Wednesday, August 9, 2017

Introduction to Cloud App Security - Part 2

(This is a continuation from part 1 of this introduction to Cloud App Security.)
Providing a secure app or application is a fundamental requirement. This is especially true in a cloud environment. In my post about “Securing Workloads on the IBM Cloud” I discussed the various layers that realize secure cloud computing. Today, I want to focus solely on apps that are built for deployment in the IBM Cloud. What makes up a secure app? What cloud services help establishing app security? Let’s take a look together.

App Security Services

To focus on the application logic, the functionality and business side, developers can delegate or “outsource” some of security tasks. Here is a non-exhaustive list of services that the IBM Cloud with the Bluemix platform provides. I am going to use the list of security topics from above:


Security Services
If you want to easily authenticate users, I recommend taking a look at the App ID service. The App ID service helps mobile and web applications to authenticate users based on different identity providers, e.g., Google and Facebook. Access tokens can then be granted to those users. More on that as part of “Authorization”. Another authentication service available in the Bluemix catalog is the Single-Sign-On service (SSO). The SSO service is able to interface with SAML enterprise directories, the IBM Cloud Directory service as well as with social identity providers, e.g., LinkedIn or Github.


The mentioned App ID service helps to implement authorized access by utilizing access tokens. The tokens are based on the JSON Web Tokens (JTW) standard. A rich ecosystem exists on which security contexts can be implemented. Many services in the Bluemix catalog, especially in the Data & Analytics category, allow to issue credentials for different roles. As examples, see my previous blog post on “Managing Service Key from the Command Line“and  the documentation for Cloudant NoSQL database on using access keys.
Some authorization can also be managed through only selectively allowing network access to an app. See “Secure Routes” below.

Secure App Code

Most of us are humans (I hope). Thus, we and the code we develop are prone to errors. The service Application Security on Cloud is able to detect common security gaps in your mobile, web or desktop applications. After deploying the Application Security on Cloud service, you can set up both static code scans as well as dynamic scans of your (up and running) app.
As another option, when working with toolchains as part of the DevOps Continous Delivery process, you can integrate security services for the stages. There is also a built-in static code scan that could be utilized.

Data Security

To encrypt data stored in the data services on Bluemix, typically there is not much to do as data is encrypted by default. As an example you can read here for Cloudant NoSQL DBaaS. If you want to protect special application keys or other credentials, want to encrypt high volumes of sensitive data, you may want to consider the Key Protect service. Once you have the Key Protect service deployed, it can be integrated via REST API with your applications to obtain and manage keys. The keys can then be used to protect, i.e., to encrypt data.

Secure Routes

Many Bluemix users make their applications available on their custom domains. To secure the route and enable https-based access, developers can upload the domain-specific SSL certificates. If you have to securely connect between your cloud and on-premises resources, then utilize the Secure Gateway service or the VPN service. The Secure Gateway service also has ties into the API Connect service. Using the API Connect service created APIs and the exposed resources can be guarded by additional security rules and access rate limits.
The IBM Cloud with Bluemix offers several other services in the network infrastructure category to meet the various requirements for securely connect the components of a cloud-based solution.

Audit and Monitoring

Want to gain insights into what is going on with your app and meet audit or compliance requirements? Then the Activity Tracker service should be of interest. The Activity Tracker is still a new service, but capable of integrating the various security-related events to generate an audit trail. Another service to take a look at is IBM Cloud Monitoring. It allows to monitor a broad set of metrics. Moreover, you can define rules for alerts. They can invoke a webhook, use pagerduty to get someones attention or send out an email.
Last but not least, to cover yet another monitoring and audit angle Bluemix has the new DevOps Insight service. It enables analysis of continous delivery, of toolchain metrics. That data can include information about failed tests, results from code scan, who was involved and much more.


Developing an enterprise app usually is quite an effort. Ensuring its security should be part of early design and the entire app lifecycle. In this blog entry, I have discussed some core security topics, then introduced some of the security-related services the IBM Cloud with Bluemix offers. This should you get started with your next (enterprise) project. Secure coding!

If you have feedback, suggestions, or questions about this post, please reach out to me on Twitter (@data_henrik) or LinkedIn.

(Note: This is a repost of "Cloud App Security: What makes a secure app")