So far we’ve looked at physically securing the datacenter a cloud service is delivered from, how that datacenter should be run and how the network must be secured. The final pillar in delivering a secure cloud service is ensuring the application itself is secure. The datacenter can be secure and the network can be locked down, but if the application is poorly designed, allowing attackers to easily gain unauthorized access, the security of the whole system may be compromised.

Application security may be the most difficult thing for IT managers to understand because it requires familiarity with coding practices and QA testing. It’s important to work with cloud vendors that are transparent about application security. Questions to ask vendors include:

  • How do you develop the application and what languages are used?
  • How often do you release new versions?
  • What is the procedure for rolling back unsuccessful changes?
  • What coding methodologies are used?
  • What is the ratio of developers to quality assurance testers?
  • What certifications has the application received?

Penetration testing (or “pen-testing”) is a process performed to find security holes in a hosted application, and cloud vendors run these tests regularly to ensure that their system is secure. Essentially, pen tests are designed to simulate an attack: skilled testers use a number of methods to attempt to gain access to the system. Comprehensive pen-testing covers the whole security ecosystem, end to end, including end user security.

Arguably, the final frontier of application security falls on the shoulders of the end users who use the application. Unlike the rest of the IT system, users aren’t under the direct control and management of IT, so they own some of the responsibility for the security of their data—which is why cloud services should make it effortless for end users to work securely. Cloud services often have an end user portal that requires a username and password, and it’s important to consider how the application enforces and advises end users on passwords.

Until Minority Report retina-scanning technology becomes ubiquitous, usernames and passwords generally serve as the end user gateway to the cloud service. As a result, some organizations—especially heavily regulated industries such as finance—mandate strict password policies that make it extremely difficult for unauthorized users to access the application, such as:

  • Frequent password changes, sometimes daily
  • No recycling of old passwords
  • A minimum on the number of characters in the password
  • A mix of alphanumeric and/or sequenced characters

But sometimes strict requirements across multiple systems actually undermine security: they force end users to remember many difficult passwords, which instead get written down on paper (not secure) or forgotten (so IT spends time resetting them).

How do we mitigate this? Cloud providers designed for use by large enterprises, such as Huddle, support a technology called “single sign-on” or SSO. Single sign-on lets your users remember one password (the one they use to log on to their corporate computer) to access services. This means you can apply one strict policy to users’ corporate password, which in turn grants access to cloud services such as Huddle.

SSO is achieved via a technology called SAML—or Security Assertion Markup Language—an XML-based protocol that allows one system to tell another whether a particular user is authorized. A large company could use a SAML-based system such as ADFS (Active Directory Federation Services) to authenticate its users. SSO can also be used for more advanced scenarios such as two-factor authentication (2FA) or multi-factor authentication (MFA). Companies require MFA/2FA when they want additional assurance, beyond the password alone, that a user’s account hasn’t been compromised. For example, your company might want a user to enter their username and password but also insert a smart card, input a code from an RSA token or use a biometric sensor to further verify their identity. An SSO provider could perform any number of these checks before giving Huddle the “All Clear” to let the user in.
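As an added example (not code from the original post or from Huddle), here are the checks a cloud service must apply to a SAML assertion before it accepts the identity provider’s “All Clear”: the assertion must come from the trusted issuer, fall inside its validity window and be addressed to this service. The issuer and audience URLs and the sample assertion are constructed; verification of the assertion’s XML signature is assumed to have happened first and is not shown.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EXPECTED_ISSUER = "https://idp.example.com/adfs/services/trust"  # hypothetical IdP
EXPECTED_AUDIENCE = "https://sp.example.com/saml"  # hypothetical service provider

# Constructed sample assertion (Signature element omitted for brevity).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_constructed1" Version="2.0" IssueInstant="2019-06-01T12:00:00Z">
  <saml:Issuer>https://idp.example.com/adfs/services/trust</saml:Issuer>
  <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2019-06-01T12:00:00Z" NotOnOrAfter="2019-06-01T12:05:00Z">
    <saml:AudienceRestriction><saml:Audience>https://sp.example.com/saml</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""

def _parse_time(s):
    # xs:dateTime in UTC; fractional seconds are omitted in this constructed sample.
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def validate_assertion(xml_text, now_iso):
    """Return (subject, []) if acceptable, else (None, reasons). Assumes the XML
    signature was already verified against the IdP certificate (not shown)."""
    now = _parse_time(now_iso)
    reasons = []
    root = ET.fromstring(xml_text)
    # 1. Only the configured identity provider may vouch for users.
    issuer = root.findtext("saml:Issuer", namespaces=NS)
    if issuer != EXPECTED_ISSUER:
        reasons.append("issuer not trusted: %r" % issuer)
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        reasons.append("missing Conditions")
    else:
        # 2. Validity window bounds how long a captured assertion stays usable.
        nb, noa = cond.get("NotBefore"), cond.get("NotOnOrAfter")
        if nb is None or noa is None:
            reasons.append("missing validity window")
        else:
            if now < _parse_time(nb):
                reasons.append("assertion not yet valid")
            if now >= _parse_time(noa):
                reasons.append("assertion expired")
        # 3. Audience: an assertion issued for another service must not log anyone in here.
        auds = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
        if EXPECTED_AUDIENCE not in auds:
            reasons.append("audience mismatch")
    subject = root.findtext("saml:Subject/saml:NameID", namespaces=NS)
    if not subject:
        reasons.append("missing Subject NameID")
    return (subject, []) if not reasons else (None, reasons)
```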

Finally, what about access on mobile devices? Is information stored on the devices? Is it encrypted? Can it be remotely wiped in the event of theft or loss? All these are pertinent questions, and they are becoming increasingly so in the age of consumerization. Your employees will increasingly access corporate data on personal devices, so it is imperative to understand the ramifications of data flow within your organization beyond the firewall.

Security is a complex, multi-faceted problem that faces cloud providers. Each layer is dependent on the next, and failures in one can render an entire system insecure. That said, security has long been the concern of a great many people who are well-skilled at creating, running and monitoring secure cloud services for you and your enterprise. Standards and accreditations can be used to ensure you are confident with the security basics so you can spend more time determining the business value that the service can bring rather than worrying about the potential risks.

What are your thoughts on application security and how it works in the broader cloud ecosystem?

James Matthews
