A recent thread about hardware and software requirements for development on the Google cloud forum made me wonder what cloud computing will mean for development, test and production environments. There are a lot of really interesting questions here, but my mind got stuck on the relationship between development and production. I’ve always been amused at the IDE feature that touts instant deployment from the developer’s desktop to the production system. Wearing my security hat, I should use the word “horrified” instead of “amused” because I can think of no worse model for deployment than developer-to-production.

I came to the conclusion that deployment of cloud-based applications will require much more engineering rigor to assure the security of the deployed application. There will, of course, be variation in the amount and type of rigor based on the type of cloud the application is being deployed to. For example, deploying to a platform as a service provider will be different than deploying to a infrastructure as a service provider where the later will require a lot more rigor. But, given the amount of manual steps involved in most of the deployments I see, I’m very worried that deployment automation will be overlooked as a required security control for cloud-based apps.

Large companies will have tools like Opsware and Bladelogic for their existing data centers, so they have a base of automation to work from. It’s the medium-large and medium sized organizations that I see as needing automation help to secure their deployments. I think these companies will be adopting cloud-based applications for their cost advantage over internally owned and managed infrastructure. But these organizations have a much more collegial relationship between development and operations and moving to operations to a service model will break these relationships. It’s the same problem that companies face when moving parts of development offshore. The solution for development is more formal API contracts and specifications. With operations, automation is an excellent way of formalizing the “API contract” between development and operations.

Security will have its part in this equation as well. All of the assumptions about who can do what with which parts of the application, who you can trust and with what credentials will have to be re-evaluated. Some of my colleagues would argue that this is the least of our worries. I would agree, but given the lack of a shared understanding of cloud security, I think that these operational concerns need to be on the list.

This entry was posted on Wednesday, February 11th, 2009 at 3:46 pm and is filed under Software Security. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.