A closer look at what makes a secure app and which cloud services help establish app security.
In my previous blog posts, I touched on how to keep a secure environment after an employee leaves by rotating credentials and tracking their usage.
Today, I am looking at individual apps on IBM Cloud. Providing a secure app or application is a fundamental requirement, and this is especially true in a cloud environment. The IBM Architecture Center guide on cloud application security provides a good overview, and I am going to use it as a foundation to answer questions like: "What makes a secure app?" and "Which cloud services help establish app security?"
What makes a secure app?
Building and maintaining a secure app covers many aspects. Some deal with the intended (well-behaving) users, some with the “bad guys”:
Most of us have an identity card, passport, or an (access/company) badge. We show those documents to establish our name and person. They help prove that we are the real “Henrik” and not some fake. Authentication is the process of identification—of identifying a specific user.
Once a person or user has been identified (authenticated), the next step is to establish the granted privileges. What is the user authorized to do? I am allowed to enter building “A” on campus, but not the data center. I have read access to some account data, but I cannot modify any order information or give discounts.
Note: Often, the combination of authentication and authorization is referred to as Identity and Access Management (IAM).
Secure app code
All experienced developers know that their code contains bugs. Some of the code defects are harmless, some cause app vulnerabilities. By applying code analysis and performing penetration tests, common holes can be found. The app code can be secured.
When considering data security, there is often a differentiation about data-at-rest (stored data), data-in-transit (in transmission), and data-in-use (currently processed in a computer).
Data that is handled by the application needs to be stored (data-at-rest) in a way so that only authorized (required/“need to know”) users have access to it. Moreover, data encryption helps to reduce risks of unauthorized copies and low-level access.
Protecting data-in-use is largely a matter of the cloud infrastructure: how compute resources are shared, isolated, and secured.
Connections (data-in-transit) to the app and from the app to services and resources need to be secured, i.e., encrypted. This makes sure others on the network cannot simply listen in on the data traffic.
Audit and monitoring
Once the other measures are implemented and the app is in production, the app behavior and user interactions need to be monitored for anomalies. Depending on the app type, regular audits of app and data access may be needed.
There are more topics that could be listed for what contributes to app security. The IBM Secure Engineering Framework (SEF) lists nine categories for security requirements alone. So, it is quite complex already.
Moreover, we could consider that many laws and most regulations require “state of the art” effort to protect an app and its data. Thus, it requires regular assessments of whether all of the building blocks for app security are in place and are up-to-date.
Which cloud services help establish app security?
To better focus on the application logic itself—the functionality and business side—developers can delegate or “outsource” some of the security tasks. Here is a non-exhaustive list of services that IBM Cloud provides. I am going to use the list of security topics from above to help organize the relevant IBM Cloud services:
If you want to easily authenticate users, I recommend taking a look at the App ID service. The App ID service helps applications authenticate users based on different identity providers. It uses the standard protocol OAuth2 and supports OpenID Connect (OIDC), which keeps the integration simple, including configuration discovery.
On the backend, App ID works with SAML-based enterprise directories, social identity providers like Google and Facebook, or you can manage users in the service's own Cloud Directory. App ID supports several authentication flows to integrate into different app scenarios.
The above-mentioned App ID service helps to implement authorized access by utilizing access tokens. The tokens are based on the JSON Web Tokens (JWT) standard.
The app—and, thereby, its users—may also have access to IBM Cloud resources, such as provisioned services. Many services in the IBM Cloud catalog allow you to issue credentials for different roles, such as Reader or Writer. Moreover, service IDs can be utilized to separate an app from a developer (account users).
Some authorization can also be managed through only selectively allowing network access to an app. See “Secure Routes” below.
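To make the authentication and authorization steps concrete, here is an added example of what a backend does with a bearer access token before serving a request: it verifies the token (signature, pinned algorithm, issuer, audience, expiry) and only then maps the roles carried in the token to the actions the caller may perform. This is illustration code written for this post, not App ID's own SDK. To run offline with the standard library only, it signs tokens with HS256 and a shared secret; real App ID tokens are RS256-signed and must be verified against the issuer's public keys obtained via OIDC discovery. The issuer URL, audience, secret, role names and the `roles` claim are constructed for the example.

```python
"""Verify a JWT access token, then enforce role-based authorization.

Added example, not App ID code. Assumptions (constructed for the example):
HS256 with a shared secret instead of App ID's RS256 public-key verification,
a fixed issuer/audience pair, and a 'roles' claim listing Reader/Writer roles.
"""
import base64
import hashlib
import hmac
import json
import time

ISSUER = "https://example-issuer.invalid/oidc"      # constructed
AUDIENCE = "orders-api"                              # constructed
SHARED_SECRET = b"example-shared-secret-not-for-production"  # constructed


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(subject: str, roles: list, ttl_seconds: int = 300, now: int = None) -> str:
    """Stand-in for the identity provider: issue a signed token with claims."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"iss": ISSUER, "aud": AUDIENCE, "sub": subject,
               "iat": now, "exp": now + ttl_seconds, "roles": roles}
    signing_input = (_b64url_encode(json.dumps(header, separators=(",", ":")).encode())
                     + "." + _b64url_encode(json.dumps(payload, separators=(",", ":")).encode()))
    sig = hmac.new(SHARED_SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


class TokenError(Exception):
    """Raised when a token must be rejected; the caller answers 401."""


def verify_token(token: str, now: int = None) -> dict:
    """Authentication: establish who the caller is from a token we can trust."""
    now = int(time.time()) if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        raise TokenError("malformed token")
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm: the token's own 'alg' field must never select the verifier.
    if header.get("alg") != "HS256":
        raise TokenError("unexpected alg")
    expected = hmac.new(SHARED_SECRET, f"{header_b64}.{payload_b64}".encode(),
                        hashlib.sha256).digest()
    # Check the signature before trusting any claim in the payload.
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise TokenError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != ISSUER:
        raise TokenError("wrong issuer")
    if claims.get("aud") != AUDIENCE:
        raise TokenError("wrong audience")
    if now >= claims.get("exp", 0):
        raise TokenError("token expired")
    return claims


def authorize(claims: dict, action: str) -> bool:
    """Authorization: roles in the verified token decide which actions are allowed."""
    permissions = {"Reader": {"orders:read"},
                   "Writer": {"orders:read", "orders:update"}}
    allowed = set()
    for role in claims.get("roles", []):
        allowed |= permissions.get(role, set())
    return action in allowed


if __name__ == "__main__":
    token = mint_token("henrik", ["Reader"])
    claims = verify_token(token)
    print(claims["sub"], "may read orders:", authorize(claims, "orders:read"))
    print(claims["sub"], "may update orders:", authorize(claims, "orders:update"))
```

Two design points carry over to production code regardless of the signing algorithm: the verifier decides which algorithm and keys to use (the token's header is untrusted input), and no claim, including `roles`, is read before the signature has been checked. Keeping `authorize` separate from `verify_token` mirrors the split in the post: the first establishes identity, the second the granted privileges.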
Secure app code
Most of us are humans (I hope); thus, we and the code that we develop are prone to errors. Depending on your deployment method and compute platform, you may utilize tools like Vulnerability Advisor or IBM Cloud Security Advisor. You may also integrate automated code scans and tests into stages of your delivery pipeline and then use DevOps Insights to look for patterns and trends in test results.
To encrypt data that is stored in the data services on IBM Cloud, typically there is not much to do since data is encrypted by default. As an example, see the documentation for Cloud Object Storage and Cloudant. If you want to protect special application keys or other credentials, want to control encryption root keys, or even bring your own keys to IBM Cloud, you may want to consider using either the Key Protect or the Hyper Protect Crypto Services. They provide integrations with data storage and database services for an additional layer of data security.
To take encryption one step further, try using IBM Cloud Data Shield to protect the data that is in use by your containerized applications. The Hyper Protect database and compute services offer protection based on LinuxONE security features and shields access to data at rest and in use.
Many IBM Cloud users make their applications available on custom domains. To secure the route and enable HTTPS-based access, developers can utilize Certificate Manager to either order or upload and manage SSL certificates. If you have to securely connect between your cloud and on-premises resources, then utilize the Secure Gateway service or one of the VPN services.
To securely route traffic from the app to services, consider the configuration of private service endpoints.
Audit and monitoring
Want to gain insights into what is going on with your app and meet audit or compliance requirements? Then Activity Tracker with LogDNA should be of interest. The Activity Tracker integrates the various security-related events to generate an audit trail.
Another service to take a look at is IBM Cloud Monitoring with Sysdig. It allows you to monitor a broad set of metrics and to understand the app performance and health. Both the Activity Tracker and Monitoring allow you to set up alerts to get notified about, for example, unusual system or app behavior.
Last, but not least, the already mentioned DevOps Insights enables analysis of continuous delivery and toolchain metrics. That data can include information about failed tests, results from code scans, who was involved, and much more.
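The audit trail is only useful if something looks at it. As an added example (not part of the original post and not Activity Tracker or Sysdig tooling), the following script scans a handful of audit events and raises the kind of alerts the section talks about: repeated login failures for one identity, a successful login from an address not seen before for that identity, and a service ID accessing data outside business hours. The event format is a simplified JSON layout constructed for this example, with the fields `time`, `initiator`, `action`, `outcome` and `source_ip`; real Activity Tracker events follow the CADF layout, so those fields would need to be mapped first. The thresholds, business hours and all sample events are constructed as well.

```python
"""Flag anomalies in an audit trail.

Added example, not the original post's or IBM Cloud's own code. The event
format, sample events, threshold and business-hours policy are constructed.
"""
import json
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample events (one JSON object per line, in the order they were written).
SAMPLE_EVENTS = """
{"time":"2021-03-02T08:55:00Z","initiator":"alice@example.invalid","action":"iam-identity.user.login","outcome":"success","source_ip":"203.0.113.10"}
{"time":"2021-03-02T02:13:00Z","initiator":"ServiceId-example-1","action":"cloud-object-storage.object.read","outcome":"success","source_ip":"198.51.100.20"}
{"time":"2021-03-02T09:00:01Z","initiator":"alice@example.invalid","action":"iam-identity.user.login","outcome":"failure","source_ip":"198.51.100.7"}
{"time":"2021-03-02T09:00:30Z","initiator":"alice@example.invalid","action":"iam-identity.user.login","outcome":"failure","source_ip":"198.51.100.7"}
{"time":"2021-03-02T09:01:00Z","initiator":"alice@example.invalid","action":"iam-identity.user.login","outcome":"failure","source_ip":"198.51.100.7"}
{"time":"2021-03-02T09:02:00Z","initiator":"alice@example.invalid","action":"iam-identity.user.login","outcome":"success","source_ip":"198.51.100.7"}
{"time":"2021-03-02T10:00:00Z","initiator":"bob@example.invalid","action":"iam-identity.user.login","outcome":"success","source_ip":"203.0.113.11"}
"""

FAILED_LOGIN_THRESHOLD = 3          # constructed policy
BUSINESS_HOURS = range(7, 20)       # 07:00-19:59 UTC, constructed policy


def parse_events(text: str) -> list:
    """Parse newline-delimited JSON events; timestamps become aware UTC datetimes."""
    events = []
    for line in text.strip().splitlines():
        event = json.loads(line)
        event["time"] = datetime.strptime(event["time"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(event)
    return events


def detect_anomalies(events: list) -> list:
    """Return (alert_type, initiator) tuples in time order."""
    alerts = []
    failures = defaultdict(int)       # consecutive login failures per identity
    known_ips = defaultdict(set)      # source addresses seen on successful logins
    for event in sorted(events, key=lambda e: e["time"]):
        who = event["initiator"]
        if event["action"].endswith(".login"):
            if event["outcome"] == "failure":
                failures[who] += 1
                # Alert once, when the threshold is reached, not on every further failure.
                if failures[who] == FAILED_LOGIN_THRESHOLD:
                    alerts.append(("repeated_login_failures", who))
            else:
                # A success from an address never used before by this identity is notable,
                # especially right after a burst of failures.
                if known_ips[who] and event["source_ip"] not in known_ips[who]:
                    alerts.append(("login_from_new_ip", who))
                known_ips[who].add(event["source_ip"])
                failures[who] = 0
        # Service IDs normally act on a predictable schedule; off-hours access stands out.
        if who.startswith("ServiceId-") and event["time"].hour not in BUSINESS_HOURS:
            alerts.append(("off_hours_service_access", who))
    return alerts


def scan_sample() -> list:
    return detect_anomalies(parse_events(SAMPLE_EVENTS))


if __name__ == "__main__":
    for alert_type, initiator in scan_sample():
        print(f"ALERT {alert_type}: {initiator}")
```

Each rule here is deliberately simple so the logic is visible; in practice the same checks run as alert conditions in the monitoring service, with the thresholds and hours tuned to the app. The point the example makes is that the events Activity Tracker collects are the raw material, and the alerts are a set of explicit rules over them that someone has to write down.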
Developing an enterprise app usually is quite an effort. Ensuring its security should be part of early design and the entire app lifecycle. In this blog entry, I have discussed core security topics, then introduced some of the security-related services IBM Cloud offers. This should help you get started with your next (enterprise) project. Secure coding!
Note: This article is an updated version of a post initially published August 4, 2017 in the IBM Cloud Blog.