I keep reading that people are resisting the cloud because of security. I’m not really getting this. Moving your application to the Windows Azure or Google App Engine doesn’t mean you are abdicating your security responsibilities and handing them to Microsoft or Google.
In the cloud or not, it is your data and your applications and your responsibility to make them secure. Here are 12 things you can do to keep your applications secure:
- The best way to secure confidential data is to not store it in the first place. This seems obvious, but start by asking if the value of collecting the data outweighs the cost of keeping it safe.
- If you decide to store the data, then it should be encrypted. You might be thinking, “I only have to encrypt it, if I put it in the cloud where Microsoft employees can see it. Right?” Uh… wrong.
- If you’re going to transmit confidential data over the Internet you need to use HTTPS for transmission (cloud or not).
- Configuration information should be encrypted. “But Doug, on my network I don’t have to worry about that because only my programmers can see it. Right?” Uh… wrong.
- If you’re using a database, connect to it with a restricted account.
- Only allow access to data through stored procedures. Do not allow access to tables directly. Many people think stored procedures are used solely for better performance. Stored procedures should be used for security as well.
- Never use string concatenation to build a query – using parameterized queries or stored procedures will prevent SQL injection.
- All input from a Web application, whether the user typed it or not, needs to be validated and cleaned. Characters such as “-“, “;”, “<“, “>” need to be removed. These characters are used for code injection.
- If you are using .NET, pre-compile your applications with strong names. There’s a misconception that strong names are only needed to deploy to the GAC. Strong names prevent tampering and enable versioning. “But Doug, I only have to worry about that if I’m using the cloud, right?” Uh… wrong.
- Strong names prevent tampering, but the source code can still be decompiled and read. To prevent that, obfuscate it.
- In a Web application make sure to turn off detailed error pages. In ASP.NET, use the Application_Error event as your last line of defense for unhandled exceptions.
- Keep your servers patched and up-to-date.
If you don’t understand what I’m talking about, come to Learning Tree course 940: Securing Web Applications, Services and Servers. Everything in that course applies whether you use the cloud or not. In the cloud or not, your applications need to be secured by you!
If you’re already doing the things above, your application will be pretty secure in the cloud or on your network.
If you’re not doing the things above, your application is already not secure. So, move it to the cloud and save some money. It might come in handy for the lawsuit.