Code surety: Secure by design

Configuration

“It's critical to think about the type of applications customers run on the web and in the cloud – as an extension of their intranet, collaboration system, or a retailer's entire e-commerce site,” says Omar Khawaja, director of security solutions for Terremark, Verizon's cloud services subsidiary. “How are these applications, systems and clouds configured? And, more importantly, how are they securely accessed?”

As an example, Khawaja points to a customer facing web application that processes financial transactions. During the design phase, trust boundaries must be established between the web and transaction servers to protect the data. This seems like an obvious design point, but in virtual and cloud environments, these trust zones are more overlooked than they should be, say experts.

When designing to commercial cloud services providers, secure zones also encompass how customers are segmented from one another in the cloud, adds Phillips from Symantec.

“Ten years ago we wouldn't have put data from the KGB and CIA on the same RAID array of a storage service provider,” he says. “Today, cloud vendors need to deal with that same security challenge when hosting applications belonging to competing organizations in the same shared hardware and virtual infrastructure. You need to work this out at design and support separation rules with service level agreements.”

Identity federations, along with authentication and access standards – like OAUTH, XACML, SCIM and SAML – are being designed today to meet access needs, according to Eric Olden, CEO of identity and access management vendor, Symplified. “Access control, authentication, audit and administration all apply to cloud and web applications,” says Olden.

Encryption of sensitive data should also be tied to authorization, say industry experts. However, according to a survey by the Cloud Security Alliance released in November, encryption offerings in the cloud are not as robust as they should be. The report, sponsored by Trend Micro, recommends several layers of encryption for data in transit and in storage, and the need for key management.

“Any design plan must take the posture that the system will be breached and that the data inside will be accessed,” says Mark Bower, VP of product management at Voltage Security. “This is particularly true for payment transactions, which are essentially cloud-based services to merchants.”

According to Bower, authentication should be tied to data encryption to limit exposure of the full live data – especially with new techniques, like format-preserving encryption.

“Encryption should also be used to protect live data from authorized users,” he says. “For example, to verify a transaction or to match a customer to an account, an operator may only need to see the last four digits of a Social Security number or the last section of a credit card number versus the complete field.”

By now, most organizations should be encrypting their sensitive information in a datacentric manner, which means sensitive material stays encrypted at rest, in transit and in use. If organizations are migrating to an IaaS where they're responsible for their applications, it may suffice to replicate the same technology in the cloud through standards-based APIs.

If purchasing software-as-a-service, organisations should discover how the provider will help them carry their encryption and, in particular, key management over into the cloud. For example, Voltage manages keys in the cloud for Voltage Cloud Service-based file and email encryption customers. Alternatively, enterprises may want to control their keys themselves with on-premise key servers for their applications in the cloud.

When considering application deployment to the cloud, the specific type of hosting environment will determine who and how security capabilities such as encryption and monitoring will be supported, says OWASP's Manico.

For example in the IaaS model, the organization acquiring the service is responsible for its own applications. With SaaS (software-as-a-service), the provider manages the applications for the consuming organization. SaaS also can manage security applications in the cloud for the consumer, as well as offer new security services to the consumer.

Next: Visibility and maintenance