Less than ten minutes driving west from my home, you encounter a vast expanse of large, windowless buildings. Situated near them are impressive physical plants dedicated to cooling these buildings and providing back-up power in the case of a power failure. Whenever I drive past these complexes I always point them out to my passengers and say: “You have heard about the cloud – well, there it is.”
Businesses are moving mission-critical applications to the cloud at a rapid pace. The cost savings and other benefits simply are too persuasive not to move to the cloud. So why do organizations hesitate? Analyst studies cite security concerns as the number one inhibitor of moving sensitive applications to the cloud.
Let me examine these concerns by breaking down the conversation into two pieces: the cloud infrastructure and the applications running in the cloud.
I was once concerned that moving to the cloud was fraught with unknown perils. Then I walked into a cloud security panel of really smart, progressive security types at the RSA Conference in 2014 called “Is the Cloud Really More Secure Than On-Premise?” No less a luminary than Bruce Schneier told the audience to essentially wise up and realize that established cloud providers had more security resources and expertise than any enterprise, and that they provide security that is comparable to or exceeds that of any enterprise.
In other words, the cloud is more likely to be secure than your own environment. Therefore, you can add security to the list of benefits that make the cloud so enticing, and remove it from your list of concerns. Privacy experts will continue to call attention to questions about data leakage and other potential maladies, but the cloud environment appears to be a secure choice. Certainly there has been no flood of breach stories coming from the early adopters.
What we had to worry about was ourselves. Research actually shows that it is not the cloud that is the security risk. Over 90 percent of security issues originate with the enterprise, and not the cloud. We remain our own worst enemy, it seems, even as technology moves forward.
It is important to note that experts like Schneier are speaking from an infrastructure perspective, focusing on the broader network and data security. We still need to consider my second point regarding the security of the actual applications running in the cloud.
For that I will start with a simple truth: Moving an application full of security vulnerabilities to the cloud does not make it more secure.
The most basic cloud implementations follow the infrastructure-as-a-service (IaaS) model, where the cloud provider manages the physical devices, the network, the storage and the hypervisors. We have established that these providers – with proper vetting, of course – provide this in a secure manner. The IaaS model is often the entry point for organizations moving to the cloud, as they are able to “lift and shift” applications from their environment to the cloud in order to start reaping the benefits.
Picking up an application with security problems from your infrastructure and placing it into the cloud does not suddenly remediate the security vulnerabilities or mitigate the risk. It is like the Neil Gaiman quote “Wherever you go, you take yourself with you.” Wherever you run an application, its vulnerabilities will follow. If an organization does not follow the basic principles of software security, the risks remain.
Studies show that attacks on web applications now rank at the top of risks facing organizations. One could argue that if more and more applications are moved to the cloud, and the cloud infrastructure is really more secure, then the targeting of applications will continue to rise as other attack vectors are minimized. Even as organizations evolve to the Platform-as-a-Service model where the provider supplies just about everything but the application and the data, eliminating vulnerabilities from the software is critical.
Here is where it gets interesting. In spite of the growing recognition of risks associated with web applications, organizations have stubbornly continued to pump spending into network and infrastructure security. When the organization begins to move to the cloud and relies on the security of the cloud infrastructure, it makes less sense than ever to continue down this path. Perhaps organizations will turn their attention (and budgets) to securing applications appropriately.
At the basic level, organizations should begin by analyzing the cloud platform layer controls and testing applications for vulnerabilities, remediating what is found. If more money is moved to software security, organizations can perform deeper testing, combining static testing (SAST) and dynamic testing (DAST) and code review. Given that 50 percent of application vulnerabilities begin in the architecture level, architecture and design reviews along with threat modeling make for a comprehensive program of removing the risks of web applications. It is entirely possible to bring the security readiness of the application to the security readiness of the cloud.
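As an added illustration of the point made above (vulnerabilities travel with the application, and static testing is how you find them before the move), here is a small Python example that is not from the original post. It places a string-built SQL query beside its parameterized fix and runs a deliberately simple SAST-style pattern check over a constructed source snippet. The table, rows and sample source are all constructed for the example; the check is a toy, not a substitute for a real SAST tool.

```python
import re
import sqlite3

# Constructed in-memory database standing in for the application's data store.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "alice", "admin"), (2, "bob", "user")],
    )
    return conn

# The "lift and shift" candidate: the query is assembled with string formatting,
# so any input containing a quote alters the statement. Hosting this on IaaS,
# PaaS or on-premise changes nothing about that.
def find_user_vulnerable(conn, name):
    query = "SELECT id, name FROM users WHERE name = '%s'" % name
    return conn.execute(query).fetchall()

# The remediated version: the driver binds the value, the statement is fixed.
def find_user_fixed(conn, name):
    return conn.execute(
        "SELECT id, name FROM users WHERE name = ?", (name,)
    ).fetchall()

# A minimal static check of the kind a SAST tool automates: flag source lines
# that contain a SQL verb and also build the string with %, .format() or an
# f-string. Returns (line_number, stripped_line) for each finding.
SQL_VERB = re.compile(r"\b(SELECT|INSERT|UPDATE|DELETE)\b", re.I)
FSTRING = re.compile(r"\bf['\"]")

def find_string_built_sql(source):
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        if not SQL_VERB.search(line):
            continue
        if " % " in line or ".format(" in line or FSTRING.search(line):
            findings.append((lineno, line.strip()))
    return findings

# Constructed source snippet to run the check over (not the project's code).
SAMPLE_SOURCE = '''\
def lookup(conn, name):
    q = "SELECT id FROM users WHERE name = '%s'" % name
    return conn.execute(q).fetchall()

def lookup_safe(conn, name):
    return conn.execute("SELECT id FROM users WHERE name = ?", (name,)).fetchall()
'''

if __name__ == "__main__":
    db = make_db()
    # The classic tautology input returns every row from the vulnerable query
    # and nothing from the parameterized one.
    print(find_user_vulnerable(db, "' OR '1'='1"))
    print(find_user_fixed(db, "' OR '1'='1"))
    for lineno, text in find_string_built_sql(SAMPLE_SOURCE):
        print(f"line {lineno}: string-built SQL: {text}")
```

Run as a script, the first print lists both users and the second prints an empty list; the static check reports line 2 of the sample and stays silent on the parameterized `lookup_safe`. The same check, like the same defect, gives the same answer wherever the code is deployed, which is the practical meaning of testing the application rather than the infrastructure.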
Organizations should not fear security concerns when considering moving applications to the cloud. But they need to recognize that moving web applications to the cloud does not make them secure. The applications will remain a point of attack whether you simply move the application to the cloud or make use of the full range of cloud services. Organizations should embrace the security benefits of the cloud infrastructure and redirect resources to ensure application vulnerabilities are addressed to reduce the associated risks.
So go boldly to the cloud. Next time I pass those datacenters on my drive west, I promise to wave to your applications as I drive by.