The Developer Cloud: 5 Tips for a Secure Environment
By John Grady
At the recent IBM Innovate conference, Big Blue announced major updates to its BlueMix open cloud developer platform, according to a June 2nd article from Destination CRM. IBM Cloud Platform Services general manager Steve Robinson said, “We’re allowing the programmer to have no boundary between them and their consumer.”
But despite increasing support for devops work, many developers remain wary about putting their hard work into the cloud. Here are five of their top concerns — and solutions.
Breach in the Wall
Data breaches and data leaks top the list of developers’ cloud concerns. It's difficult enough to construct an app or service that works across platforms and devices, but to have code stolen or leaked from a supposedly locked-tight service is unthinkable. Developers have to think this way, however, because even a few lines of proprietary code gone missing could mean a complete rewrite or the risk of a duplicate app emerging.
The solution? Encryption and access control. In theory, it’s simple. In practice, it means making sure data in transit (from device to cloud or from device to device) is always encrypted, and that your cloud provider doesn't have direct access to your materials. Oversight, not investigation, is the mandate of a reputable vendor.
Application programming interfaces (APIs) pose two security challenges. First, cloud providers rely on them to grant customers access, but third parties can build out these interfaces to include broader permissions than originally intended. For example, a French IT expert recently discovered it was possible to hack a Tesla Model S using a brute-force iOS attack and an API designed by Tesla itself. It's also possible that open-source APIs built into devops projects could allow unintended user permissions, allowing the alteration of basic functions or forms.
When it comes to APIs, less is more: Ideally, design what you're using yourself, or thoroughly vet third-party offerings before they become essential to your project.
Dealing with DDOS
Distributed denial of service (DDOS) attacks are among the top five security concerns because they can completely cut off developers from their project and leave them uncertain about code integrity after service is restored. As Business Cloud suggests, however, the biggest issue with DDOS attacks is that they're often smokescreens for other, more sophisticated intrusion attempts. By forcing IT response teams to focus on the obvious problem of denied service, it's possible for providers to neglect firewalls or other security controls. The results can be disastrous.
Here, it's your cloud service provider that needs to step up and handle DDOS effectively. Do your research — find out how many service outages a prospective vendor has suffered, along with their response time.
The Compromised Resource
DDOS is an obvious security threat; compromised resources are something else altogether. With more developers leveraging the power of the public cloud to run large-scale project tests, there's a greater need for on-demand resource allocation. Some attackers, however, focus on “resource hacking,” or the hijacking of public cloud resources for their own aims. This can lead to compromised app performance and the risk of malware infection.
Real-time monitoring tools, both local and server-side, can help alert developers to this issue.
An inherent property of the public cloud, multi-tenancy comes with the risk that project data will be stored alongside compromised code or examined as part of a government request. Apple, for example, will not release any iCloud data to officials without a warrant, but many providers prefer to comply rather than risk a shutdown. Always make sure your service-level agreement (SLA) specifies under what circumstances (if any) your data will be made available.
Developing in the cloud? Handle these five security concerns to minimize potential problems.
John Grady is the Senior Manager of Product Marketing at XO Communications. XO Communications is the primary provider of cloud computing and cloud security services for businesses of all sizes throughout the nation.