Almost every organization is using cloud computing in some way today, eager to cut costs, improve IT efficiency, and make their business more agile. Many organizations have started their journey by hosting their Web sites in the cloud, hoping to take advantage of the proven scalability and test performance before making a bigger shift.
The challenge facing organizations is that Web applications are a hacker’s favorite target… one that is available and accessible from anywhere in the world. This universal accessibility makes ensuring that Web apps are secure critical, while introducing two important challenges:
- A poorly secured app can provide a direct route to valuable customer data, internal networks, databases or sensitive corporate information.
- Common Web app vulnerabilities like SQL injection and cross-site scripting are still prevalent in Web apps, and exploits are readily available.
When you combine those two factors, it’s not surprising that 22% of all hacking actions in 2013 were Web app attacks¹.
So is it possible to sleep easy at night when you put a favorite hacker target in the cloud? At the recent AWS Summit in San Francisco, Stephen Schmidt, Chief Information Security Officer at AWS, shared how clients were finding that they could make their cloud-based data center MORE secure than their physical one due to better visibility, auditability and control. And this can be true for Web apps as well.
With the AWS shared security model, deploying organizations are responsible for the security of the applications and data they put in the cloud. Effective security for Web apps involves a combination of regular vulnerability scanning and fast mitigation of identified issues. However, as vulnerability scanning can have an impact beyond the application and platform layers, AWS requires customers to request permission in advance to run scans on their instances. This means each time a user wants to run a scan, they need to fill out a request form and submit it to AWS for approval. This adds manual effort and delay to the scanning process, making daily or frequent scans cumbersome and, frankly, unlikely. In today’s fast-paced, high-pressure corporate environment, this is extra time and effort the overstretched IT department can ill afford, and it often translates into scanning less.
The good news is that AWS recently approved Trend Micro Deep Security for Web Apps as a Pre-Authorized Scanner. This means users of our service don’t need to request this pre-approval – they can run scans whenever they want without time-consuming manual steps and the delays they can cause.
This means Deep Security for Web Apps customers can improve security of apps hosted in AWS by:
- Frequently running application, platform and malware scans to check if changes or updates have opened new vulnerabilities – without pre-approval.
- Taking advantage of our integrated ‘Protection’ capabilities (IPS rules, virtual patching or WAF rule generation) to address discovered vulnerabilities quickly.
Find out more on Deep Security for Web Apps at TrendMicro.com/WebAppSecurity.
And look for our new Deep Security for Web Apps listing on the AWS Marketplace.
1 – Source: 2013 Verizon Data Breach Investigations Report