Cloud computing was not designed for security, although organizations such as Cloud Security Alliance (CSA) and Open Web Application Security Project (OWASP) are making great strides in helping the industry solve the myriad security problems confronting cloud computing. The benchmark guidelines established by the CSA in the document, Guidance for Critical Areas of Focus in Cloud Computing, are a great first step. This article is intended to pick up where the CSA guide left off in terms of defining what a distributed Web application firewall (dWAF) should look like in order to meet the standards set within the CSA document.
Alex Meisel is the CTO of Art of Defence GmbH, member of OWASP and Cloud Security Alliance. Alex's core focus is Web application security.
In order to accurately outline how a dWAF is possible while maintaining all the benefits of a completely virtualized environment-reduced IT overhead, flexible footprint management, virtually unlimited scalability-a brief overview of cloud technology is needed. Far more than simply maximizing current hardware resources to benefit from unused CPU power, today there are three main technologies available in a cloud that provide the backbone for real productivity gains and compelling business services for companies that don't want to invest in the hardware scaling burdens common today.
Software as a service (SaaS) offers users virtualized software through a thin client, usually any standard Web browser. The benefit for users is access to software without any of the headaches of owning the programs-scaling and resources are taking care of, and patching and upgrades are managed.
Platform as a service (PaaS) provides users with virtual databases, storage and programming languages with which custom applications can be built. This service provides nearly unlimited resources behind the platform and allows customers to scale throughout the lifetime of the application. It is an effective solution for companies ranging from the very small to those serving millions of customers. The customer does not worry about the infrastructure needed to run the services and is billed in per usage model.
Infrastructure as a service (IaaS) allows users access to virtually unlimited resources to build and manage their own virtual network. Customers can commission and decommission virtual resources depending on their need. The most obvious benefit is that there is no end-of-life for hardware anymore for the customers. The providers move them according to their service level from hardware to hardware without any downtime.
The common user benefit of services available through a cloud is access to key resources via the Internet, which provides an incredible degree of scaling without the need to invest in expensive hardware infrastructure.
Cloud Applications Are Highly Exposed to Threats
Accessing cloud technologies requires a thin client, and the world's most commonly used thin client for this purpose is a Web browser. This means the vast majority of all applications on the Internet have some kind of Web and/or application server on which the business logic is implemented. Currently, most of the money spent on security goes into firewalls and antivirus solutions, but in the last 10 years the typical target for attacks has shifted from the network layer to the application layer because the operating systems and services available to the general public were cut down. As a result, it is now easier to target the application logic or framework of an application than the actual server behind the hardened network perimeter. Applications are mostly developed by the businesses themselves and not every developer considers security the highest priority, which leads to a wide variety of problems.
The IBM X-Force 2008 Annual Report highlights that Web application vulnerabilities are the Achilles' heel for corporate IT security. The impact of not being able to secure these vulnerabilities is far reaching.
Further, attack vectors increase exponentially in correlation with the mainstream adoption of cloud computing. Their increase is dictated by hosting and delivering infrastructure, platform and software. Establishing a comprehensive patch management system is the common solution offered by most in the industry, however, in practice this approach has proved very difficult and costly. Typical Web applications are built on open source components, by third parties, who rely on Web frameworks. This approach has the obvious benefits of interoperability and shortened development time, however, patching becomes exponentially more difficult. A flaw in one piece of open source code must be patched for each instance it is used throughout each application in which it is used. In a cloud setting, this becomes a very large issue.
Applications developed specifically for a cloud are often very complex, designed for access speed, scalability and flexibility for third-party development through an open API. For example, Salesforce.com, Google Docs, MySpace, Facebook and Twitter, are all prime examples. These as a Service' applications are developed two ways today: by moving on-premise applications to a cloud, and by developing and operating applications directly in a cloud.