It’s well understood that securing your AWS cloud applications is important and that it needs to be front and center. This is especially true for companies that primarily generate business through their applications and websites, such as online retailers and SaaS providers. According to Verizon’s 2017 Data Breach Investigations Report, web application attacks are the leading cause of breaches, more than tripling from 9% to 30% since 2014. And as alarming as that sounds, it makes sense as only 24% of organizations said that their application security is mature with all aspects of security measures covered according to Cybersecurity Trends: 2017 Spotlight Report.
Translation: The vast majority of companies are putting themselves at risk, not just from a security perspective, but also a business one.
When launching an application in the cloud, it’s important to understand the risks you face when you do so without a comprehensive cloud security strategy in place. Here are a couple of things to think about before deploying your applications into the cloud.
Identifying Vulnerabilities Is Easier Than You Think
There are millions of web applications out there in the cloud, and the likeliness of an attacker stumbling across yours is very low, right? False. Attackers typically leverage automated tools, such as website vulnerability scanners, to scan public-facing web applications and report back if there are any vulnerabilities and open doors. It’s not that your app is specifically being targeted, but that attackers will take the path of least resistance, which starts with exploiting existing vulnerabilities. Additionally, depending on the application and the skills of the attacker, a successful attempt can take anywhere from hours to weeks. If an experienced attacker is matched with an application with weak security measures in place, a compromise could take place in minutes.
Ask yourself, do you want attackers to be the only ones to know what security weaknesses and vulnerabilities exist on your app or would you want to know as well?
The Less Than Obvious Impact of a Breach
A breach may seem like a security issue, but it is very much a business one as well. When a web application is compromised, several different scenarios could play out. Your company’s customer information could be stolen, confidential information regarding the company or your employees could be leaked, the availability of your web app could be impacted, the attacker could get deeper into your systems, obtaining more information about your networks for further damage, and with any of these scenarios you’re likely to have to deal with post-breach activities and bear costs in investigative, remediation, legal, publicity, customer identity protection and regulatory actions to name a few. Among organizations that experienced security incidents, 41% of IT security professionals said the biggest impact comes from disrupted business activities as stated in the Cybersecurity Trends: 2017 Spotlight Report. In other words, a breach doesn’t just affect the IT and security department of a company, but almost every department in the organization.
Now, let’s look at quantifying the impact of a breach. According to the Ponemon Institute 2016 Cost of a Data Breach Study: United States, the average organizational cost of a data breach has reached a new high of $7.01 million. And the rise in cost is linked to an increase in lost business due to the abnormal churn of existing customers, the increase in cost of acquiring new customers and the increase in the average size of a data breach.
It’s important to realistically understand the risk your company takes on when launching a web app without key security solutions. What losses would your company experience if your web app was unavailable for several hours? Are you willing to risk damaging company reputation and customer loyalty? Is your organization prepared to deal with a breach? Could your company shut down and go out of business if an attack occurred? This may seem like an extreme case, but it’s happened before.
CloudPets stuffed toys. Photograph: Cloudpets/Spiral Toys
CloudPets recently fell victim to a major security breach. As they were a rapidly growing company, speed to market was a top priority to ensure they could build a SaaS application the business needed. While it seems that security was important at CloudPets, as they had some security practices in place, they didn’t have all areas of application security covered, which is ultimately what left them vulnerable and exposed to an attack. Going to market with security gaps is a dangerous oversight for your business, especially for the long term. The likelihood of a breach is tied to the number of vulnerabilities in the application stack, and the greater number of vulnerabilities you have, the easier it is for an attacker to break in.
Remember: When you neglect security, you neglect the business.
Know What You’re Responsible for Securing
When utilizing the AWS cloud, it’s crucial that you’re familiar with their Shared Responsibility Model. Simply stated, the shared responsibility model is made up of two components – “security of the cloud” and “security in the cloud.” “Security of the cloud” is what AWS implements and operates on the customer’s behalf. They’re responsible for protecting the global infrastructures of services running in the cloud and the actual physical security of the facility in which the services operate. On the flip side, “security in the cloud” is the security measures that the customer implements and operates, related to the security of the content and applications that make use of the cloud provider’s services.
When evaluating what security solutions to implement on AWS, get a clear understanding of what you’re responsible for protecting and what AWS is. Subsequently, once you’ve got a grasp on that, you’ll need to then figure out what security capabilities you have and are willing to maintain for the applications and workloads that fall under your area of responsibility. Any area of security that you, as the AWS customer, are responsible for that does not have security in place is a gap that is vulnerable or susceptible for an attacker with malicious intent to exploit.
Learn more about protecting web application security in our eBook, 9 Considerations for Securing Web Apps in the Cloud.