Hybrid IT has disrupted traditional IT due to its ability to introduce emerging technologies quickly. But what is hybrid IT? It’s a combination of “internal and external services, usually from a combination of internal and public clouds,” according to Gartner.
Enterprises, while reluctant to give up control of their data or face potential compliance challenges, recognize the benefits of using public and private cloud services. Security remains the primary concern for many chief information officers (CIOs) in adopting hybrid IT and cloud technologies as they pursue application modernization.
The concern is not without reason: Time and again, there have been major breaches in security where cybercriminals have managed to hack into prominent companies’ data. Not only do such breaches compromise user data and privacy, but they also create bad press for the affected companies and their cloud service providers (CSPs).
For this reason, cloud security is of the utmost importance in the context of cloud migration.
Cybersecurity Breaches Are Common
Cybercriminals are always on the prowl for opportunities to break into systems. Traditional, on-premise systems are not immune to such attacks. According to a 2014 survey from software company Alert Logic, there is no indication that cloud applications and data are more vulnerable than traditional systems, Forbes reported.
Therefore, it’s a myth that cloud computing is inherently less secure than a traditional approach. In fact, due to an increased focus on cloud security, applications and data on the cloud are becoming safer than in traditional systems.
The most notable recent hack that hit traditional systems is the WannaCry ransomware, which affected Microsoft Windows systems in May 2017. It was estimated that the attack impacted more than 200,000 computers across 150 countries — with billions of dollars in total damages.
The State of Cloud Security
Cloud technology is getting safer every day, but cybercrime techniques are simultaneously growing more sophisticated. This means that the challenge for cloud service providers is to keep one step ahead of cybercriminals.
Likewise, companies are implementing various measures to make the cloud more secure, but that doesn’t mean organizations that are migrating data can rely completely on the security of cloud infrastructure. Some of that security is also out of their control — Gartner warned in 2015 that through 2020, 95 percent of cloud security failures would be due to customer error.
Therefore, cloud security follows the shared responsibility model, which includes both the security “of” the cloud and “in” the cloud. It’s the CSP’s responsibility to protect the infrastructure that provides the services. Customers are responsible for configuration (such as identity and access management (IAM) and firewall settings), the security of the hosted applications, and the encryption and integrity of data.
Using this dual security model, both the CSP and customers will own equal responsibility for ensuring the security of the data on the cloud. This model ensures that the highest priority is given to the security of the cloud.
Secure Migration Processes
CSPs are already taking sufficient steps to ensure cloud security. If customers also step up to the plate by following the right processes and adopting a security testing strategy, the cloud will become much more secure as a result.
CIOs and transformation leads who are concerned about security can also use security as a driver for application modernization. In fact, business stakeholders are more likely to provide funding for applications and infrastructure identified as vulnerable.
Security Services During Migration Planning
During migration planning, application security must be considered a top priority. Companies must ensure that applications are free from vulnerabilities and compliant with security standards before they are migrated to the cloud.
Many security services can be utilized during application modernization. Using all or some of these services will increase the security of the applications being migrated substantially.
Detect Application Security Vulnerabilities
Security scanning is the process of scanning source code, web applications and representational state transfer (REST) application programming interfaces (APIs) for potential vulnerabilities, as defined by the Open Web Application Security Project (OWASP) and the SANS Institute.
There are two types of security scanning:
- Static or source code scanning
- Dynamic scanning
In static scanning, the source code is scanned to find any security vulnerabilities. Going through code with tens of thousands of lines can be cumbersome and time-consuming, so automated tools are used for this purpose.
In dynamic scanning, the web application and/or REST APIs are tested dynamically by sending various malicious requests and checking for any existing vulnerabilities. There are many well-known tools available for automated dynamic scanning.
With the help of these tools, scanning services will help find many vulnerabilities — although the tools by themselves cannot find everything. The scanning can be integrated into the development operations (DevOps) workflow to automate the process. By fixing such vulnerabilities in applications before they are migrated, risk can be greatly mitigated.
Security Posture of Middleware and Third-Party Code
Applications that use old middleware components could be prone to security threats. Many of the applications being migrated may also use open source or third-party code. Even if the application’s code is designed and implemented in a secure manner, the middleware or third-party code may contain vulnerabilities that may eventually affect the application and lead to data loss.
An application’s security is only as good as its weakest component, so all middleware and third-party components need to be checked for vulnerabilities before migrating to the cloud.
Use Secure Frameworks
Developers tend to use their own methods to address security issues, which may lead to improper fixes. Using secure, well-known frameworks instead of proprietary methods can help avoid this. During migration planning, look for the presence of such proprietary code and replace it with frameworks that are known to be free from vulnerabilities.
Ensure Modernization of Insecure Legacy Components
Applications that have been developed over the course of years may use legacy technology. These applications may have been written using old programming languages that may not be sufficiently secure. Such legacy components may have known vulnerabilities, and it is possible that they may not have been fixed due to end of maintenance or lack of support.
When migrating to the cloud, such legacy code or technology may lead to serious security concerns. For a good security posture, it’s necessary to identify all such legacy components and modernize them to mitigate security risks.
Employ a Threat-Modeling Service
Adopting security standards during the development cycle — rather than fixing defects at a later stage — is always a good practice. For any application under development, threat modeling should be done during the design phase. Quite often, the development team may not be aware of the security aspects while designing and developing an application. Threat modeling helps in building a secure design by identifying security risks and mitigating them early on.
A security architect can facilitate collaboration between the development and threat modeling teams, answering a series of questions to identify weak areas in the design. This strategy can include reviewing an architecture diagram and evaluating how sensitive data is stored, how users are authenticated, how authorization is managed, what encryption algorithms are used and how session management is handled.
Addressing the risks identified during threat modeling ensures a secure posture and decreases the chance of security loopholes being carried into later stages of development. Identifying such risks early on can lead to cost savings down the road.
After following these processes, a company can identify major vulnerabilities. The applications that are found to be vulnerable to security threats should be the top priorities for modernization.
Security Techniques After Cloud Migration
Security needs a multi-pronged approach. Various methods can be used to enhance security posture before migrating applications to the cloud. Adopting these measures will help considerably to address security risks in the applications being migrated, but these methods alone may not be sufficient to address all risks.
Once these applications are migrated, the cloud infrastructure also needs to be assessed for any security weaknesses.
Create Access Control and Security Groups
Once applications and data are moved to the cloud, they are accessible from anywhere, and, therefore, need to be protected from unauthorized users. Simply relying on username and password authentication doesn’t provide enough security, as it’s vulnerable to various types of attacks. Apart from authentication, a proper authorization mechanism needs to be in place to ensure the authenticated user can only access the data they are supposed to access and not any other confidential data.
Therefore, access control plays a vital role in safeguarding private data. IAM and proper configuration are essential to ensure that only the right people have access to the particular resources. Security groups can also be used as an additional measure to configure filter rules to define how incoming and outgoing traffic must be handled between source and destination.
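As an added example (not part of the original article), the check below audits a security group's filter rules for sensitive ports that are reachable from any source address. The rule format, the sample rules and the list of sensitive ports are constructed for illustration and are not tied to a particular CSP.

```python
import ipaddress

# Assumption: ports treated as sensitive (remote administration and databases).
SENSITIVE_PORTS = {22: "SSH", 3389: "RDP", 3306: "MySQL", 5432: "PostgreSQL"}

# Constructed sample rules in a hypothetical, provider-neutral format.
SAMPLE_RULES = [
    {"direction": "ingress", "protocol": "tcp", "ports": (443, 443), "source": "0.0.0.0/0"},
    {"direction": "ingress", "protocol": "tcp", "ports": (22, 22), "source": "0.0.0.0/0"},
    {"direction": "ingress", "protocol": "tcp", "ports": (5432, 5432), "source": "10.0.1.0/24"},
    {"direction": "ingress", "protocol": "tcp", "ports": (3000, 3400), "source": "::/0"},
    {"direction": "egress", "protocol": "all", "ports": (0, 65535), "source": "0.0.0.0/0"},
]


def is_world_open(cidr):
    """True when the CIDR covers every address (prefix length 0), IPv4 or IPv6."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def audit_ingress(rules):
    """Return (rule index, port, service, source) for each exposed sensitive port."""
    findings = []
    for index, rule in enumerate(rules):
        if rule["direction"] != "ingress" or rule["protocol"] not in ("tcp", "all"):
            continue
        if not is_world_open(rule["source"]):
            continue  # restricted to a specific network, so not flagged here
        low, high = rule["ports"]
        # A wide port range can expose a sensitive port without naming it.
        for port in sorted(p for p in SENSITIVE_PORTS if low <= p <= high):
            findings.append((index, port, SENSITIVE_PORTS[port], rule["source"]))
    return findings


if __name__ == "__main__":
    for index, port, name, source in audit_ingress(SAMPLE_RULES):
        print(f"rule {index}: {name} (port {port}) reachable from {source}")
```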
Implement Penetration Testing
Penetration testing is a testing methodology that tries to find and exploit security vulnerabilities in an application or infrastructure by simulating an external attack using various tools and techniques. The idea is to mimic an attack to find any existing security loopholes before a cybercriminal can. This method uses a combination of automated tools and manual techniques. As part of this, the person performing the penetration test tries not only to find potential vulnerabilities but also to exploit those vulnerabilities to gain access to the system, acquire sensitive information or bring down the service.
Automated scanning, also known as vulnerability assessment, can be used to find vulnerabilities, but automated scanners cannot be counted on to find every single vulnerability in an application. Vulnerability assessment is mainly used to find potential weaknesses over a breadth of areas in a short timeframe.
The emphasis is more on detecting potential vulnerabilities and less on exploitation. Scanners work on pre-defined rules, and different scanners will have their own strengths and weaknesses. These tools also may generate many false positives.
Penetration testing has become a necessity because it not only covers a breadth of areas but it also achieves a depth of testing that automated scanning cannot. Penetration testing utilizes a combination of tools and extensive manual tests to unearth vulnerabilities that a vulnerability assessment would be unable to find.
Exploitation of vulnerabilities also shows the impact those vulnerabilities could have on the business. Penetration tests are performed not only on applications but also on the network and infrastructure to ensure that they are secure.
Guard Against DoS and DDoS Attacks
Attacks that bring down a system and cause system downtime are called denial-of-service (DoS) attacks. DoS attacks can take various forms. Some examples of DoS attacks include user datagram protocol (UDP) flood, Internet Control Message Protocol (ICMP) flood and SYN flood, which aim to flood the network or consume network resources to deny genuine traffic. These are best handled at the network or infrastructure level using firewall rules and an intrusion detection system (IDS).
Application-level (layer 7) DoS attacks are hard to detect, as they appear as normal traffic and follow protocol rules. These types of attacks can bypass a firewall and target applications directly.
Cybercriminals are able to bypass defenses against DoS attacks by employing a technique called distributed denial-of-service (DDoS) attacks. This is an attack where the malicious traffic originates from multiple sources. IDS and firewalls find it difficult to identify and block such an attack. Advanced techniques, such as next-generation firewalls, source rate limiting and DDoS traffic scrubbing services, can be employed to guard against such attacks.
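The source rate limiting mentioned above, as an added example that is not part of the original article: a token-bucket limiter keyed by source, run over constructed traffic to show why a per-source limit stops a single noisy client but needs an aggregate cap when the load is spread across many sources. The limits, the class and function names and the traffic pattern are assumptions chosen for illustration.

```python
class TokenBucket:
    """Allow `rate` requests per second, with bursts of up to `burst`."""

    def __init__(self, rate, burst):
        self.rate, self.burst = rate, burst
        self.tokens, self.last = float(burst), 0.0

    def allow(self, now):
        # Refill for the elapsed time, capped at the burst size.
        elapsed = now - self.last
        self.tokens = min(self.burst, self.tokens + elapsed * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class SourceRateLimiter:
    """One bucket per source, plus an optional aggregate bucket."""

    def __init__(self, per_source=(5, 10), aggregate=None):
        self.per_source = per_source          # assumed limits: 5 req/s, burst 10
        self.buckets = {}
        self.total = TokenBucket(*aggregate) if aggregate else None

    def allow(self, source, now):
        bucket = self.buckets.setdefault(source, TokenBucket(*self.per_source))
        if not bucket.allow(now):
            return False                      # this source exceeded its own limit
        return self.total is None or self.total.allow(now)


def simulate(sources, requests_each, aggregate=None):
    """Constructed traffic: every source sends evenly spaced requests for 1 s."""
    limiter = SourceRateLimiter(aggregate=aggregate)
    events = sorted((i / requests_each, src)
                    for src in sources for i in range(requests_each))
    return sum(limiter.allow(src, t) for t, src in events)


if __name__ == "__main__":
    many = [f"198.51.100.{n}" for n in range(100)]   # documentation-range addresses
    print("one source, 64 requests:", simulate(["203.0.113.7"], 64))
    print("100 sources, 8 each, per-source only:", simulate(many, 8))
    print("100 sources, 8 each, with aggregate cap:", simulate(many, 8, (50, 100)))
```

In the constructed run, every one of the 100 sources stays under its own limit, so only the aggregate bucket reduces the total number of requests admitted.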
Successful DoS attacks can cause service disruption and customer data loss and can significantly dent the reputation of a CSP. Thus, it’s necessary to have a good defense against such attacks.
Try Threat Detection
By taking a strategic approach to security, a company can ensure that applications migrated to the cloud are reasonably safe against most attacks. However, cybercriminals are getting smarter and bolder by the day as they continue to expose new vulnerabilities. This means it’s important to keep a watch on such attacks on the cloud. This is where threat detection plays a major role in keeping such attacks at bay.
Having a good threat-detection mechanism is a must to ensure that cyberattacks are detected in time. The volume of data is increasing exponentially — and it’s impossible to detect such threats manually. With the help of analytics and cognitive technologies, threat detection and response can be handled much more efficiently.
Infrastructure Architect - Application Security, Cloud Migration, IBM
Global Delivery Leader - CIO Advisory and Cloud Migration Factory
Consultant - Cloud Strategy and Technology, IBM