So… You’re an aspiring killer Web app developer or you’re thinking of moving some systems to the cloud? Here are some of the security issues you need to consider.

Application Security

To begin, you need to build security into your application just like you would if you were running it on your own hardware. Many mistakes are made in the areas of user authentication and input validation.

Writing code to authenticate users is about as glamourless as it gets. So, my first advice to developers is to try and avoid doing it yourself. Where possible, use an existing system that already does the work for you. If you’re going to write your own, you really need to do some research. In summary, you need to address issues such as password complexity rules, aging and resets. Passwords should never be stored in the clear and it should never be possible for a user or administrator to view a password. Upon entry, passwords should immediately be transformed using a secure one-way function. In addition, you need to consider delay and lockout mechanisms for invalid authentication attempts and ensure that your application does not provide insight into why an authentication failed.

Failing to properly validate input is a fatal mistake, often leading to buffer overflows, stack smashing, and SQL injection. All data arriving at the application should be assumed to be hostile. Attackers will manipulate input fields, change hidden form fields in HTML documents and do all sorts of other unexpected things in an attempt to break your application.

Network Security

In your office or data centre you have control of the network. You can design multiple DMZs to separate data of different sensitivities and to create defense in depth. In the cloud, you loose much of the control you had over the physical network topography, making it much more important that every computer is capable of defending itself. If you’re designing for the cloud, every machine should have its own firewall and you should seriously consider encrypting all traffic between your machines in the cloud. Unless you can clearly demonstrate otherwise, you should assume that an attacker can directly probe each of your machines. And remember, not all hostile traffic will come from the Internet. A hacker may be renting computer time from the same vendor.

Physical Security

A related issue is that in the cloud you no longer have control over physical security. However, for smaller business, this may not be a bad thing. Amazon, for example, likely has much better physical security at their data centre than your small businesses would have. But this is one area where you might want to carefully consider your options, including encrypting all sensitive data to ensure it is protected in the event of a physical security incident.


One of the reasons we look to the large service providers is that they are often capable of providing very attractive levels of data integrity and availability, including backups. However, in the event of a natural disaster, fire, bankruptcy or contract dispute, you do not want to find yourself unable to access critical data such as a customer or subscriber list. You should therefore consider backing up your data (or at least the most important subsets of it) either to your own office or to another unaffiliated provider. Otherwise you are completely at the mercy of your cloud provider, which could be a financially perilous place to be.


A high level of availability can be achieved in cloud computing, but it takes some work. How much work depends on the cloud provider. For example, Amazon offers the ability to run in different ‘zones’, but you still need to architect your application to take advantage of it. Since cloud providers are heavy users of virtualization technologies, it is critical that you understand how to ensure that your ‘redundant’ virtual computers are not actually running on the same physical computer.

Jurisdictional Issues

Storing data in the cloud can result in complicated or unfavorable jurisdictional issues. For example, the laws in some jurisdictions make it very easy for law enforcement to obtain data without adequate judicial oversight and some cloud providers may not have any interest in contesting access requests, even when the requests may be unlawful. It is critical to understand where one’s data may be stored and to determine if additional security controls, like data encryption, are required to protect it. Some providers offer data storage in different countries to help resolve these issues and comply with applicable privacy legislation.

A Final Thought

If you just want to play in the cloud, but all means do so. But if you’re developing a serious application, or dealing with personal or corporate information, consider some expert security advice early in the design process. In many cases a security professional can help you build a secure system in the first place and save you a lot of money, time and frustration.

Leave a Reply