The false sense of security in the cloud

Businesses have various reasons to move to the cloud. Some do it to save on buying and maintaining their own hardware. Others go a step further and also outsource services to reduce the drain on their own resources. Those who want to offload all administration and related services to a cloud provider often believe that this also includes all cybersecurity – but does it?

The big question is: when you move to the cloud, can you assume that your cloud services also include web application security? The short answer is no. The long answer is that it depends on the type of cloud environment and services. So, let’s begin with the basics.

All clouds are not alike

The term cloud is very generic, almost as generic as the term computer. Think about the difference between a supercomputer and a smartphone (which is now a handheld computer) – and the types and scopes of cloud services can vary even more.

To understand the differences between cloud service levels, remember that the technology stack used for, say, your WordPress site is made up of many layers, a bit like lasagna. You start with the hardware layer and the firmware it requires to run. On top of that, you have the operating system, often sitting on top of an extra virtualization layer. Then comes the basic web software: the web server and (if applicable) the application server. On top of that, you have additional server-side technologies and modules, such as PHP and a MySQL database. Only then do you have your actual web application – WordPress, in this example. You’re also likely to have several WordPress plugins. And all this to hold your custom WordPress configuration and, finally, your content.

The layers of your web app lasagna can be either moved to the cloud or handled by you locally. However, for cloud services, there are three general types of cloud models, each covering a different set of layers. Let’s see what each type of cloud service does for your web application security.

Cloud level 1: Infrastructure as a Service (IaaS)

When you move your assets to an IaaS cloud, you’re basically getting rid of your server room (if you ever had one). All these noisy computers and tons of wires will now be somewhere physically inaccessible, in a faraway data center where the IaaS cloud provider will keep your systems running (along with thousands of others). Your administrators will be managing your servers not via the local network but via the Internet.

When you move your systems to an IaaS cloud, all your employees and partners can also only access them over the Internet. If you were running legacy business applications on a local network, you might need to transform some of them into web applications, but that’s not always necessary. You can create tunnels to your new virtual server room and still use your legacy (non-web) applications.

IaaS providers often say they handle security, but they can only secure what they control. In other words, they will mostly cover physical security to make sure nobody steals the disks that hold your data. They should also keep your data secure and available through hardware maintenance, redundant data links, etc. But they can’t really do more than that. Even if they provide some network security tools or reactive/temporary protection from a web application firewall (WAF), setting this up will be up to your administrators.

With IaaS, web application security (and most other security) is still in your hands. The cloud provider cannot offer any proactive web application security measures. Even if some reactive or protective measures are provided, you will still need to manage them yourself.

Cloud level 2: Platform as a Service (PaaS)

As you climb the layers past IaaS, you get to PaaS. At this cloud service level, your cloud provider handles all of IaaS but is also responsible for the operating system and, in some cases, the server software. The specific service scope varies between PaaS offerings but can go as far as providing a full web server and application server with additional modules.

The first type of PaaS provider is basically an IaaS provider who also manages the operating system. This level offers exactly the same kind of security as IaaS, with the addition of patching the operating system.

The second type of PaaS provider is similar in scope to what’s always been called basic website hosting. When you got a hosted website, you would be paying for server space to build your websites and web applications. The hosting provider would be responsible for the hardware, the operating system, the Apache server with PHP, and the MySQL server (again, going with the WordPress example). However, providing and maintaining any web content and code would be solely your responsibility. Some hosting providers would provide an easy way to install WordPress or other default applications but would not administer them in any way.

Similarly, the move to a PaaS cloud service means you no longer need a network administrator or systems administrator for the servers that now live in the cloud – but you still need someone to manage the web applications you have there. Security services offered by the PaaS cloud provider are likely to only add network security. If the PaaS offering includes the web server, your provider will keep the server patched and firewalled so that only required ports are open. However, the provider has nothing to do with web server configuration or any code or data you put on your server.

Even with PaaS, web application security is still 100% your responsibility. At best, the cloud provider can only offer related network security services.

Cloud level 3: Software as a Service (SaaS)

The final step takes you to SaaS, where you only need to manage your data and configuration – the cloud provider handles all the rest. This means you don’t even need a dedicated web server administrator for your web applications, as long as the provider ensures you have easy access to all the configuration options. At this level, you are offloading nearly every aspect of your web application to a third party. You are presented with a ready-made, fully functional web application that you can tweak to your business needs.

To stay with the WordPress example, let’s look at the differences between getting a site up and running on IaaS, PaaS, and SaaS. If you go with IaaS, you will get a server and have to install and manage the entire software stack: Linux, Apache, PHP, MySQL, and then WordPress with any plugins. If you select PaaS that includes the web server, you only need to install and manage WordPress (otherwise, you are also responsible for Apache/PHP/MySQL). Finally, if you select SaaS at wordpress.com, you don’t have to install anything: you just log in to the admin interface of your WordPress instance, configure it, and create content.

The SaaS model is the only one that can actually include web application security services, but each SaaS offering is different and might not cover the entire scope of security. For example, wordpress.com might keep your core WordPress product always updated to the latest version to eliminate known vulnerabilities, but it’s unlikely the same will apply to any plugins you install yourself.

So even when you use SaaS, you are still responsible for approximately 50% of your web application security. The SaaS provider will usually offer some security services for the core product but not for any custom additions or modifications.

Even in the cloud, application security is in your hands

As you can see, moving your web applications to the cloud does not mean someone else will take care of your web application security. Depending on the type of cloud service, your provider may handle some aspects of network security or even supply a web application firewall. But at the end of the day, you are the only one who can ensure that your applications don’t have security vulnerabilities. And that means, at the very least, regularly running a good web vulnerability scanner such as Invicti – or working with an MSSP to run one for you.