Sebastiaan Rothman, Senior Consultant Applications and Infrastructure at Altron Karabina, looks at what organisations can do to prevent cloud application attacks.
With an increase in organisations looking to modernise their applications, doing away with traditional infrastructure-based solutions and investing in service-type environments, the need for security has never been greater.
It is important to understand that accountability for some aspects of security will always reside with the user or customer, and they are ultimately responsible for maintaining the security related to these components.
Broadly, cloud-based applications typically consist of one or more of the following platforms:
- Web and Mobile Application Services
Each of these platforms have their own unique challenges when it comes to security, with varying degrees of complexity.
Web and Mobile Application Services
Securing applications services in Azure has as much to do with process and policy as it does with technology. Strong authentication, preferably multi-factor authentication, provides the first line of defence against potential data breaches.
After authentication, granular role-based access control ensures that authenticated users only have access to the resources they have been explicitly granted access to.
Secret, certificate and key protection goes a long way in ensuring that this information isn’t written into code, and locking down incoming requests to applications from specific IP addresses further reduce the potential attack surface of an application. These goals can be achieved by leveraging tools such as Azure Key Vault and properly designed networking.
It is highly recommended to install a web application firewall (WAF) in the environment to provide intelligent monitoring, filtering, and protection of web and mobile applications hosted in Azure.
Having secure access to storage resources is extremely important for obvious reasons, but ultimately this is where your information is stored, and as such extra care needs to be taken when configuring access to storage.
Configuring and using stored access signatures is preferred over the use of storage account keys.
Role-based Access Control (RBAC) should always be used to configure for access by natural persons or named processes outside of application access.
Client-side encryption for high value data, and Storage Service Encryption for data at rest must be configured and used as a minimum to secure data.
Several mechanisms and best practice exist for securing databases, specifically SQL, in Azure. As with both application and storage security, the first line of defence for databases comes in the form of efficient identity management. The use of Azure Active Directory authentication over SQL authentication is recommended, allowing for common security practice such as password rotation to happen without disruption to services.
Further technical configurations such as a limited scope of network access, and the use of Transparent Data Encryption (TDE) on databases further secures information and reduces the risk of any unauthorised access.
Securing services in Azure, like any infrastructure or hosted application, required diligent planning from the beginning to ensure risk is mitigated as much as possible. Even though the cloud provider makes all these tools and features available to help secure your environment, the onus is still on you to make sure they are correctly and effectively configured.
Relying on the cloud provider to keep your information safe is a foolish mistake, and one you will pay for dearly.