
Secure your application on cloud


Handling sensitive data
Define what counts as sensitive data for your application, and classify it as either sensitive or confidential. Sensitive data is something like a password or a credit card account number: data that must not be compromised at all. Confidential data could be your customer’s health record: data that requires permission before it is used. So, you need to define sensitive data in the context of your application.
There are many ways to protect sensitive data in transit; the easiest is to use SSL. This is no different from handling sensitive data in any traditional application. However, make sure you apply this rule when designing your application for cloud deployment.
Alternatively, you can encrypt the sensitive data yourself before transporting it. Note that any kind of protection you design will have implications for performance. However, this cost is negligible considering the nature of sensitive data.
If you just want to protect your data from being tampered with in transit, you can also employ digest verification.
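An added example (not from the original post) of digest verification for tamper detection. It contrasts an unkeyed SHA-256 digest with a keyed one (HMAC-SHA256); the shared key and the messages are constructed for the demo, and how the key reaches both sides is assumed to be handled elsewhere.

```python
import hashlib
import hmac

# Constructed key for the demo; a real key comes from a secrets store.
SHARED_KEY = b"constructed-demo-key"

def plain_digest(body: bytes) -> str:
    """Unkeyed SHA-256: catches accidental corruption only."""
    return hashlib.sha256(body).hexdigest()

def keyed_digest(body: bytes, key: bytes = SHARED_KEY) -> str:
    """HMAC-SHA256: a valid tag requires knowledge of the key."""
    return hmac.new(key, body, hashlib.sha256).hexdigest()

def verify(body: bytes, received: str, keyed: bool) -> bool:
    expected = keyed_digest(body) if keyed else plain_digest(body)
    # Constant-time comparison avoids leaking how many characters matched.
    return hmac.compare_digest(expected, received)

def demo() -> dict:
    original = b'{"account": "1234", "amount": 100}'   # constructed message
    modified = b'{"account": "1234", "amount": 9000}'  # same message altered in transit
    return {
        "intact_keyed": verify(original, keyed_digest(original), keyed=True),
        # Whoever altered the body can recompute an unkeyed digest to match it.
        "modified_plain_recomputed": verify(modified, plain_digest(modified), keyed=False),
        # The original tag no longer matches, and a new one needs the key.
        "modified_keyed_old_tag": verify(modified, keyed_digest(original), keyed=True),
    }

if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'accepted' if ok else 'rejected'}")
```

An unkeyed digest only helps when it travels over a channel the sender of the data cannot be impersonated on; otherwise use the keyed form.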
 
Handling confidential information
Now, define confidential information in the context of your application. Confidential information can be sensitive as well. While you can encrypt confidential data in transit, make sure that it remains encrypted even when stored, especially in the context of the cloud. AWS offers Windows and Linux flavors for its instances, and you can use the operating system's native file encryption support to ensure that data remains encrypted even when stored.

Secure the access to your application APIs and also to infrastructure resources
An application can have entry points through its user interface and its API. Application clients are not restricted to human end users; they extend to non-human users such as kiosks, mobile devices, handhelds, tablets, other applications, and so on. It is therefore important to protect the entry points, and it is imperative that the application exposes REST-based APIs. There are many ways to protect your APIs. OAuth is emerging as the standard way of protecting APIs.
In the context of the AWS cloud, AWS offers a REST API for the infrastructure itself. Just like application security, infrastructure security is a paramount concern. Hence, the application design should also consider secured access to AWS APIs. You can use a secret key to sign each request to AWS resources.
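An added example (not from the original post) of signing a request with a secret key, using AWS Signature Version 4. The credentials and the request are constructed placeholders, only the `host` and `x-amz-date` headers are signed, and the path and query string are assumed to be already in canonical form.

```python
import hashlib
import hmac

def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()

def _sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def derive_signing_key(secret: str, date: str, region: str, service: str) -> bytes:
    # The long-term secret is never sent; it only seeds a key scoped to day/region/service.
    key = _hmac(("AWS4" + secret).encode(), date)
    for part in (region, service, "aws4_request"):
        key = _hmac(key, part)
    return key

def sign(method, host, path, query, payload, access_key, secret, amz_date, region, service):
    """Return the headers to attach. `path` and `query` must already be canonical
    (URI-encoded, query parameters sorted)."""
    headers = {"host": host, "x-amz-date": amz_date}
    signed = ";".join(sorted(headers))
    canonical_headers = "".join(f"{name}:{headers[name]}\n" for name in sorted(headers))
    canonical_request = "\n".join(
        [method, path, query, canonical_headers, signed, _sha256_hex(payload)])
    scope = f"{amz_date[:8]}/{region}/{service}/aws4_request"
    string_to_sign = "\n".join(
        ["AWS4-HMAC-SHA256", amz_date, scope, _sha256_hex(canonical_request.encode())])
    key = derive_signing_key(secret, amz_date[:8], region, service)
    signature = hmac.new(key, string_to_sign.encode(), hashlib.sha256).hexdigest()
    return {
        "x-amz-date": amz_date,
        "Authorization": (f"AWS4-HMAC-SHA256 Credential={access_key}/{scope}, "
                          f"SignedHeaders={signed}, Signature={signature}"),
    }

# Constructed placeholder credentials and request; not real keys.
DEMO = dict(method="GET", host="ec2.us-east-1.amazonaws.com", path="/",
            query="Action=DescribeInstances&Version=2016-11-15", payload=b"",
            access_key="AKIAEXAMPLEKEYID0000", secret="constructed-secret-not-real",
            amz_date="20240601T120000Z", region="us-east-1", service="ec2")

if __name__ == "__main__":
    print(sign(**DEMO)["Authorization"])
```

Because the signature covers the method, path, query, signed headers and payload hash, changing any of them after signing makes the service reject the request.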

Manage your internal network on AWS
With VPC, it is possible to logically isolate resources. With VPC, you also gain the ability to connect directly to these resources exclusively from your own enterprise network. This ensures that the infrastructure is free from unauthorized access.
AWS offers infrastructure as a commodity and ensures resource availability. It is your responsibility to ensure that your deployment setup provides availability and reliability to your customers. So, you are still in charge of your deployment setup.

Avoid using AWS credentials while interacting with AWS services
It is not a good idea to use AWS credentials while interacting with AWS services. If you have to use them, pass the credentials during launch or encrypt them before sending them over the wire. Also, do not embed AWS credentials in an AMI. The better way to access AWS services is to use the AWS IAM service and manage users and the permissions for each user within the AWS account. Using IAM eliminates the need to share passwords or access keys. You can also use X.509 certificate authentication for certain AWS resources.
 
Design key rotation mechanism in your application
An access key can be compromised for any number of reasons. In such cases, you can obtain a new one by rotating to a new access key ID. Designing your application to periodically expire the existing access key and obtain a new one will enhance security.
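An added example (not from the original post) of the decision logic behind periodic rotation. It plans the next step from key metadata in the shape IAM's ListAccessKeys returns (`AccessKeyId`, `Status`, `CreateDate`); the 90-day age limit, the 7-day overlap and the key IDs are assumptions, and carrying out the steps is left to the caller.

```python
from datetime import datetime, timedelta, timezone

MAX_AGE = timedelta(days=90)  # assumed policy: replace keys older than this
GRACE = timedelta(days=7)     # assumed overlap while clients pick up the new key

def plan_rotation(keys, now):
    """Return ordered (action, access_key_id) steps for one IAM user's access keys."""
    # Keys deactivated on an earlier run are deleted first, which frees a key slot.
    steps = [("delete", k["AccessKeyId"]) for k in keys if k["Status"] == "Inactive"]
    active = sorted((k for k in keys if k["Status"] == "Active"),
                    key=lambda k: k["CreateDate"])
    if len(active) == 2:
        old, new = active
        # Mid-rotation: retire the older key once the newer one has been live long enough.
        if now - new["CreateDate"] >= GRACE:
            steps.append(("deactivate", old["AccessKeyId"]))
    elif len(active) == 1 and now - active[0]["CreateDate"] >= MAX_AGE:
        # A user may hold at most two keys, so the new one is issued beside the old.
        steps.append(("create", None))
    return steps

def _key(key_id, status, created):
    return {"AccessKeyId": key_id, "Status": status,
            "CreateDate": datetime.fromisoformat(created).replace(tzinfo=timezone.utc)}

# Constructed metadata; the key IDs are placeholders.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
STALE = [_key("AKIAEXAMPLEOLD", "Active", "2024-01-01")]
OVERLAP = [_key("AKIAEXAMPLEOLD", "Active", "2024-01-01"),
           _key("AKIAEXAMPLENEW", "Active", "2024-05-20")]
RETIRED = [_key("AKIAEXAMPLEOLD", "Inactive", "2024-01-01"),
           _key("AKIAEXAMPLENEW", "Active", "2024-05-20")]

if __name__ == "__main__":
    for name, keys in (("stale", STALE), ("overlap", OVERLAP), ("retired", RETIRED)):
        print(name, plan_rotation(keys, NOW))
```

Deactivating before deleting keeps a rollback path: if a client still depends on the old key, it can be reactivated until the next run removes it.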

Create security groups to restrict access to resources
A security group in the context of AWS is a set of rules that governs the incoming and outgoing traffic of instances. These groups provide firewall-like protection, and you can restrict traffic at the level of TCP, UDP, and ICMP ports. It is also possible to use the firewall features of the instance’s operating system. I find security groups are simple.
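An added example (not from the original post) of checking security group rules for inbound access that is open to every address. The input is constructed data in the shape of an EC2 DescribeSecurityGroups response, and the list of sensitive ports is an assumption to adapt to your own services.

```python
import ipaddress

SENSITIVE_PORTS = {22: "SSH", 3306: "MySQL", 3389: "RDP", 5432: "PostgreSQL"}  # assumed list

# Constructed sample in the shape of an EC2 DescribeSecurityGroups response.
SAMPLE_GROUPS = [
    {"GroupId": "sg-0aaa", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "203.0.113.0/24"}]}]},
    {"GroupId": "sg-0bbb", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3000, "ToPort": 4000,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-0ccc", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
]

def world_open_cidrs(perm):
    cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
    cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
    return [c for c in cidrs if ipaddress.ip_network(c, strict=False).prefixlen == 0]

def audit(groups):
    """Return (group_id, exposure, cidrs) for inbound rules open to every address."""
    findings = []
    for group in groups:
        for perm in group.get("IpPermissions", []):
            cidrs = world_open_cidrs(perm)
            if not cidrs:
                continue
            if perm["IpProtocol"] == "-1":  # "-1" means every protocol and port
                findings.append((group["GroupId"], "all traffic", cidrs))
            elif perm["IpProtocol"] in ("tcp", "udp"):
                # A wide port range can expose a sensitive port without naming it.
                hits = sorted(name for port, name in SENSITIVE_PORTS.items()
                              if perm["FromPort"] <= port <= perm["ToPort"])
                if hits:
                    findings.append((group["GroupId"], ",".join(hits), cidrs))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_GROUPS):
        print(finding)
```

The second group shows the case that is easy to miss in review: no rule names port 3306 or 3389, but the 3000-4000 range includes both.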
 
Take care of security while installing software on your instances
· Ensure that third-party software is configured with secure settings
· Do not run processes as root or administrator unless it is absolutely required

Periodic patch administration
This is more of a maintenance aspect of the operational environment. Just like any traditional server, an instance hosts an operating system, and it is important to apply security patches periodically. Make sure to regularly download patches from the vendor and update your AMIs. Redeploy instances with the new AMIs. Make sure that applying a new patch does not break your application. If possible, automate the process.
