As cloud computing continues to move from "early adopters" to the "early majority," many online retailers are starting to evaluate the cloud as a valuable alternative.
Lower upfront and running capital expenses, lower operation expenses, faster time to market, increased scalability and flexibility, as well as pay "by the drink" pricing, are just some of the promised benefits companies can experience with cloud computing. However, when it comes to cloud computing in ecommerce, the question isn’t so much "will there be advantages to switching to the cloud," but more so "how can I take advantage of the cloud without sacrificing security and privacy?"
Building secure applications requires a strategic approach to both development and deployment. Developers can painstakingly design and develop a highly secure ecommerce application based on the most current and widely-adopted best practices, only to find that the application and its data becomes vulnerable because it was not deployed in a secure fashion. It’s like spending top dollar on a state-of-the-art alarm system for your home, yet failing to arm the alarm before you leave the house. For applications to be secure, they must be both designed securely and deployed securely.
Understanding the Cloud Security Challenge
The stakes are raised when it comes to ecommerce systems, especially those that store or process customer credit card payment and account data. The Payment Card Industry Data Security Standard (PCI DSS) is a set of requirements developed by payment brands such as American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa Inc. that attempts to facilitate the broad adoption of consistent data security practices. The PCI DSS includes requirements not only for software design, but also for security management, network architecture and security policies and procedures.
So, after you’ve designed a secure architecture, developed your application and addressed things such as security vulnerability assessment and remediation, how do you ensure that application is deployed securely in the cloud?
The good news is that deploying applications onto cloud platforms securely really isn’t that much different from deploying them securely in traditional environments. The bad news is that, depending on the type of cloud computing environment that’s being used (platform-as-a-service versus infrastructure-as-a-service, for example), there may not be an adequate level of control over the different pieces and parts to ensure the application is deployed in a manner which aligns with the developer’s intent.
This is because different cloud models provide different levels of control over the architecture. For example, public platform-as-a-service (PaaS) offerings usually require developers to write applications specifically for the platform (i.e. .NET Azure and Ruby on Rails platforms like Heroku). On the other hand, a public infrastructure-as-a-Service (IaaS) solution may provide more flexibility.
Regardless of the cloud model being employed, there are three things to consider when looking to deploy and manage your ecommerce applications in the cloud.
No. 1: Physical Security
Does the cloud provider maintain adequate levels of physical security control over systems, applications and data?
Physical security is the first, and sometimes most important, step in ensuring the secure deployment and management of ecommerce applications. With direct physical access to systems or data, nefarious folks can do just about anything they want.
Physical security measures such as access controls with zones of trust, alarm systems, and video surveillance should be employed to ensure that only appropriate personnel gain access to systems. This includes ensuring that backup media is properly secured and that when equipment is retired any sensitive data is securely deleted. Looking for cloud providers that have SAS 70 Type II certified data centers is a good (but certainly not foolproof) way of assessing the physical security measures that are in place.
No. 2: Network Security
Does the cloud service provider build and maintain a secure network?
At a minimum, cloud providers should install and maintain a firewall configuration that protects hosted systems. Additional services such as intrusion detection services (IDS) and intrusion prevention services (IPS) use a combination of signatures, protocol validation, anomaly detection, behavioral analysis and other methods to filter a large portion of incoming network traffic without requiring deep inspection.
Since traffic to and from most web-based applications travel over the same known TCP ports (port 80 and port 443), it is also important to implement web application firewalls which are "intelligent" and can look more deeply into traffic for protocol-specific attacks, such as cross site scripting, SQL injection, and directory traversal attacks.
No. 3: Operational Security
There is a saying that "a chain is only as strong as its weakest link." In the case of ecommerce application security, it can be said that an application is only as secure as the operating system on which it is running. Often overshadowed by high tech biometric physical access controls and advanced network gear is the quality of operational management that happens on a day-to-day basis by less high tech things: people.
Deploying an application securely means properly securing and maintaining the underlying operating system on which it runs. When hosting applications on PaaS or IaaS offerings, which include a managed services aspect, it is important to ensure that operating system vulnerabilities are dealt with quickly and that security policies related to things like account privileges and password security are consistently enforced. Operational security for cloud providers also should include advanced monitoring capabilities that transcend "is my server up?" and include application-specific performance characteristics and regular access auditing.
Conclusion
Moving or deploying your ecommerce application to the cloud can be a very smart business move and provide a lot of development opportunities, but you need to make sure you can do it securely.
You can deploy your application with any number of cloud providers using a variety of cloud architectures, but look to partner with a provider to host your application who will take as much time and effort in securing and managing it as you did building it.
Bob Roudebush is Director of Sales Engineering for BlueLock
