Everybody’s doing it: shifting applications to the cloud. More flexibility. More storage. More scalability. But how does this affect application security? What challenges does it present?
The shift to the cloud also means a shift in trust and control. When the software and the infrastructure that you use are on-premises, you know it’s yours, and you have responsibility for maintenance and security. With cloud services, however, you trust another vendor and their tools. While it is tempting to think that the cloud service provider will cover your security needs, that isn’t necessarily the case. The fact is, you can’t, and shouldn’t, relinquish all responsibility for your application security when you shift to the cloud.
It’s important to remember that you’re buying a service, but it remains your responsibility to use it properly and to supplement it with a robust AppSec strategy and tools. It’s like buying a car. Manufacturers build in a lot of safety features, but you still have to drive the vehicle correctly. In cloud environments, that means configuring the services correctly: who can reach what, which identities hold which permissions, what is exposed to the internet, and what is encrypted and logged.
Take Amazon, for example. AWS runs vast data centers and the tools it provides are trustworthy, but it’s up to you to use them correctly and wisely to keep your code and applications secure and updated. AWS calls this its shared responsibility model: the provider is responsible for security of the cloud (the facilities, hardware and managed services), while the customer is responsible for security in the cloud (their data, identities, configurations and application code).
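As an added illustration of the customer’s half of that model (this is example code written for this page, not AWS tooling): a small audit of S3 bucket policy documents that flags Allow statements open to every caller. The three policies, the account ID 123456789012 and the organization ID are constructed placeholders; the policy shape is the standard IAM JSON grammar.

```python
"""Audit S3 bucket policy documents for statements that grant access to
everyone. All policies here are constructed examples for illustration."""

# Constructed example: anonymous read access to every object in the bucket.
WEAK_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-reports/*"},
    ],
}

# Constructed example: the same read access, limited to one role in the
# account, plus a Deny that refuses plaintext (non-TLS) requests.
HARDENED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AppRead", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:role/reports-reader"},
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-reports/*"},
        {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
         "Action": "s3:*",
         "Resource": ["arn:aws:s3:::example-reports", "arn:aws:s3:::example-reports/*"],
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    ],
}

# Constructed example: a wildcard principal narrowed to one organization.
# Legitimate, but worth a human look, so it is reported separately.
CONDITIONED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "OrgRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-reports/*",
         "Condition": {"StringEquals": {"aws:PrincipalOrgID": "o-exampleorgid"}}},
    ],
}


def _as_list(value):
    """IAM allows most elements to be a single value or a list; normalize."""
    return value if isinstance(value, list) else [value]


def principal_is_everyone(principal):
    """True if the Principal element matches any caller, including anonymous.
    Both the bare "*" form and {"AWS": "*"} mean everyone."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def public_statements(policy):
    """Return (Sid, reason) for each Allow statement whose Principal matches
    everyone. An unconditioned wildcard is a public-access finding; one
    narrowed by a Condition (aws:PrincipalOrgID, aws:SourceVpce, ...) is
    flagged for review rather than rejected outright."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue  # a Deny with Principal "*" is a guard rail, not a hole
        if not principal_is_everyone(stmt.get("Principal")):
            continue
        sid = stmt.get("Sid", f"statement[{i}]")
        if stmt.get("Condition"):
            findings.append((sid, "wildcard principal narrowed by Condition: review"))
        else:
            findings.append((sid, "wildcard principal with no Condition: public"))
    return findings


if __name__ == "__main__":
    for name, policy in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY),
                         ("conditioned", CONDITIONED_POLICY)):
        print(f"{name}: {public_statements(policy) or 'no findings'}")
```

In practice this check runs against policy documents pulled from the account (or from Terraform/CloudFormation in CI before they are applied), and sits alongside the account-level Block Public Access setting rather than replacing it; the point is that neither the policy nor the audit is something the provider writes for you.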
The cloud hugely expands your options, but risk also increases because you are dealing with another interface layer. As soon as you enter the cloud to take advantage of what it offers, you end up integrating and connecting with other software. And while cloud environments provide instant scalability, that also means you can call upon more components and dependencies. You use more APIs. You reach into third-party services, and suddenly your scope of trust has to expand, which makes it even more important that you know what software you’re using, how you’re using it, where you’re putting it, and who you’re trusting. Every item, component, and dependency should be scanned, tested, and, where necessary, updated to mitigate security vulnerabilities and threats.
The cloud’s increased interconnectedness gives you easier access to newer technologies and more ways to develop applications, but it also makes things more complex, and complexity increases risk. This should mean applying more vigilance, but many organizations don’t, because they assume their provider has them covered. In fact, it demands a deeper understanding of what you’re working with and whether every component is configured correctly.
Similarly, complexity grows with scale and volume, which increase significantly in the cloud. This is particularly true when enterprise customers shift to the cloud, because the bigger the customer, the bigger the scale and the more complexity there is. Enterprises like banks or hardware manufacturers do things on a large scale. They’re gigantic companies with huge numbers of applications, built from the same reusable components put together in different ways. This creates a problem of scale, because it’s harder to secure something that has 30 uses than something that’s used just once. More stakeholders are involved, in teams that don’t necessarily work together, and it can be unclear who’s responsible for the security of individual and shared applications, components, and dependencies. In any large organization, people create bottlenecks. So this kind of scale tends to produce a lot of redundancy and complexity, and that means loss of speed.
Plus, enterprises more often operate in regulated industries, so strong security and tight compliance are imperative. But their problem is the same as it has always been, just in a new context: how to deliver what they want quickly, with the least bureaucracy and the most volume and velocity, while meeting all their security and compliance requirements.
So, the shift to the cloud has focused attention on application security in a positive way. That’s because companies that are properly embracing the cloud’s potential aren’t simply shoving old on-premises applications into the cloud. Rather, they’re building new cloud-based apps and using the scope and access the cloud offers to build better products. As a result, the cloud provides a good chance to start over, and the best place to implement security by design is at the beginning of the software development lifecycle. Applications built for the cloud have every chance of being more secure than legacy apps built a decade ago, provided security is designed in from the start rather than bolted on later.
The cloud also turns the spotlight on security precisely because it increases how much data, code, and software are shared, and with whom. The attack surface expands, and with that comes a greater need for robust and efficient security. It’s now unignorable if you want to ensure that you don’t expose your applications to vulnerabilities and attacks.
The best way to overcome the challenges of application development and security at scale in the cloud is with automation. Automating application security, starting with dependency scanning and updates, removes the bottleneck that people create and the risks arising from human error and poor decision-making. The security process is no longer impeded and can accelerate, costs go down, and productivity improves.
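To make the dependency-scanning and update step concrete (for both the “scan every component” point above and the automation point here), the following is an added example, not code from the page’s author or from any product. It reads a pinned requirements file, matches the pins against an advisory feed, and rewrites the file to the lowest version that clears every advisory, which is the change an update bot would open as a pull request. The requirements file is constructed, and the advisories and their EXAMPLE-000n identifiers are placeholders in the shape real feeds such as OSV use, not real vulnerabilities.

```python
"""Flag pinned dependencies hit by advisories and compute the upgrade each
needs. The requirements file and advisory list are constructed examples."""
import re

# Constructed example: a pinned requirements file as a CI job would read it.
REQUIREMENTS = """\
# service dependencies
requests==2.25.0
urllib3==1.26.4
pyyaml==5.3.1
cryptography==41.0.7
"""

# Constructed example of an advisory feed. The identifiers are placeholders;
# the fields (package, affected range, fixed version) mirror real feeds.
ADVISORIES = [
    {"id": "EXAMPLE-0001", "package": "requests", "affected_below": "2.31.0", "fixed": "2.31.0"},
    {"id": "EXAMPLE-0002", "package": "pyyaml", "affected_below": "5.4", "fixed": "5.4"},
    {"id": "EXAMPLE-0003", "package": "urllib3", "affected_below": "1.26.5", "fixed": "1.26.5"},
    {"id": "EXAMPLE-0004", "package": "urllib3", "affected_below": "1.26.1", "fixed": "1.26.1"},
]

PIN_RE = re.compile(r"([A-Za-z0-9_.\-]+)==([0-9][0-9A-Za-z.\-]*)")


def parse_version(text):
    """Turn '1.26.4' into (1, 26, 4) so versions compare numerically;
    comparing the strings would rank '1.26.9' above '1.26.10'."""
    return tuple(int(p) for p in re.findall(r"\d+", text))


def parse_requirements(text):
    """Return {package: version} for '==' pins; comments and blanks are skipped,
    anything unpinned is rejected because it cannot be audited reproducibly."""
    pins = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        m = PIN_RE.fullmatch(line)
        if not m:
            raise ValueError(f"unsupported requirement line: {line!r}")
        pins[m.group(1).lower()] = m.group(2)
    return pins


def upgrade_plan(pins, advisories):
    """For each pinned package with at least one advisory covering its version,
    return the current version, the target (highest fixed version among the
    matching advisories) and the advisory ids that drove the decision."""
    plan = {}
    for adv in advisories:
        pkg = adv["package"].lower()
        if pkg not in pins:
            continue
        if parse_version(pins[pkg]) >= parse_version(adv["affected_below"]):
            continue  # pin already at or beyond the affected range
        entry = plan.setdefault(pkg, {"from": pins[pkg], "to": adv["fixed"], "advisories": []})
        entry["advisories"].append(adv["id"])
        if parse_version(adv["fixed"]) > parse_version(entry["to"]):
            entry["to"] = adv["fixed"]
    return plan


def rewrite_requirements(text, plan):
    """Produce the updated file text, preserving comments and ordering, which
    is the diff an automated update job would commit for review."""
    out = []
    for line in text.splitlines():
        m = PIN_RE.fullmatch(line.strip())
        if m and m.group(1).lower() in plan:
            out.append(f"{m.group(1)}=={plan[m.group(1).lower()]['to']}")
        else:
            out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    plan = upgrade_plan(parse_requirements(REQUIREMENTS), ADVISORIES)
    for pkg, entry in plan.items():
        print(f"{pkg}: {entry['from']} -> {entry['to']} ({', '.join(entry['advisories'])})")
    print(rewrite_requirements(REQUIREMENTS, plan))
```

Two details matter in practice: versions are compared as integer tuples, not strings, and an advisory whose fixed version is already below the pin is ignored rather than counted, so the plan only ever moves a package forward to the lowest version that clears everything known about it.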
In many respects, the cloud simply amplifies and accelerates the application security issues that organizations already face. Modern application security solutions are designed with the scope of the cloud in mind. They have the agility and capability to handle the volume, speed, and access that the cloud provides, and protect applications from increasingly frequent infiltration and attacks. As such, deploying cloud-native application security isn’t just nice to have, it’s a must-have.