Security Review Checklist

A security review is something you will need to plan for in many Cloud deployments. Currently, many security reviews are paper exercises and lack clarity on the security requirements in many organisations. The review should be a standardised process conducted for all applications. A checklist is one aid that can be provided to developers. Template use cases can also be given to speed up the review process. The two common security areas to cover in your checklist are infrastructure and application.

Infrastructure Security

Infrastructure security leverages PoLP (the principle of least privilege) as its design guideline. It is usually configured on the infrastructure objects of the cloud platform. These are the common checkpoints to take note of.

  • Secure all root and administrative access to authorised users.
  • Ensure network subnets are segregated from public Internet access.
  • Ensure that your applications and services are segregated with the right security policies.
  • Ensure you have the appropriate user roles and security groups.
  • Implement services to detect, protect and mitigate against threats like DDoS attacks.
  • Data or network traffic must be encrypted.
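
The network items in this checklist can be checked automatically. The following is an added example, not part of the original article: it audits ingress rules for administrative ports open to the Internet, private subnets reachable from the Internet, and unencrypted traffic. The inventory schema and all sample values are constructed for illustration.

```python
import ipaddress

# Constructed sample inventory (not from a real cloud account); the schema is
# an assumption made for this example.
INVENTORY = {
    "subnets": [
        {"name": "public-web", "public": True},
        {"name": "private-app", "public": False},
        {"name": "private-db", "public": False},
    ],
    "ingress_rules": [
        {"subnet": "public-web", "source": "0.0.0.0/0", "port": 443, "encrypted": True},
        {"subnet": "public-web", "source": "0.0.0.0/0", "port": 22, "encrypted": True},
        {"subnet": "private-app", "source": "10.0.1.0/24", "port": 8080, "encrypted": False},
        {"subnet": "private-db", "source": "0.0.0.0/0", "port": 5432, "encrypted": True},
    ],
}

ADMIN_PORTS = {22, 3389}  # SSH and RDP


def is_internet_source(cidr):
    """True when the CIDR covers the whole IPv4 or IPv6 address space."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def audit_ingress(inventory):
    """Return (rule_index, finding) tuples for rules that break the checklist."""
    public = {s["name"] for s in inventory["subnets"] if s["public"]}
    findings = []
    for i, rule in enumerate(inventory["ingress_rules"]):
        from_internet = is_internet_source(rule["source"])
        if from_internet and rule["subnet"] not in public:
            findings.append((i, "private subnet reachable from the Internet"))
        if from_internet and rule["port"] in ADMIN_PORTS:
            findings.append((i, "administrative port open to the Internet"))
        if not rule["encrypted"]:
            findings.append((i, "traffic is not encrypted"))
    return findings


if __name__ == "__main__":
    for index, finding in audit_ingress(INVENTORY):
        rule = INVENTORY["ingress_rules"][index]
        print(f"rule {index} ({rule['subnet']}:{rule['port']}): {finding}")
```
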

Application Security

Application security is set up or built within the application. Your checklist must include the following key points.

  • Authentication must be set up to prevent malicious access.
  • Authorisation must be enabled at functions or data level.
  • Application must protect against SQL injection.
  • Cross-site scripting (XSS) must be prevented.
  • CORS must be secured and used with caution.

The above is a standard checklist that can help you kickstart or speed up your security review process. It is important to develop your application with its security requirements in mind and not fix security at the last moment.

PoLP 101

Over the years, it has remained interesting to note that humans seek greater power. In software applications, users usually request more access rights and configuration control. Requests like this often become a topic for the audit and security teams. This is because the principle of least privilege (PoLP) is practised in many organisations.

Why PoLP?

The key advantage of PoLP is that users are granted only the limited access needed to perform their required functions. This restricts data exposure and interventions in the system. Roles, security groups and policies are some of the key Cloud concepts created for the purpose of PoLP. By default, many cloud services are PoLP in nature.

Security Strategy

PoLP remains a major security strategy for applications and infrastructure in the Cloud. The idea is to prevent a security breach if any user account is compromised. The root account and admin role are restricted. Cloud objects are also not set to public by default. The typical security measure is to expose only the required layers to the public Internet. Other preventive measures include limiting the number of privileged user roles and user accounts.
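
One way to review role assignments against PoLP is sketched below as an added example, not part of the original article. It expands each user's role grants, reports the actions granted beyond what the user needs, and flags the deployment when there are more admin accounts than allowed. The role names, action names and schema are all constructed for illustration and do not follow any particular provider's format.

```python
from fnmatch import fnmatchcase

# Constructed roles and assignments; names and schema are assumptions.
ROLES = {
    "admin": ["*"],
    "storage-ops": ["storage:*"],
    "report-reader": ["storage:read", "db:read"],
}
ASSIGNMENTS = {
    "alice": ["admin"],
    "bob": ["storage-ops"],
    "carol": ["report-reader"],
    "ci-deploy": ["admin"],
}
# Actions each account actually needs to do its job (constructed).
REQUIRED = {
    "alice": {"iam:manage", "storage:write"},
    "bob": {"storage:read", "storage:write"},
    "carol": {"storage:read", "db:read"},
    "ci-deploy": {"storage:write"},
}
ALL_ACTIONS = {"iam:manage", "storage:read", "storage:write",
               "storage:delete", "db:read", "db:write"}


def granted_actions(user):
    """Expand the wildcard patterns of every role assigned to the user."""
    patterns = [p for role in ASSIGNMENTS[user] for p in ROLES[role]]
    return {a for a in ALL_ACTIONS if any(fnmatchcase(a, p) for p in patterns)}


def audit(max_admins=1):
    """Return (excess grants per user, admin accounts if over the limit)."""
    findings = {}
    for user in ASSIGNMENTS:
        extra = granted_actions(user) - REQUIRED[user]
        if extra:
            findings[user] = sorted(extra)
    admins = sorted(u for u, roles in ASSIGNMENTS.items() if "admin" in roles)
    return findings, (admins if len(admins) > max_admins else [])


if __name__ == "__main__":
    excess, too_many_admins = audit()
    for user, actions in excess.items():
        print(f"{user}: granted but not needed: {', '.join(actions)}")
    if too_many_admins:
        print("admin role held by:", ", ".join(too_many_admins))
```
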

PoLP is a key approach to security on the major cloud platforms. There is an ongoing debate that PoLP creates a hassle for development. For the time being, you need to continue educating users on the importance of PoLP.

CORS 101

CORS (Cross-Origin Resource Sharing) configuration will be a standard feature in many Cloud products. Most online applications require embedded links or AJAX calls in their web pages. By default, cross-origin requests are mostly blocked unless you enable CORS. It is one of the biggest headaches if you are deploying a loosely coupled architecture. These are some common things that you need to take note of for CORS.

Using CORS

Common CORS implementations involve REST API calls, embedded iFrames, cross-linking of services or sharing of data like location, scripts and stylesheets. CORS is necessary because you will be sharing data like location for your application. Sometimes, there is a need to subscribe to cloud services using a REST API. The majority of modern applications utilise REST API calls or AJAX. Thus, CORS is one of the most common security issues encountered during implementation.

Enabling CORS

CORS can be implemented at a few layers. These are the common areas to check if you run into CORS errors. You will need to enable CORS if you are doing these implementations. The areas where you must check and enable CORS are usually the browser and the application. Luckily, many modern browsers are now CORS friendly.

If you are new to web or cloud development, one of the earliest security lessons will be CORS. Browsers are now attuned to CORS, unlike in the past. Many cloud setups or REST APIs also include CORS in their configuration. Do take note to enable CORS carefully to allow your application to run smoothly.
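
Enabling CORS carefully at the application layer comes down to how the response headers are chosen. The following added example, not part of the original article, puts a weak setting that reflects any origin beside a corrected one that uses an exact-match allow-list. The origins, method list and function names are constructed for illustration.

```python
# Constructed allow-list; the origins and methods are assumptions.
ALLOWED_ORIGINS = frozenset({"https://app.example.com", "https://admin.example.com"})
ALLOWED_METHODS = ("GET", "POST")


def cors_headers_reflecting(origin):
    """Weak setting: echoes whatever Origin was sent and allows credentials,
    so any site can read credentialed responses."""
    return {
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Credentials": "true",
    }


def cors_headers(origin, allowed=ALLOWED_ORIGINS):
    """Corrected setting: exact match of the Origin against the allow-list."""
    # Vary: Origin is always sent so that shared caches never serve one
    # origin's response to another origin.
    headers = {"Vary": "Origin"}
    if origin in allowed:
        headers["Access-Control-Allow-Origin"] = origin
        headers["Access-Control-Allow-Credentials"] = "true"
    return headers


def preflight_headers(origin, requested_method, allowed=ALLOWED_ORIGINS):
    """Answer an OPTIONS preflight; grants nothing to unknown origins or methods."""
    headers = cors_headers(origin, allowed)
    if "Access-Control-Allow-Origin" in headers and requested_method in ALLOWED_METHODS:
        headers["Access-Control-Allow-Methods"] = ", ".join(ALLOWED_METHODS)
        headers["Access-Control-Max-Age"] = "600"
    return headers


if __name__ == "__main__":
    # Constructed test origins: one allowed, one lookalike, one opaque.
    for origin in ("https://app.example.com",
                   "https://app.example.com.untrusted.test",
                   "null"):
        print(origin, "->", cors_headers(origin))
```

Exact matching is used because prefix, suffix or substring checks on the Origin value accept lookalike hosts such as the second test origin.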

Plan for Security Review

Security review is a common process for new applications. It can be time consuming when the security and application teams cannot align on common ground. These are some tips on how the application team can preempt and prepare for a security review.

Design for Security

Often, application design focuses on security requirements only just prior to go-live. This can be detrimental when the security team does not approve the architectural design because of security concerns. It is important to consider security design from day 1. Cloud security is one key area that is standard for all cloud deployments. Thus, the rule of thumb is to design security before you start your application development.

Iterate Security Review

Security review is an iterative process. Alignment with security expectations is important to secure the features. However, there are times when timeliness and cost outweigh the security request. You should iterate on the security requirements and align on a common understanding. One such method is to limit the exposure of your data in the public subnet. Do note that it is not possible to clear security review in one sitting. Thus, it is realistic to plan for the security review process in your application development.

Security review is a common process for cloud development. This is because the cloud, by its nature, is not within your own secured space. Therefore, you must include security design from the start of your project and plan for the security review process. Getting the sign-off from the security team will lend confidence in your application.

Cloud Security 101

Cloud security is a standard model on many cloud platforms. It can easily be deployed with the wizard that many cloud platforms provide for the virtual cloud network. If you are new to Cloud, you may need to know some basic Cloud security first.

Cloud Segregation

The basic security for cloud is data segregation. Data is secured by limiting exposure and restricting access through user roles and security policies. The standard wizard network is split between a private and a public subnet. Most components should be within the private subnet and restricted to a single access point. The plus point of cloud is that much of the infrastructure security will be handled by the cloud provider if you are using PaaS or SaaS.

Identity Security

If you are not using IaaS, the majority of cloud effort will be spent on maintaining and designing identity security. Identity management is usually a common product provided by the major cloud providers. Its ease of integration and the availability of single sign-on make it the preferred choice for developers.

The basics of Cloud security are divided into cloud segregation and identity security. These are the standard security models that you will encounter if you are new to Cloud. Security configuration is still not user friendly, and it still requires some basic knowledge of security to appreciate these security approaches.