Month: November 2014

Application Security Engineering Analyst @ LSEC

Some of you may know I work part-time for a security firm called LSEC – Leaders in Security, or if you didn’t know, now you know. Some ask me what I do and what keeps me busy, well the upcoming conference is a good chance to explain it. I have the opportunity to go to the Cloud Security Alliance EMEA conference in Rome. This is quite the opportunity, as a lot of great speakers are scheduled to give a talk (Google, Dropbox, Microsoft, LinkedIn, Atos, etc).

Cloud Security Alliance is an organization which focuses on security issues when transitioning to the cloud. Or more in general, security issues which should be considered when you’re talking about running applications in the cloud. My official function at the firm is Application Security Engineering Analyst, quite a mouthful; I know. Basically I do research on the migration to the cloud. More specifically, I will try to pin-point security issues and bundle best practices when a company wants to move their systems to the cloud.

Moving to the cloud has a lot of benefits and is thus becoming increasingly popular. Employees can work from anywhere and the company does not need to manage resources, the cloud does this for you. Scaling is no issues, if you need more resources; you simply update your agreement with the cloud service provider. But as you might sense, these advantages do not come without any issues.

When migrating your traditional software to the cloud, you’ll need to scan your code and architecture. If your software uses some shared resources (specific company data), you’ll have to make the choice to move it to the cloud or not. The outcome of this decision affects the other systems who share the resources. From a security point of view some other, additional questions may arise:

  • Does the CSP provide sufficient data encryption?
  • Does the CSP provide strong authentication (using TPM’s, smartcards, card readers, …)
  • Does the CSP support multi-factor authentication?
  • What if your software uses LDAP for example. This is typically deployed internal in the company’s network. Does it need to be made accessible to the programs running in the cloud or are we replicating LDAP in the cloud?
  • Does the CSP emergency response team respond fast on vulnerabilities (i.e. heartbleed).
  • ….

I think it’s quite clear that there’s a lot to cover when a company decides to migrate their applications to the cloud, a lot of security issues need to be taken care of and be thought well through. So the main part of my job consists of doing research in state-of-the-art security mechanism for cloud platforms and searching for possible security issues. Which is a fun job to do.

Everybody who wants to follow me on the CSA EMEA 2014 conference can check my twitter or the blog on http://www.saasificationsecurity.com!

Cheers,

H4

Advertisements