Skip to main content

Secure your application on cloud


Handling sensitive data
Define sensitive data for your application. Classify as sensitive data and confidential data. Sensitive data is something like password, credit card account number, something that you should not compromise at all. Confidential data could be your customer’s health record, something that requires your permission before its usage. So, you need to define sensitive data in the context of your application.
There are many ways to protect the sensitive data in transit; the easiest way is to use SSL. This is nothing different than handling sensitive data in any traditional application.  However, make sure you apply this rule while designing your application for cloud deployment.
Alternatively, you can encrypt the sensitive data and transport. Be noted that any kind of protection you design, will have implications on performance. However this is ignorable considering the nature of sensitive data.
If you just want to protect your data from being tampered during the transit, you can employ digest verification also.
 
Handling confidential information
Now, define the confidential information in the context of your application. Confidential information can be sensitive as well. While you can employ encryption of the confidential data during the transit, make sure that they remain encrypted even when stored, especially in the context of cloud. AWS offers Windows OS and Linux flavors for its instances and you can use native support of OS to encrypt files to ensure that data remain encrypted even when stored.

Secure the access to your application APIs and also to infrastructure resources
Application can have entry points through User interface and API. Since, application client is not just restricted to human end users, but extended to non-human users like kiosks, mobile devices, hand held, tablets and other applications, so on, it is important to protect the entry points, it is imperative that application exposes REST based APIs. There are many ways to protect your APIs. Oauth is emerging as standard way of protecting APIs.
In the context of AWS cloud, AWS infrastructure offers REST API with respect to infrastructure. Just like application security, infrastructure security is also a paramount concern. Hence, the application design should consider secured access to AWS APIs as well. You can use secret key and sign the request to access AWS resources.

Manage your internal network on AWS
With VPC, it is possible to logically isolate the resources. With VPC, you will also gain the ability to directly connect to these resources exclusively from your own enterprise network. You are ensuring that the infrastructure is free from unauthorized access.
AWS offers the infrastructure as commodity and they ensure the resource availability. It is your responsibility to ensure that your deployment setup ensures availability and reliability to your customers. So, you are still in charge of your deployment setup.

Avoid using AWS credentials while interacting with AWS services
It is not a good idea to use AWS credentials while interacting with AWS service, if you have to use it, then pass the credentials during the launch or encrypt the credentials before sending over the wire. Also, do not embed AWS credentials in AMI. The better way to access the AWS services is to use IAM service from AWS, manage users and permissions for each user within AWS account. Using IAM eliminates the need to share passwords or access keys. You can also use X.509 certificate authentication to certain AWS resources.
 
Design key rotation mechanism in your application
There is a possibility of compromising access key for any reason. In such cases, you can obtain new one by rotating to new access id. If you design your application to periodically expire the existing access key and obtain a new one, will enhance the security.

Create security groups to restrict access to resources
Security group in the context of AWS is a set of rules that handles the incoming and outgoing traffic of instances. These groups provide firewall like protection and you can restrict the traffic to the level of TCP, UDP, ICMP ports. It is also possible to use firewall features of instance’s operating system. I find security groups are simple.
 
Take care of security while installing software on your instances
·         Ensure that third party software is configured with secure settings
·         Do not run processes as root or administrator unless it is absolutely required

Periodic patch administration
This is more of the maintenance aspect of the operational environment. Just like any traditional server, instance also hosts operating system and it is important to update the security patches periodically. Make sure to regularly download from vendor and update AMIs. Redeploy instances with new AMIs. Make sure that new patch application does not break your application. If possible, automate the process.

Comments

Post a Comment

Thanks for your comments.

Popular posts from this blog

Key to adopt open source product

Friends, I am working on business solution implementation on open source product called Kaltura. Kaltura is a media management solution and has loads of features that compel any business to take a peek into it. More-over this is the only complete end-to-end open source software available to handle digital assets. But it comes with its own head ache. Considering its open source, its understandable. I feel, handling these would ensure you the success in your open source product implementation. 1. In my opinion, before adopting any open source software, build the capability to deal with the inconsistency bundled in the open source software. 2. I would avoid involving external consultants for 2 reasons.      a. I am not sure, they would bring necessary expertise on to table      b. I fear that there would be little ownership, they will not see big picture of my business (neither I am interested to share it all) 3. Alternative to that is to build the team that is capable of debuggin
1 comment
Read more

Essential GCP services for a new age application

Identity and resource management IAM  Identity aware proxy Resource Manager Stackdriver Monitoring Stackdriver Monitoring: Infrastructure and application monitoring Stackdriver Logging: Centralized logging Stackdriver Error Reporting: Application error reporting Stackdriver Trace: Application performance insights (latency) Stackdriver Debugger: Live production debugging Development management Cloud Deployment Manager: Templated Infrastructure deployment Cloud Console: Web based management console Cloud shell: Browser based terminal/CLI Development tools Cloud SDK: CLI for GCP Container registry: Private container registry Container builder: Build/Package container artifacts Cloud source repository: Hosted private git repository Database services Cloud SQL: Managed MySQL and PostgreSQL Cloud BigTable: HBase compatible non-relational DB Cloud Datastore: Horizontally scalable non-relational (ACID) Cloud Spanner: Horizontally scalable relational D
Post a Comment
Read more