Atlantic.Net Blog

5 Tips to Optimize Cloud Security for Developers

If it’s a popularity contest, the cloud is winning.

February 2014’s State of the Cloud Survey gathered information and perspectives on cloud computing from 1068 IT executives throughout a broad spectrum of economic sectors. 24% of those who completed the survey were from enterprises employing 1000+ people. This year’s results show that the cloud has exceptionally high acceptance, with 94% of companies either using cloud applications or Infrastructure as a Service (IaaS; also called Hardware as a Service, or HaaS). 87% of companies are partially integrated with a public cloud, while 74% either have a hybrid cloud in place or plan to transition to that model.

As the survey report indicates, cloud adoption has “reached ubiquity.” Part of the reason is that security concerns have receded. The percentage of survey respondents who view cloud security negatively fell in both the Cloud Beginners and Cloud Focused groups (terms used by the research team that refer to those starting their first cloud projects and those with business systems that rely on a substantial amount of cloud technology). In fact, many computing experts have considered the cloud – especially in its private sense – to be secure for years, assuming the correct configurations and safety protocols are in place: the US Department of Defense started using cloud computing in 2011.

Regardless of how secure the cloud can be, the security of a particular cloud environment can be better or worse based on what protections are in place. John Grady of Developer.com, in an article published in June 2014, offers five tips that can improve the security of a cloud-based development environment.

1. Data breaches

The biggest concern of developers, says Grady, is a data breach. Building an application that is fully compatible with all operating systems and devices is complicated enough without worrying about code theft. However, for developers, just a few lines of lost code could mean that the script must be regenerated from scratch and that – worst-case scenario – a copycat application is released using the leaked snippet.

A trusted way to defend against a data breach incorporates encryption technology and the management of user permissions. You want to ensure that all data is encrypted, especially when it is in motion – moving from a client device to the cloud or between devices. Your cloud service provider (CSP) also should not be able to access any of your files or content. As Grady notes, “Oversight… Is the mandate of a reputable vendor.”

2. Problematic APIs

Two major security issues arise from application programming interfaces (APIs). One is that CSPs use them to control access, but malicious parties can extend the interfaces to give themselves a full range of privileges. A recent example of that was the discovery by a French computer scientist that you can perpetrate a brute-force attack via iOS to hack any Tesla Model S by manipulating the API that the carmaker engineered itself. Another security loophole could arise when open-source APIs are integrated with projects, giving users broader permissions accidentally.

The standard rule of thumb for APIs, says Grady, is minimalism. It’s best to create the entire API yourself, but if you do use anything from an outside party, make sure you have a comprehensive understanding of the external code before integration.

3. Distributed denial

The dreaded distributed denial of service (DDoS) attack is one of the top concerns for any developer because it can completely shut you out of your system. You can’t know if your code will be corrupted or not until everything is back running correctly.

However, a significant problem with DDoS is not the attack itself but its strength as a decoy. Distributed denial of service causes a state of emergency, and many providers forget about other security tools such as firewalls while the attack is underway.

Your cloud provider must have adequate brute-force detection systems in place, along with solid disaster recovery mechanisms. Research your CSP to learn how often it has had downtime and how quickly the cloud platform was fully recovered.
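To make the brute-force detection mentioned here (and the API brute-force risk from tip 2) concrete, the following is an added example, not code from Grady's article or from any provider. It assumes a simple log format of timestamp, source IP, account and HTTP status; the log lines, threshold and window are constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (not real data): timestamp, source IP, account, HTTP status.
SAMPLE_LOG = """\
2014-06-01T10:00:00 203.0.113.7 alice 401
2014-06-01T10:00:00 192.0.2.44 carol 401
2014-06-01T10:00:05 203.0.113.7 alice 200
2014-06-01T10:01:00 198.51.100.9 bob 401
2014-06-01T10:01:02 198.51.100.9 bob 401
2014-06-01T10:01:04 198.51.100.9 bob 401
this line is malformed and must be skipped
2014-06-01T10:01:06 198.51.100.23 bob 401
2014-06-01T10:01:08 198.51.100.23 bob 401
2014-06-01T10:05:00 192.0.2.44 carol 401
2014-06-01T10:10:00 192.0.2.44 carol 401
2014-06-01T10:15:00 192.0.2.44 carol 401
2014-06-01T10:20:00 192.0.2.44 carol 401
"""

def parse_events(log_text):
    """Yield (time, source, account, status) tuples, skipping malformed lines."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        try:
            yield datetime.fromisoformat(parts[0]), parts[1], parts[2], parts[3]
        except ValueError:
            continue

def detect_bruteforce(log_text, max_failures=5, window=timedelta(seconds=60)):
    """Alert once per account that sees max_failures 401s inside the window."""
    # Failures are keyed by target account, not source IP, so guessing spread
    # across several addresses still trips the threshold.
    recent = defaultdict(deque)   # account -> (time, source) of recent failures
    alerts = {}
    for ts, src, account, status in sorted(parse_events(log_text)):
        if status != "401" or account in alerts:
            continue
        q = recent[account]
        q.append((ts, src))
        while ts - q[0][0] > window:   # drop failures older than the window
            q.popleft()
        if len(q) >= max_failures:
            alerts[account] = {"at": ts.isoformat(), "failures": len(q),
                               "sources": sorted({s for _, s in q})}
    return alerts

print(detect_bruteforce(SAMPLE_LOG))
```

Only the rapid burst against one account raises an alert; the same number of failures spread over twenty minutes, and a single mistyped password followed by a success, do not.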

4. Resource compromise

Many developers benefit from the cost-effective performance of the public cloud, which disburses resources on-demand (as needed). Because of the cloud structure, some malicious parties now hack resources, claiming and using cloud power for their own purposes. This tactic can increase your latency and malware risk.

Security and scanning tools that track resources and sense intrusion can be used both within private cloud hosting and on client devices by developers and their CSPs.

5. Multi-tenancy

Although a cloud computing system is much more sophisticated than shared hosting, it does have one major element in common with it: multi-tenancy. In a public cloud environment, it’s possible that your data could be stored in proximity to code that becomes corrupted or gets analyzed by the government. Know what your service-level agreement (SLA) stipulates in terms of information release to law enforcement. Apple specifically states that it doesn’t provide any data from its cloud to outside parties unless a warrant is presented. Still, some CSPs leave themselves with the right to comply, so they don’t risk a general shutdown.

A CSP that deserves your business

From the above five tips, you can see that wisely selecting a cloud service provider is a fundamental step to increasing your security. Just because the cloud is new does not mean your hosting company should be. Atlantic.Net has been in business since 1994, and we offer best-in-class VPS hosting with no contracts and no commitments, live in 30 seconds. We also provide HIPAA cloud hosting services.
