
Do you think server-side assessment of an application is important when the application is hosted on a cloud like Amazon?

I mean assessment of the software used to host the application, not the actual application, e.g. assessment of the nginx web server using Nessus or Nexpose. Security of this software should be taken care of by Amazon. If there is any vulnerability in the nginx web server, then the security issue should be with Amazon, not the actual application. Please clarify my doubt. Is my approach correct?

Polynomial

dany

1 Answer


Whilst it might be the case that Amazon have done proper configuration testing of their servers, and have full security auditing in place, do you really want to risk your operational stability and security by not testing it for yourself?

The bigger question is why you want to use "cloud" anyway, if you've got anything that's worth keeping secure. The single positive thing that comes from cloud computing is that it's cheap. Everything you hear about improved uptime is a fallacy - just look at how many long blocks of downtime major sites have had due to S3 outages. Then, from a security perspective, you have these issues:

  • You're outsourcing blame, but not responsibility. Amazon have no contractual agreement with you to provide adequate security testing in a way that's applicable to you specifically as a customer. You can blame them for security failures as much as you like, but they will not be held contractually responsible.
  • You're putting incident response in the hands of another company. You'll have absolutely no luck getting full-disk images that'll stand up in court if you get hacked. Amazon don't have the resources, inclination or legal clout to provide forensic-level copies and logs to customers.
  • Once you put data on the cloud, it may not even be yours any more. Various governments, including the USA, have passed legislation saying that "cloud" data no longer carries ownership, and can be taken or removed.

Real security and competitive uptime cost money. If you want proper security and high uptime, get a dedicated server with an SLA and have the full stack tested by a competent security tester.

Polynomial