Cloud computing is certainly gaining ground and many enterprises are finding ways to cut costs and improve efficiency with cloud services around the periphery. But security concerns seem to be holding enterprise application developers back from deploying enterprise software in the cloud. Cloud service providers are working hard to gain the trust of enterprise application developers, but earning trust is always a slow process.
According to TechTarget's December 2012 IT Priorities Survey of IT managers worldwide, enterprises are still mostly deploying applications on premises. When asked which deployment models their company would use in 2013, just over 60% responded with on-premises software/hardware. In comparison, 20% indicated they would use Platform as a Service (PaaS), and only 12% indicated they would deploy their software on a public cloud infrastructure.
It's also apparent that for organizations that are holding out on deploying applications in the public cloud, the primary reasons boil down to cloud data security. The top two concerns that IT managers pointed to when asked about external cloud service providers were security and protecting company data, in that order.
But are the fear, uncertainty and doubt that surround public cloud models actually warranted? Some security and cloud experts are starting to suggest that cloud platforms can potentially be more secure than traditional on-premises server architecture. However, it's not necessarily a matter of one model being fundamentally better than the other when it comes to security. Web application security in the cloud requires a slightly different approach than securing traditional on-premises server applications.
Public cloud environments may actually be more secure than their on-premises counterparts, explains Forrester Research Inc.'s vice president and principal analyst of application development and delivery John Rymer in a Forrester report titled Achieve cloud economics for operations and services. The report states, "In general, cloud vendors implement per-tenant, per-application, and/or per-resource security controls, while most enterprises rely on perimeter security."
Cloud data security is different than on-premises security
In a recent conversation with TheServerSide.com, Rymer's associate and frequent collaborator James Staten expounded on this difference. In his capacity as Forrester vice president and principal analyst of infrastructure and operations, Staten has seen the evolution of public cloud from the early Wild West days of yore to today's more sophisticated cloud environment.
"Cloud providers have built their security around multi-tenancy," said Staten, "which means they're used to providing security that keeps tenants safe from other tenants." On the other hand, corporate data center security efforts tend to center on a strong firewall. "It's tough to bypass that firewall," he said, "but once you're inside you can do pretty much whatever you want."
Chris Brenton, cloud security architect for CloudPassage Inc. and a teaching fellow at the SANS Institute, sees the same differences between cloud security and on-premises security. He said that the students who come in green are quick to see the challenges of securing cloud services and adjust to them, while the ones who have a good deal of experience with traditional security measures have difficulty accepting that the public cloud can be secured.
"Cloud is different," Brenton said. "It's not more or less secure, but it's different." Brenton said many developers working in the public cloud are encrypting everything. Everything that comes from the client gets encrypted before it hits the wire. These measures might be considered overkill in traditional application security models, where the predominant thought is that those communications should be kept on the secured network, where only the good guys have access and there's no need for encryption. In Brenton's view, "Public cloud is driving application security to get better than applications sitting in the private space."
Public cloud security includes safety in numbers
Staten also mentioned a separate security concept that cloud services present, but that traditional IT infrastructure would be hard-pressed to implement. The concept is that malleable and tangled cloud IP addresses let cloud data hide in a mass of other data. Without a single static IP address or a known port to go to, targeted attacks become much more difficult. Staten compared it to security through obscurity. If a hacker were targeting a particular department store's corporate data center, he could potentially wage brute-force attacks against the firewall until he broke through, and then wreak whatever havoc came to mind.
On the other hand, if that same department store kept its data in a secure public cloud, it would be able to hide among thousands of other organizations, none of which are actively broadcasting their existence to the Web. Plus, if a hacker did find and begin attacking the store's cloud IP address, it would be a simple operational maneuver to change the IP address and go back into hiding. Of course, there are still security faux pas to avoid in the cloud. "You can make yourself a shining target by opening up all of your available ports," Staten said. "If you handle it stupidly, you're on your own."