Cloud computing security, is your seatbelt on?
Cloud computing is now-a-days the buzzword in the Techworld. Every techie wants to know about it and work on it. Every CEO wants it be on their strategic business plan. The Techworld out there is researching, exploring and working on how and what to create, market, and sell.
Every Industry at small, medium and big scale are embracing cloud in big or small way, some are already on cloud and reaping the benefits it has got to offer. Some are in the process of getting on to the Cloud bandwagon, while some are following the wait and watch approach. There is intense competition of who gets their first.
Some of the Top cloud computing providers are Amazon, Verizon, IBM, Salesforce, CSC, Rackspace, Google, Bluelock, Microsoft & Joyent. With some of the biggest names out there it has already generated the necessary interest and captured the imagination of the techworld.
Cloud computing has been identified as one the top strategic technology which is going to re-shape the world in this decade. http://www.gartner.com/it/page.jsp?id=1454221
According to the survey by Global Industry Analysts & Gartner's, cloud computing is one of the fastest growing markets, the market size is forecast to touch $222.5 billion by 2015.
Cloud computing is going to change the way the world is today, the way pervasive devices store, communicate, connect and operate today, going to change the way tomorrow's products are going to be designed and developed. It is going to change the way business is conducted as on today. Many of existing technologies would be converging into cloud. Today the storage occupies biggest space in all of the connected and disconnected electronic devices. For every device which is connected to net, the storage is going to diminish and at some point there is not going any storage on these devices, they are going to be using cloud and devices would become much smaller, thinner and sleeker. More and more devices would get connected to cloud, changing the way we talk, we function & the way we work.
Now that we have set the context about how Cloud computing is going to be way of life, let's discuss about what are the issues that may hold back or slow down the progress, what are the issues that are causing worry lines and making the consumers think...
One of the biggest concerns that the consumers around the world have is of security.
When our data, business process, applications are deployed to Cloud, how secure are our data, business process & applications going to be. This is one of the top most questions by the customers. What are security solutions that are provided by cloud service provider, what are the security solutions that can be built into products, Business applications, and Enterprise applications by different IT vendors?
"Cloud security market is forecasted to touch $1.5bn by 2015" according to a Forrester report.
Security in Cloud computing would need to consider and address following areas. Come up with secure Governance model, Address how the Compliance framework is going to be addressed and managed, now that the application boundary is no more on-premise, it is going to cut across states, countries & international boundaries. In this context how will the state, country, region specific laws & regulations apply? How to establish a trusted environment in which all the stakeholders can operate seamlessly, how to secure the cloud computing architecture, how to operate securely in the multitenant environment, what are the authentication, authorization and access control techniques going to be, how to develop and maintain applications which are cloud secure, how to develop applications which can counter the threats/vulnerabilities, how to achieve secure isolation between the different VMs, Data protection and how to ensure 100% availability.
Let us look at how applications can be created, maintained which are cloud secure. Firstly for the existing applications which are planning to be migrated to cloud, it will first need to go through a security assessment and find out where does it stand on the vulnerability and threat index. Based on the recommendation it will then need to pass through security testing process which includes secure code analysis, threat modeling, security testing to identify all the vulnerabilities. Fix the identified vulnerabilities. Once the applications are verified to have the vulnerabilities fixed, it can then be deployed to Cloud.
Secondly for the new applications which are developed for cloud it has to follow the secure development life cycle model. Security requirements will need to be captured along with project requirements at beginning stage, security features will have to be built into the design, performing threat modeling at the design stage would help to identify the possible threats and help in secure design, perform secure code analysis during the coding stage, plan for security testing during the testing stages. Security will need to be built in at every stage throughout the life cycle of the project. It is always recommended to plan for security at the beginning of the project and throughout the project life cycle rather than trying to fix it at the end of the project. Fixing the vulnerabilities at the end of the project is lot more difficult and will escalate the cost throwing your project budgeting and scheduling off track.
TADM team at Infosys Labs has been working on application security for years now and we are currently focusing on how to develop secure cloud applications. Currently we are in the process of developing the processes, methodology, creating checklists, establishing guidelines, designing solutions, IPs and papers to secure applications for cloud.
Your applications on cloud without having taken security into consideration is like driving a car without wearing your seat belt, it is like flying in a plane without wearing your seat belt. There are chances that you may reach your destination, but there is no guarantee that you will reach in one piece.
Does your applications have the seat belt on, if not it is time to wear one and we at Infosys labs have the resources, solutions to make your seat belt as secure as possible
In my next blogs, I will talk more about different aspects of cloud security, top threats, vulnerabilities, counter measures, secure SDLC process and about our solutions.