The false sense of security in the cloud

Businesses like yours have different reasons to move to the cloud. Some do it primarily to save on hardware. Others go further and outsource services to reduce the need for their own resources. Those who want to outsource administration and related services often believe that this outsourcing also includes cybersecurity. But does it?

The big question is: when you move to the cloud, can you assume that cloud services include handling web application security? The short answer is no. The long answer is that it depends on the type of cloud environment and services. So, let’s begin with the basics.

One cloud is unlike another

The term cloud is very generic. Almost as generic as the term computer. You know how big a difference there is between a super-computer and a mobile (which is also a type of computer) – there is just as much difference between cloud types.

To understand the differences between clouds, you have to remember that your IT environment is based on several layers, like a pie. For example, if you have a WordPress site, first, you have the hardware layer and embedded software. On top of that, you have the operating system. Then comes the basic web software: the web server, the application server (if applicable). On top of that, you have additional technologies and modules, for example, PHP and a MySQL database. Then, on top of that, you have the actual web application, for example, WordPress. Then, you have several WordPress plugins. And then, you have your WordPress content and individual configuration.

Every piece of the above “pie” can be either moved to the cloud or handled by you locally. However, there are 3 general cloud types that include different layers.

Option 1: Infrastructure as a Service (IaaS)

When you move your assets to an IaaS cloud, you’re basically getting rid of your server room (if you had one, to begin with). All these noisy computers and tons of wires are now going to be in a place that is not physically accessible to you: somewhere far away, in a huge room together with others, managed by your IaaS cloud provider. Your administrators will be managing your servers not via the local network but via the Internet.

The systems that you move to an IaaS cloud now have to be accessed through the Internet by your employees, partners, etc. It may, in some cases, mean that legacy applications, which used to work over the local network, must be transformed into web applications but it’s not always necessary. You can create tunnels to your new virtual server room and still use legacy (non-web) applications.

IaaS providers often promise you that they handle security. But the scope of security that they handle is primarily physical security – they make sure that nobody breaks into their server factory and steals a disk with your data. But they can’t really do more than that. Even if they provide some network security or reactive/temporary WAF protection, it is your administrators that must manage it.

In summary: with a move to IaaS, web application security (and most other security) is still in your hands. The cloud provider is not able to offer any proactive web application security measures and you must still manage the reactive ones.

Option 2: Platform as a Service (PaaS)

When you move to a PaaS cloud, you get all the benefits of IaaS but you also leave one or two important layers in the hands of your cloud provider: the operating system and potentially the server software. Different PaaS offerings include a different scope of services but they go as far as, for example, your web server and application server with additional modules.

The first type of PaaS provider is just a bit more than an IaaS provider. All that they add to the IaaS offering is the operating system. Therefore, from the point of view of security, they offer exactly as much as IaaS (with the addition of patching the operating system).

The second type of PaaS provider is very similar to what has always been known as simple internet hosting. If you had a hosted website, you would rent a place on a server, where you would be able to build your websites and web applications. The hosting provider would be responsible for the hardware, the operating system, the Apache server with PHP, and the MySQL server. However, all the web content and code would be in your hands. Some hosting providers would make it easy to install default applications such as WordPress but would not administer them in any way.

While the move to a PaaS cloud means that you no longer need a network administrator and an OS administrator for the servers that you move there, you still need someone to administer the web applications on these servers. Security services offered by the PaaS cloud provider may include network security only. If the PaaS handles your web server, they will keep it patched and open only the right ports. However, they won’t touch any code that you put on that server or any configuration of that server.

In summary: with a move to PaaS, web application security is still 100% in your hands only. The cloud provider is only able to offer related network security services.

Option 3: Software as a Service (SaaS)

When you move to a SaaS cloud, you have to manage your data and configuration only. All the rest is handled by the cloud provider. This means that you don’t even need a web administrator for your web applications, as long as the provider offers easy access to all the configuration options. You are outsourcing almost everything that can be outsourced. You are presented with a ready-made, working web application, which you can simply tweak to your business needs.

To understand the difference between IaaS, PaaS, and SaaS, imagine that you want to have your WordPress site in the cloud. If you select IaaS, you must install and manage Linux, Apache, PHP, MySQL, and then WordPress with plugins. If you select PaaS, you must install and manage just WordPress (in some cases, also Apache/PHP/MySQL). If you select SaaS at wordpress.com, you don’t have to install anything: you just log in to the admin interface of your WordPress instance, configure it, and create content.

SaaS is the only type of cloud that is actually able to offer web application security services. However, each SaaS provider is different and the scope of these services may not be complete! The simplest example: wordpress.com may handle your WordPress core security (i.e. update WordPress to the newest version as soon as it’s out) but they may disregard the security of any plugins that you install yourself.

In summary: with a move to SaaS, web application security is approximately 50% in your hands. The cloud provider usually only offers services for core software but not any of your additions or modifications.

Cloud security is in your hands

As you can see from the explanations and examples above, if you think that your move to the cloud will free you from the necessity to take care of your web application security, you are wrong. Even in a SaaS offering, you have to either handle security yourself or outsource it, independently of your cloud services, to a professional MSSP that provides web application security services with the use of professional software such as Acunetix.