Cloud Security Principles: Part 2
- 5 minsThis is the second part of the series on the Cloud Security Principles. This post will look at some key principles for securing your applications. Similarly to the first post, some prior knowledge of various IT architecture and security concepts may be expected. This post was inspired by a talk I have recently done with Neha Sardana at JAX New York.
Introduction
In the first part, we have summed up all the essential elements to consider when working with Cloud and securing cloud-native applications/platforms. In this post, we would like to give you some concrete principles and tips for creating more secure applications.
Principles
Multi-Layered Defense
Keywords: general
First of all, a more generic but important principle: It would be best to look at security as a whole – integrating various security layers on multiple levels in any system. It should include cyber-security plans for:
- Devices
- Applications
- Networks
- Infrastructure
- People
Think of this principle as all the layers of clothing you wear to protect yourself from cold and bad weather. If one of the layers is compromised, there is always another to keep you warm and dry.
Identity and Access Management (IAM) Misconfiguration
Keywords: network, permissions
You need to control access and permissions meticulously and over time. Things to consider:
- Implementing role-based access control (RBAC)
- Principle of least privilege
- Routines for updating and removing permissions when they are no longer needed.
- Explore possibilities for using time-based conditions for IAM policies.
API Security
Keywords: endpoints, permissions
- APIs act as the gateways to your application and data. Securing access to and securing them from known vulnerabilities is paramount to prevent unauthorized access and data breaches.
- Utilize authentication, authorization, and API gateways to control access and protect sensitive information. Don’t forget to monitor the software or libraries that make APIs available (e.g., runtimes, middleware)
Data Encryption
Keywords: data
- Safeguarding data at rest, in transit, and during processing is critical for your applications.
- Utilize encryption, tokenization, and data masking techniques to ensure data protection. Removing unnecessary sensitive information can simplify some of these tasks.
- If a platform or a Cloud provider provides the encryption, consider if you would like to use the standard keys for encryption or “bring your own” and manage them yourself or through a third party.
- Beware: Don’t write your own crypto! Ever.
Zero Trust
Keywords: network, permissions
- The Zero Trust security model assumes that no one is inherently trustworthy, even those within your network.
- This is opposed to more traditional approaches where perimeter security was prioritized over security inside the network.
- Adopting this approach, every request, user, and device is thoroughly verified before gaining access.
- Again: Implement the principle of least privilege, where users are only granted the minimum level of access required to perform their tasks.
Software Supply Chain Security
Keywords: software, environment
- Create Software Bill of Materials (SBOM) for your software
- Governance: Know where all the building blocks (artifacts) of your software are coming from.
- Automate security checks within your CI/CD pipeline to catch vulnerabilities early and often.
- Use static code analysis with tools like SonarQube to scan your code for potential security flaws and integrate those checks into your CI/CD pipeline to ensure continuous security monitoring.
- Use tools to monitor not only the code you develop yourself but also all the third-party libraries you utilize in your code.
- With DevSecOps, automated security security is becoming integral to the development process. Adopt it if you haven’t done so already.
Secure Containerization
Keywords: software, environment
- Containerization and orchestration technologies, like Docker and Kubernetes, offer exceptional flexibility but also introduce security concerns.
- Securing containers and managing their lifecycle is vital to ensure a safe cloud environment.
- For example, use container scanning tools to identify vulnerabilities within container images before deploying them.
- Additionally, enforce strict security policies and segregate workloads using Kubernetes namespaces.
Continuous Monitoring and Incident Response
Keywords: software, environment
- The cloud landscape is constantly changing, and threats evolve rapidly. This means that we need to monitor not only for known threats but also for anomalies.
- Continuous monitoring and proactive incident response are essential to detect anomalies and respond swiftly to security incidents.
- For example, use cloud-native monitoring tools your Cloud or platform provider provides.
- Have good logging, but remember that more is not always better – log relevant information.
Human Factors (including Social Engineering, Misconfigurations, and Human Errors)
Keywords: people, human factors
- 82% of incidents are caused by human factors (2022 Data Breach Investigations Report)
- Creating secure applications also implies providing security training for the system users.
- Social engineering and human factor has proven to be essential to creating secure applications.
- Consider running security awareness campaigns and employee training from user and developer perspectives.
- Automate routine and mundane tasks – humans often don’t enjoy carrying out tasks like this and are prone to errors; computers, on the other hand, excel at tasks like this!
Conclusion
You have probably heard that nothing is stronger than its weakest link. Therefore, it is important to look at various sides of the security. Especially in the Cloud, one size does not fit all when it comes to security. Cloud platforms, software, and threats constantly evolve and add to the complexity of creating secure applications.
Here, we have seen some of the principles to consider regarding the security of the platforms and application development for the Cloud and cloud-native applications in general.
Finally, note that this is not an exhaustive list but is instead meant to serve as a stepping stone to more secure application development.
Rustam Mehmandarov
Passionate Computer Scientist