Capturing the New Frontier
How software security unlocks the power of cloud computing

Here's a question: Which IT sector accounts for 25% of the industry's year-over-year growth and, if the same growth trajectories continue, will generate about one-third of the IT industry's net new growth by 2013? The answer is cloud services, according to research firm IDC. Cloud computing is garnering its fair share of industry buzz as well. Its promise of revolutionary cost savings and agile, just-in-time capacity has driven IT organizations at enterprises of all sizes to build Cloud deployment strategies into their plans. (Source: Worldwide IT Cloud Services Spending, 2008-2012, IDC, October 2008)

Whether the Cloud's benefits are realized, however, depends largely on the trustworthiness of the cloud infrastructure, in particular the software applications that control private data and automate critical processes. Cyber-threats increasingly target vulnerable cloud applications, and fear of insecure software forces IT organizations to sub-optimize their Cloud deployments. Ensuring the inherent security of software is therefore a key factor in unlocking the power of Cloud Computing and realizing its ultimate flexibility and cost benefits.

  • So what are the security challenges organizations are facing when they move applications to the Cloud?
  • Exactly how should organizations secure their applications for the cloud environment?
  • What do Cloud service providers need to know about securing their infrastructure software?
  • What constitutes a smart Cloud implementation?

The Security Challenges of the Cloud

Key to protecting services in the cloud is a proper understanding of what the challenges are and why software in the cloud is particularly susceptible to attacks:

  1. Software is the primary target of threats: Software has become the primary target of hackers and malicious users for good reasons. It controls the flow, storage and use of data; therefore it's often easily exploited. Some industry analysts have estimated that as much as 75% of attacks today enter at the application layer rather than the network or hardware.
  2. Software is complex: Today's software is the next great security frontier and, because it is extremely complex, the least understood. The process of securing it during development, deployment and production is also not as mature as network or hardware security methods.
  3. Cloud brings "sharing": Software's inherent complexity only grows as applications are placed within shared cloud environments, putting additional pressure on the weakest link in online security. Moving to the cloud gives organizations less visibility into their applications and reduced control of risk.

The need to secure cloud software infrastructure applies equally to software that the provider is using to provision cloud services as well as applications that customers move to the cloud. Before taking on the increased risk inherent in cloud computing, every organization needs to ensure that the software applications that run their business are "cloud-ready."

As enterprises move applications into cloud environments, common assumptions made by software developers need to be examined given a cloud context. A few examples help illustrate potential problems:

  1. Communication protocols: An application that used to run on an internal network may not be vulnerable using HTTP, but using the same protocol when the cloud relies on public networks introduces new risks. Software that is written securely makes transitioning from HTTP to HTTPS easier. Poorly written software can make it impossible.
  2. Network infrastructure: The typical data center provides resources under direct IT control. For example, a DNS server provides a "yellow pages" for computers to find each other easily. When software code is moved to the cloud, it now relies on public DNS servers. Result: cybercriminals have a new vector of attack.
  3. Data Protection: If a software application writes personally identifiable information to log files, the level of exposure can be easily managed by in-house data operations. In the cloud, the operations team is not your own. Tighter control is required over where personally identifiable information is written.
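
One way to apply the data-protection point in item 3, as an added example that is not part of the original article: a Python log formatter that redacts personally identifiable information from the fully rendered record, exception text included, before it reaches a log file that someone else's operations team can read. The two patterns, the logger name and the sample values are constructed for illustration.

```python
import io
import logging
import re

# Constructed patterns for two kinds of PII; extend for the data your application handles.
PII_PATTERNS = [
    (re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"), "[EMAIL]"),
    (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "[SSN]"),
]


def redact(text):
    """Replace every PII match in text with a fixed label."""
    for pattern, label in PII_PATTERNS:
        text = pattern.sub(label, text)
    return text


class RedactingFormatter(logging.Formatter):
    """Redact after formatting, so message arguments and tracebacks are covered too."""

    def format(self, record):
        return redact(super().format(record))


def build_logger(stream):
    # The formatter sits on the handler: every record written to this
    # destination is scrubbed, whichever module or child logger emitted it.
    logger = logging.getLogger("cloud_app_example")  # hypothetical logger name
    logger.handlers.clear()
    logger.propagate = False
    logger.setLevel(logging.INFO)
    handler = logging.StreamHandler(stream)
    handler.setFormatter(RedactingFormatter("%(levelname)s %(message)s"))
    logger.addHandler(handler)
    return logger


def demo():
    """Log constructed sample events and return what would reach the log file."""
    stream = io.StringIO()
    log = build_logger(stream)
    log.info("signup ok for %s (ssn %s)", "alice@example.com", "123-45-6789")
    try:
        raise ValueError("bad record for bob@example.org")
    except ValueError:
        log.exception("import failed")
    return stream.getvalue()


if __name__ == "__main__":
    print(demo())
```

Pattern-based redaction is a backstop: it only catches the formats listed, so code that avoids logging PII fields in the first place remains the primary control.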

Current Approaches to Cloud Software Security
According to the Cloud Security Alliance, a not-for-profit organization promoting security assurance best practices in cloud computing, the ultimate approach to software security in this unique environment must be both tactical and strategic. Some of their detailed recommendations include the following:

  • Pay attention to application security architecture, tracking dynamic dependencies to the level of discrete third-party service providers, making modifications as necessary
  • Use a software development life cycle (SDLC) model that integrates the particular challenges of a cloud computing deployment environment throughout its processes
  • Understand the ownership of tools and services such as software testing, including the ramifications of who provides, owns, operates, and assumes responsibility
  • Track new and emerging vulnerabilities, both with web applications as well as machine-to-machine service-oriented architecture (SOA), which is increasingly cloud-based

Unlocking the Benefits of the Cloud with Software Security
The key to achieving the benefits of the cloud is found in a new approach to software security called Software Security Assurance, or "SSA." SSA is a risk-managed, cost-effective approach to software security that can be practiced by enterprises, government agencies and cloud providers alike to ensure the security of software in the cloud. There are three fundamental steps to putting SSA into practice:

  1. Make current applications "cloud-ready" - find and fix cloud-specific vulnerabilities in existing applications before they are moved into a shared infrastructure
  2. Audit new code/applications for resiliency in the target cloud environment
  3. Establish a remediation/feedback loop with software developers and outside vendors to deal with ongoing issues and remediation.

A key part of the SSA concept is to establish "security gates" to systematically accept or reject software applications according to their risk profile. Because the risk profile is determined by the assets controlled by the software and the context or environment in which it will operate, organizations can clearly determine the appropriateness of deploying particular applications into various cloud environments. Cloud providers can assist their customers by offering services that help assess the "cloud readiness" of their applications, and then guide them to the appropriate deployment configurations. The cloud providers also benefit by not allowing vulnerable applications to taint their shared infrastructure. Through SSA, both cloud consumers and providers can confidently make use of cloud computing.

To be an effective program, SSA must unite information security, risk management, and software development in a cross-functional program. To realize the full benefits of cloud computing, organizations must assess and mitigate the risk posed by application vulnerabilities deployed in the cloud with the same vigor as those within their own data center.

About Michael Armistead
Michael Armistead is the Founder & Vice President of Corporate Development at Fortify Software. He co-founded Fortify Software in 2003 with a conviction that information security and software development could work together in unison to secure applications at the source from common threats to the data they contain. With an extensive career in development tools and various leadership roles, Mike is a driving force of the overall strategy and has been instrumental in the aggressive market penetration of Fortify to date. Mike holds a BS and MS in Management Science & Engineering from Stanford University.
