Cloud security needs to be part of the software development lifecycle

The slogan 'there is no cloud, it’s just someone else’s computer', accompanied by an image of a worried looking cloud, has been doing the rounds for some time now. It’s overly simplistic but it neatly sums up the mistrust that some computer users have about cloud technology. The inference being that people who trust the cloud and believe the hype are in some way naïve. The extension of which is that, if you’re giving your data to someone else, how can you be sure it’s safe? This is why cloud security needs to be part of the software development lifecycle.

Security: the biggest issue for cloud adoption

Security concerns are undoubtedly the major hurdle for widespread cloud adoption; indeed, a massive ninety per cent of firms surveyed by Information Security in 2015 stated security was the biggest factor preventing organisations from moving to the cloud. No one is about to wave a magic wand in 2016 and make that go away. As more people adopt cloud services, we’re going to see more high profile breaches. It’s a case of two steps forward, one step back.

Cloud providers are fully aware of this hurdle. By default right now, the major cloud providers deliver high levels of security control to the user. So it becomes a question of who is responsible for appliances control? Anyone can buy an account on Amazon and start up a cloud environment. But the big question is: do you have enough skills to do this?

Why is cloud security an issue?

Cloud security is an issue because sometimes clients forget essential patch management (out of sight, out of mind). We often observe situations when an old server that is still available in the cloud with a version of Tomcat or PHP or any other software framework or application server, which might put client data at risk.

In 2015 we saw a situation where a client was in a cloud environment that was compromised and the hacker was using their cloud machines to mine Bitcoins. In another case a guy hacked a company that had infrastructure in the cloud and then blackmailed the company. So the Black Hat guy emailed the chief security officer of that company. The security officer was so scared that he decided to cooperate with the blackmailer and they paid money. But of course this is a risk, because there is always the possibility that the cyber terrorist will leave a backdoor so they can connect to the server at any time in their future and start to blackmail again.

Two approaches to security: Reactive and proactive

Taking the proactive approach means putting security controls in place to avoid the possibility of situations arising. If such situations happen then we have to get everything up and running again, which is the reactive approach of 'Incident Forensics and Response'.

With the existing security threats (in particular, unauthorised access, hijacking, and malicious insiders) and numerous breaches, the importance of raising cloud security awareness among staff to decrease the human factor in security incidents, is growing.

Looking after your cloud

One of the best remediation approaches is to set up Security Information & Event Management or a Security Operation Centre. Here you have people dedicated to monitoring your cloud environment and can register attacks against your cloud infrastructure and react properly to block an attacker or stop an attack. Or if an attacker successfully penetrates, to track them and stop the attack inside the perimeter. Larger companies will set up on premise solutions, but smaller firms would be advised to use security-as-a-service.

How do you avoid these problems in the first place? My recommendation is to pay security due respect and have it tightly integrated with all stages of the Software Development Lifecycle (SDLC) rather than being conducted post-factum, whether you develop your applications in house or outsource.

Nazar Tymoshyk, Security Consultant Lead, Research & Development at SoftServe

Image Credit: Shutterstock/Maksim Kabakou