Software Journey to the Cloud - CATUG Discussion Document

Transcription

1 Software Journey to the Cloud - CATUG Discussion Document Cloud Arena Technical Users Group (CATUG) ABSTRACT The CloudArena Technical Users Group (CATUG) developed this discussion document, which could act as a checklist for companies considering building software in the Cloud securely.

2 Table of Contents Acknowledgment... 2 Background... 2 Disclaimer... 2 Software journey to the Cloud Starting point Technology Development frameworks Security module & controls Platforms Development lifecycle Data protection, storage and extraction Encryption (Part of security) Auditing and logging Security review Ongoing security... 7 Key contributors to this document... 8 Acknowledgment The CloudArena Technical Users Group (CATUG) developed this discussion document. The group is made up of a number of IT professionals with a broad range of IT experience and skills. The group s purpose is to share and exchange knowledge with a particular focus on Cloud Computing. Background Based on the groups discussion around shared experiences of working in the Cloud the group wanted to produce a document in support of CloudArena s security event for companies who were looking to build a bespoke software in the Cloud, whether internal or external facing, software as a service or not. It s a very high level guide, which could act as a checklist for companies considering building software in the Cloud securely. There are a number of questions and pointers to consider which are captured in the document. Disclaimer This document is intended to support businesses of all types who are considering building software in the Cloud. It is a general guide and cannot reflect all of the particular requirements of every organisation. Ultimately, any decisions on the development and adoption of business technology should be made by users based on their own judgment, supported by professional advice where required. Neither the authors nor the publishers of this document can accept liability for any loss incurred by any person acting or refraining from acting on as a result of material in this document. The content of this document was compiled from the input of many individuals working in a personal capacity. Their input does not necessarily reflect the opinions of the organisations that they are employed by and no such validation should be assumed. 2 Copyright Cloud Arena

3 Software journey to the Cloud 1.0 Starting point So what s the business case? The standard rules still apply when it comes to the cloud and the proper justification needs to be sought. Do you have business or organisational buy in at this stage? You need to fully understand the cost benefit of moving to the cloud and clearly research the potential costs of such a move. Based on the CATUG s experience pricing services in the cloud was not always easy or as expected. At this starting point do you know what is the service you are looking to provide? Is it an internal service or an external service? Are there legacy constraints or is a clean slate. Will it be a managed service or self-service. Are their any integration requirements e.g. to third party software or services? Is it already available and how mission critical is the service? What is the level of support requirements e.g. for bandwidth, spikes and uptime. 3 Copyright Cloud Arena

4 What level of security to do you require? It would be the group s recommendation to involve a security specialist at the start of your project as well as at the end for verification. 2.0 Technology So you ve got support and you now need to select the right technology so there are a number of considerations at this point. Do you go with an open source technology such as PHP, JEE, Ruby, Python, or a closed technology such as Microsoft s.net? Do you understand the benefits or potential challenges of this decision such as? Do you understand licensing implications of the technology? What community support is available for the technology? Paid support versus free. What is the maturity and quality of the technology? What is your experience and understanding of using that technology? Needs to be a clear fit now and also in the future You don t want to cul-de-sac yourself so be sure! Consider maintenance and future proofing yourself Security concerns Some technologies can be less error prone than others Known vulnerabilities and misconfigurations need to be considered and understand How well documented is the technology? Access to resources Accessibility to the skill base you require for that technology now and in the future is a very important issue. Interoperability Enterprise integration with third parties and services What environments and devises do you intend to run your system on 3.0 Development frameworks Development frameworks are like the scaffolding for your application. The benefits of using a framework would be you are typically using proven components, which should improve the overall quality the system so you re not reinventing the wheel. There are risks with some development frameworks because of the possibility of introducing rogue or malicious code that is perhaps unchecked by the framework or community. What is your or your development team s understanding of the framework? What is the quality of the implementation of the framework? And again it s critical to have the right skills and experience to leverage the chosen framework. 4 Copyright Cloud Arena

5 4.0 Security module & controls When you are developing where are the security controls within the application and what do they do? Authorisation (privileges to invoke a function) Authentication (proving who the user is) Input validation (accepting appropriate non malicious data) For more information on security controls check out OWASP s top ten. What security components does your framework offer or contain? Do they meet your requirements? Are they sufficiently proven and future proofed? Can you change or enhance these if required to maintain a level of compliance? Do you need to integrate with other services or third parties with different security controls? For example integrating a Microsoft technology with OpenID or an enterprise environment connecting to a legacy system or mainframe. How effective are the security controls you are connecting to. 5.0 Platforms Do you know what types of platforms exist? There are public, private, hybrid, community cloud platforms and each provides it s own type of service. For example there is a significant difference in the services supplied between Cloud providers e.g. Amazon versus Google Apps versus Force.com versus Microsoft. So what are the differences between cloud platforms and data centres? Get your own server versus a managed service? What are the risks and security issues? Depends on the platform you ve selected and service provided! Key is to understand the security module being provided by the platform and then compliment that with your own requirements Do you understand the service level agreements (SLA) What are the terms of the service? Do you need legal advice to review? How do you deploy to these platforms? Make sure you understand what the process is and how you intend deploy following best practice Make sure you document and test! Make sure you restrict and control access! Pricing and cost modules Based on the groups experience it is critical you understand how your Cloud provider charges for its services. Costs for bandwidth, transactions, storage and content delivery can quickly accumulate if your service doesn't take these into consideration or not architected for the Cloud. Ease of integration with other Cloud services For example Amazon plugins, IBM integration services, Azure AppFabric & Azure Accelerators 5 Copyright Cloud Arena

