It's a common refrain-IT decision-makers like the promise of the cloud, but they remain concerned about the security implications of putting their most valuable data and applications outside their own perimeter. Our Sue Marquette Poremba reports on a survey in the UK that found 25 percent of decision-makers believe that the cloud is more secure than their own network. That, of course, means that about 75 percent aren't so sure about cloud security.
The cloud is all about software, and cloud security is all about baking security into code from the earliest design stages. Security experts Ronald L. Krutz and Russell Dean examine how traditional dev processes must be modified from the cloud in their book, "Cloud Security: A Comprehensive Guide to Secure Cloud Computing." IT Business Edge members can download an extensive excerpt from the book free here in the IT Downloads library.
Krutz and Dean begin the book chapter, "Cloud Computing Software Security Fundamentals" by discussing the three "domains" of security laid out by the Cloud Security Alliance that are most critical to a security-focused cloud software dev cycle.
Information Life Cycle Management - Retaining data on the cloud is easy, but systematically and smartly destroying stale data can actually be very tough.
Storage - Encryption, encryption, encryption.
Application Security - As the book says, "IaaS, PaaS and SaaS create differing trust boundaries for the software development lifecycle, which must be accounted for during the development, testing and production deployment of applications."
They then move on to dissect how the design process itself must be shored up to focus on security. While a classic design process might look like this:
After adding renewed emphasis on issues like exception handling and abuse/misuse cases, the design process looks more like this:
The 62-page chapter goes into great detail about various requirements models (goals-based design, for example), comparing how demands on internal and external software can vary. There are sections on penetration testing, accreditation of sources before they can connect, footprinting, covert channels - it's a very comprehensive resource.