5 Tips to Optimize Cloud Security for Developers

Adnan Raja
by (131 posts) under Cloud Hosting, Dedicated Hosting, VPS
0 Comments

If it’s a popularity contest, cloud is winning.

February 2014’s State of the Cloud Survey gathered information and perspectives on cloud computing from 1068 IT executives throughout a broad spectrum of economic sectors. 24% of those who completed the survey were from enterprises employing 1000+ people. This year’s results show that cloud has exceptionally high acceptance, with 94% of companies either using cloud applications or Infrastructure as a Service (IaaS; also called Hardware as a Service, or HaaS). 87% of companies are at least partially integrated with a public cloud while 74% either have a hybrid cloud in place or are planning a transition to that model.

5 Tips to Optimize Cloud Security for Developers

As the survey report indicates, cloud adoption has “reached ubiquity.” Part of the reason that’s the case is that security concerns have receded. The percentage of survey respondents who view cloud security negatively fell in both the Cloud Beginners and Cloud Focused groups (terms used by the research team that refers, respectively, to those starting their first cloud projects and those with business systems that rely on a substantial amount of cloud technology). In fact, many computing experts have considered the cloud – especially in its private sense – to be secure for years, assuming the right configurations and safety protocols are in place: the US Department of Defense started using cloud computing in 2011.

Regardless of how secure the cloud can be, the security of a particular cloud environment can be better or worse based on what protections are in place. John Grady of Developer.com, in an article published in June 2014, offers five tips that can improve the security of a cloud-based development environment.

1. Data breaches

The biggest concern of developers, says Grady, is a data breach. Building an application that is fully compatible with all operating systems and devices is complicated enough without having to worry about code theft. However, for developers, just a few lines of lost code could mean that the script must be regenerated from scratch and that – worst-case scenario – a copycat application is released using the leaked snippet.

A trusted way to defend against a data breach incorporates encryption technology and the management of user permissions. You want to be sure that all data is encrypted, especially when it is in motion – moving from a client device to the cloud or between devices. Your cloud service provider (CSP) also should not be able to access any of your files or content. As Grady notes, “Oversight… Is the mandate of a reputable vendor.”

2. Problematic APIs

Two major security issues arise from application programming interfaces (APIs). One is that CSP’s use them to control access, but malicious parties can extend the interfaces to give themselves a full range of privileges.  A recent example of that was the discovery by a French computer scientist that you can perpetrate a brute-force attack via iOS to hack any Tesla Model S, by manipulating the API that the carmaker engineered itself. Another security loophole could arise when open-source APIs are integrated with projects, giving users broader permissions accidentally.

The standard rule of thumb for APIs, says Grady, is minimalism. It’s best to create the entire API yourself, but if you do use anything from an outside party, make sure you have a comprehensive understanding of the external code prior to integration.

3. Distributed denial

The dreaded distributed denial of service (DDoS) attack is one of the top concerns for any developer because it can completely shut you out from your system, and you can’t know if your code will be corrupted or not until everything is back running properly.

A major problem with DDoS, though, is not the attack itself but its strength as a decoy.  Distributed denial of service causes a state of emergency, and many providers forget about other security tools such as firewalls while the attack is underway.

Your cloud provider must have adequate brute-force detection systems in place, along with strong disaster recovery mechanisms. Research your CSP so that you know how often they have downtime and how quickly the cloud platform was fully recovered.

4. Resource compromise

Many developers benefit from the cost-effective performance of the public cloud, which disburses resources on demand (as needed). Because of the structure of the cloud, some malicious parties now hack resources, claiming and using cloud power for their own purposes. This tactic can increase your latency and malware risk.

Security and scanning tools that track resources and sense intrusion can be used both within a Cloud VPS and on client devices, by developers and their CSP’s.

5. Multi-tenancy

Although a cloud computing system is much more sophisticated than shared hosting, it does have one major element in common with them: multi-tenancy. In a public cloud environment, it’s possible that your data could be stored in proximity to code that becomes corrupted or gets analyzed by the government. Know what your service-level agreement (SLA) stipulates in terms of information release to law enforcement. Apple specifically states that it doesn’t provide any data from its cloud to outside parties unless a warrant is presented, but some CSP’s leave themselves with the right to comply so they don’t risk a general shutdown.

A CSP that deserves your business

You can see from the above five tips that wisely selecting a cloud service provider is a fundamental step to increase your security. Just because the cloud is new does not mean your hosting company should be. Atlantic.Net has been in business since 1994, and we offer best-in-class Cloud Hosting with no contracts and no commitments, live in  30 seconds.

By Moazzam Adnan