There are many reasons why deploying your software application in the cloud may make sense. Resource elasticity lets you spin storage and processing up or down for large datasets. Remote access gives team members who are not in the office a way to reach the system. Automatically managed infrastructure saves money: work can be performed off-site, and you pay only for what you need.
If you simply Google "<big pharma name> data theft" you will likely turn up a number of stories on your own. Pfizer had three incidents in 2007 alone. We all remember the Anthem breach, which occurred because of a failure to abide by the Principle of Least Privilege. Even Target suffered a huge breach that was initially detected; the security breakdown happened when they failed to follow up appropriately.
It is important to abide by the following principles when securing any software application. They are not limited to cloud applications.
Principle of Least Privilege
Only provide access to needed resources, and nothing more
Secure by Default/Secure by Design
Assume malicious intent by default and act accordingly
Separation of Duties
Assign responsibility for key roles to different people
Process not Features
Information security is about managing risk, not checking off a list
Sure, but the cloud does add one more set of secrets to protect: cloud provider management credentials are the "keys to the kingdom", and provider API tokens for automated tasks are equally important! Principles are principles, regardless of the environment. Anthem, Target, and Heartland made fundamental mistakes.
Choosing a provider can be a difficult task, but asking the following questions will help you determine which provider is right for your application.
Are they trustworthy?
Established providers may already have a public track record (e.g. AWS). Lesser-known providers need to earn your trust through transparency.
What kind of physical protections are put in place?
How is the data center protected? How are individual servers protected?
Are there written guarantees?
If you need regulatory compliance, will it be provided? Can the provider guarantee a certain level of service?
An attack surface is the sum of the different points where an unauthorized user can try to enter or extract data from an environment. It is important to minimize that surface by abiding by the principles above.
Close or restrict ports that don't need to be exposed.
Expose only essential services to the internet-at-large.
Apply security patches on a regular basis.
Authentication is the process of proving that someone is who they claim to be. Multi-factor authentication (MFA) is an extremely secure means of authenticating your users: it requires at least two different identifiers for a user to log in to the system, typically a password plus one other factor such as a text-message verification code, a biometric, or a code from an authenticator application such as Google Authenticator. Make sure you exchange sensitive information securely. If you need to send a password to a user, encrypt it and split the delivery across multiple channels so that all of the sensitive data is never in one place.
Authorization is defining the access rights based on a user's identity. Use a granular access control model:
Role-based security
Access control is based on the roles a user occupies
Claims-based security/access control lists
Access control is based on the resources a user can access
These two models can be combined for greater effect.
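The following is an added example, not code from the original article: a deny-by-default authorizer that combines the two models above, so a request is allowed only if the user's role grants the action in general and the resource's access control list names that user for it. The roles, users and resource are constructed for illustration.

```python
# Added example (not from the original article): role-based access control
# combined with a per-resource access control list, denying by default.
from dataclasses import dataclass, field

# RBAC part: which actions each role may perform in general (constructed).
ROLE_PERMISSIONS = {
    "analyst": {"read"},
    "engineer": {"read", "write"},
    "admin": {"read", "write", "delete"},
}

# Every decision is recorded so access attempts can be audited later.
DECISION_LOG: list = []


@dataclass
class Resource:
    name: str
    # ACL part: which user may perform which actions on this resource.
    acl: dict = field(default_factory=dict)  # {user_name: set_of_actions}


@dataclass
class User:
    name: str
    roles: set


def role_allows(user: User, action: str) -> bool:
    """RBAC check: at least one role held by the user grants the action."""
    return any(action in ROLE_PERMISSIONS.get(role, set()) for role in user.roles)


def acl_allows(user: User, resource: Resource, action: str) -> bool:
    """ACL check: the resource explicitly lists this user for this action."""
    return action in resource.acl.get(user.name, set())


def is_authorized(user: User, resource: Resource, action: str) -> bool:
    """Combined model: both checks must pass; anything unmatched is denied."""
    allowed = role_allows(user, action) and acl_allows(user, resource, action)
    DECISION_LOG.append((user.name, resource.name, action, allowed))
    return allowed


# Constructed sample data: bob is on the ACL for "write", but his role
# does not permit writes, so the combined check denies it (least privilege).
alice = User("alice", {"engineer"})
bob = User("bob", {"analyst"})
patient_db = Resource("patient_db", acl={"alice": {"read", "write"},
                                         "bob": {"read", "write"}})
```

An admin who is not listed on the resource's ACL is denied as well, because neither model alone is sufficient.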
Remember that checklists are a tool, not a final step. Use checklists to perform audits, not to claim security is "finished". Log access attempts wherever possible; most applications will do this when configured appropriately. Make sure you monitor those access attempts: many cloud providers offer infrastructure monitoring, and open-source and commercial tools exist as well. Make sure to follow up if something happens! Target had all of the monitoring and tools, but did nothing when suspicious activity was detected.
Security principles apply everywhere - the cloud is no different. Remember the Principle of Least Privilege. Use strong passwords and multiple authentication factors. Make authorization policies as granular as necessary. Finally, make security an ongoing process, not items on a list.