Capturing the New Frontier:

Transcription

1 Capturing the New Frontier: How Software Security Unlocks the Power of Cloud Computing

2 Executive Summary Cloud computing is garnering a vast share of IT interest. Its promise of revolutionary cost savings and agile, just-in-time capacity has driven IT organizations at enterprises of all sizes to build cloud deployment strategies into their plans. Realizing the benefits, however, is greatly determined by the trustworthiness of the cloud infrastructure in particular the software applications that control private data and automate critical processes. As cyber-threats increasingly target these applications, IT organizations are forced to sub-optimize the cloud deployments containing this software, limiting flexibility and cost savings. Assuring the inherent security of software, therefore, is a key factor to unlock the power of cloud computing and realize its ultimate benefits. This paper describes these concepts and what they mean to organizations interested in moving to the cloud (consumers), and to the providers of cloud services. The Benefits of the Cloud Cloud computing is immensely popular with companies and government agencies in search of revolutionary costsavings and operational flexibility. According to industry research firm IDC, cloud computing s growth trajectory is, at 27% CAGR, more than five times the growth rate of the traditional, on-premise IT delivery/consumption model. Cloud services growth accounts for fully 25% of the industry s year-over-year growth and if the same growth trajectories continue, by 2013, cloud services growth will generate about one-third of the IT industry s net new growth. (Source: Worldwide IT Cloud Services Spending, , IDC, October 2008) Cloud computing practitioners cite numerous benefits, but most often point to two fundamental benefits: Adaptability: An enterprise can get computing resources implemented in record time, for a fraction of the cost of an on-premise solution, and then shut them off just as easily. IT departments are free to scale capacity up and down as usage demands at will, with no up-front network, hardware or storage investment required. Users can access information wherever they are, rather than having to remain at their desks. Cost Reduction: Cloud computing follows a model in which service costs are based on consumption and make use of highly shared infrastructure. Companies pay for only what they use and providers can spread their costs across multiple customers. In addition to deferring additional infrastructure investment, IT can scale its budget spend up and down just as flexibly. This leads to an order of magnitude cost savings that wasn t possible with 100% proprietary infrastructure. Other benefits of the cloud include collaboration, scaling and availability, but revolutionary cost savings and the almost instant gratification offered by the agility of the cloud will be the key contributors to adoption of the cloud. FORTIFY SOFTWARE 2

3 What IS the Cloud? So much has been written, advertised and discussed about cloud computing, it is appropriate to define the term for common understanding. Cloud computing generally describes a method to supplement, consume and deliver IT services over the Internet. Web-based network resources, software and data services are shared under multi-tenancy and provided on-demand to customers. It is this central tenet of sharing - and the standardization it implies - that is the enabler of cloud computing s core benefits. Cloud computing providers can amortize their costs across many clients and pass these savings on to them. This paradigm shift in computing infrastructure was a logical byproduct and consequence of the ease-of-access to remote and virtual computing sites provided by the Internet. The U.S. National Institute of Standards & Technology (NIST) defines four cloud deployment models: 1. Private Cloud, wherein the cloud infrastructure is owned or leased by a single organization and is operated solely for that organization 2. Community Cloud, wherein the cloud infrastructure is shared by several organizations and supports a specific community that has shared concerns, including security requirements 3. Public Cloud, wherein the cloud infrastructure is owned by an organization selling cloud services to the general public or to a large industry group 4. Hybrid Cloud, wherein the cloud infrastructure is a composition of two or more cloud models that remain unique entities but are bound together by standardized or proprietary technology that enables data and application portability NIST s definition of cloud computing not only defines HOW infrastructure is shared, but also outlines WHAT will be shared. These service models shift the burden of security accordingly between provider and user: Software-as-a-Service, or SaaS, is the most mature of the cloud services. SaaS offers a soup to nuts environment for consumption of a common application on demand via a browser. Typically, the customer controls little or nothing to do with the application, or anything else for that matter, and is only allowed to configure user settings. Security is completely controlled by the vendor. Examples of providers include Salesforce.com, Workday, Mint.com and hundreds of other vendors. Platform-as-a-Service, or PaaS, is an emerging cloud service model. The customer is able to develop applications and deploy onto the cloud infrastructure using programming languages and tools supported by the cloud service provider. They are not able to control the actual infrastructure such as network, OS, servers or storage the platform itself. Because the customer controls application hosting configurations as well as development, responsibility for software security shifts largely to their hands. Examples include Google App Engine and Amazon Web Services. Infrastructure-as-a-Service, or IaaS, is where even more of the infrastructure is exposed to multi-tenant users. The cloud service provider provisions processing, storage, networks and other fundamental computing resources. The customer is able to deploy and run arbitrary software, which can include operating systems and deployed applications. Software security in this deployment model is completely in the customer s hands, including such components as firewalls. Examples include Amazon Elastic Compute Cloud and Rackspace Cloud. While SaaS gained popularity as an alternative to on-premise software applications, the models that are driving much of the current interest in cloud computing are the PaaS and IaaS models. Enterprises are especially drawn to the alternative development infrastructure and data center strategy PaaS and IaaS offer. At this point in time, smaller FORTIFY SOFTWARE 3

