- What is the criteria for going to the cloud?
- What is the fail-over plan for your application?
- What security controls are in place in those applications today?
The answer to #1 is never "security" (and "elasticity" is mentioned with reckless abandon but that's another topic altogether). The answer to #2 is almost always "the cloud" as if it had some magical powers beyond server re-balancing to understand when an application is behaving badly. (There are many techniques to accomplish application-level fail-over, but most require design within the application.) Finally, the third question is guaranteed to produce an air of puzzlement. Many companies rely on the "hard outer shell" security provided by their infrastructure; legacy applications which have worked for the past 10 years are taboo for modification; projects undergoing Agile development tend to dismiss designing security (because it is easy to design incremental functionality but difficult to design incremental security); and as good as development teams are, implementing for standards such as the FTC "Red Flags" Rule is just not on their priority list.
This does not mean applications are not secure; only that the security chain relies on layers of mitigating controls inherent in the environment for which is was originally built. When moving applications to the cloud, project managers need to understand how applications and their data was protected, and ensure a cloud provider can meet similar requirements.
The Cloud Security Alliance has created guidelines that both cloud providers and clients should reference for security guidance. The National Institute of Standards and Technology (NIST) also has similar guidelines geared towards cloud usage by government agencies; but is really applicable to every company. Even with the robust resources like these, there still seems to be some major issues in ensuring security of applications in the cloud:
- A 2012 survey conducted by O+K Research found that 55% of those companies polled did not consider security aspects when migrating projects from physical to virtual environments and only 18% of European companies virtualizing are actively taking a role in securing this new environment.
- A study by the Ponemon Institute shows a large disparity between cloud providers and clients about who is responsible for security in a cloud implementation. The fact that across cloud providers there are differing levels of assumed security responsibilities, there is an inconsistency in implementation the CSA guidelines.
- Understanding the contractual details and legal ramifications on cloud migrations is always a challenge. For example, if your application uses specific types of encryption or holds personally identifiable data (PII) for residents of particular jurisdictions; then the application may not be hosted on, nor the data pass through, specific countries. Applying locality clauses to some cloud providers may increase costs and reduce the efficiencies of going to the cloud.
As a general rule, migrating to the cloud will not increase security; it may even expose security weaknesses. Do not play "Rock, Paper, Scissors" with your cloud migration.
