There has been a huge shift in the software industry over the last decade. Gone are the days of small, isolated pieces of software, sitting on a server in the corner of the office. Now, we have large-scale applications, sitting in a public cloud such as Amazon Web Services – continuously collecting data about users and their behaviour when using the system.
While migrating an application to the cloud often has no functional impact – that is to say, the application will still work in the way that it works locally – there could and probably will be a massive security impact.
Why is there such a huge security impact? Well, in the past, software would generally sit on a dedicated server, belonging to the software company. Machines may well have been virtualized, and a single server might have run more than one application, but the hardware was still owned and managed by the software company itself.
Today, we see virtualized servers, offered by Amazon Web Services (as an example), where multiple companies will share the same physical servers.
So, we’ve moved from a situation where your data was on your own server and was completely under your control to a situation where your data is on the same piece of hardware as (potentially) your competitor or, worse, someone that wants to access and misuse your data.
All of this data is logically separated, so theoretically, you shouldn’t be able to access anything outside of your ‘silo’. However, with hacking techniques being continuously refined, do we honestly believe that there is no back door entrance that can be exploited?
One change which could be made to improve security standards is to implement centralized policy management. It’s already present in Amazon Web Services to an extent, but we should start to intertwine it with the software development process. That way, we’re no longer relying on a developer to always implement the correct security standards as they build new functionality into a system. Rather, they implement a centrally managed security policy in lieu of custom security code.
This gives you the ability to enhance security across your system from a single source and also ensures that legacy parts of your system aren’t compromising the rest of your system security.
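As an added illustration (not code from the original post), the sketch below shows new and legacy handlers deferring to one central policy instead of carrying their own checks. The policy table, handler names and sample users are all hypothetical and constructed for this example.

```python
from functools import wraps

# Central policy: action -> roles allowed. This is the single source to edit.
POLICY = {
    "report:read": {"analyst", "admin"},
    "user:delete": {"admin"},
}

class AccessDenied(Exception):
    pass

def is_allowed(policy, roles, action):
    """Default deny: an action missing from the policy is refused."""
    return bool(policy.get(action, set()) & set(roles))

def enforce(action, policy=POLICY):
    """Decorator that applies the central policy to a handler at call time."""
    def wrap(handler):
        @wraps(handler)
        def guarded(user, *args, **kwargs):
            if not is_allowed(policy, user["roles"], action):
                raise AccessDenied(f"{user['name']} may not {action}")
            return handler(user, *args, **kwargs)
        return guarded
    return wrap

@enforce("report:read")
def read_report(user, report_id):       # newly built feature
    return f"report {report_id}"

@enforce("user:delete")
def legacy_delete_user(user, target):   # legacy path, same policy source
    return f"deleted {target}"

@enforce("billing:export")              # no policy entry exists for this action
def export_billing(user):
    return "billing data"

def try_call(handler, user, *args):
    """Return the handler's result, or 'denied' if the policy refuses."""
    try:
        return handler(user, *args)
    except AccessDenied:
        return "denied"

# Constructed sample users.
ANALYST = {"name": "ana", "roles": ["analyst"]}
ADMIN = {"name": "root", "roles": ["admin"]}
```

Because the handlers contain no security logic of their own, tightening an entry in `POLICY` changes the behaviour of every handler that references it, and a handler whose action was never added to the policy is refused rather than left open.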
So, when considering a move to the cloud, yes, your system will probably work exactly as it does now – but will your current security profile stand up to the scrutiny of the masses?