Cloud-based applications are widespread these days and continue to proliferate at an impressive rate. Due to the fact that these applications are accessible over the Internet and can be used by anyone, anywhere -- their security is of the utmost importance. That's why enterprises that create and manage cloud-based applications must ensure that every layer of the application's infrastructure is secure -- their clients depend on it.
Finding and fixing vulnerabilities in applications matters as much as preventing the vulnerabilities that remain from being exploited, and both matter as much as having the proper defensive mechanisms in place to block malicious attacks.
For example, imagine what would happen if Google's Gmail was hacked by malicious attackers who were able to read the contents of user emails. Not only would Google get some really bad publicity, but its clients would quickly start looking for email alternatives. Customers -- and consequentially money -- would inevitably be lost. And how would the world react if it came to find out that the hackers exploited a security vulnerability in Gmail that could have been easily prevented had it been checked for security holes? While this is a dramatic example, situations like this happen on a daily basis. It is vital that organizations leverage the appropriate measures to prevent a security breach before it's too late.
In this tip, I will discuss the three different strategies that enterprises can use to maximize the security of their cloud-based applications and prevent the dreaded security breach.
Finding and fixing security vulnerabilities
The first approach to ensuring the security of cloud-based applications is to find and fix as many vulnerabilities as possible. Numerous techniques can be used to look for security vulnerabilities in applications, such as manual or automated source code review, taint analysis, Web scanning, fuzz testing, fault injection or symbolic execution. However, not all of these techniques apply in equal measure when trying to find software vulnerabilities in Web applications. For cloud-based applications, both vulnerabilities in the applications themselves as well as vulnerabilities in lower layers, such as operating systems or hypervisors, must be considered. Therefore, it's always good to employ a penetration testing service to check the application and write a security report about any vulnerabilities found.
It is critical to remember that even after a security review, there might still be zero-day vulnerabilities present. However, the review process should eliminate the most critical ones.
Preventing a successful exploitation of security vulnerabilities
The second strategy for maximizing cloud application security does not deal with finding new vulnerabilities in the application but rather preventing existing vulnerabilities from being exploited. There are several technologies and tools that can prevent successful exploitation, including:
- Firewall -- A firewall can be used to block access to certain ports in a DMZ boundary and successfully prevent an attacker from accessing the vulnerable application from the Internet or from another DMZ.
- Intrusion detection (IDS)/intrusion prevention (IPS) systems -- By using an IDS/IPS, organizations can look for known attack patterns and block the attack before it has the chance to reach the target application.
- Web application firewall (WAF) -- A WAF can be used to look for malicious patterns in the application layer. It can detect attacks such as SQL injection, cross-site scripting and path traversal. There are two types of WAF to choose from: the blacklist approach and the whitelist approach. Blacklist WAFs block only known malicious requests, while whitelist WAFs block all requests by default except those explicitly declared valid. With the blacklist approach, it's easy to restructure a request so that it no longer matches anything on the blacklist, and such a request passes through the WAF untouched. While the whitelist approach is more secure, it also requires more time to set up, as all valid requests must be manually programmed into it. Organizations willing to invest that time may end up significantly more secure. Enterprises running an Nginx Web server should consider the open source Naxsi Web application firewall as a whitelist approach to securing applications.
- Content delivery network (CDN) -- A CDN uses the domain name system (DNS) to distribute content over multiple data centers across the Internet and make webpages load faster. When a user makes a DNS request, the CDN returns the IP address of the node closest to the user's location. This not only results in faster loading of webpages, but also protects systems from denial-of-service attacks, as traffic flows through the CDN rather than hitting the origin directly. Usually, CDNs also offer other protection mechanisms that can be turned on, such as a WAF, email protection, uptime and performance monitoring, and Google Analytics integration.
- Authentication -- Two-factor authentication mechanisms should be adopted whenever possible. Relying only on a username/password combination to log into cloud applications is a huge vulnerability, as attackers might be able to gather this information through a social engineering attack. Alternatively, attackers could guess or brute-force passwords. Single sign-on can also boost productivity and ensure that all users have proper access while simultaneously maintaining security.
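The blacklist-versus-whitelist distinction in the WAF item above is easiest to see in code. The following is an added example written for this article, not code from the article or from the Naxsi project: a deliberately small blacklist filter next to an allowlist that declares, per endpoint, which parameters exist and what shape each value must have. The endpoints, parameter names and patterns are hypothetical.

```python
import re
from urllib.parse import parse_qs

# Blacklist WAF (constructed, deliberately small): block any request whose raw
# query string contains a known-bad token. Real signature sets are much larger,
# but the weakness is the same: anything not on the list gets through.
BLACKLIST = re.compile(r"(union\s+select|<script|\.\./)", re.IGNORECASE)


def blacklist_allows(query_string: str) -> bool:
    """Return True if the blacklist WAF would pass the request on to the app."""
    return BLACKLIST.search(query_string) is None


# Allowlist WAF: every endpoint declares the parameters it accepts and the exact
# shape each value must have. Endpoints, names and patterns are hypothetical.
ALLOWLIST = {
    "/search": {
        "q": re.compile(r"[\w .-]{1,64}"),
        "page": re.compile(r"\d{1,3}"),
    },
    "/item": {
        "id": re.compile(r"\d{1,10}"),
    },
}


def allowlist_allows(path: str, query_string: str) -> bool:
    """Return True only if the path is known and every parameter matches its rule."""
    rules = ALLOWLIST.get(path)
    if rules is None:
        return False  # unknown endpoint: nothing was ever declared valid for it
    params = parse_qs(query_string, keep_blank_values=True)
    for name, values in params.items():
        pattern = rules.get(name)
        if pattern is None:
            return False  # undeclared parameter
        if not all(pattern.fullmatch(v) for v in values):
            return False  # declared parameter, but the value has the wrong shape
    return True


if __name__ == "__main__":
    benign = "q=running shoes&page=2"
    listed = "q=1' union select 1--"
    restructured = "q=1' union/**/select 1--"  # same intent, no longer matches the token
    for qs in (benign, listed, restructured):
        print(f"{qs!r:32} blacklist={blacklist_allows(qs)!s:5} "
              f"allowlist={allowlist_allows('/search', qs)}")
```

The restructured request is the point of the article's warning: the blacklist stops matching as soon as a token is rewritten, while the allowlist rejects it for the same reason it rejects the original, the value simply has the wrong shape for that parameter. The cost is visible too: every endpoint and parameter has to be declared before the allowlist lets legitimate traffic through.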
Limiting the damage caused by a successful exploitation
The final cloud application security scenario deals with limiting the damage caused by an attacker who has discovered a security vulnerability, bypassed the protection mechanisms and exploited the vulnerability to gain access to the system. Cloud service providers (CSPs) have multiple options here, including:
- Virtualization. While it can boost security by limiting the damage a compromised application can cause to its supporting infrastructure, running an application in its own virtualized environment means an organization would need to have an operating system running for every application -- a complete waste of resources. This is why containers have become so popular. A container is a type of software component in which applications can be isolated from the rest of the system without requiring the full-blown virtualization layer. Examples of popular containers include Linux Containers (LXC) or Docker.
- Sandbox. Even if a hacker is able to gain access to the backend system, any attack on the applications would be restricted to the sandboxed environment. Therefore, the attack would need to break out of the sandbox to gain access to the operating system. There are several different sandbox environments available, including LXC and Docker.
- Encryption. Important information such as Social Security numbers or credit card numbers must be properly encrypted when stored in a database. If an application supports it, enterprises should send data to the cloud already encrypted.
- Log monitoring/security information and event management (SIEM). When an attack occurs, it's a good idea to have a logging system/SIEM in place to quickly determine where the attack came from, who was behind it and how to mitigate the issue.
- Backup. A proper backup system is critical in the event that anything goes wrong. Because it's not easy to create a working backup system -- and can take quite some time to do it right -- many companies choose to outsource the backup process.
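To make the log monitoring item concrete, here is an added example (written for this article, not code from it or from any SIEM product) that runs two detections over a constructed Web server access log: a sliding-window count of failed logins per source address, and a signature match on request paths for the attack classes named earlier in the article. The log lines, addresses (RFC 5737 documentation ranges), thresholds and signatures are all constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Combined-log-format parser (nginx/Apache style). The regex covers the fields
# the detections below need; referer and user agent are left off for brevity.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)


def parse_line(line: str):
    """Return a dict for a well-formed line, or None so one bad line cannot stop the run."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "method": m["method"],
        "path": m["path"],
        "status": int(m["status"]),
    }


def detect_brute_force(events, login_path="/login", threshold=5, window=timedelta(minutes=1)):
    """Flag source IPs with `threshold` or more failed logins (HTTP 401) inside a sliding window."""
    recent = defaultdict(deque)
    flagged = []
    for e in sorted(events, key=lambda ev: ev["ts"]):
        if e["status"] != 401 or not e["path"].startswith(login_path):
            continue
        q = recent[e["ip"]]
        q.append(e["ts"])
        while q and e["ts"] - q[0] > window:
            q.popleft()  # drop failures that fell out of the window
        if len(q) >= threshold and e["ip"] not in flagged:
            flagged.append(e["ip"])
    return flagged


# Request-path signatures for the attack classes the article names (path traversal,
# SQL injection, cross-site scripting). A constructed starting set for triage only.
SUSPICIOUS = re.compile(
    r"(\.\./|%2e%2e%2f|union(\s|\+|%20)+select|%27|<script|%3cscript)", re.IGNORECASE
)


def detect_suspicious_paths(events):
    """Return (ip, path) pairs whose request path matches one of the signatures."""
    return [(e["ip"], e["path"]) for e in events if SUSPICIOUS.search(e["path"])]


# Constructed sample log; the addresses come from the RFC 5737 documentation ranges.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2015:10:00:01 +0000] "POST /login HTTP/1.1" 401 120
203.0.113.7 - - [10/Mar/2015:10:00:03 +0000] "POST /login HTTP/1.1" 401 120
192.0.2.9 - - [10/Mar/2015:10:00:05 +0000] "POST /login HTTP/1.1" 401 120
203.0.113.7 - - [10/Mar/2015:10:00:06 +0000] "POST /login HTTP/1.1" 401 120
203.0.113.7 - - [10/Mar/2015:10:00:09 +0000] "POST /login HTTP/1.1" 401 120
192.0.2.9 - - [10/Mar/2015:10:00:11 +0000] "POST /login HTTP/1.1" 200 2048
203.0.113.7 - - [10/Mar/2015:10:00:12 +0000] "POST /login HTTP/1.1" 401 120
198.51.100.4 - - [10/Mar/2015:10:00:15 +0000] "GET /files?name=../../etc/passwd HTTP/1.1" 404 0
192.0.2.9 - - [10/Mar/2015:10:00:20 +0000] "GET /search?q=shoes HTTP/1.1" 200 5120
this line is garbage and must not crash the parser
"""


def analyze(log_text: str):
    """Parse the log and run both detections; returns a small report dict."""
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    return {
        "events": len(events),
        "brute_force": detect_brute_force(events),
        "suspicious": detect_suspicious_paths(events),
    }


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

On the sample, the user who mistyped a password once is not flagged, the address with five failures inside a minute is, and the traversal attempt shows up even though the server answered it with a 404; a 404 is exactly the kind of event that is only interesting when something is looking at the logs. In a real deployment the two functions would run over a stream from the log shipper and raise SIEM alerts instead of returning lists.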
Keeping data in a cloud instead of on premises presents a number of new security challenges, but fortunately there are many ways to alleviate them. Finding and fixing vulnerabilities in applications is as important as preventing successful exploitation of the vulnerabilities that remain, and both are as critical as having the proper defense mechanisms in place to block malicious attacks.
As this article reveals, there are many ways to secure cloud-based applications, but it takes time and effort to set them up properly. Due to these constraints, businesses often don't see a return on investment as quickly as they would like and will disregard the importance of security. In practice, security often becomes important only after the application infrastructure has been compromised. However, taking the proper steps to secure the applications and prevent vulnerabilities in the first place -- and having a plan for what to do should vulnerabilities be exploited -- is critical to not only the success and security of a cloud application environment but also to the vitality of an organization as a whole.
About the author:
Dejan Lukan has an extensive knowledge of Linux/BSD system maintenance as well as security related concepts including system administration, network administration, security auditing, penetration testing, reverse engineering, malware analysis, fuzzing, debugging and antivirus evasion. He is also fluent in more than a dozen programming languages and constantly writes security-related articles for his own website at www.proteansec.com.