ZeroStack 2016 Prediction: Organizations Will Implement Strict Policies to Address the Weakest Link in Cloud Security - The Application Development Process

Virtualization and Cloud executives share their predictions for 2016.  Read them in this 8th Annual series exclusive.

Contributed by Kiran Bondalapati, co-founder and CTO of ZeroStack


The extraordinary costs associated with network intrusions and data loss can hurt an organization's bottom line like nothing else, which keeps security top of mind. Arguments about cloud security usually revolve around which team you trust more: the security experts in enterprise IT or the security experts working for the public cloud providers. To me, this is a myopic debate that ignores what may be the most critical point of vulnerability - the application itself.

The weakest link in cloud security is the application development process. While they may audit an application, security experts usually do not have a hand in development. App developers are habitually under time pressure to quickly evaluate technology stacks, develop prototypes and iterate. While on this treadmill, security is often overlooked and vulnerabilities are detected after they have been exploited.

Imagine a Java developer who is building a new web service using real data from other corporate systems. To demonstrate the prototype as soon as possible, in order to obtain approval to move the project forward, she will likely deploy it on the public cloud, where resources can be self-provisioned and other employees can reach it easily. Chances are good that the developer invested zero time in thinking about security: the prototype probably has no firewall rules, no restrictive security groups, no input validation against SQL injection, and so on. From the developer's point of view, adding these controls would have killed the speed at which innovation is expected in today's competitive business environment.
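The "no SQL injection checks" shortcut above is the one most likely to expose the real data the prototype was tested with. The following is an added example, not code from the article or from ZeroStack; it is written in Python against an in-memory SQLite database (rather than the Java/JDBC stack in the scenario) so that it runs offline. The employee table, the function names and the payload are all constructed for this illustration. It puts the prototype's string-concatenated lookup beside the parameterized form and shows that a single tautology payload dumps every row from the first and nothing from the second.

```python
import sqlite3

# Constructed sample data standing in for the "real data from other corporate
# systems" the prototype was tested with (not data from the original article).
EMPLOYEES = [
    ("alice", "Engineering", 182000),
    ("bob", "Finance", 143000),
    ("carol", "Legal", 167000),
]

# Classic tautology payload, constructed for the demo.  Inside the vulnerable
# query it closes the opening quote and appends OR '1'='1', matching all rows.
PAYLOAD = "' OR '1'='1"


def build_db() -> sqlite3.Connection:
    """In-memory SQLite database so the example runs with no external service."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE employees (name TEXT, dept TEXT, salary INTEGER)")
    conn.executemany("INSERT INTO employees VALUES (?, ?, ?)", EMPLOYEES)
    conn.commit()
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    """The prototype's shortcut: user input spliced straight into the SQL text.

    Any quote character in `name` changes the structure of the statement, so
    the caller-controlled string is effectively part of the query logic.
    """
    sql = "SELECT name, dept, salary FROM employees WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, name: str) -> list:
    """Parameterized query: the driver binds `name` as a value, never as SQL.

    The same payload is compared literally against the name column and
    matches nothing.
    """
    sql = "SELECT name, dept, salary FROM employees WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def demo() -> dict:
    """Run both lookups with a normal name and with the payload; return row counts."""
    conn = build_db()
    return {
        "normal_vulnerable": len(lookup_vulnerable(conn, "alice")),
        "normal_safe": len(lookup_safe(conn, "alice")),
        "payload_vulnerable": len(lookup_vulnerable(conn, PAYLOAD)),
        "payload_safe": len(lookup_safe(conn, PAYLOAD)),
    }


if __name__ == "__main__":
    for check, rows in demo().items():
        print(f"{check}: {rows} row(s)")
```

Both functions behave identically for the benign input "alice", which is exactly why the defect survives a quick demo: the difference only appears when an attacker, or an automated scanner, supplies a quote. Binding parameters costs the developer one extra argument per query, so it is the kind of control a "secure by default" policy can require without slowing anyone down.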

This is a classic case of "security through obscurity," where the application is assumed to be secure simply because only internal users are expected to know about it. But without the enterprise's perimeter security to act as a basic shield, any system deployed on the public cloud without strong controls becomes an immediate target for automated scanning and intrusion attempts. The prototype itself is of minor concern, but the real data it was being tested with becomes a glaring exposure.

In most public clouds, there is no quick and simple way to move already-deployed resources into a Virtual Private Cloud (VPC); one has to redo the process from scratch (re-configure and re-launch the application) to get that isolation. Our hypothetical developer would essentially have to go back to the drawing board. Not only would she lose the time-to-market advantage she was initially striving for, but her project would now be critically delayed.

To avoid this type of scenario, I foresee more organizations instituting a "secure by default" edict to complement the "cloud first" development strategies many have already adopted. If enterprises want to enable developer productivity and innovation while still keeping threats at bay, policies have to be put in place to ensure that developers secure applications up front, using both perimeter controls such as a VPC and restrictive security groups, and hardening of the deployed system itself. I also predict that private clouds will play an increasingly important role in the cloud strategies many companies are architecting, as a safe harbor in which to iron out security issues before new apps go into production.


About the Author

Kiran Bondalapati is a co-founder and the CTO of ZeroStack, responsible for driving the company's product innovation. Kiran was a founding engineer at Bromium, where he architected Bromium's security solution based on radically new techniques with hardware virtualization. Earlier, at AMD, he developed fundamental underpinnings for virtualization and power management impacting a wide spectrum of computing, from data centers to laptops.

Kiran has a Ph.D. from University of Southern California and a B.S. from IIT, Delhi. 
Published Monday, October 26, 2015 6:32 AM by David Marshall