4 enterprises seem to have more traction with PaaS, enabling them to rapidly bring web sites to market; whereas larger enterprises are more comfortable beginning their cloud deployments with an existing application moved to an IaaS cloud model. Cloud computing promises organizations reduced expense and increased flexibility with their computing solutions. To fully realize these benefits, however, customers must also trust that infrastructure vulnerabilities especially the software that cyber-threats target more and more don t compromise the cloud s shared services or open new avenues for hackers to access private information or disrupt business processes. Dave Cullinane, Chairman of the Board and Co-Founder of the Cloud Security Alliance Software Security in the Cloud In today s world, software has become the primary target of hackers and malicious users for good reason: software controls the flow, storage and use of data and is often easily exploited. Some industry analysts have estimated that as much as 75% of attacks are at the application layer. In addition, today s software applications are extremely complex, and the process of securing them during development, deployment and in production is not as mature as with the network or hardware infrastructure. This complexity only grows as applications are placed within shared cloud environments, putting additional pressure on this weak link in online security. Due to the above, software security has become a key factor for realizing benefits no matter the cloud computing service consumed. While the SaaS service model is a special case (see Fortify s CISO Guide to SaaS), commercial and government agencies are increasingly drawn to the additional control offered when utilizing NIST s PaaS and IaaS service models. Regardless of the model, the need to secure the software applies equally to software that the provider is using to provision cloud services as well as applications moved to the cloud. Before taking on the increased risk inherent in the cloud, any organization needs to ensure that the software applications that run their business are cloud-ready. As enterprises move applications into cloud environments, assumptions made by the developers of the software need to be examined given the new context. A few examples help illustrate potential problems: 1. Communication protocols: An application that used to run on an internal network may not be vulnerable using HTTP, but using the same protocol when the cloud relies on public networks introduces new risks. Software that is written securely makes transitioning from HTTP to HTTPS easier. Poorly written software can make it impossible. 2. Network infrastructure: The typical data center provides resources under direct IT control. For example, a DNS server provides a yellow pages for computers to find each other easily. When software code is moved to the cloud, it now relies on public DNS servers. Result: cybercriminals have a new vector of attack. 3. Data Protection: If a software application writes personally identifiable information to log files, the level of exposure can be easily managed by in-house data operations. In the cloud, the operations team is not your own. More tight control is required over where personally identifiable information is written. FORTIFY SOFTWARE 4

5 Current Approaches to Cloud Software Security According to the Cloud Security Alliance, a not-for-profit organization promoting security assurance best practices in cloud computing, the ultimate approach to software security in this unique environment must be both tactical and strategic. Some of their detailed recommendations include the following: Pay attention to application security architecture, tracking dynamic dependencies to the level of discrete third party service providers and making modifications as necessary Use a software development life cycle (SDLC) model that integrates the particular challenges of a cloud computing deployment environment throughout its processes Understand the ownership of tools and services such as software testing, including the ramifications of who provides, owns, operates, and assumes responsibility Track new and emerging vulnerabilities, both with web applications as well as machine-to-machine Service Oriented Architecture (SOA) which is increasingly cloud-based For a complete accounting of the CSA s recommendations, see its report, Security Guidance for Critical Areas of Focus in Cloud Computing V2.1. So exactly how should businesses secure their applications for the cloud environment? What do cloud service providers need to know about securing their infrastructure software? What constitutes a smart cloud implementation? Unlocking the Benefits of the Cloud with Software Security & Fortify The answers to the above questions and the key to achieving the benefits of the cloud are found in a new approach to software security called Software Security Assurance, or SSA. SSA is a risk-managed, cost-effective approach that involves three fundamental steps to assure the security of software for an enterprise adopting the cloud: 1. Find and fix vulnerabilities in existing applications before they are moved into a cloud environment 2. Audit new code / applications for resiliency in the target cloud environment 3. Establish a remediation / feedback loop with software developers and outside vendors to deal with on-going issues and remediation. A key part of the SSA concept is to establish security gates to systematically accept or reject software applications according to their risk profile. Because the risk profile is determined by the assets controlled by the software and the context / environment in which it will operate, organizations can clearly determine the appropriateness of deploying particular applications into various cloud environments. Cloud providers can assist their customers by offering services that help assess the cloud readiness of their applications and guide them to appropriate deployment configurations. FORTIFY SOFTWARE 5

