The Shift to the Cloud and its Implications for Application Security

Everybody’s doing it: shifting applications to the cloud. More flexibility. More storage. More scalability. But how does this affect application security? What challenges does it present?

A Question Of Trust And Responsibility

The shift to the cloud also means a shift in trust and control. When the software and the infrastructure you use are on-premises, you know it’s yours, and you have responsibility for maintenance and security. With cloud services, however, you trust another vendor and their tools. While it is tempting to think that the cloud service provider will cover your security needs, that isn’t necessarily the case. The fact is, you can’t, and shouldn’t, relinquish all responsibility for your application security when you shift to the cloud.

It’s important to remember that when you buy a service, it remains your responsibility to use it properly and to supplement it with a robust AppSec strategy and tools. It’s like buying a car. Manufacturers build in a lot of safety features, but you still have to drive the vehicle correctly. In cloud environments, that involves setting up the right configurations and settings.

For example, AWS has vast data centers and the tools it provides are trustworthy. It’s up to you to use them correctly to keep your code and applications secure and updated. It’s what AWS calls its ‘shared responsibility model’ between provider and customer/user.

Interdependence And Integration

The cloud hugely expands your options, but also increases risk because you are dealing with another interface layer. As soon as you enter the cloud to take advantage of what it offers, you end up integrating and connecting with other software. And while cloud environments provide instant scalability, that also means that you can call upon more components and dependencies. You use more APIs. You’re going into third-party services, and suddenly your scope of trust has to expand, which makes it even more important that you know what software you’re using, how you’re using it, where you’re putting it, and who you’re trusting. Every item, component, and dependency should be scanned, tested, and, where necessary, updated to mitigate any security vulnerabilities and threats.

Complexity And Scale

The cloud’s interconnectedness gives you easier access to newer technologies and more ways to develop applications. It also makes things more complex, increasing risk. This should mean applying more vigilance, but many organizations don’t do that because they think their provider will cover them. In fact, working in the cloud requires a deeper understanding of what you’re working with and whether all components are configured correctly.

Similarly, complexity grows with scale and volume, which increase in the cloud. This is true when enterprise customers shift to the cloud because the bigger the customer, the more scale and complexity there is. Enterprises like banks or hardware manufacturers do things on a large scale. They’re gigantic companies with huge numbers of applications that are developed with the same reusable components put together in different ways. This creates a problem of scale because it’s harder to secure something that has 30 use cases than it is to secure something that’s used just once. And more stakeholders are involved, in teams that don’t necessarily work together. It can be unclear who’s responsible for the security of individual and shared applications, components, and dependencies. In any large organization, people create bottlenecks. So, this kind of scale tends to cause a lot of redundancy and complexity, and that means loss of efficiency and speed.

Plus, enterprises are often in highly regulated industries, so strong security and tight compliance are imperative. But their problem is the same as it has always been, just in a new context: how to quickly deliver what they want with the least amount of bureaucracy and the most volume and velocity, while meeting all their necessary security and compliance requirements.

An Opportunity To Harden Security

The shift to the cloud has focused attention on application security in a positive way. That’s because companies that are properly embracing the cloud’s potential aren’t simply shoving old on-premises applications into the cloud. Rather, they’re making new cloud-based apps and using the scope and access the cloud offers to build better products. As a result, the cloud provides a chance to start over, and the best place to implement security by design is at the beginning of the software development lifecycle. Applications that are built for the cloud should always be more secure than legacy apps that were built a decade ago.

The cloud also turns the spotlight on security precisely because it increases the incidence of, and opportunities for, sharing data, code, and software. The attack surface expands, and with that comes a greater need for robust and efficient security. It can no longer be ignored if you want to ensure that you don’t expose your applications to vulnerabilities and attacks.




