Saturday, July 16, 2016

Can a Cloud Help Developers "Securely" Deploy, Run, and Manage their Applications?

Can a cloud help developers deploy applications securely in a cloud and manage their steady-state security? In this three-part series, I will discuss this question in detail.

This part covers the challenges a developer faces in deploying applications securely, and managing their steady-state security.

Challenges in Securely Deploying Applications and Managing Their Steady-State Security

Typically, cloud is associated with scale. If an entity desires to scale their application to serve hundreds of thousands of users, cloud is the answer.

Modern applications, whether deployed in a cloud or not, are complex. They comprise multiple components that interact with each other over the network. Each component may or may not hold state, and typically delivers one unit of functionality (micro-services, for example).

In a cloud, a developer writes automation code to deploy and upgrade these applications, and may leverage the cloud's monitoring tools to manage them.

Security and compliance require a developer to deploy applications according to the accepted security best practices of the time. Conforming to these best practices requires substantial security knowledge and expertise on the part of the developer.

As an example, consider a simple application comprising a web server and a database server as shown in figure below.

To ensure the security and compliance of this application, a developer has to take care of a number of items:

  1. Best Practices for Source Code. The source code should conform to well-known security best practices. As an example, any SQL query issued by the web server must not be prone to SQL injection, which in practice means passing user input to the database as query parameters rather than building the query string by concatenation.
  2. Message Confidentiality. The communication between users of this simple application and the web server, as well as between the web server and the database server, must be encrypted.
    Implementing this typically requires knowledge of appropriate TLS protocol versions and cipher suites, creation and installation of certificates and private keys, and configuring them correctly on each component. While services such as Let's Encrypt make it easy to obtain certificates, it is still up to the developer to configure her applications correctly with them. Moreover, certificates expire and must be renewed, and the private keys behind them periodically rotated.
  3. Managing Application Keys, Certificates, and Passwords. Establishing 'trust' among the various components of an application is done through keys, certificates, and passwords. While we typically associate passwords and certificates with end users, the components of an application must authenticate and authorize each other as well. The burden of creating, storing, distributing, and rotating these credentials falls on the developer.
  4. Encryption of Data at Rest. Compliance regimes such as PCI DSS and HIPAA may require data at rest to be encrypted. A developer has to configure the database server to encrypt data per column or record, or the underlying disk as a whole, and manage the keys associated with either approach.
  5. Configuring Security Groups. A common feature of IaaS clouds is that incoming traffic to an instance can be limited to certain ports and source addresses. It is non-trivial to configure security groups correctly for an application comprising components running in tens of instances or more, because of the number of interactions between components, high-availability setups, and so on.
  6. Collection of Logs, and Scrubbing of Sensitive Information from Logs. The logs generated by multiple application components need to be collected to meet security and compliance as well as operational needs. The developer needs to ensure that no sensitive information, such as passwords of the users of the service, ends up in the logs.
  7. Setting Up Intrusion Detection Systems (IDS) and Firewalls. A developer may need to set up intrusion detection and prevention systems to log suspicious activity, as well as host or network firewalls. Typically, in IaaS clouds, security groups double as a firewall, so a separate firewall deployment may not be needed.
  8. Admin Access to Web and Database Servers. The developer or operator of this simple two-tier application needs to manage credentials for administrative access to the web and database servers.
  9. Network Scan of Web and Database Servers. While a developer may have taken the necessary steps to configure and deploy her application securely, it is still prudent to perform network scans before and after deployment to ensure conformance to the intended model. These scans can be as simple as port scans, or they can be application-specific.
  10. Penetration Testing of Application Components. Similar to network scans, penetration tests actively try to break the application as an attacker in the wild would. Such tests are customized for the application (the web server in the above example).
  11. Secure Scaling of Application. When scaling the web server or the database server, the application's keys, certificates, and passwords need to be set up correctly on the new instances and stored appropriately. Even in a simple application such as the one shown above, it is non-trivial to configure keys and certificates on load balancers or the other components required for the application to scale.
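To make item 1 concrete, here is an added example (not code from the original post) of the login lookup the web server above would run against its database, in two versions: one that splices the username into the SQL text and one that passes it as a bound parameter. The users table, the records in it, the SHA-256 stand-in for a password hash and the attacker's input are all constructed for the illustration; a real deployment would store a proper password hash such as bcrypt or Argon2.

```python
import hashlib
import hmac
import sqlite3


def pw_hash(password: str) -> str:
    # Placeholder for a real password hash (bcrypt, scrypt, Argon2); plain
    # SHA-256 is used here only so the example runs with the standard library.
    return hashlib.sha256(password.encode()).hexdigest()


def make_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for the application's database server."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", pw_hash("correct horse")), ("bob", pw_hash("battery staple"))],
    )
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # The username is spliced into the SQL text, so it can change the query.
    query = f"SELECT password_hash FROM users WHERE username = '{username}'"
    row = conn.execute(query).fetchone()
    return row is not None and hmac.compare_digest(row[0], pw_hash(password))


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # The driver sends the username as a bound parameter; it is only ever data.
    query = "SELECT password_hash FROM users WHERE username = ?"
    row = conn.execute(query, (username,)).fetchone()
    return row is not None and hmac.compare_digest(row[0], pw_hash(password))


def attacker_username(chosen_password: str) -> str:
    # UNION injection (constructed): closes the string literal, appends a row
    # whose password_hash the attacker controls, and comments out the rest.
    return f"' UNION SELECT '{pw_hash(chosen_password)}' --"


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, real creds :", login_vulnerable(db, "alice", "correct horse"))
    print("vulnerable, injection  :", login_vulnerable(db, attacker_username("x"), "x"))
    print("safe, injection        :", login_safe(db, attacker_username("x"), "x"))
```

Note that the fix is parameterization, not input filtering: the safe version accepts the same hostile username and simply finds no such user, because the database never interprets the input as SQL.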
As this example shows, it is a non-trivial task for developers to deploy and configure their applications securely, and it requires significant expertise on the developer's part.

In the next post, I will describe the concept of a "Secure DevOps Pipeline", which can facilitate a developer in deploying and managing her applications in a secure manner.