(This is a continuation from part 1 of this introduction to Cloud App Security.)
Providing a secure app or application is a fundamental requirement. This is especially true in a cloud environment. In my post about “Securing Workloads on the IBM Cloud” I discussed the various layers that realize secure cloud computing. Today, I want to focus solely on apps that are built for deployment in the IBM Cloud. What makes up a secure app? What cloud services help establishing app security? Let’s take a look together.
App Security ServicesTo focus on the application logic, the functionality and business side, developers can delegate or “outsource” some of security tasks. Here is a non-exhaustive list of services that the IBM Cloud with the Bluemix platform provides. I am going to use the list of security topics from above:
AuthorizationThe mentioned App ID service helps to implement authorized access by utilizing access tokens. The tokens are based on the JSON Web Tokens (JTW) standard. A rich ecosystem exists on which security contexts can be implemented. Many services in the Bluemix catalog, especially in the Data & Analytics category, allow to issue credentials for different roles. As examples, see my previous blog post on “Managing Service Key from the Command Line“and the documentation for Cloudant NoSQL database on using access keys.
Some authorization can also be managed through only selectively allowing network access to an app. See “Secure Routes” below.
Secure App CodeMost of us are humans (I hope). Thus, we and the code we develop are prone to errors. The service Application Security on Cloud is able to detect common security gaps in your mobile, web or desktop applications. After deploying the Application Security on Cloud service, you can set up both static code scans as well as dynamic scans of your (up and running) app.
As another option, when working with toolchains as part of the DevOps Continous Delivery process, you can integrate security services for the stages. There is also a built-in static code scan that could be utilized.
Data SecurityTo encrypt data stored in the data services on Bluemix, typically there is not much to do as data is encrypted by default. As an example you can read here for Cloudant NoSQL DBaaS. If you want to protect special application keys or other credentials, want to encrypt high volumes of sensitive data, you may want to consider the Key Protect service. Once you have the Key Protect service deployed, it can be integrated via REST API with your applications to obtain and manage keys. The keys can then be used to protect, i.e., to encrypt data.
Secure RoutesMany Bluemix users make their applications available on their custom domains. To secure the route and enable https-based access, developers can upload the domain-specific SSL certificates. If you have to securely connect between your cloud and on-premises resources, then utilize the Secure Gateway service or the VPN service. The Secure Gateway service also has ties into the API Connect service. Using the API Connect service created APIs and the exposed resources can be guarded by additional security rules and access rate limits.
The IBM Cloud with Bluemix offers several other services in the network infrastructure category to meet the various requirements for securely connect the components of a cloud-based solution.
Audit and MonitoringWant to gain insights into what is going on with your app and meet audit or compliance requirements? Then the Activity Tracker service should be of interest. The Activity Tracker is still a new service, but capable of integrating the various security-related events to generate an audit trail. Another service to take a look at is IBM Cloud Monitoring. It allows to monitor a broad set of metrics. Moreover, you can define rules for alerts. They can invoke a webhook, use pagerduty to get someones attention or send out an email.
Last but not least, to cover yet another monitoring and audit angle Bluemix has the new DevOps Insight service. It enables analysis of continous delivery, of toolchain metrics. That data can include information about failed tests, results from code scan, who was involved and much more.
ConclusionDeveloping an enterprise app usually is quite an effort. Ensuring its security should be part of early design and the entire app lifecycle. In this blog entry, I have discussed some core security topics, then introduced some of the security-related services the IBM Cloud with Bluemix offers. This should you get started with your next (enterprise) project. Secure coding!
If you have feedback, suggestions, or questions about this post, please reach out to me on Twitter (@data_henrik) or LinkedIn.
(Note: This is a repost of "Cloud App Security: What makes a secure app")