5 Myths of Application Security in the Cloud

Enterprises around the world are adopting cloud services because they offer benefits such as greater agility and the ability to instantaneously make compute, storage and network resources available when and where they are needed.

But as more businesses leverage applications that are hosted in the cloud, the lines between corporate networks and the internet become blurred. Accordingly, enterprises need to develop an effective strategy for ensuring security. The problem is, many of today’s most common approaches simply don’t work in this new cloud-based environment.

The following are 5 myths that must be debunked in order for companies to optimize application security in the cloud.

Myth #1: Security is uniform and standardized among cloud hosting companies

Companies should not make the assumption that all cloud providers are alike when it comes to security. Security offerings, as well as support for them, vary across all vendors.

Efforts are underway in the industry to enhance the overall security posture of cloud providers and make it easier for companies to assess the security of hosting companies. For example, the Cloud Security Alliance (CSA) operates a STAR Registry program that is open to all cloud providers and allows them to submit self-assessment reports that document compliance with CSA published best practices. The registry enables potential cloud customers to review the security practices of providers.

CSA says the program represents a “major leap forward in industry transparency, encouraging providers to make security capabilities a market differentiator.”

But there are no guarantees that a given cloud provider is adhering to any particular standards or practices when it comes to security. In addition, risks can be specific to the particular hosting platform; for example, AWS is built differently than Microsoft Azure.

Finally, remember that cloud providers are in the business of operating hosting services. Security is not their core business, nor is it one of their expertise areas. As such, it’s up to companies using these services to ensure the proper security controls and mechanisms are in place to address all the possible threats and vulnerabilities.

Myth #2: Applications hosted in the cloud are totally protected by their cloud service providers

Another misconception is that cloud services providers offer protection for all applications that are hosted in the cloud, and that the level of security and control is the same as with applications housed in enterprise data centers.

The reality is, cloud service providers expect their customers to bear a good part of the responsibility for security applications. Information security is certainly a high priority for service providers. How else would they get clients to sign up? But they typically operate with a paradigm that’s known as the "shared responsibility model."

With this model, service providers typically handle a variety of functions including the physical security of their data centers. But customers are responsible for securing whatever they run in the cloud, including applications and operating systems.

Major service provides have documented their positions on shared responsibility. For example, as AWS notes on its website: “While AWS manages security of the cloud, security in the cloud is the responsibility of the customer. Customers retain control of what security they choose to implement to protect their own content, platform, applications, systems and networks, no differently than they would for applications in an on-site data center.”

Companies need to understand what they are responsible for in terms of security, and adopt whatever application security tools and services they need in order to ensure that they are fulfilling their shared security responsibilities. This includes protecting applications in the cloud against threats such as hacker attacks and data leakage, and includes such capabilities as application-level security, access controls, identity management and strong authentication.

Organizations that sit back and expect the cloud service provider to be responsible for all aspects of security are asking for trouble.

Myth #3: Security in the cloud is the same as in the data center

Many companies might have the impression that security in the cloud is simple. For sure, the fundamentals of security in the cloud are not that different from traditional IT environments. Organizations still have to provide authentication controls and make sure they are granting appropriate access levels based on job roles or other criteria.

However, from the security professional’s perspective, they are different as night and day. The manner in which access is provided in the cloud world is quite different than with an on-premises infrastructure. With the advent of the cloud, mobile technology and the propensity for organizations to share all kinds of information with business partners, the traditional network perimeter essentially no longer exists.

In this new environment, access to applications and data has become considerably more complex. Adding to this complexity is the fact that many enterprises are now operating a hybrid IT environment, with a combination of private clouds, public clouds and on-premises computing.

As part of the effort to bolster security in this new environment, companies need to find a way to safeguard all inbound access to their IT infrastructure while at the same time isolating access to specific applications by users.

Another challenge, particularly for large enterprises, is training users to adapt to these changes and learn to work securely within the cloud model. Change management processes need to be in place to make this transition as smooth as possible.

Myth #4: Traditional demilitarized zone (DMZ) technology can provide protection for cloud environments

The cloud environment rewrites the rules when it comes to information security, and the traditional ways of providing defense in depth are simply not as effective as in the past. True, some companies take the approach of extending their data center DMZ into the cloud via dedicated big pipes, but the resulting latency from the traffic trombone is not acceptable in most cases.

As research firm IDC noted in an April 2015 report, enterprise IT architectures have evolved dramatically from the days of on-premises monolithic and simple client/server architectures with centralized resources.

“These architectures, once easily protected by firewalls and other ‘layered’ security solutions, have been replaced by highly distributed service-oriented architectures with components deployed in hybrid environments that include public and private clouds,” the report says. The stresses of today's decentralized architectures require a new model that incorporates a cloud DMZ, it says.

The use of network-based security tools such as firewalls that create a secure perimeter to protect IT assets made sense in a pre-cloud centralized environment. But today, users tend to be dispersed across a heterogeneous architecture that incorporates traditional enterprise computing, mobile devices, and the cloud, IDC says.

While the cloud DMZ functions somewhat like a traditional DMZ in that it separates traffic and resources from two sides, it is different because there are no limits around the multiple sides that might take part in the interaction, the firm says. A cloud DMZ operates as a transfer point that manages all security throughout the environment and in any location.

The report noted that the cloud DMZ has several objectives: provide a place to terminate connections that originate in a potentially untrusted zone and connect with another potentially untrusted zone; provide a controlled set of management resources; give a high level of protection to each individual component; offer strong communications security; provide a standardized, highly secure environment from which to provide management of all the controls deployed in the cloud; and offer rapid deployment.

“The architecture of the cloud DMZ is new and relies heavily on innovators that are willing to stake a claim to a new security model,” IDC says.

Myth #5: Virtual private networks (VPNs) provide adequate security for accessing apps in the cloud

VPNs have long been touted as a secure method of providing access to enterprise applications for remote users. A logical extension would be that if apps are placed in the cloud, no additional security is required. In reality, VPNs are not as secure as you might think.

Over the years, the basic VPN security model hasn’t really changed. The technology is used to link remote users, databases or offices to a secured network. One of the characteristics of VPNs that has made them attractive to companies is that they are less expensive than dedicated leased lines.

Despite the long-term popularity, VPNs have a number of shortcomings and management complexities, which might have been overlooked in traditional IT settings but have become more apparent with the emergence of the cloud and mobile technology.

For one thing, VPNs provide excessively wide network access, giving users and devices full network access even if they don’t need it. They provide a way to securely extend a data center network to end points such as smartphones and laptops, and data transmission is private.

But users essentially have access to any applications in the network, even though most only use a limited number of applications. Furthermore, malware infested on devices that gain network access over a VPN might look for vulnerabilities within internal applications. If only application-level access was granted to users, the attack surface of the malware would be constrained.

Another drawback is that VPNs don’t control access to applications based on user identities. Even if a user is authenticated does not mean he should have access to all applications in the network. VPNs are used in conjunction with firewalls that provide network level filtering of IP/port combinations. But network policies change over time and it’s impossible to maintain complete visibility into the applications a VPN-user can use.

In addition, VPNs are a weak security solution and management burden for access to internal applications by third parties such as consultants, contractors and other business partners. Usually, third parties only need access to particular applications for a limited time. Having to configure, manage and deploy subnets for third parties—and manage user moves, adds and changes—is time consuming.

Organizations that are looking to deploy applications hosted in the cloud need to keep these myths in mind as they plan out their strategy. Ensuring data security in the cloud is no trivial matter, and companies need to take the lead—with their cloud providers as strong partners—in making sure that they have the proper security tools and services in place.