Securing Apps over Cloud: Best Practices
Gartner predicts that by 2012, public cloud services will grow five times faster than overall enterprise IT spending (19% annually through 2015), which amounts to approximately $2.7 trillion. A figure of that size makes clear that securing applications hosted in the cloud is going to be a challenging task. Cloud computing infrastructures have not yet fully matured, and organizations are struggling to add new capabilities to the existing model. Because of public accessibility and exposure, many questions remain unanswered, most of them concerning application security.
Security testing becomes crucial to ensure that the cloud service provider offers a secure platform on which business enterprises can host their business-critical applications; a failure here can mean permanent damage to the business and its brand. In a recent study, Gartner found that the cloud systems and interfaces through which providers service their clients can be exploited by attacks such as SQL injection, cross-site scripting (XSS) and cross-site request forgery (XSRF), which could result in the loss of sensitive information, unauthorized asset transfer and system behaviours that endanger system users (individuals and enterprises, humans and equipment). In addition, the application software that a cloud provider uses to service its clients in real time is not available for testing, which makes it even harder to build trust. Because the cloud is viewed as a repository where a lot of confidential information is stored, it is an area of interest for hackers around the globe. As a result, it is predicted that by 2016 enterprises will make it a precondition in their contracts that cloud service providers produce a certificate of independent security testing as proof that their cloud is safe and secure and meets industry security compliance requirements.
Ensuring App Security Testing for Cloud Services
To ensure that your apps hosted in the cloud are secure, the following five practices can prove effective:
1) Before entering into a partnership with any cloud service provider, the enterprise should ask for the inspection report of an independent testing vendor to be shared. This inspection is based on various security parameters and the provider's adherence to the relevant standards. The reports submitted by the testing experts thus help the enterprise decide whether the service provider meets its security guidelines.
2) From the cloud service provider's viewpoint, to save the cost of having the testing done by a third-party testing vendor, the provider can build an in-house testing team to conduct its own security testing.
3) Testing certification will soon become a vital requirement for all cloud service providers. Such certificates can be awarded by a third-party testing vendor and presented by the service provider every time an enterprise approaches it. Certification of this kind helps the enterprise gain confidence in its service provider's application security.
4) DAST (dynamic application security testing) technology helps locate vulnerabilities such as SQL injection, XSS, XSRF and buffer overflows. It emulates an attack on the running web application, thereby identifying whether the app can withstand such attacks in a real-life scenario.
5) When signing an SLA with the cloud service provider, make a point of specifying penalties in case the provider fails to meet the security guidelines. Make it a practice to evaluate the provider's compliance from time to time before renewing the agreement.
Every enterprise planning to move to the cloud wants to evaluate the security concerns involved. However, such enterprises are not really concerned with obtaining any proof of security assurance for their apps and simply rely on the service provider's reputation in the marketplace. Expecting that a provider will take care of your apps in the cloud merely because it is a well-known brand is entirely the wrong path to pursue, and it can put your confidential information into the wrong hands.