Pre-requisite:- Cloud Computing

Designing and implementing applications that will be deployed on the cloud platform will be required to re-evaluate current practices and standards of existing security programs of application. The security of applications ranges from standalone single-user applications to sophisticated multi-user e-commerce applications used by millions of customers. A large number of organizations also develop custom built web-applications for their business.

Since the browser is the end-user client for accessing the cloud applications it is important for application security programs to include browser security in the scope of application security.Combined(application and browser security) determine the end-to-end cloud security that helps in protecting the confidentiality, integrity, and information availability on the cloud services.

Security Threats at the Application Level

• The existing threats on the web application may exploit well-known vulnerabilities including XSS(cross-site scripting), SQL injection, malicious file execution, and other vulnerabilities resulting from programming errors and design flaws.
• The hackers are exploiting the various vulnerabilities that they have discovered for various illegal activities including financial fraud, cyber-bullying, and converting trusted websites into malicious servers using phishing scams. Thus, all web applications are at risk of security defects from insufficient validations to logic errors.
• Organizations that use the public cloud should have a combination of security controls and network-and-host-based access controls to protect web applications.
• The web applications that are deployed on the public cloud are at a higher threat level as they are exploited by hackers to support fraudulent and illegal activities. Threat models for web applications that are deployed on the public cloud must be designed in which internet security should be embedded into the SDLC(Software Development Lifecycle).

DoS and EDoS

DoS(Denial of Services) and EDoS(Economically Denial of Sustainability) are attacks that can disrupt cloud services. DoS attacks at the application layer can result in high-volume page reloads XML web services requests or protocol-specific requests supported by a cloud service. This malicious request comes with legitimate traffic. Hence, it is difficult to filter this traffic without impacting the services as a result it makes a poor user experience.

These attacks have more impacts on the cloud service budget of the organization as in the cloud we have a pay-as-you-go structure for using different cloud services, therefore, we’ll have an increase in network bandwidth, CPU and storage consumption this attack is primarily known as economic denial of sustainability(EDos) as it is impacting the organization economically.

Security of End User

The customers of cloud services are responsible for ensuring the end user security they have to perform the tasks such as

• Performing the security procedures for protecting the Internet-connected PC, ensuring “safe browsing.” that is not using malicious web applications that websites not having the HTTPS certification are not reliable.
• Activity Protection includes the use of security software, like anti-malware, antivirus, personal firewalls, security patches, and IPS-type software on your Internet-connected computer most browsers have software vulnerabilities that make them vulnerable to end-user security attacks.

Hence, for achieving end-to-end security in a cloud the end user should always have an updated browser as in these updates the developer hides the vulnerabilities by patching them.

Web Application Security in the Cloud

1. For maintaining security in the cloud. Both the cloud service provider(CSP) and the customers are responsible, this responsibility depends on the Cloud service delivery model(SaaS, PaaS, IaaS) and service level agreement(SLA).
2. As the customers do not have expertise in the area of software vulnerabilities in the cloud service which prevents them from managing the operational risk that might come from vulnerabilities.
3. The cloud service provider(CSP) often treats their software as sole proprietary which results in difficulties for security researchers in analyzing the software for bugs and flaws. (Except for the operation on the open source software) due to this customers are dependent on their service provider to secure their applications from any new vulnerability that can affect the confidentiality, integrity, or availability of their applications.

Applications Level Security in System as a Service(SaaS)

In the SaaS model the service provider generally manages the entire application of the customer Hence, it is their responsibility for securing the applications of the customers. Customers are responsible for user and access management and operational security functions, generally, the customers request information from the service provider about the various security aspects of their application including design, architecture, development, back-box and white-box application security testing, and release management.

The security controls available for managing the risks to information are offered by the cloud service providers in the form of a web-based administration user interface tool for managing the access control and authentication of the application.

The customers of the cloud should have knowledge of access control management in the cloud for authentication and privilege management based on the roles of the user and take the required steps for protecting the applications. Generally, SaaS providers invest in software security and practice security assurance as a part of the SDLC phases.

Application Level Security in Platform as a Service(PaaS)

Platform as a Service(PaaS) cloud service providers are responsible for securing the platform of software including the runtime engine that runs the customer’s application, as PaaS applications can use third-party applications, components, or web services, therefore, the third-party application providers are also responsible for securing their services.

Generally, the PaaS platform uses the sandbox architecture in a multi-tenant computing model as a result, due to the sandbox characteristic of the platform runtime engines centrally maintain the confidentiality and integrity of applications that are deployed in the PaaS.

The cloud service providers are responsible for bugs and vulnerabilities that might exploit the PaaS platform and break out of the sandbox architecture, the network and host security is also the responsibility of platform as a service(PaaS) cloud providers.