Cloud security: Apps need tough bodyguards

Even minor applications should be treated like medieval royalty and accompanied on all occasions by a personal bodyguard — particularly when the monarch takes up residence in the cloud, says Lori MacVittie

The latest successful mass SQL injection attack has propelled Lizamoon onto the agendas of information security professionals. But Lizamoon is particularly troubling because of its impact on smaller organisations. At least, that is the view of security experts, who have described it as a "run-of-the-mill threat that is mostly hitting obscure, low-traffic sites".

Large organisations, familiar with secure coding practices, have the resources and the expertise to address the lack of security services available in cloud computing. Whether they do so, or not, is another matter. Too often complacency can undermine even comprehensive security strategies.

Human error, too, can ensure the most vigilant fall victim to the constant barrage of attacks perpetrated against sites whose only crime is being accessible on the public internet.

The sheer volume and volatility of attacks against web applications should remind organisations of any size — but particularly those drawn like moths to the bright flame of cloud computing — that security is a constant concern.

King application's personal bodyguard

The recent admission by Barracuda Networks that it had been compromised by a mass SQL injection attack generated a lot of commentary — most of it negative. On the one hand, a security vendor fell victim to an attack from which it purports to safeguard customers.

But the other side of the coin, if you read Barracuda's response and explanation, is that the web application firewall (WAF) in question was not active at the time of attack.

Also unstated is the understanding by the security community at large that attacks are ongoing. Twenty-four hours a day, seven days a week, 365 days a year. Thus it is reasonable to assume that such attacks were occurring regularly while the WAF was active and no breach had occurred. This fact would certainly appear to prove that a WAF does, in fact, provide value by protecting vulnerable applications.

Organisations adopting cloud computing, whether for migration of business-critical applications or green-field development, should note the impact of removing such safeguards from the forefront of application defences. Applications secured by a WAF that move to the cloud may suddenly be vulnerable, shorn of the protection of an enterprise security infrastructure.

Moving or deploying an application in the cloud should not be an undertaking that occurs in a vacuum. Rather, it must be viewed as a migration or deployment of a mini-datacentre. Such an application deployment should be accompanied by all components and services required to implement and enforce enterprise security, in a manner not unlike the personal bodyguard of the application king.

Where King Application goes, so goes his personal security entourage. To do otherwise is to invite attack and ultimately fall victim to compromise — or worse.

Architecture is captain of the king's guard

With every new deployment model come new architectures to support it. Cloud computing is no different and in fact may require more attention because essentially you're moving an application into hostile territory and must pay special attention to security.

Cloud computing may require more attention because essentially you're moving an application into hostile territory and must pay special attention to security.

That architecture may require deployment of services in the cloud or it may require a change in the enterprise architecture to support security oversight of existing services on cloud-hosted applications. It may entail incorporating into enterprise infrastructure architecture the use of external security services.

Those services are ones deployed in another location to provide the same flexibility and coverage of applications whether they are deployed internally or in the cloud.

Regardless of which architectural approach best fits a given organisational culture and tolerance of risk, there is ample evidence that failure to protect applications — even the most obscure, low-traffic applications — will result in compromise.

Luckily, Lizamoon has a relatively low impact. Despite having infected more than 500,000 URLs, it is considered of low threat to customers because of its implementation. That assessment does not guarantee that future mass infections will have such minimal impact.

Organisations — particularly security practitioners and increasingly devops teams — will need to continue to be vigilant and steadfast, especially as applications venture out into more public and uncontrolled environments such as cloud computing.

Lori MacVittie is responsible for application services education and evangelism at application delivery firm F5 Networks. Her role includes producing technical materials and participating in community-based forums and industry standards organisations. MacVittie has extensive programming experience as an application architect, as well as in network and systems development and administration.