Securing Cloud Infrastructure

The Cloud Security Alliance (CSA) released new guidance this month on the security issues to consider when deploying cloud computing solutions or contracting with vendors for them.

The three main layers of cloud computing relevant to application security are Infrastructure as a Service (IaaS), Platform as a Service (PaaS) and Software as a Service (SaaS). Each of these layers has the potential to add new threats to the application’s runtime environment.

The CSA lists the following questions to start asking when evaluating each of these scenarios:

Infrastructure as a Service

  • What mechanisms does the platform provide against DoS and DDoS attacks at the infrastructure and network layers?
  • What threat models are addressed at the infrastructure and network layers?
  • What mechanisms does the platform provide to validate the integrity of the virtual machine images?
  • What protections are in place against BIOS- and rootkit-level attacks? Are there detection and response plans in place if such attacks occur?
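The image-integrity question above asks what the platform provides; on the consumer side, the check itself is straightforward. The following is an added example, not part of the CSA guidance or of the original post: it verifies a VM image against a signed manifest that records the image's SHA-256 digest, and it checks the manifest's signature before trusting the digest, since an attacker who can replace the image can usually replace an unsigned manifest too. The image bytes, the manifest layout and the HMAC verification key are constructed for illustration; a real provider would sign the manifest with a key you can validate independently, and the HMAC stands in for that signature so the example runs offline.

```python
import hashlib
import hmac
import json
from typing import Tuple

# Assumption: a shared verification key stands in for the provider's manifest
# signing key so the example runs offline. In practice the manifest would carry
# a public-key signature you verify against a key obtained out of band.
MANIFEST_KEY = b"provider-manifest-signing-key-example"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _canonical(body: dict) -> bytes:
    # Canonical JSON so provider and consumer sign/verify identical bytes.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def make_manifest(image_name: str, image: bytes) -> dict:
    """Provider side: record the image digest and sign the manifest body."""
    body = {"image": image_name, "sha256": sha256_hex(image)}
    signature = hmac.new(MANIFEST_KEY, _canonical(body), hashlib.sha256).hexdigest()
    return {"body": body, "signature": signature}


def verify_image(image: bytes, manifest: dict) -> Tuple[bool, str]:
    """Consumer side: verify the manifest signature first, then the image digest.

    Both comparisons use constant-time equality so a verifier exposed to
    untrusted input does not leak how many leading bytes matched.
    """
    expected_sig = hmac.new(MANIFEST_KEY, _canonical(manifest["body"]), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected_sig, manifest["signature"]):
        return False, "manifest signature invalid"
    if not hmac.compare_digest(sha256_hex(image), manifest["body"]["sha256"]):
        return False, "image digest mismatch"
    return True, "ok"


# Constructed sample data: a stand-in "image" and the manifest published for it.
GOOD_IMAGE = b"\x7fELF-like placeholder for a VM image" * 64
MANIFEST = make_manifest("web-frontend-v1", GOOD_IMAGE)

# Tampered image: one appended byte changes the digest.
TAMPERED_IMAGE = GOOD_IMAGE + b"\x00"

# Tampered manifest: attacker updated the digest to match the tampered image
# but cannot re-sign it, so the signature check must be what fails.
TAMPERED_MANIFEST = {
    "body": dict(MANIFEST["body"], sha256=sha256_hex(TAMPERED_IMAGE)),
    "signature": MANIFEST["signature"],
}

if __name__ == "__main__":
    print("genuine image, genuine manifest :", verify_image(GOOD_IMAGE, MANIFEST))
    print("tampered image, genuine manifest:", verify_image(TAMPERED_IMAGE, MANIFEST))
    print("tampered image, forged manifest :", verify_image(TAMPERED_IMAGE, TAMPERED_MANIFEST))
```

The order of the two checks is the point: verifying the digest before the signature would let a forged manifest that matches a forged image pass, so the signature on the manifest, not the digest alone, is what ties the image back to the provider.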

Platform as a Service

  • Where is the line of responsibility drawn between security of the platform and application components?
  • What facilities does the platform provide for application level logging?
  • Is application log data integrated with other platform-provided logging and reporting?
  • Are there real-time intrusion detection systems deployed to detect application-layer security issues?
  • What mechanisms does the platform support for isolating message data on the client’s service bus?
  • What mechanisms does the platform support for securing communication between two application components?
  • What mechanisms does the platform support for isolating data at rest and in use?

Software as a Service

  • What Web application security standards (input validation, encoding output, preventing request forgery and information disclosure) are being followed by the vendor?
  • What application and infrastructure controls are in place to isolate the enterprise’s data from that of other tenants, for each of:
      • Data at rest
      • Data in transit
      • Data in use

As interest in cloud computing and its security challenges heats up, we’ll pass along relevant updates.