Security in the cloud is a shared responsibility between cloud service providers (CSPs) and government organizations. CSPs provide agencies with a secure platform to operate on, but it is the responsibility of agency security leaders to ensure the applications that are being hosted have been hardened, according to security experts.
Typically, cloud service providers have control over physical security, storage, the virtualization layers, and network security. CSPs come armed with strong security controls, numerous compliance certifications, and their own security features. However, agency chief information security officers and security operations teams should take responsibility for the data, operating system, and application layer security, experts say.
Agencies are developing new applications in the cloud or are migrating existing applications to cloud-based services as information technology leaders align their mission objectives with the Federal government’s cloud-first initiative and IT modernization mandates.
As agencies move workloads and applications to cloud environments, IT and security professionals must ensure that applications are secure even if those applications are being moved to FedRAMP-compliant GovCloud environments, such as Amazon Web Services and Microsoft Azure, said Muneer Baig, founder and CEO of SYSUSA, a cybersecurity and information technology consulting company.
“The infrastructure is secure, but the applications sitting on it could be vulnerable,” Baig said. Agencies are turning to secure infrastructures provided by AWS, Google, and Microsoft to streamline IT operations and meet mission objectives more effectively. But anything they put on those infrastructures “has to go through that due diligence process to make sure it meets [government] compliance requirements,” Baig noted.
Baig recommends that agency software developers and security teams harden their applications according to the Department of Defense Security Technical Implementation Guides (STIGs) for defense devices and systems, and to the guidelines established by the National Institute of Standards and Technology (NIST) and organizations such as the Center for Internet Security (CIS).
Vulnerabilities can be present for many reasons, including coding mistakes, logic errors, incomplete requirements, and failure to test for unusual or unexpected conditions, according to CIS. That makes testing application code essential.
“If you are implementing applications for the cloud, you will want to know how the application is coded and when was the last test of the code,” Baig said. “You need to do this test against the application and might want to do it against the [cloud] infrastructure,” as well.
The CSP's share of security also differs by cloud service model: infrastructure-as-a-service (IaaS), platform-as-a-service (PaaS), and software-as-a-service (SaaS). “IaaS and PaaS CSPs take no responsibility for the security of application code that customers develop and run in clouds. A web application with an SQL [Structured Query Language] injection vulnerability is as much at risk running in a CSP as it is in a traditional data center,” according to a Gartner Research report written by research director Steve Riley.
Gartner also recommends testing. “Use static and dynamic testing tools to identify and remove application vulnerabilities. For cloud-based workloads, consider using cloud-based testing tools,” according to the report, Staying Secure in the Cloud Is a Shared Responsibility.
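To make the Gartner point concrete, the following is an added example (not code from the article or from any of the vendors quoted): a lookup written with string concatenation beside its parameterized replacement, run against a constructed in-memory SQLite table. The flaw lives entirely in the application code, which is why no hosting platform can remove it; the table contents and the probe string are assumptions made for the demonstration.

```python
import sqlite3

# Constructed sample rows for the demonstration (not from the article).
SAMPLE_USERS = [
    ("alice", "analyst"),
    ("bob", "admin"),
    ("carol", "auditor"),
]


def make_db():
    """Create an in-memory SQLite database seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def lookup_vulnerable(conn, name):
    """The defect: user input is spliced into the SQL text, so the
    database parses part of the input as SQL. The cloud platform
    has no visibility into this; it is the customer's application code."""
    sql = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_hardened(conn, name):
    """The fix: a parameterized query. The input is bound as a value and
    never parsed as SQL, so unusual input can only match a literal name."""
    sql = "SELECT name, role FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def demo():
    """Run both lookups with a classic test string that a dynamic
    testing tool would send, plus one ordinary lookup for comparison."""
    conn = make_db()
    probe = "x' OR '1'='1"
    return {
        "vulnerable": lookup_vulnerable(conn, probe),  # returns every row
        "hardened": lookup_hardened(conn, probe),      # returns []
        "normal": lookup_hardened(conn, "bob"),
    }
```

A static analysis rule that flags string concatenation into `execute()` would catch the first function; a dynamic test sending the probe string would reveal it by the unexpected row count.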
It is important to realize that security should not be bolted onto software as an afterthought, especially within a Federal DevOps organization. “Security operations people must have a seat at the table. It is not something that can be layered on at the end,” Adam Clater, chief architect with Red Hat U.S. Public Sector, told MeriTalk in a January 2018 interview. All DevOps and security teams must work together to ensure that security between platforms, operating systems, and infrastructure conforms to standard security controls and requirements, he said.