6 6.0 Development lifecycle What are the differences between traditional methods and developing in the Cloud? Behavior of a Cloud application, depending on the Cloud service, could be quite different to a tradition architecture The lifecycle of a Cloud application maybe different as you could run several instances and versions of the same application concurrently This in turn could impact maintenance, code versioning and management, as well as administration of the system itself Deployment maybe different depending on the cloud service The benefits of spinning and ramping services: Switching it off when you don t need it! Testing potential scenarios before deciding appropriate path Speed at which you can deploy environments 7.0 Data protection, storage and extraction It is critical you understand jurisdiction requirements and adhere to them. How are you going to secure your data in storage and is data size a potential issue for backup or extraction? How are you managing storage / backups? Will you use a different Cloud provider or back up in-house? Are their any standards you need to consider in relation to extraction? Closed versus open standards and code versus data extraction. You also need to consider who has access to the system and more importantly the data that is held within the system. What levels of access and visibility are appropriate and what internal governance and policies do you need to have in place to make sure those levels are adhered to? 8.0 Encryption What is the appropriate level of encryption required for your application? What type of data are you encrypting? Are there any legal or compliance obligations that you need to adhere to? What is the industry standard for the level of encryption required? Do you have to encrypt data all the way to the client? Is there encryption required in transit and in storage? What levels of encryption do you require? Performance of data once encrypted Decrypting data will create an overhead on the performance of the application If you are using encryption how will you manage your encryption keys? Supporting policies and procedures How are you going to manage and administrate the encryption Again consider independent third party advice! 9.0 Auditing and logging You need to ask yourself what are you looking to capture? Do you understand the key system events and steps you need to log? And what are you NOT going to 6 Copyright Cloud Arena

7 log? Auditing and logging customers as well as your own employees need to be considered. Are there quality or compliance requirements do you need to adhere too? What alerts do you need or expect? How does auditing / logging impact your backups? What level of analysis is required from the logs What supporting procedures are required How do you rate or describe a breach? How will you deal with a breach 10.0 Security review So what are the benefits of a security review. It s key you understand the importance of this stage and budget appropriately at the start of your project. A proper security review can ensure the continuity of the service and privacy of data held within the system. It enhances the quality and compliance of the service if you need to adhere to compliance requirements. Based on the CATUG s experience third party evidence that you take security seriously means you ll be taken seriously. Penetration testing External and internal testing of your system Seeking application vulnerabilities Authenticated and unauthenticated access testing Network and / or application layer Code review Independent review that code is securely developed and following industry best practice Availability of the code Ensure ongoing maintenance is managed in a secure manner 11.0 Ongoing security Good ongoing security is about taking each of the items outlined and making sure you ve considered and understood your options. You ve adhered to best practice with you approach and implementation and you understand the risks and are managing them appropriately. You have a proactive approach to security and continuously review and monitor. You have independently verified that what you ve set out to achieve has actually been achieved. Hopefully this discussion document has provided some helpful tips and considerations with your move to building your software in the Cloud. You re more than welcome to join CATUG and share your experiences. 7 Copyright Cloud Arena

8 Key contributors to this document Trevor Dagg: Chairman of CATUG & Managing Director Talentevo Eoin Keary: Owasp Global Vice Chair/Director of BCC Risk Advisory Mike O'Brien: Founder & CEO at Eastpoint Enterprise Information Solutions Ltd Terry Jack: Tech Project Manager at Citi Michael Bradford: Lecturer NCI School of Computing Derek Hardiman: Chief Technology Officer at Abbey Capital Dave Feenan: Business Development Manager, Swiss Post Solutions Ireland Richie Bowden: Chief Operations Officer, Cloud Consulting Ltd Freddie Graham: Senior Account Manager at Commidea Ltd Vikas Sahni: Independent consultant Chad Gilmore: Managing Director, iplanit Joe Haugh: Managing Director of ProductFul.com And other members of the CATUG Group - You can view their profiles and also join our Linkedin group at: 8 Copyright Cloud Arena