|Security for Cloud Apps|
Note that this is part 1 of 2. Part 2 is linked at the bottom.
Application SecurityBuilding and maintaining a secure app covers many aspects. Some deal with the intended (well-behaving) users, some with the “bad guys”:
- Authentication: Most of us have an identity card, passport or an (access/company) badge. We show those documents to establish our name and person. They help prove that we are the real “Henrik” and not some fake. Authentication is the process of identification, of identifying a specific user.
- Authorization: Once a person or user has been
identified (authenticated), the next step is to establish the granted
privileges. What is the user authorized to do? I am allowed to enter
building “A” on campus, but not the data center. I have read access to
some account data, but I cannot modify any order information or give
Note that often the combination of authentication and authorization are referred to as Identity and Access Management (IAM).
- Secure App Code: All experienced developers know that their code contains bugs. Some of the code defects are harmless, some cause app vulnerabilities. By applying code analysis and performing penetration tests common holes can be found. The app code can be secured.
- Data Security: When considering data security, often there is a differentiation about data-at-rest (stored data), data-in-transit (in transmission) and data-in-use (currently processed in a computer). Data that is handled by the application needs to be stored (data-at-rest) in a way, so that only authorized (required – “need to know”) users have access to it. Moreover, data encryption helps to reduce risks of unauthorized copies and low-level access. Protecting data-in-use is a matter of the cloud infrastructure which I discussed earlier.
- Secure Routes: Connections (data-in-transit) to the app as well as from the app to services and resources needs to be secured, i.e., encrypted. This makes sure others on the network cannot simply listen to the data traffic.
- Audit and Monitoring: Once the other measures are implemented and the app is in production, the app behavior and user interactions need to be monitored for anomalies. Depending on the app type, regular audits of app and data access may be needed.
To focus on the application logic, the functionality and business side, developers can delegate or “outsource” some of security tasks. We will take a look at the existing services in part 2 of this introduction to Cloud App Security.