Wednesday, August 9, 2017

Introduction to Cloud App Security - Part 1

Security for Cloud Apps
Providing a secure app or application is a fundamental requirement. This is especially true in a cloud environment. In my post about “Securing Workloads on the IBM Cloud” I discussed the various layers that realize secure cloud computing. Today, I want to focus solely on apps that are built for deployment in the IBM Cloud. What makes up a secure app? What cloud services help establishing app security? Let’s take a look together.

Note that this is part 1 of 2. Part 2 is linked at the bottom.

Application Security

Building and maintaining a secure app covers many aspects. Some deal with the intended (well-behaving) users, some with the “bad guys”:
  • Authentication: Most of us have an identity card, passport or an (access/company) badge. We show those documents to establish our name and person. They help prove that we are the real “Henrik” and not some fake. Authentication is the process of identification, of identifying a specific user.
  • Authorization: Once a person or user has been identified (authenticated), the next step is to establish the granted privileges. What is the user authorized to do? I am allowed to enter building “A” on campus, but not the data center. I have read access to some account data, but I cannot modify any order information or give discounts.
    Note that often the combination of authentication and authorization are referred to as Identity and Access Management (IAM).
  • Secure App Code: All experienced developers know that their code contains bugs. Some of the code defects are harmless, some cause app vulnerabilities. By applying code analysis and performing penetration tests common holes can be found. The app code can be secured.
  • Data Security: When considering data security, often there is a differentiation about data-at-rest (stored data), data-in-transit (in transmission) and data-in-use (currently processed in a computer). Data that is handled by the application needs to be stored (data-at-rest) in a way, so that only authorized (required – “need to know”) users have access to it. Moreover, data encryption helps to reduce risks of unauthorized copies and low-level access. Protecting data-in-use is a matter of the cloud infrastructure which I discussed earlier.
  • Secure Routes: Connections (data-in-transit) to the app as well as from the app to services and resources needs to be secured, i.e., encrypted. This makes sure others on the network cannot simply listen to the data traffic.
  • Audit and Monitoring: Once the other measures are implemented and the app is in production, the app behavior and user interactions need to be monitored for anomalies. Depending on the app type, regular audits of app and data access may be needed.
There are more topics that could be listed for what contributes to app security. The IBM Secure Engineering Framework (SEF) lists nine categories for security requirements alone. So, it is quite complex already. Moreover, we could consider that many laws as most regulations require “state of the art” effort to protect an app and its data. Thus, it requires regular reassessments of whether all building blocks for app security are in place and are up-to-date.

To focus on the application logic, the functionality and business side, developers can delegate or “outsource” some of security tasks. We will take a look at the existing services in part 2 of this introduction to Cloud App Security.