6 The cloud providers also benefit by not allowing vulnerable applications to taint their shared infrastructure. Through SSA, both cloud consumers and providers can confidently make use of cloud computing. Security is almost universally the number one concern of companies moving into cloud computing environments; however, most organizations have not yet considered the implications of using insecure software in the cloud. Fortify s leadership and expertise help us establish set guidelines and protocols for organizations to embrace software security in the cloud. Jim Reavis, Executive Director, Cloud Security Alliance Fortify brings a wealth of customer deployment experience in real-world, heterogeneous environments, helping customers to assess and mitigate the risk posed by application vulnerabilities whether deployed within their own data center or in the cloud. Fortify has also introduced new cloud-specific product capabilities for use by enterprises, government agencies and cloud providers alike to assess the security readiness of applications to be deployed into a shared infrastructure. The primary benefit delivered to customers is an improved understanding and control of cloud software security risks. These new cloud security capabilities include: 1. Cloud-specific vulnerability analysis to test the readiness of software for cloud environments by finding issues specific to the cloud environment 2. The industry s first Cloud Readiness Scorecard to rate an application from weak to strong depending on the number of minor or major fixes required deploying an application to the cloud 3. Project Template for remediation that enables teams to zero in on the root cause of important security vulnerabilities 4. Rules Pack that provides continual up-to-date guidelines on emerging threats from Fortify s Software Research Group Fortify s cloud security features are available in both of its award-winning products, Fortify 360 and Fortify on Demand, which share a common security architecture. Fortify 360 is an on-premise solution for Software Security Assurance that brings together the critical analytic, remediation and management capabilities necessary to identify, remove, contain and prevent security vulnerabilities in software. Fortify on Demand is the industry s first SaaS-based software security solution to test for security issues specific to the cloud and to provide such a scorecard. It provides many of the same capabilities offered in Fortify 360, but as an on-demand service. Both Fortify 360 and Fortify on Demand use Fortify s industry leading Static Analysis Security Testing (SAST) technology. It is able to identify more than 400 categories of security vulnerabilities across 19 development languages and platforms and more than 600,000 application programming interfaces (APIs). Fortify s SAST technology has now been extended to be able to identify cloud specific issues that may impact security or inhibit migration to the cloud such as system environment dependencies, insecure data storage and logging infrastructure. Fortify 360 also includes Fortify s innovative Runtime Analysis Security Testing (RAST) technology to mitigate vulnerabilities while applications are running in the cloud. FORTIFY SOFTWARE 6

7 Fortify s Cloud Industry Expertise Fortify is an active member of the Cloud Security Alliance ( supporting its cloud security initiatives. A fundamental part of the CSA s mission is to provide education on the uses of cloud computing to help secure all other forms of computing. It is led by a broad coalition of industry practitioners, corporations, associations and other key stakeholders. Fortify contributes its Software Security Assurance experience and participates alongside other security industry leaders in driving awareness of and solutions for cloud security. The company donates subject matter expertise promoting best practices for software security in cloud computing, such as providing input to the Alliance s report, Security Guidance for Critical Areas of Focus in Cloud Computing. Trust Your Software in the Cloud: Fortify It To unlock the power inherent in cloud computing, organizations must consider the impact of software security. Fortify Software, the market leader in SSA, has introduced new cloud-specific product capabilities designed specifically for this promising and challenging computing environment. As a leading industry authority, Fortify is the best resource for commercial enterprises, government agencies, and cloud vendors interested in understanding and then ensuring the cloud readiness of their critical applications and infrastructure. Contact us at Copyright 2010 Fortify Software. All rights reserved. Fortify is a registered trademark of Fortify Software. CloudWPrev20510 FORTIFY SOFTWARE INC. MORE INFORMATION IS AVAILABLE AT BRIDGEPOINTE PKWY. TEL: (650) SUITE 400 FAX: (650) SAN MATEO, CALIFORNIA CONTACT@FORTIFY.COM