Cloud Application Security | 1.0 | June 2019
Cloud Application Security
The Preconceived Cloud Security Problem
Businesses are overwhelmingly realizing the benefits of adopting cloud infrastructure strategies. Software, Platform and Infrastructure “As A Service” options are supporting wholesale Digital Transformation for small to medium businesses and large enterprises alike. Eight out of ten organizations depend on cloud services for critical business functions including web application publishing, communication, productivity, application development, business intelligence, and disaster recovery and storage solutions¹. Yet although nine out of ten organizations are significantly concerned about cloud security and the inherent risks to their data², an alarming number of organizations lack an effective strategy to manage vulnerabilities and risk within their cloud computing environments, mistakenly assuming that “my cloud provider takes care of security for me”.
SaaS vs PaaS vs IaaS – As A What?
Software as a Service has revolutionized how organizations consume commodity services like email, with industry leaders like Microsoft and Google now providing fully managed services instead of simply supplying software that you install and operate yourself. The majority of security professionals will agree that, for most businesses, operating a commodity service like email yourself introduces unnecessary risk, given the knowledge and ongoing time required to regularly upgrade and patch it and to ensure it meets security industry guidelines. In this case, outsourcing to an industry leader with significant resources and mature security processes not only reduces cost but is also an effective strategy to mitigate the risk of the system and data being
Infrastructure as a Service, such as Amazon EC2, is the most commonly used cloud service. It allows companies to leverage a wide range of resources while also gaining full control over critical security aspects such as the underlying operating system, which many bespoke enterprise-level application ecosystems require.
Infrastructure as a Service is just that: infrastructure. Cloud providers offer a number of tools to secure and support Infrastructure as a Service environments; however, it is incumbent on the tenant to implement them.
Secure cloud hosting requires new strategies and technologies; however, many organizations do not have, or are unable to find, the resources to implement or maintain the security controls needed to achieve this outcome.
The IaaS AWS Cloud Security Shared Responsibility Model
Cloud service providers like Amazon Web Services invest significant resources in, and place the utmost importance on, the security of their environments. Fundamentally, this includes the availability and security of their global physical data center infrastructure, the virtualization hypervisor, and software-defined networking components.
The delineation for organizations using the most common Infrastructure as a Service is clear: everything you place in the cloud is your responsibility, including client- and server-side encryption, operating system, network and firewall configurations, vulnerability management and patching, identity and access management, the software you install, and your customers’ data. Gartner cited the lack of assumed responsibility as the primary factor when predicting that through 2020, 95% of cloud security incidents will be the fault of the tenant, not the provider.
Managing security asymmetry has been a key challenge for cloud providers, who have introduced additional platform, container, and abstract services to allow a cloud consumer to move some or all of the security responsibilities to the provider. Unfortunately, the benefits of such offerings are marred by the requirement of the cloud provider to restrict access to features and functionality that pose a security risk. Many of today’s applications were not designed or built for cloud compatibility and rely on functionality that is only available as part of Infrastructure as a Service, leaving YOU, the cloud tenant, squarely responsible for the security of the environment.
RedShield – Managed Application & Cloud Perimeter Security
RedShield is the world’s first and only web application shielding-with-a-service cybersecurity company. The RedShield shielding-with-a-service offering combines superior web application shielding software with industry-leading cybersecurity services. Powerful vulnerability intelligence, exploitation research and a prolific database of known exploits ensure the right shields are deployed quickly, minimizing application downtime and costly remediation delays.