The Doppler Quarterly Summer 2016 | Page 20

Application Security in the Public Cloud

David Linthicum
Security must continuously change and evolve to respond to changing risks, and it’s no longer just a problem for IT security and the infrastructure team. Developers are now in the fight.
For the past 30 years, IT security has been focused on infrastructure. All you needed to do was place layers of security around your applications and data and all would be well. But even if that ever worked, it certainly doesn’t anymore. With hackers testing the limits of security systems on a daily basis, the pressure is on development teams to provide better security at the application layer as well. And moving your apps to the public cloud is yet another game changer.
The cost of not integrating application security is steep. Home Depot, for instance, was involved in a headline-making cyberattack that targeted its payment terminals. The security breach left approximately 56 million credit and debit card numbers exposed. Multiply that by Ponemon Institute’s estimated cost of $194 per compromised record in the average data breach and you can see the enormity of the risk. Those costs include investigation, remediation, notification to individuals, identity theft repair and credit monitoring, regulatory fines, disruptions in normal business operations, lost business, and related lawsuits. Bottom line:
The dollars you spend to protect against breaches that could take down your entire business are the best security investments you’ll make this year.
On the positive side, moving your apps to the public cloud does not necessarily mean that you’re giving an inch on security. Indeed, the approaches and mechanisms available to developers and administrators in the public cloud are often better than the tools and methods you use within the enterprise.
However, in the context of the cloud, you need to look at security as a systemic concept. Long gone are the days when you could just build fences around applications and data and call it a day. Just ask Home Depot, Sony, Target, and other victims of major breaches whether traditional approaches to application and data security worked for them. Here’s what does work.
Cover Your Basics First
Developers who build applications to run in public clouds, or migrate and refactor applications for the cloud, should focus on a few basic security concepts, including authorization, auditing, confidentiality, and integrity.
Authorization addresses the question: what are you authorized to do? This process governs the resources and operations that the authenticated user has permission to access. Resources include files, databases, tables, rows, and so on. Users can either access the entire resource, a part of the resource, or none of it.
Auditing and logging guarantee that a user cannot deny an operation or initiate a transaction without the activity being recorded. In cloud applications, this means you log the use of the application or the data store for compliance or other legal reasons. Auditing
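The three outcomes just described (whole resource, part of it, or none) and the auditing concept named among the basics above can be shown in a few lines of code. The following is an added example written for this article, not code from the Doppler or its author; the users, the policy table and the "orders" rows are constructed for illustration, and the `read_rows` and `audit_entries` functions are hypothetical names. It grants table-level or row-level access from a default-deny policy and records every decision, allowed or denied, before returning or raising.

```python
"""Minimal authorization check with an audit trail (added example, not from the article).

Policy semantics:
  - an entry whose predicate always returns True  -> access to the entire resource
  - an entry whose predicate filters rows        -> access to part of the resource
  - no entry at all                               -> no access (default deny)
Every decision is written to AUDIT_LOG so that no read goes unrecorded.
"""
from datetime import datetime, timezone
from typing import Callable, Dict, List, Optional, Tuple

# Constructed sample data: a small "orders" table.
ORDERS: List[dict] = [
    {"id": 1, "region": "east", "total": 120.0},
    {"id": 2, "region": "west", "total": 75.0},
    {"id": 3, "region": "east", "total": 300.0},
]

# A grant is a predicate over one row: True means the caller may see that row.
Grant = Callable[[dict], bool]

# Constructed policy keyed by (user, resource). Anyone not listed gets nothing.
POLICY: Dict[Tuple[str, str], Grant] = {
    ("alice", "orders"): lambda row: True,                   # whole table
    ("bob", "orders"): lambda row: row["region"] == "east",  # only east rows
    # "carol" has no entry -> denied
}

# In-memory audit log; a real deployment would ship this to an append-only store.
AUDIT_LOG: List[dict] = []


def _audit(user: str, resource: str, action: str, outcome: str, rows: int) -> None:
    """Record one authorization decision with a UTC timestamp."""
    AUDIT_LOG.append({
        "ts": datetime.now(timezone.utc).isoformat(),
        "user": user,
        "resource": resource,
        "action": action,
        "outcome": outcome,
        "rows": rows,
    })


def read_rows(user: str, resource: str, rows: List[dict]) -> List[dict]:
    """Return the rows `user` may read from `resource`, logging the decision.

    Raises PermissionError when the policy has no grant for the user, after
    the denial has been recorded (fail closed, but never silently).
    """
    grant: Optional[Grant] = POLICY.get((user, resource))
    if grant is None:
        _audit(user, resource, "read", "denied", 0)
        raise PermissionError(f"{user} is not authorized to read {resource}")
    visible = [row for row in rows if grant(row)]
    _audit(user, resource, "read", "allowed", len(visible))
    return visible


def audit_entries() -> List[dict]:
    """Return a copy of the audit log for inspection or export."""
    return list(AUDIT_LOG)


if __name__ == "__main__":
    for who in ("alice", "bob", "carol"):
        try:
            print(who, "->", [r["id"] for r in read_rows(who, "orders", ORDERS)])
        except PermissionError as exc:
            print(who, "->", exc)
    for entry in audit_entries():
        print(entry)
```

The point to notice is that the deny path writes its audit record before raising: an authorization layer that only logs successes leaves exactly the events an investigator most needs unrecorded.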
18 | THE DOPPLER | SUMMER 2016