When we talk about Cloud Computing and security in the same sentence, we immediately think about infrastructure security, and a debate kicks off around the topic. Yes, infrastructure security is important, and it is the headache of the IaaS provider. But as a developer running a web app on top of IaaS, or a startup building a SaaS application on the cloud or on top of a managed provider's infrastructure, one needs to worry about application security. In this post, I will briefly discuss the state of application security in the cloud and introduce an interesting company, Art of Defence, in this space.
In fact, it is my gut feeling that many startups offering web 2.0ish applications or SaaS applications are completely ignoring application security, and it is just a matter of time before things blow up in their faces. The IBM X-Force annual report for 2008 showed clearly that there was an 8x increase in the count of web application vulnerabilities (an exponential increase from 2004 to 2008), and that at the end of 2008, 74% of these vulnerabilities were left unpatched. Most users have absolutely no idea what is in store for them when the web applications they use are severely vulnerable. It is like a bomb waiting to explode, and the cost of any attacks using these vulnerabilities could be devastating to both the vendors and their users.
In the traditional web application hosting era, we used web application firewalls, which add a layer around the web server that fends off attacks based on the rules we add to the firewall's configuration. ModSecurity is one such example for the Apache web server, and in my previous avatar as a system admin, I used ModSecurity extensively to fend off attacks on PHP scripts running on our servers. Such web application firewalls served the purpose to a reasonable extent, protecting web applications from attacks that exploit known vulnerabilities and, sometimes, unknown ones using just-in-time rules.
As web applications moved from the traditional development model to a SaaS model, things got pretty complex. For one, it makes things difficult for cloud providers because they will have more than one client on a single piece of hardware. The traditional web application firewall approach will not work here. Not only are these firewalls dependent on the hardware, adding to the complexity, they also consume quite a bit of resources. This makes them useless in a cloud-based scenario. A better way is to build the security measures into the applications themselves, so that security scales along with the cloud. That is not happening anytime soon, and we need a different kind of solution to handle this requirement. Enter the dWAF, the distributed Web Application Firewall. A dWAF comes in the form of a plugin or even a SaaS service and integrates seamlessly with many cloud environments. These firewalls offer support for detecting vulnerabilities and protecting against attacks in a seamless way, without consuming many resources.
Art of Defence, founded in Germany with a recently opened office in San Francisco, has done great work in developing such a distributed firewall, and their flagship product, the distributed web application firewall (dWAF) Hyperguard, offers comprehensive application security for the cloud era. They have partnered with Amazon Web Services and GoGrid to offer their firewall solution as SaaS. AWS customers can access the Hyperguard SaaS by simply adding a small software plug-in to an existing web server Amazon Machine Image (AMI), or by using Art of Defence's custom AMI. GoGrid customers can do the same.
Hyperguard has three components:
- The Enforcer, a small plugin that can be plugged into a web server, a network firewall or a load balancer. The Enforcer sends request and response data to a component called the Decider and also modifies requests and responses if needed. The Enforcer is the adapter through which Hyperguard gets the data it needs to enforce the policy.
- The Decider, the core policy engine, receives the request data from the Enforcer, decides what to do and returns a verdict.
- The admin interface, the UI that lets administrators set the policies, monitor, and track alerts.
Art of Defence has recently partnered with the Santa Clara based WhiteHat Security, a company that helps businesses with website risk management and compliance. With this partnership, Art of Defence's Hyperguard is tightly integrated with the WhiteHat Sentinel website vulnerability management service. Art of Defence used WhiteHat Security's operational open XML API to enable Hyperguard to transform WhiteHat Sentinel's verified website vulnerability assessment results into viable rule-set suggestions for Hyperguard's security policy management. Now, companies that use both solutions will be able to take advantage of "virtual patching" functionality and mitigate website vulnerabilities quickly, limiting exposure to exploits.
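To make the Enforcer/Decider split and the idea of "virtual patching" concrete, here is a small added example in Python; it is not Art of Defence's or WhiteHat's code, and the finding format, the TYPE_PATTERNS map and the in-process call from Enforcer to Decider are assumptions for illustration.

```python
import re

# Constructed sample finding in a hypothetical shape (not WhiteHat Sentinel's real
# API schema): the scanner verified that parameter "id" on /item accepts bad input.
FINDING = {"path": "/item", "param": "id", "param_type": "integer"}

# Assumed admin-maintained map from parameter type to allowed shape: the finding
# says *which* parameter is at risk, the policy says what it may contain.
TYPE_PATTERNS = {"integer": r"\d{1,9}", "slug": r"[a-z0-9-]{1,64}"}

def rule_from_finding(finding):
    """Virtual patch: turn a verified finding into a positive-validation rule."""
    pattern = re.compile(TYPE_PATTERNS[finding["param_type"]])
    return {"path": finding["path"], "param": finding["param"], "pattern": pattern}

def decide(rules, request):
    """Decider: the policy engine. Returns ('allow' | 'block', reason)."""
    for rule in rules:
        if request["path"] != rule["path"]:
            continue
        value = request["params"].get(rule["param"])
        if value is not None and not rule["pattern"].fullmatch(value):
            return "block", f"{rule['param']} on {rule['path']} violates virtual patch"
    return "allow", ""

def enforce(rules, request, handler):
    """Enforcer: the adapter at the web server. Hands the request to the Decider,
    blocks on a negative verdict, otherwise forwards to the application handler
    and scrubs the response (here: drops the Server header)."""
    verdict, reason = decide(rules, request)
    if verdict == "block":
        return {"status": 403, "headers": {}, "body": reason}
    response = handler(request)
    response["headers"].pop("Server", None)
    return response

def backend(request):
    """Stand-in for the protected web application."""
    return {"status": 200, "headers": {"Server": "Apache"}, "body": "ok"}

def demo():
    """Run three constructed requests through the Enforcer; returns their status codes."""
    rules = [rule_from_finding(FINDING)]
    return [enforce(rules, r, backend)["status"] for r in (
        {"path": "/item", "params": {"id": "42"}},     # conforms to the patch
        {"path": "/item", "params": {"id": "42'"}},    # violates the patch
        {"path": "/about", "params": {"id": "42'"}},   # path not covered by a rule
    )]

if __name__ == "__main__":
    print(demo())
```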
Some of the top folks from Art of Defence are also heavily involved in the Cloud Security Alliance's efforts to promote cloud security best practices. They have played a major role in the application security part (domain 10) of the Security Guidance for Critical Areas of Focus in Cloud Computing report. It is an interesting company to keep tabs on for anyone who follows cloud security closely.