Cloud Application Security: Who Is Responsible for What?


Most organizations today have either already moved their IT infrastructure to the cloud or are planning to do so in the near future. Benefits such as improved productivity, cost savings, efficiency and better agility are driving the current popularity of cloud service deployments.

It is up to each business's own requirements whether to deploy public cloud services like AWS (Amazon Web Services), Microsoft Azure or Google Cloud Platform, or cloud infrastructure maintained by the organization's own IT team.

Security is the topmost concern for businesses that are heavily dependent on IT services and applications. However, there is a great deal of confusion among businesses about security, especially for applications that are hosted in the cloud.

This raises an important question: who owns application security in the cloud? Is it the company using the application or the cloud service provider? Some experts believe that because the application is hosted in the cloud, its security becomes primarily the responsibility of the cloud infrastructure.

Others feel that security is the responsibility of the owners, and therefore an application should not be hosted in the cloud unless its security is ensured.

The Debate of Responsibility of Security.

According to public cloud service providers like AWS and Microsoft Azure, application security is a shared responsibility between cloud service providers and application owners. However, it is not clearly defined where the responsibilities of application owners end and those of the cloud service provider start.

It makes more sense to view application security responsibilities from a network infrastructure perspective, since cloud services are accessed via the network.

Here is a table that shows the division of ownership between cloud providers and application owners.

 

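| Responsibility | TCP/IP layer | Protocols | OSI layers |
|---|---|---|---|
| Full responsibility of app owner | Application | HTTP, FTP, Telnet, NTP, DHCP, PNG | Application, Presentation, Session |
| Virtual: app owner; physical: cloud provider | Transport | TCP, UDP | Transport |
| Virtual: app owner; physical: cloud provider | Network | IP, ARP, ICMP, IGMP | Network |
| Fully controlled by cloud provider | Network Interface | Ethernet | Data Link, Physical |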

 

The table above shows that the cloud service provider controls and manages the physical infrastructure resources; hence it is their responsibility to make sure that the application that runs on it is secure.

However, in the case of virtual and software-defined networks (SDNs), application owners also define the virtual networks according to the requirements of the application architecture, so the security of those networks resides with them. In most cases, application owners have an established set of best practices that makes implementing security relatively easy for them. However, because the network is also part of the infrastructure, the tools for implementing security on the virtual network will be provided by cloud service providers.

Cloud service providers don’t have access to the application layer and don’t know what’s happening at that level; therefore they cannot help application owners with security matters in this context. Hence the application security at this level becomes the responsibility of application owners.

Application Security Challenges in the Cloud.

Before we can decide who is responsible for what in securing applications hosted in the cloud, we need to understand the main challenges related to application security in the cloud environment.

  1. Security Monitoring. Security monitoring is a must-have for applications in the cloud.

  2. Application Vulnerabilities. Another challenge in the cloud is application vulnerabilities, which may help attackers exploit an application to gain control over it, alter it or steal data. New vulnerabilities may arise over time and require timely patch management.

  3. Malware and Ransomware. Another problem that should be addressed prior to deploying an application in the cloud is malware and ransomware. It is a growing challenge for all types of applications.

  4. Bots. It is estimated that almost 30% of traffic comes from non-useful bots. While many people don’t consider them a security threat, they can waste server resources.

  5. Application Layer DDoS Attacks. Distributed denial of service attacks are on the rise as they evolve in size, scope and sophistication. Protection against this type of attack should be among the biggest concerns for cloud service providers and application owners.

            

Solving These Challenges.

A number of solutions are available that can help organizations overcome the challenges mentioned above for cloud-based applications. For example, one such tool, the Web Application Firewall (WAF), can help with common vulnerabilities identified by OWASP. In addition, there is IP reputation, a signature database that is meant to combat malware and bad bots.

Many Application Delivery Controller (ADC) security solutions come with load balancing and other application services. Using the complete set of application delivery tools, with security and visibility, in a DDoS-resilient architecture can help you create a sophisticated layer of security.

 
