Secure coding, vulnerability scanning and a layered defense provide protection against most external cyber threats. There are a couple housekeeping things you need to handle as well to guard against unauthorized or inappropriate access to web applications and data, and to ensure known vulnerabilities in your servers and web applications are mitigated.
4. Basic cloud security blocking and tackling
Now let’s talk about some basic blocking and tackling. There are plenty of basic tasks that need to be performed for a cloud security program. Two of the most important are identity and access management (IAM) and patching, both of which often don’t get enough attention - and sometimes get completely overlooked – particularly in cloud environments.
Let’s start with identity and access management. IAM is the system used to securely control user access to your cloud resources (i.e. apps, databases, etc.). The proper implementation of IAM greatly reduces your web application security risk by controlling the authentication and authorization of your users. Essentially, an effective IAM strategy will limit resource access to the right individuals at the right time for the right reasons.
Two very important considerations for building that IAM strategy: least privilege and managing permissions within groups. These will minimize who can access and make changes to your web applications and databases. Both are described below:
- Least privilege is the granting of only those permissions to users that are required to perform their tasks. When thinking through how to implement IAM for your environment, always establish what tasks your users need to perform, and then build policies for them that limit the user performance of only those tasks. This will greatly reduce risks of breach through issues such as credential theft.
- Managing permissions with groups is very important in battling “permission creep” (the steady buildup of permissions as users move around an organization). Assigning the proper permissions (i.e. administrator, database admin, developer, etc.) to a group and then adding users to those groups stops the need to assign permissions directly to the user. Adding and removing users from groups is considerably less difficult and inherently more secure than trying to add and remove permissions individually.
For more around IAM in the cloud, Amazon Web Services and Microsoft Azure have both published great resources for helping you create an effective IAM strategy. The AWS resource can be found here, and the Azure resource is here.
Patching is another area that should be a basic building block in a security framework. Yet the recent WannaCry and PetrWrap malware outbreaks provide evidence that patching is very often neglected. Both took advantage of a flaw in the SMB protocol in Windows that had been patched for months.
Fortunately, patch management is a mature market. You can purchase high-quality patch management systems that will work in the cloud (see the quick notes below for some caveats). These will help you create a regular patch cycle so you can keep up to date with patches as they come out, as well as quickly and easily apply emergency patches if a zero-day exploit is discovered
Another consideration for patching in the cloud is the use of infrastructure automation solutions like Chef or Puppet. These kinds of tools help automate patching for running instances of Linux or Windows servers, or they can also be used to keep your machine images up to date with the latest packages so that server instances in your environment can simply be refreshed regularly. Infrastructure automation tools are very powerful and offer flexibility so you approach patching in a way that best fits your environment.
Finally, Amazon Web Services and Azure both have fairly new solutions for helping you patch your systems. Both Amazon EC2 Systems Manager and Azure’s Operations Management Suite (OMS) are agent-based, meaning an agent is installed on the machines for patches to be installed. If you are using one or both of these IaaS providers, their solutions might be something to investigate further.
Two quick notes on patching:
- The cloud delivery model you are using has high relevance to patching. This post assumes you are deploying your web apps in an IaaS (Infrastructure as a Service) model, where you have full control over your environment. SaaS (Software as a Service) and PaaS (Platform as a Service) models are different animals and take different approaches.
- It is important to ensure that you test patches before you apply them, especially when patching critical systems. Though a healthy amount of testing goes into the development of patches that come from the developer, you can never be too careful. Be sure to build that testing into your patching cycle and emergency patching procedures.
In the last post of this series, we will talk about the importance of log data and the value it can provide if analyzed intelligently.
This post was a collaborative effort with Joe Hitchcock.