The concept of cloud computing can trace its inception back to the 1960s, when the Turing Award-winning computer scientist John McCarthy stated that "computation may someday be organized as a public utility". However, it wasn't until recently that the cloud began to take hold in IT, as a result of Amazon providing access to their systems to maximize the use of their data centers through their Amazon Web Services project.
As more companies began to explore the benefits of cloud computing, they found that this solution had the potential to:
While the advantages of a cloud solution are evident, many have also been quick to point out that there are plenty of security concerns to face when considering a move to the cloud.
How secure it is to move applications and data to the cloud is such an area of concern that the topic consumed much of the discussion at the 2009 RSA conference. These ongoing debates have led security experts to identify a number of threats to cloud computing, including:
Moving data to the cloud requires a great deal of trust in the host since they are essentially housing all of your data. If they fail to put adequate security controls in place between the client and data, a number of attacks can be used to compromise sensitive information. SQL Injection attacks, compromised servers, and session hijacking can all lead to cyber criminals harvesting your data on someone else's watch.
While this is also noted as one of the benefits to cloud computing, it can also cause problems. As web applications grow in popularity, more companies rely on them as an integral part of how they do business. Moving these applications to the cloud should mean that the management of these apps is taken care of, but this usually means automated updates, not complete security. In fact, George Reese stated in his article "Twenty Rules for Amazon Cloud Security": "Above all else, write secure web applications."
The fact is, while your cloud provider may handle necessary updates of your software, they are not going to review your code for potential vulnerabilities, make sure your input and output are validated, escaped, and filtered, or ensure that your application is protected against common threats like Cross-Site Scripting.
The very nature of the cloud means that resources are shared as they are needed. Traditional perimeter security in the cloud doesn't work in the same way. For instance, using Amazon's Web Services you may find yourself restricted when it comes to checking logs and deploying tools like traffic sniffers and intrusion detection systems. Essentially, it's not your perimeter, so the way you used to protect it has changed. Some terms of service even prevent you from running vulnerability scans, making it virtually impossible to perform a code review. For PCI compliance, this can present a major problem.
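An added example (not from the original article or from any vendor) of what validating input, parameterizing queries and escaping output look like in application code, next to the form that provider-side patching will not fix. The table, function names and sample rows are constructed for illustration.

```python
import html
import re
import sqlite3

def make_db():
    # Constructed sample data: an in-memory table standing in for application data.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE customers (name TEXT, note TEXT)")
    db.executemany("INSERT INTO customers VALUES (?, ?)", [
        ("alice", "gold tier"),
        ("bob", "<script>alert(1)</script>"),  # stored markup, must be escaped on output
    ])
    return db

# Allow-list for the hypothetical 'name' request parameter.
NAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,32}")

def lookup_unsafe(db, name):
    # Vulnerable form: input is concatenated into the SQL text (SQL injection)
    # and database content is written into HTML unescaped (Cross-Site Scripting).
    sql = "SELECT name, note FROM customers WHERE name = '" + name + "'"
    rows = db.execute(sql).fetchall()
    return "".join(f"<li>{n}: {note}</li>" for n, note in rows)

def lookup_safe(db, name):
    # 1. Validate: reject anything outside the allow-list before it is used.
    if not NAME_RE.fullmatch(name):
        raise ValueError("invalid name parameter")
    # 2. Parameterize: the value travels separately from the SQL text.
    rows = db.execute(
        "SELECT name, note FROM customers WHERE name = ?", (name,)
    ).fetchall()
    # 3. Escape on output: encode stored data for the HTML context.
    return "".join(
        f"<li>{html.escape(n)}: {html.escape(note)}</li>" for n, note in rows
    )

if __name__ == "__main__":
    db = make_db()
    crafted = "x' OR '1'='1"  # constructed input that rewrites the unsafe query
    print("unsafe:", lookup_unsafe(db, crafted))
    print("safe:  ", lookup_safe(db, "bob"))
```

Each of the three steps covers a different failure: the parameterized query alone would stop the crafted input, but only output escaping neutralizes markup that is already stored in the database.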
Even though data and applications running in the cloud are exposed to a number of security threats, a strong push from industries such as healthcare and ecommerce, as well as support from Google, IBM, Amazon, and other IT powerhouses, means that solutions to these security-related problems need to be identified.
One way to protect against threats to your web applications and data is to deploy a Web Application Firewall as a software solution. No additional hardware is required on the part of the cloud provider, and it can be installed directly in front of your web-facing applications.
When deployed correctly, a Web Application Firewall protects your web applications from known threats including:
Web Application Firewalls also take traditional security much further. By performing a deep inspection of traffic on the web service layers, they are able to stop threats that intrusion detection and prevention systems often miss.
Cyber criminals attack the most vulnerable web sites, and they attack the biggest possible pool of victims they can. As more IT departments are forced to scale back, cost saving initiatives like cloud computing become even more attractive.
While cloud computing provides managed services, you are still responsible for compliance. No provider will assume this responsibility for you simply because they are managing your applications and data. In order to comply with regulations like PCI DSS, HIPAA, SOX, and the many others, it is essential that security be one of the most important factors when making the decision to move to the cloud.
What sets dotDefender apart is that it offers comprehensive protection against threats to web applications while being one of the easiest solutions to use.
By acting as a Security-as-a-Service solution, dotDefender is able to provide protection to web servers whether the admin has an extensive background in security or just a minimal amount of knowledge on the subject. In just 10 clicks, a web administrator with no security training can have dotDefender up and running. Its predefined rule set offers out-of-the-box protection that can be easily managed through a browser-based interface with virtually no impact on your web site's performance.
Architected as plug & play software, dotDefender provides optimal out-of-the-box protection against DoS threats, Cross-Site Scripting, SQL Injection attacks, path traversal and many other web attack techniques.
The reasons dotDefender offers such a comprehensive security solution for web applications hosted in the cloud are:
dotDefender's unique security approach eliminates the need to learn the specific threats that exist on each web application. The software that runs dotDefender focuses on analyzing the request and the impact it has on the application. Effective web application security is based on three powerful web application security engines: Pattern Recognition, Session Protection and Signature Knowledgebase.