Every organization that develops or integrates software needs a software security initiative (SSI)—that has been true for years. Security is, or ought to be, as important as function and features.
Now that the large majority of organizations have already migrated, or plan to migrate, some or all of their applications, storage, and workloads to the cloud, it is equally true that cloud security needs to be integrated into that SSI.
After all, the threats and risks are as great, or even greater, in an environment where, as Synopsys product marketing manager Steven Cohen put it last year, “the cloud interfaces with just about every application and corresponding infrastructure stack in existence.”
The list of vulnerabilities common to both on-premises and cloud environments is well known but worth repeating: weak identity, credential, and access management; insecure APIs; insufficient due diligence; lack of encryption; and malicious insiders.
Vulnerabilities specific to the cloud exist largely because using a cloud services provider (CSP) means you’re not the only customer. It means shared tenancy, multiple users on the same stack, and shared technology vulnerabilities.
All of which makes for a very large, very attractive attack surface and enables the usual list of very bad outcomes: data breaches and data loss, account hijacking, advanced persistent threats (APTs), abuse and nefarious use of cloud services, denial of service, and ransomware.
But you can make the cloud a much safer place by making cloud security best practices part of your SSI. And there are roadmaps to help you do it.
Cohen, who has researched building security into cloud migration of workloads, has offered a number of recommendations for cloud security best practices.
For starters, it is crucial to “integrate application security testing and other vulnerability scanning capabilities into the deployment cycle, including scanning containers if they are used,” he said. In other words, find and fix vulnerabilities in applications before they are up and running in the cloud, and treat a failed scan as a failed build rather than as a report to read later.
There are multiple tools available to do so—a veritable alphabet soup of acronyms, including SCA (software composition analysis, which finds known vulnerabilities in the third-party components you ship), SAST (static application security testing, which analyzes your own source code), DAST (dynamic application security testing, which probes the running application from the outside), and IAST (interactive application security testing, which instruments the application while it is exercised by tests).
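As an added example, not code from the article, from Synopsys, or from any scanner vendor, here is a Python deployment gate of the kind that turns a scan into a decision: it consumes a container image scan report and fails the pipeline on any HIGH or CRITICAL finding that has not been explicitly risk-accepted. The report is a constructed sample modelled on the JSON layout that Trivy-style image scanners emit, the vulnerability IDs are placeholders rather than real CVEs, and the exception list with expiry dates is an assumption about how a team would record accepted risk.

```python
"""Deployment gate over a container/SCA scan report.

Added example, not code from the article or from Synopsys. The report
is a constructed sample modelled on the JSON layout of Trivy-style
image scanners; the vulnerability IDs are placeholders, not real CVEs.
"""
import json
from datetime import date

# Constructed sample report: one image, three findings (placeholder IDs).
SAMPLE_REPORT = json.dumps({
    "ArtifactName": "registry.example.com/payments-api:1.4.2",
    "Results": [
        {
            "Target": "registry.example.com/payments-api:1.4.2 (debian 12)",
            "Vulnerabilities": [
                {"VulnerabilityID": "PLACEHOLDER-0001", "PkgName": "libssl3",
                 "InstalledVersion": "3.0.11-1", "FixedVersion": "3.0.13-1",
                 "Severity": "CRITICAL"},
                {"VulnerabilityID": "PLACEHOLDER-0002", "PkgName": "curl",
                 "InstalledVersion": "7.88.1-10", "FixedVersion": "",
                 "Severity": "HIGH"},
                {"VulnerabilityID": "PLACEHOLDER-0003", "PkgName": "zlib1g",
                 "InstalledVersion": "1.2.13-1", "FixedVersion": "1.2.13-2",
                 "Severity": "LOW"},
            ],
        }
    ],
})

SEVERITY_RANK = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

# Hypothetical risk-acceptance register: finding ID -> expiry (ISO date).
# An expired exception no longer suppresses the finding, so accepted
# risk has to be re-reviewed instead of silently living forever.
EXCEPTIONS = {"PLACEHOLDER-0002": "2099-01-01"}  # no upstream fix yet


def findings(report_json):
    """Flatten a scanner report into one dict per finding."""
    report = json.loads(report_json)
    out = []
    for result in report.get("Results", []):
        for v in result.get("Vulnerabilities") or []:
            out.append({
                "id": v["VulnerabilityID"],
                "pkg": v["PkgName"],
                "severity": v.get("Severity", "UNKNOWN").upper(),
                "fixable": bool(v.get("FixedVersion")),
            })
    return out


def gate(report_json, fail_on="HIGH", exceptions=EXCEPTIONS, today=None):
    """Return (passed, blocking_findings).

    Blocks on any finding at or above `fail_on` unless an unexpired
    exception covers it; lower-severity findings never block."""
    today = today or date.today().isoformat()  # ISO strings compare correctly
    threshold = SEVERITY_RANK[fail_on.upper()]
    blocking = []
    for f in findings(report_json):
        if SEVERITY_RANK.get(f["severity"], 0) < threshold:
            continue
        expiry = exceptions.get(f["id"])
        if expiry is not None and expiry >= today:
            continue  # accepted risk, still in force
        blocking.append(f)
    return (len(blocking) == 0, blocking)


if __name__ == "__main__":
    passed, blocking = gate(SAMPLE_REPORT)
    for f in blocking:
        fix = "fix available" if f["fixable"] else "no fix yet"
        print(f"BLOCK {f['id']} {f['pkg']} {f['severity']} ({fix})")
    raise SystemExit(0 if passed else 1)
```

Run as the last step of the image build stage; a non-zero exit stops the deploy. The design point is that the scanner output alone is not a control: the threshold, the exception register and its expiry dates are what make the scan enforceable, and an exception on a finding that has a fix available should be a red flag in review.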
Those using a public cloud should also make it mandatory to run workloads on a leading IaaS (infrastructure as a service) provider and to use that provider’s security capabilities to protect them.
Because, as Cohen notes, the results are worth it: “Through 2020, workloads that exploit public cloud IaaS capabilities to improve security protection will suffer at least 60% fewer security incidents than those in traditional data centers,” he said.
Security in the cloud will also benefit from a strong DevSecOps culture. Cohen said many organizations “engineer their own platform-as-a-service (PaaS) stacks to provide a layer of abstraction between their applications and public IaaS offerings. This essentially allows them to retain control and independence while reaping the benefits of cloud economics.”
Beyond those basics, here is a useful list of cloud security best practices your SSI should include.
Finally, keep in mind that you can do all that and still be vulnerable if you ignore one of the most basic fundamentals of security: Keep up-to-date. Know what you’re running, and keep track of reported vulnerabilities and patches.
In the end, cloud security best practices aren’t much different from any security best practices. Cohen said the statistics make it clear: The overwhelming majority of security breakdowns won’t be the CSP’s fault; they’ll be the result of organizations failing to patch and update.
“Through 2020, 95% of cloud security failures will be the customer’s fault,” he said. “And 99% of vulnerabilities exploited will continue to be ones known of by security and IT professionals for at least one year.”
Taylor Armerding is an award-winning journalist who left the declining field of mainstream newspapers in 2011 to write in the explosively expanding field of information security. He has previously written for CSO Online and the Sophos blog Naked Security. When he’s not writing he hikes, bikes, golfs, and plays bluegrass music.