Securing Cloud Native Apps

If you talk to any developer around about the toughest part of the SDLC, I will be surprised if you don't hear about the hurdles of passing the Security Checklist put up by the Security Architect. In the traditional enterprise world, we have been discussing several layers of security and have several test tools around to mitigate threats. So while the term “cloud-native” is now one of the main topics of discussion in the developer community, “cloud-native apps security” is also taking its own place.
Let's first discuss what changes Cloud Native has brought in terms of security implementation compared to traditional enterprise security.
So the biggest misconception in the developer community (especially those who are new to the cloud) is that once we move to the cloud, all those security compliance headaches are now the cloud provider's problem; but that is not the case. System security is a shared responsibility between application developers and cloud providers. Providers need to ensure they provide a platform that secures the infrastructure underneath and enables the developer to configure/customize the rules of application security as per their organization's needs.

The Security Features That a Cloud Platform Provides

  1. Immutable Containers - Most cloud platforms provide immutable containers to run your applications. That means the application and the data are isolated, i.e. they cannot be changed from the outside.
  2. RBAC (Role Based Access Control) - Cloud platforms provide access to their platforms based on user roles and they control authorization with some kind of UAA server.
  3. Isolation Segments - most cloud platforms provide options for a segmented environment to isolate systems and resources. These are mostly required for PCI compliance or for financial apps which are data sensitive.
  4. Frequent Patches - Cloud platforms enable automated deployment of new patches. This helps to fix vulnerability issues at the infrastructure level very fast. Also, this doesn't allow the malware to sit there and do damage.
  5. Security Groups - Security groups are like virtual firewalls to secure inbound and outbound traffic to instances. This has become a core functionality for any cloud platform.
  6. Encrypt Connections - Cloud platforms provide encryption in transit with SSL/TLS across platform services.
  7. Logging and Monitoring - All platforms provide built-in logging and monitoring tools to see what’s happening in the environment and application. They also provide metrics and alerting features as well.
  8. Pen Testing - Some cloud platforms also provide penetration testing features to simulate cyberattacks.
  9. Rotating Credentials -  Some platforms are now coming up with a new feature where credentials and keys can be rotated frequently without impacting the actual application changes or downtime.
There's a lot more detail we could go into, but the above features are the most common features you will come across. But the security of any system doesn't stop with these features only. As discussed earlier, it has to be taken care of at the application layer as well.

What Are the Responsibilities of Application Developers'?

  1. Authentication - Authentication is sometimes confused with authorization. Authentication identifies that a user is who they claims to be and authorization defines whether a user is allowed to do something. The application has to be configured to check if an authenticated user is trying to access it. There are many options available to authenticate a user. Some of them are:
    • User Name and Password - These can be stored either in LDAP or DB and can be validated against user inputs.
    • Token-based credentials - This is much safer than User Name and Password.
    • Login with an existing account like Twitter, Google, Facebook, etc. using SSO.
    • Fingerprints, bio-metrics.
    • Two-factor authentication- where the first factor is a username/password and the second factor is either an OTP or secret pin.
  2. Authorization - Authorization gives permission to the user to perform a specific action against a particular resource. The following are different ways to perform authorization:
    • Role-Based Access Control – This is the simplest access control protocol, where resources are allocated based on the user's role, e.g. Admin, Manager, Reviewer, etc.
    • Attribute-Based Access Control – It defines an access control paradigm whereby access rights are granted to users through the use of policies which combine attributes together. The policies can use any type of attributes (user attributes, resource attributes, object, environment attributes etc.)
    • OAuth 2.0 - The HTTP-based OAuth 2.0 framework allows an app to obtain access to a resource exposed by your API. The application does send the request to the OAuth 2.0 authorization server, checking each incoming call for an access token. It then validates the call with the authorization server. The response from the authorization server will indicate whether the access token is valid. Also, it will define the scope of access provided by that token.
  3. The Security Assertion Markup Language (SAML) - A SAML Assertion can be issued by an Identity Provider in one security context and be inherently understandable by an Identity Provider in another context. SAML assertions typically convey information about the User including the organizational groups to which the user belongs, together with the expiry period of the assertion. The identity provider which has to validate the assertion must have a trust relationship with the issuing identity provider.
  4. Session Management - Sessions are generally created by setting a session id inside a cookie. The session id is sent by a user’s browser in subsequent requests. The security of these identifiers depends on them being unpredictable, unique, and confidential. If an attacker can obtain a session identifier by guessing it or observing it, they can use it to hijack a user’s session.
  5. Input Data Validation - Data entered by the user through a form or web service call (JSON, XML) must be validated to ensure that they meet the application requirements. Missing that can cause attackers to take control of your application, e.g. passing JavaScript with HTML can get an application's cookies information, passing a DB query can delete system data, etc.
  6. Denial of Service - DoS attacks typically flood servers, systems or networks with traffic in order to overwhelm the victim's resources and make it difficult or impossible for legitimate users to use said resources.
  7. Handle Cross-Site Scripting (XSS) – These attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end user. To prevent this, several techniques have to be combined, e.g. data validation, content security policy, etc.
  8. Handle SQL Injection - A SQL injection is a code injection technique that might destroy your database. SQL injection usually occurs when you ask a user for input, like their username/user id, and instead of a name/id, the user gives you a SQL statement that you will unknowingly run on your database. SQL parameter binding is one of the known ways of mitigating this risk.
  9. Encryption in Transit - Allow only inbound and outbound SSL connections for the application. Some clients even prefer to have MASSL setup to secure their applications.
  10. Handle User Passwords – That is one of the common issues, and, indeed, password leaks can be a big issue. Application credentials need to have an expiry date and keep changing frequently. Now, even some cloud platforms help to rotate passwords without changing the application code.

Common Misconceptions About Application Security

  1. We Use a Web Framework, So We Do Not Need to Worry About SecurityIt will take care every aspect of security.
    1. This is not true.
  2. Our application is accessible via VPN only so why worry about security?
    1. What if an attacker uses social engineering and gains access to your VPN and hacks application?
  3. We have backups for our websites so we don't need to worry about hacking.
    1. Backing up your system can be helpful, but, during an attack, whatever damage happens can be significant.
  4. We don’t collect sensitive data, so why bother?
    1. There are many other kinds of damage hackers can do other than stealing sensitive data, e.g. Denial of Service, sending spams to all users, etc.
  5. There is no ROI with security audits.
    1. Security is like insurance for an application; so it doesn't have direct ROI but you'll never regret having it (especially if you're ever hacked). 
  6. The website Runs on SSL (HTTPS) so it's secured.
    1. This protocol can only encrypt data that is in transit but it cannot secure your site from other vulnerabilities.

Food for Thought

  1. Is container-to-container networking an anti-pattern for security?
  2. Is connecting a source code repo (GitHub, SVN, etc.) to cloud platform containers secure? 
  3. What are the patterns available to secure the CI/CD pipeline so that it doesn't deploy malware in the cloud?

No comments: