Chasing Away Cloud Conundrums, Part 2

IN MEDIEVAL TIMES, CASTLES WERE BUILT WITH MANY LAYERS OF PROTECTION–A MOAT, A DRAWBRIDGE, LOOKOUT TOWERS and arrow slits. The public cloud is the modern-day castle on the hill, so if you’re thinking about operating your Software as a Service platform in a public cloud, you’ll want to follow a similar approach to network and application security. Deploying many controls to monitor, detect and prevent unauthorized access to critical data will make your castle difficult to attack.

1. Running Software in a Hostile Environment?
As we discussed in Part 1, using public cloud technology offers many advantages compared to on-premise models, including mobility, scalability and localized access. It’s important to realize that, just like your on-premise environment, cloud environments are vulnerable to both inside and outside attacks. To decrease the probability of a cyberattack against your SaaS platform, you will want to make sure you employ the proper countermeasures.

Start by focusing on systems management. Maintaining the servers, databases and other critical system components is important. Systems that are unpatched or unmanaged can lead to unnecessary downtime or, worse, a breach allowing sensitive data to be exfiltrated to an outside party. Make sure you have a patching program in place for your SaaS infrastructure.

Provide your cloud-based SaaS solution with a fully managed attack detection system that can detect and inform about the malicious use of cloud services by intruders. For example, you’ll want to consider using a Security Incident and Event Management system (SIEM), and you’ll want to make sure that you monitor it. You should plan to use a Web Application Firewall (WAF), and you’ll want to make sure you test it. There are other security tools that should be part of attack detection such as intrusion prevention systems, intrusion detection systems and hot-based intrusion prevention systems (IPS, IDS and HIPS). You’ll want to make sure these tools are configured well and that they have complete coverage of all assets.

Finally, on the engineering side you should consider having security tests as part of the build pipeline for your SaaS platform.

Systems management and patching for SpheraCloud are pivotal components to maintaining a reliable and relevant application. Our part- ners have worked with us to define a schedule that has systems patched on a regular basis, and Sphera has tools in place to mitigate attacks and inform us when they happen. Even with patching, we can maintain a 99.92 percent availability every month (including scheduled down times).

2. What Controls Do you Have Around Your Operation?
You will want to have your SaaS product operating in a public cloud that maintains industry-recognized certifications and reports that demonstrate a strong set of security controls. Reports like the Statement on Standards for Attestation Engagements No. 16 (SSAE 16) report, also known as the Service Organization Controls (SOC), will demonstrate that the cloud provider has proper control over security, availability, process integrity, confidentiality and privacy. A good cloud provider should also have an ISO-27001 certi- fication showing that a strong information security program exists within their organization. All public cloud providers have strong controls in place for physical access. Since everything is virtualized and distributed across multiple physical sites, it is very difficult to exploit by attackers.

You should have your own information security program that builds upon the physical and operational controls that the cloud provider is operating under. At a minimum, you should have policies and procedures around access management, systems management and patching, network security and privacy. This set of policies and procedures work together with others to define how your data is protected and moni- tored. A good information security program has checks and balances. If policies and procedures are the checks, then compliance measurements are the balances.

In general, with any system, the user is often the weak- est link. System end users are human, and people are prone to make mistakes. Access management helps do a couple of things for end users. First, access management controls how users gain access to a system or how they authenticate. Next, it governs what users can access or what they are authorized to see. By using authentication appropriately, you can establish who can see what.

Maintaining data privacy is now at the forefront of any information security program. The General Data Protection Regulation (GDPR) that went into effect last year has brought a new standard to all European Union citizens and their personal data. Many companies in the United States and Europe have struggled to understand and follow the new regulation. A well-qualified partner will be GDPR-compliant. They will understand that the data you are collecting is sensitive and will need to be protected in a specific manner.

We operate SpheraCloud in a world-class public cloud that has strong controls and holds dozens of security and privacy certifications. In addition, Sphera follows a set of ISO-27001 certified operational controls for SpheraCloud. In the software itself, we have built authentication and authorization around industry standard best practices and have included the option of enabling Single Sign-On (SSO) for clients’ internal active directory. This allows for greater control of access management as customers manage their user access. In addition, the SpheraCloud platform meets the regulations described by GDPR.

3. How Will You Deliver Your Software? Lift and Shift? Containerize? Replatform?
Not directly related to security but still an important consideration is: How will you deliver your SaaS solution into production. The simplest migration approach for delivering your SaaS application in the public cloud is lift and shift. The application is taken as is, without any code refactoring, and run rehosted on a cloud platform. This approach allows you to move your application quickly, but because it’s not optimized for a public cloud environment, it might be costly to run or difficult to operate. Since the application hasn’t been developed for the cloud, it won’t be able to take full advantage of cloud services.

Container technology is something to consider because you can deliver your software updates faster and reduce or eliminate manual handovers between engineering and operations. Containers can run either on-premise or in any public cloud. Container technology isolates your software from other applications running on the operating system. This means applications cannot see each other’s process, data or network. You can restrict the amount of computer processing, memory and disk space they use, and you can have the container scanned for software vulnerabilities. Containers offer immutable infrastructure that keeps your production environment stable because all changes come from code- nothing is changed in the live environment. Containers also make it easier for you to deliver a highly available SaaS solution because you can have multiple instances of your container on a cluster of servers.

Finally, you can choose to replatform, which means making code—level changes that optimize the application for a public cloud platform. It’s a complex, time-intensive function and requires space on your product roadmap, cloud-service domain skills on your team and security expertise in your organization. It’s worth taking this approach because, at the end of this refactoring, your application can take advantage of the scalability and elasticity of the cloud. Compute-intensive apps refactored to use automated node and pod scale-out resource provisioning will deliver cost savings because you are not overprovisioned.