rvlsoft - Fotolia
“On average, there are now 777 cloud apps in use in European organisations, but 94.4% of these apps are not enterprise-ready from a security standpoint,” said Eduard Meelhuysen, vice-president at cloud security firm Netskope. “This means that sensitive corporate data may be exposed without staff even realising it.”
Software developers must understand the security threats to software developed for Microsoft Azure, because it is ultimately the developers’ responsibility to ensure the security and compliance of their Azure applications.
Azure developers are likely to build apps and websites destined for public use, but the lack of thought given to security built into these apps is a huge weakness that can be exploited by cyber criminals.
A consistent cause of software vulnerabilities is software defects and bugs written into program logic. These flaws can be accidentally built into any application, whether it is hosted on Microsoft Azure or your local network.
Azure developers must practise secure programming or risk opening up their apps to vulnerabilities, such as the massively damaging Heartbleed flaw.
Also, by their nature, cloud development platforms such as Azure introduce threats found only within the cloud, such as new privilege escalation attacks and hypervisor takeovers known as hyperjacking.
To combat security vulnerabilities, Azure developers must follow these best practices when developing using Azure App Service:
- Ensure web applications enforce HTTPS.
- Disable remote debugging immediately after troubleshooting.
- Keep “always on” setting in Azure App Service always on to ensure reliability.
- Conduct regular logging and traffic monitoring.
- Stage regular penetration tests on your applications.
And in response to the growing threat of cyber crime on Azure, Microsoft recently announced a plethora of new security enhancements.
Cloud security crucial
As cloud adoption accelerates, threats such as data breaches will become increasingly common. With the average cost of a data breach now an estimated £3.2m, can developers using Microsoft Azure really afford to leave security as an afterthought?
The cost of a data breach is rarely confined to remediation and recovery. A recent insider security breach affecting Sage resulted in the FTSE100 company’s stock price dropping by 4.3%, causing millions of pounds in losses.
Demand for professionals with Azure security skills will rise as cloud applications become more sophisticated, and IT pros who can demonstrate they have invested in learning Azure security skills will be in high demand this year.
GDPR is coming
Azure application security must improve before the EU General Data Protection Regulation (GDPR) is introduced in 2018.
GDPR will impose new accountability and restrictions on internal data flows, and threatens fines of up to £17m for businesses that fail to comply.
But just 2% of enterprise cloud applications are GDPR-ready, so there is a lot of work ahead for developers on Azure – and every cloud platform.
Anyone developing for Azure needs to know what he or she is responsible for in terms of security. With the rise of cloud technology, the responsibilities of shared security have changed. Azure may be responsible for your infrastructure, but it might be easy to forget that, as the customer, you are responsible for the security of your own apps.
Last year, Microsoft issued guidelines about Azure security, spelling out when a security problem is a customer’s problem and when it is Microsoft’s. By doing this, Microsoft has clearly stated where its security responsibility ends, and the developers’ begins.
Read more about Microsoft Azure
- Microsoft’s Azure cloud platform has gone well beyond mere virtual machines and orchestrated workflows. It can now also power internet of things applications.
- AWS has been king of the public cloud mountain for years. But now Azure is steadily climbing up, with a host of new services in tow.
- Microsoft has opened its UK Azure cloud for business, offering customers in government and regulated industries a means to keep their data resident in the UK.
To put it simply, the security of apps that organisations develop for Microsoft Azure is their responsibility. Microsoft provides powerful security features, but it is the developers’ responsibility to implement them and maintain their knowledge of threats.
Microsoft Azure customers are responsible for:
- Data protection and classification.
- Endpoint and client protection (except in Software-as-a-Service environments).
- Application stack security in infrastructure as a service (IaaS).
But no matter whose responsibility it is, developers should act as if they bear the full weight of cloud security. After all, it’s your sensitive data on the line.