Salesforce: Improving Cloud App Security
Cloud application security is a growing concern as companies large and small make the move from in-house servers to off-site compute resources. Cloud metrics app Datadog — which counts big businesses such as AWS, Slack, and Fastly among its major partners — was recently the victim of a data breach and is now recommending that users revoke and change their credentials. With cloud computing now a requirement to compete globally and find success locally, how do companies ensure app security is up to par?
Specialized cloud security solutions designed by SMBs are one option; that’s how Microsoft’s Ronny Bjones sees the market shaking out as developers look for ways to focus more on their craft and startups find niche services that appeal to specific verticals. The problem? This market is still maturing as companies “test out” the cloud to determine where they need help and where they can get by on their own.
The alternative? Large-scale cloud providers like Salesforce, which leverage highly skilled security teams and economies of scale to invest in the latest security technologies. With access to a broad spectrum of resources and information, cloud providers can create a kind of application development pipeline, one that simultaneously delivers enhanced performance and robust security coverage.
Cloud app security covers a great deal of ground, meaning companies must focus on key concepts to maximize IT impact. Common areas of improvement include:
- Encryption — Is app data handled securely at every point in the process? What other applications does the primary app interface with, and are these apps similarly secure? Salesforce is now rolling out a “bring your own key” initiative that lets companies use their own encryption keys to safeguard data on Salesforce apps rather than using the default encryption method, providing greater control end-to-end.
- Access — Who has access to cloud computing applications, and under what circumstances? Provide access on demand to those who need it rather than granting carte blanche access.
- Observation — What tools are in place to monitor data as it moves from app to app, or the behavior of an application itself? Leveraging third-party tools can help drill down and discover the root cause of app issues — in some cases, employee misuse may be responsible. In others, new apps may not “play nice” with legacy systems.
Enhanced Application Development
While end-of-line security processes can help limit the chances of a breach, the ideal time to incorporate solid security structures is during the development process. For example, Salesforce uses an OWASP-inspired three-phase development model to enhance overall security. In the design phase, high-risk features and access points are identified and assessed. During the coding phase, standard vulnerability types are addressed and analysis tools are used to identify security flaws. Finally, apps are tested by in-house staff, external consultants, and third-party tools.
Improved application security impacts all companies — security startups, cloud providers, and clients alike — and is now a top priority for businesses considering a move to SaaS-based solutions. Achieving better app security is possible with the right combination of development-based processes and end-user security oversight.