before moving a workload to the cloud. Cloud service providers lend you the infrastructure to run the application. Consequently, it is their job to ensure that the application stays secure. This is easier said than done as the cloud service provider does not have adequate visibility into the application layer and that can result in vulnerabilities that hackers can exploit. The other factor that determines application security is network security. Invariably you access your applications on cloud through the network. Network security is critical in ensuring your applications are intruder-proof.
It’s important you know what you are combating
There are many factors you need to consider before developing solutions to secure your applications.
- Check for vulnerabilities within your application: Open Web Application Security Project (OWASP) regularly shares updates on top vulnerabilities. Check them out regularly and constantly monitor your applications for vulnerabilities. The website also has a treasure chest of information on techniques employed by hackers to identify and exploit vulnerabilities.
- Ensure that your application is immune to malware and ransomware: Before you move a workload to the cloud make sure that the application is fortified to ward off malware or ransomware attacks. Remember, hackers are getting extremely creative and always stay a step ahead of application developers. In such a scenario, it’s wise to put in place your own monitoring system that prevents them from targeting your application or data. This is extremely important as your cloud service provider has little or no visibility into your application layer.
- Stay clear of those bad bots: Estimates reveal that bad bots account for almost a quarter of the traffic on the web. While all these bots may not present a security challenge to your data, they can devour your server resources in a major way, resulting in huge losses in productivity.
- Applications on cloud are easy targets for Advanced Persistent Threats (APT): APTs are more lethal than malware or ransomware attacks. APTs can stay dormant within your system, unnoticed for months, and steal your data when you least anticipate it. Your application and your data is in danger irrespective of whether your application resides on cloud or on premise. Defending your organisation from APTs might require a transformation in your approach to security. You might have to infuse a security centric culture into your organisation.
- Beware of DDoS attacks that are directed at your application layer: DDoS attacks are becoming highly sophisticated and have the ability to derail your business by exploiting the vulnerabilities in your application. Your security information systems should be able to proactively detect and help protect your applications from DDoS attacks.
It’s a war moving forward
ICT brands today provide CIOs a whole range of security services on the cloud. Many believe that cloud based security services are more effective than the security systems deployed on premise. But the threat scenario is extremely dynamic, with criminals quickly getting up-to-date with transforming technologies and exploring vulnerabilities to steal your information assets. So you are constantly on the warpath. More importantly, you are only as good as the weakest link in your application and networks.
Photograph: Blue Coat Photos/Flickr