Security Testing in the Cloud: What to Know
Cloud computing allows us to access our email, documents, applications, and more from anywhere with an Internet connection. Everything that used to be stored in-house on a private network is now just “out there” on the Internet. This phenomenon simultaneously offers a variety of new opportunities as well as a new attack surface for malicious hackers.
This new attack surface is what inspired cloud security as a discipline within the broader field of cybersecurity. Cloud security refers to the protection of data, applications, services, and infrastructure in the cloud. Many aspects of security for cloud environments (public, private, or hybrid) are similar to those for in-house IT architecture.
The truth is that, in some cases, cloud service providers can actually provide a more secure environment than an individual organization because they focus on it as a critical business function. Amazon EC2, for example, holds around 30 different international security certifications. Trust is key to a cloud service provider’s success.
As an organization that takes advantage of the flexibility and elasticity of the cloud, you don’t have to manage physical servers or storage devices. It is, however, important for you to monitor and protect the flow of information into and out of your cloud resources.
You can outsource operations but not responsibility. You want customers to feel confident about the service you offer, and this is especially important when the service runs exclusively in the cloud.
In this article, I interview Mathias Brenner, CTO at SHERPANY. Brenner believes that it's essential to be transparent with your customers with regards to how you manage cloud security. For more than six years, he and his team have been building secure meeting management software for C-level Executives and Board Members. In this interview, he talks with me about how SHERPANY gained its customers' trust and the challenges he faced along the way.
What best practices have you come across while building security programs at a cloud company like SHERPANY?
MB: I think the ISO/IEC 27001 standard “Information technology – Security techniques – Information security management systems – Requirements” is a good starting point for the development of a new security program. The specified Information Security Management System (ISMS) is broadly adopted across multiple industries and covers various important aspects of information security. The risk-based approach at its core can be tailored specifically to the needs of an organization which makes this framework practical in different contexts.
From this point on, it depends heavily on an organization's context and offering. Are you developing software? Then, you should probably implement a “Security Development Lifecycle” (SDL). Are you processing sensitive personally identifiable information (PII)? Then, the implementation of an appropriate PIM is the way to go. A good example here is the British Standard 10012:2017, which even addresses the requirements of the General Data Protection Regulation (GDPR).
Last but not least, there are some important concepts that should be considered when building a security program. Defense in depth is one example that is not explicitly mentioned in the ISO standard. Nowadays, it is not enough to “just build a big wall” around your premises. You need to implement multiple layers of security, which include perimeter defense, intrusion detection, and incident response. Don’t only focus on keeping malicious actors out but also think about what to do if someone gets in.
As a company that offers a SaaS solution, are there certain measures or extra precautions that you take to secure your application?
MB: In my opinion, the security measures and precautions do not depend on whether an application is running in the cloud (public or private) or on-premise. There are other factors, e.g. the sensitivity of processed data, exposure, or complexity, that determine the security requirements. The fact that, due to these characteristics, a lot of cloud providers should have high security standards does not mean that an on-premise solution has lower requirements by default. Security is always connected to context.
What are the main challenges with offering a service that runs exclusively in the cloud when it comes to security? How do you combat those concerns?
MB: I think there are various challenges arising from the characteristics I have mentioned above, but these are the most obvious and not unique to cloud solutions. From my experience, besides acting according to leading security principles, one of the most important ones is to earn the trust of your customers. With the recent hacks, breaches, and cyber attacks appearing all over the news, this can be quite challenging. Trust is so important as customers outsource entire processes to an external entity and thus depend on the adequate performance of the provider.
At SHERPANY, we address these concerns from various sides. Mainly, we invest a lot of resources into security and data privacy. Securing customer data is our main concern. Thus, we are transparent about how we manage security. We think that security through obscurity is the wrong approach; hence, we allow our customers to inspect and assess our security program as a collaborative partnership. Additionally, we work exclusively with experienced security partners in the market as well as educate our employees on security. To get things done right from the beginning, our regularly trained employees are all specialists in their areas of expertise. Where we lack these kinds of internal resources, we team up with well-known industry leaders in order to get access to the know-how of their specialists. Finally, we offer a very solid legal framework. We define the terms and conditions of our cooperation with customers, as well as with our suppliers, in a very clear and definitive way. This enables us to have clear responsibilities, tasks, and deliverables.
What are the benefits from a security standpoint to operating in the cloud?
MB: The key benefit is to focus on your own core processes and competencies. Moving towards a cloud solution often means that an organization is outsourcing a certain process to an external provider. This step results not only in the risks and challenges discussed above but also in significant benefits. A cloud provider generally has its people, infrastructure, and know-how tailored to deliver a very specific service and therefore is very effective in what it does. Overall, this often means a better quality of service. Quality of service also includes the security aspect of a solution.
To sum it up, I think that when outsourcing a process you are able to transfer specific responsibilities to an external partner and benefit from its expertise, know-how, and scalability. This allows you to focus on your core business and conquer your market while mandating a specialist to manage certain necessities.
How does the cloud change the way you pentest your applications?
MB: Due to the natural exposure of cloud solutions, security audits play an essential role when delivering a secure service. When doing so, the focus should not only be on the technical application itself. It is necessary to keep the big picture in mind and thus consider the whole environment plus its surrounding processes. This includes audits of the application, the infrastructure, the network, and the associated security processes and policies. Especially in the cloud context, you should not only have the regular tests but also proceed promptly with fixing the identified vulnerabilities. Depending on the vulnerability itself, the complexity of the environment, and the engineering processes, this can be a challenge.
For an outsourcing provider, external assurance is a valuable asset when meeting compliance requirements and earning trust. Therefore, pen-testing by an external specialist should be mandated at least once a year. This provides, on the one hand, quality assurance for your internal processes, and on the other hand, serves as evidence that you take security seriously.
What effect does business logic have on cloud security testing?
MB: In the world of security testing, there are different stages. While we discussed the actual testing stage (pentesting) already in the question above, I would like to dive a little bit deeper into the risk determination of the identified vulnerabilities, because this is where the business logic has the most impact on the whole process.
When assessing the risk of a vulnerability, it is important to always consider the underlying business logic. Let’s say a pentester identifies two similar SQL-Injection vulnerabilities in your web app — one on your publicly available login-page and one in your administrator's backend. Since the technical constraints and conditions for these vulnerabilities are probably similar, the technical risk is probably the same. As an owner of a cloud application, this is not very interesting to me because it is a theoretical value. If we add the dimension of the business logic to our assessment, we get a more practical value and the result looks drastically different. While the administrator backend is only accessible for a few internal employees, the login page is exposed to the entire Internet and, therefore, to all kinds of untrusted visitors. In this case, the effective associated risk is undoubtedly higher. So when I coordinate and plan the remediation of the two vulnerabilities, the one on the login-page is more critical and, therefore, should be focused on first.
This simplified scenario shows very well why business logic plays an important role in the process of security testing. In my opinion, this is, because of the naturally high exposure, especially true in a cloud context, but it should be considered for non-cloud solutions as well.
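The prioritization described in the answer above, worked through in code as an added example (not part of the interview or of SHERPANY's tooling): two findings with an identical technical score are re-ranked once exposure and data reach are factored in. The exposure weights, the sensitivity term and the sample findings are constructed assumptions for illustration, not a standard scoring scheme.

```python
from dataclasses import dataclass

# Constructed exposure weights (assumption): how reachable the vulnerable
# surface is for an untrusted actor. Not taken from any standard.
EXPOSURE_WEIGHT = {
    "internet": 1.0,       # anonymous visitors can reach it
    "authenticated": 0.6,  # any logged-in customer
    "internal": 0.2,       # a few trusted employees behind access controls
}


@dataclass(frozen=True)
class Finding:
    title: str
    technical_score: float   # e.g. a CVSS-style base score, 0.0-10.0
    exposure: str            # key of EXPOSURE_WEIGHT
    data_sensitivity: float  # 0.0-1.0: how sensitive the reachable data is


def effective_risk(f: Finding) -> float:
    """Technical score scaled by business context (exposure and data reach)."""
    if f.exposure not in EXPOSURE_WEIGHT:
        raise ValueError(f"unknown exposure class: {f.exposure}")
    if not (0.0 <= f.technical_score <= 10.0 and 0.0 <= f.data_sensitivity <= 1.0):
        raise ValueError("score out of range")
    # A fully exposed, fully sensitive finding keeps its technical score; the
    # sensitivity term is floored at 0.5 so low-sensitivity data never zeroes
    # out an internet-facing bug.
    return round(f.technical_score * EXPOSURE_WEIGHT[f.exposure]
                 * (0.5 + 0.5 * f.data_sensitivity), 2)


def remediation_order(findings):
    """Highest effective risk first; ties broken by technical score, then title."""
    return sorted(findings,
                  key=lambda f: (-effective_risk(f), -f.technical_score, f.title))


# Constructed sample: the two SQL injections from the interview, with the same
# technical score, the admin backend reaching slightly more sensitive data.
SAMPLE = [
    Finding("SQLi in admin backend", 8.8, "internal", 1.0),
    Finding("SQLi in public login page", 8.8, "internet", 0.8),
]

if __name__ == "__main__":
    for f in remediation_order(SAMPLE):
        print(f"{effective_risk(f):5.2f}  {f.title}")
```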