Security must always be a key consideration when deploying applications – whether they are within a data centre, hosted or on a cloud platform – and never an afterthought. After all it is the data your organisation owns and consumes that makes it unique and ultimately successful in the services it delivers. The preservation of this data and the integrity you take towards its confidentiality and availability is paramount.
There were many unfounded security fears about hosting applications on the public cloud. These have long been dispelled. The UK government’s approach acknowledges this with CESG (the National Technical Authority for Information Assurance) issuing its own guidance for public sector organisations using cloud services for handling OFFICIAL information. More recently new guidance has been issued by the Financial Conduct Authority which addresses the appropriate management of risk when using cloud services for financial services organisations such as banks and insurance companies. The FCA stated “We see no fundamental reason why cloud services (including public cloud services) cannot be implemented, with appropriate consideration, in a manner that complies with our rules.”
The rules of engagement
At the start of any project it is critical to engage the security/information assurance teams in order to understand the prevailing Information Security polices and details of all relevant regulatory compliance. This helps define the security requirements that will shape the end solution. However there also needs to be an understanding of the IT/Cloud strategy as this will influence the choices made during the journey. The approach to Information Security cannot be considered in isolation.
When designing applications in the cloud it is essential to understand the different shared responsibility of the models of SaaS, PaaS and IaaS. The value comes the further you move up the stack, as the responsibly shifts from organisations to the cloud providers as shown in the graphic below.
How mature and compliant are the features of the platform offered by the Cloud Service Providers (CSPs) you are considering? CSPs are continually bringing out new and innovative services. Selecting the services with the relevant accreditation is necessary to ensure end-to-end compliance or a least knowing what the roadmap is for these services. This allows the security/information assurance teams to make decisions based on facts and understand the possible risks that could surface.
Organisations will undoubtedly have a number of existing services within their environments that monitor and protect their current applications. The proliferation of applications distributed across multiple platforms can create issues with management. Decisions have to be made. Do you build separate instances on each platform? Do you manage them from a central location and if yes, where would that be, depending on maturity of your journey to cloud?
Considering these options gives you the opportunity to evaluate your current toolsets, many of which might be running older versions. Most organisations tend to have a number of different applications and services for antivirus, web application firewall, security logging, network and host-based intrusion detection systems. Using a Security-as-a-Service offering could potentially lower the total cost of ownership, particularly given that there is usually a plethora of mundane daily tasks involved in maintaining these services. It allows staff to focus on delivering improved features to the front end customer-facing applications.
Reducing the chance of attack
Using reference architectures and vendor secure best practice are recommended wherever possible during the design stage. Hardening guides are readily available on the Internet to help secure your systems by reducing further the surface of vulnerability. They can be applied using configuration management tools, maintaining the desired configuration and remediating any assists that fall out of compliance. Doing this ensures that the end solution is supportable during the application lifecycle. Good design documents also provide invaluable knowledge to support teams further down the line.
Your security/information assurance teams need to make decisions based on facts. The solution must therefore factor in all of the previously recorded requirements and whether they were compliant or not, taking a note of any deviations with valid justification.
Once the designs have been approved and the applications deployed, the next stage is the validation. It is always advisable to undertake an IT security health check, ensuring that the application or infrastructure adheres to all of the design principles and is implemented as such.
At this point you should be able to spot any potential issues before taking the application into production, giving it the ultimate rubber stamp and the final assurance that will please all of the stakeholders.
By Daniel Rae, Director of Professional Services for public cloud consultancy SystemsUp.
SystemsUp has over a decade of experience helping central government agencies formulate the right approach to application security, from dealing with legacy Impact Levels on hosted platforms to managing the risk around migrating those services to the public cloud.