Security in Cloud
Since it caught on, any application built is built to leverage the cloud – more than 70% of all businesses, according to CSA. It makes you wonder whether there is any other kind of IT platform and how we ever managed without it.
The cloud doesn’t just offer cost and management benefits; it also gives the freedom to build ‘the best possible’ application – and why not? On traditional IT infrastructure you have to accommodate a certain amount of traffic and hence distribute your resources in order of importance. But no more.
Applications that used to be server-based and designed to be monolithic are now cloud-based ensemble ecospheres with many moving parts and interconnected services. Which is great news. I mean, we are only doing this in our pursuit of building applications that deliver a great user experience. We are now building apps that are highly specialized and ever more complex and intricate.
On the flip side, it isn’t just the cloud technologies that have gotten better over the years. Threats to application and data security, on and off the cloud, have increased as well.
Most cloud service providers offer security of the cloud, i.e. your provisioned IT infrastructure is as safe as having it in-house. This doesn’t mean that an application deployed in the cloud inherently lives in an enterprise-class security model. It is up to the architect and the developers to see to it that best practices are implemented in the system. Security of the cloud is only as good as the developer using it to provide security in the cloud.
Some of the common data security threats to an application are breaches through hijacked accounts, malware injection, or even a disgruntled employee, as well as MITM and DoS service-disruption attacks.
For the most part, breaches occur due to a lack of foresight or technical shortcomings and, consequently, a lack of mitigations built into the architecture and IT management.
It’s a good idea to think about risk assessments, security requirements, regulatory and compliance requirements, and data disaster recovery strategies, in addition to fault-tolerance and scaling policies, before sketching out the application architecture.
Data encryption in flight and at rest, SSL authentication and authorization, access control, and distributed service and content delivery to mitigate any single point of failure are a few of the aspects to take into consideration.
Securing third-party API connections is just as important. The amount of data exchanged, and the number of possible points of data breach, increase with the number of API services used. The way the API communicates with the application needs to be secure and free of vulnerabilities.
A good security model forms an application’s fortress. Security should be a concern for applications of any size and should take precedence right from the app specifications rather than being an afterthought.
A good start would be to keep Murphy’s law in mind.
Having such specifications makes it easy to choose the proper development framework, supported services, third-party providers and deployment environment that enforce the overall security.