Cloud App Security – What makes a secure app
Providing a secure app or application is a fundamental requirement. This is especially true in a cloud environment. In my post “Cloud Security and IBM Bluemix – get started” I discussed the various layers that realize secure cloud computing. Today, I want to focus solely on apps that are built for deployment in the IBM Cloud. What makes up a secure app? Which cloud services help establish app security? Let’s take a look together.
Building and maintaining a secure app covers many aspects. Some deal with the intended (well-behaving) users, some with the “bad guys”:
Authentication: Most of us have an identity card, passport or an (access/company) badge. We show those documents to establish our name and person. They help prove that we are the real “Henrik” and not some fake. Authentication is the process of identification, of identifying a specific user.
Authorization: Once a person or user has been identified (authenticated), the next step is to establish the granted privileges. What is the user authorized to do? I am allowed to enter building “A” on campus, but not the data center. I have read access to some account data, but I cannot modify any order information or give discounts. Note that the combination of authentication and authorization is often referred to as Identity and Access Management (IAM).
Secure App Code: All experienced developers know that their code contains bugs. Some of the code defects are harmless, some cause app vulnerabilities. By applying code analysis and performing penetration tests, common holes can be found and the app code can be secured.
Data Security: When considering data security, a differentiation is often made between data-at-rest (stored data), data-in-transit (in transmission) and data-in-use (currently processed in a computer). Data that is handled by the application needs to be stored (data-at-rest) in a way that only authorized users (those who “need to know”) have access to it. Moreover, data encryption helps to reduce the risk of unauthorized copies and low-level access. Protecting data-in-use is a matter of the cloud infrastructure, which I discussed earlier.
Secure Routes: Connections (data-in-transit) to the app as well as from the app to services and resources need to be secured, i.e., encrypted. This makes sure others on the network cannot simply listen in on the data traffic.
Audit and Monitoring: Once the other measures are implemented and the app is in production, the app behavior and user interactions need to be monitored for anomalies. Depending on the app type, regular audits of app and data access may be needed.
There are more topics that could be listed for what contributes to app security. The IBM Secure Engineering Framework (SEF) lists nine categories for security requirements alone. So, it is quite complex already. Moreover, many laws as well as most regulations require “state of the art” effort to protect an app and its data. Thus, regular reassessments are required of whether all building blocks for app security are in place and up-to-date.
Security Services in the IBM Bluemix Catalog
App Security Services
To focus on the application logic, the functionality and business side, developers can delegate or “outsource” some of the security tasks. Here is a non-exhaustive list of services that the IBM Cloud with the Bluemix platform provides. I am going to use the list of security topics from above:
Authentication
If you want to easily authenticate users, I recommend taking a look at the App ID service. The App ID service helps mobile and web applications to authenticate users based on different identity providers, e.g., Google and Facebook. Access tokens can then be granted to those users. More on that as part of “Authorization”. Another authentication service available in the Bluemix catalog is the Single-Sign-On service (SSO). The SSO service is able to interface with SAML enterprise directories, the IBM Cloud Directory service as well as with social identity providers, e.g., LinkedIn or GitHub.
Authorization
The mentioned App ID service helps to implement authorized access by utilizing access tokens. The tokens are based on the JSON Web Tokens (JWT) standard. A rich ecosystem exists on which security contexts can be implemented. Many services in the Bluemix catalog, especially in the Data & Analytics category, allow issuing credentials for different roles. As examples, see my previous blog post on “Managing Service Keys from the Command Line” and the documentation for the Cloudant NoSQL database on using access keys.
Some authorization can also be managed through only selectively allowing network access to an app. See “Secure Routes” below.
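To make the token-based authorization described above concrete, here is an added example (not code from the original post and not the App ID SDK) of how an app should validate a JWT before granting access. It assumes HS256 with a constructed demo secret so that it runs with the Python standard library only; a real identity service such as App ID signs tokens with its own keys, which the app obtains from the service rather than embedding. The names `issue_token`, `verify_token` and `is_authorized` are hypothetical. The important defensive points are the same regardless of the signing algorithm: pin the expected algorithm instead of trusting the token header, compare signatures in constant time, check the expiry, and only then consult the granted scopes.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo secret for the example only. A real identity service
# (e.g. App ID) holds its own signing keys; the app never embeds them in code.
DEMO_SECRET = b"demo-secret-do-not-use-in-production"


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    padding = "=" * (-len(text) % 4)
    return base64.urlsafe_b64decode(text + padding)


def issue_token(subject: str, scopes: list, ttl_seconds: int = 300, now: int = None) -> str:
    """Build an HS256-signed JWT: base64url(header).base64url(payload).base64url(sig)."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": subject, "scope": " ".join(scopes), "iat": now, "exp": now + ttl_seconds}
    header_b64 = _b64url_encode(json.dumps(header, separators=(",", ":")).encode())
    payload_b64 = _b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    signing_input = f"{header_b64}.{payload_b64}"
    sig = hmac.new(DEMO_SECRET, signing_input.encode("ascii"), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url_encode(sig)}"


def verify_token(token: str, now: int = None) -> dict:
    """Return the payload if algorithm, signature and expiry are valid; raise ValueError otherwise."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm: the verifier decides how to check, never the token's own header.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected algorithm")
    expected = hmac.new(DEMO_SECRET, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    # Constant-time comparison avoids leaking how many signature bytes matched.
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    payload = json.loads(_b64url_decode(payload_b64))
    if payload.get("exp", 0) <= now:
        raise ValueError("token expired")
    return payload


def is_authorized(token: str, required_scope: str, now: int = None) -> bool:
    """Authorization decision: the token must be valid AND carry the required scope."""
    try:
        payload = verify_token(token, now=now)
    except ValueError:
        return False
    return required_scope in payload.get("scope", "").split()


if __name__ == "__main__":
    token = issue_token("henrik", ["orders:read"], now=1000)
    print("read allowed:", is_authorized(token, "orders:read", now=1100))    # True
    print("write allowed:", is_authorized(token, "orders:write", now=1100))  # False
```

Note that `is_authorized` returns `False` for every failure reason; the specific reason is useful for audit logging (see below), but should not be exposed to the caller.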
Secure App Code
Most of us are humans (I hope). Thus, we and the code we develop are prone to errors. The service Application Security on Cloud is able to detect common security gaps in your mobile, web or desktop applications. After deploying the Application Security on Cloud service, you can set up both static code scans as well as dynamic scans of your (up and running) app. As another option, when working with toolchains as part of the DevOps Continuous Delivery process, you can integrate security services into the stages. There is also a built-in static code scan that could be utilized.
Data Security
To encrypt data stored in the data services on Bluemix, typically there is not much to do, as data is encrypted by default. As an example, you can read here how this is done for the Cloudant NoSQL DBaaS. If you want to protect special application keys or other credentials, or want to encrypt high volumes of sensitive data, you may want to consider the Key Protect service. Once you have the Key Protect service deployed, it can be integrated via REST API with your applications to obtain and manage keys. The keys can then be used to protect, i.e., to encrypt, data.
Secure Routes
Many Bluemix users make their applications available on their custom domains. To secure the route and enable HTTPS-based access, developers can upload the domain-specific SSL certificates. If you have to securely connect your cloud and on-premises resources, then utilize the Secure Gateway service or the VPN service. The Secure Gateway service also has ties into the API Connect service. APIs created using the API Connect service, and the resources they expose, can be guarded by additional security rules and access rate limits.
The IBM Cloud with Bluemix offers several other services in the network infrastructure category to meet the various requirements for securely connecting the components of a cloud-based solution.
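Uploading a certificate secures the route at the platform edge, but the app itself should also refuse to serve sensitive content over plain HTTP and should tell browsers to keep using HTTPS. The following is an added example (not from the original post and not platform code) of a small WSGI middleware that does exactly that. It assumes the app runs behind a router that terminates TLS and forwards the original scheme in `X-Forwarded-Proto` (and that the router overwrites any client-supplied copy of that header); `hello_app`, `https_only` and `call` are hypothetical names, and the request dictionaries in the usage are constructed.

```python
from typing import Callable, List, Tuple


def hello_app(environ, start_response):
    """Hypothetical inner WSGI app standing in for the real application logic."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"hello"]


def https_only(app: Callable, hsts_max_age: int = 31536000) -> Callable:
    """Redirect plain-HTTP requests to HTTPS and add an HSTS header to HTTPS responses."""

    def wrapper(environ, start_response):
        # Assumption: the TLS-terminating router sets X-Forwarded-Proto to the
        # scheme the client used; wsgi.url_scheme covers direct connections.
        scheme = environ.get("HTTP_X_FORWARDED_PROTO", environ.get("wsgi.url_scheme", "http"))
        if scheme != "https":
            host = environ.get("HTTP_HOST") or environ.get("SERVER_NAME", "localhost")
            location = f"https://{host}{environ.get('PATH_INFO', '/')}"
            if environ.get("QUERY_STRING"):
                location += "?" + environ["QUERY_STRING"]
            # No body is served over the insecure connection, only the redirect.
            start_response("301 Moved Permanently", [("Location", location), ("Content-Length", "0")])
            return [b""]

        def secure_start_response(status, headers, exc_info=None):
            # Ensure exactly one Strict-Transport-Security header on every HTTPS response.
            headers = [h for h in headers if h[0].lower() != "strict-transport-security"]
            headers.append(("Strict-Transport-Security", f"max-age={hsts_max_age}; includeSubDomains"))
            return start_response(status, headers, exc_info)

        return app(environ, secure_start_response)

    return wrapper


def call(app: Callable, environ: dict) -> Tuple[str, List[Tuple[str, str]], bytes]:
    """Minimal WSGI driver so the middleware can be exercised without a server."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = headers

    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


if __name__ == "__main__":
    secured = https_only(hello_app)
    # Constructed requests: one over plain HTTP, one that the router received over HTTPS.
    print(call(secured, {"wsgi.url_scheme": "http", "HTTP_HOST": "app.example.com", "PATH_INFO": "/orders"}))
    print(call(secured, {"wsgi.url_scheme": "http", "HTTP_X_FORWARDED_PROTO": "https",
                         "HTTP_HOST": "app.example.com", "PATH_INFO": "/"}))
```

The redirect carries no body, so nothing sensitive is ever written to the unencrypted connection; the HSTS header makes returning browsers skip the insecure request altogether for the configured lifetime.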
Audit and Monitoring
Want to gain insights into what is going on with your app and meet audit or compliance requirements? Then the Activity Tracker service should be of interest. The Activity Tracker is still a new service, but capable of integrating the various security-related events to generate an audit trail. Another service to take a look at is IBM Cloud Monitoring. It allows you to monitor a broad set of metrics. Moreover, you can define rules for alerts. They can invoke a webhook, use PagerDuty to get someone’s attention or send out an email.
Last but not least, to cover yet another monitoring and audit angle, Bluemix has the new DevOps Insights service. It enables analysis of continuous delivery and of toolchain metrics. That data can include information about failed tests, results from code scans, who was involved and much more.
Developing an enterprise app usually is quite an effort. Ensuring its security should be part of the early design and the entire app lifecycle. In this blog entry, I have discussed some core security topics, then introduced some of the security-related services the IBM Cloud with Bluemix offers. This should get you started with your next (enterprise) project. Secure coding!
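An audit trail is only useful if someone (or something) looks at it. As an added example, not from the original post and not Activity Tracker or Cloud Monitoring code, here is detection logic of the kind an alert rule would implement, run over a handful of constructed login events in JSON-lines form (the field names `time`, `action`, `outcome`, `user` and `source_ip` are assumptions, not the real event schema). It flags a burst of failed logins for one user within a sliding window and, separately, a successful login that follows such a burst, which is the case most worth a human's attention.

```python
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Constructed sample audit events (JSON lines); not real Activity Tracker output.
SAMPLE_EVENTS = """
{"time": "2017-06-01T10:00:00Z", "action": "login", "outcome": "failure", "user": "alice", "source_ip": "203.0.113.5"}
{"time": "2017-06-01T10:00:20Z", "action": "login", "outcome": "failure", "user": "alice", "source_ip": "203.0.113.5"}
{"time": "2017-06-01T10:00:40Z", "action": "login", "outcome": "failure", "user": "alice", "source_ip": "203.0.113.5"}
{"time": "2017-06-01T10:01:00Z", "action": "login", "outcome": "failure", "user": "alice", "source_ip": "203.0.113.5"}
{"time": "2017-06-01T10:01:10Z", "action": "login", "outcome": "failure", "user": "alice", "source_ip": "203.0.113.5"}
{"time": "2017-06-01T10:01:30Z", "action": "login", "outcome": "success", "user": "alice", "source_ip": "203.0.113.5"}
{"time": "2017-06-01T10:02:00Z", "action": "login", "outcome": "failure", "user": "bob", "source_ip": "198.51.100.9"}
{"time": "2017-06-01T10:30:00Z", "action": "login", "outcome": "failure", "user": "bob", "source_ip": "198.51.100.9"}
{"time": "2017-06-01T10:31:00Z", "action": "login", "outcome": "success", "user": "bob", "source_ip": "198.51.100.9"}
"""


def parse_events(text: str) -> list:
    """Parse JSON lines into event dicts, adding a UTC datetime under 'ts', sorted by time."""
    events = []
    for line in text.strip().splitlines():
        event = json.loads(line)
        event["ts"] = datetime.strptime(event["time"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(event)
    return sorted(events, key=lambda e: e["ts"])


def detect_login_anomalies(events: list, threshold: int = 5, window: timedelta = timedelta(minutes=5)) -> list:
    """Return alerts for (a) >= threshold failed logins per user inside the sliding window
    and (b) a successful login while such a burst is still open for that user."""
    alerts = []
    recent_failures = defaultdict(deque)  # user -> failure timestamps inside the window
    burst_open = set()                    # users for which a burst alert was already raised
    for event in events:
        if event["action"] != "login":
            continue
        user, ts = event["user"], event["ts"]
        failures = recent_failures[user]
        while failures and ts - failures[0] > window:
            failures.popleft()            # slide the window forward
        if event["outcome"] == "failure":
            failures.append(ts)
            if len(failures) >= threshold and user not in burst_open:
                burst_open.add(user)      # alert once per burst, not on every further failure
                alerts.append({"rule": "failed-login-burst", "user": user,
                               "source_ip": event["source_ip"], "time": event["time"]})
        elif event["outcome"] == "success":
            if user in burst_open:
                alerts.append({"rule": "success-after-burst", "user": user,
                               "source_ip": event["source_ip"], "time": event["time"]})
            failures.clear()              # a success ends the current burst
            burst_open.discard(user)
    return alerts


if __name__ == "__main__":
    for alert in detect_login_anomalies(parse_events(SAMPLE_EVENTS)):
        print(alert)
```

In the sample data, `alice` triggers both rules while `bob`'s two failures are 28 minutes apart and never reach the threshold. The same structure (parse, keep per-principal state in a bounded window, alert once per episode) carries over to other audit signals such as repeated authorization denials or unusual key-management operations.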