Security aspects when moving to the public cloud – PaaS

By | April 25, 2017

So this is a follow-up on my previous blogpost on Security Aspects on public cloud –> http://msandbu.org/security-aspects-when-moving-to-the-public-cloud-iaas/ in this blog post I will focus more on what security aspects you ned to think about when considering using platform services.

Platform services comes in different shapes and colours, but in the core essence you have a vendor which delivers a service to we as a consumer and we are responsible for the data and or the application which is running on the service.

PaaS consists of a range of different services for instance
* Web Applications / Mobile Applications
* Database services
* IoT services
* Big Data Analytics
* Microservices / Container Services

So what do we need to consider?

1: Secure and protect the data
When using a platform service such as IoT services or Big Data analytics the most important factor is protecting the data which is being generated/processed. The data that is being processed or generated might contain business critical information or that might be your entire business value so it is crucial that external users do not gain access to the data.

And of course it is the other factor to consider that internal users might try to download the information and resell if to the competition, so also ensure if possible to encrypt the data where it is located so that external users cannot read the information directly outside of the platform.

Lastly you might also need x amount of copies to ensure that data is protected since most of the platform services provide data redundancy but not backup of the data. Now many of the platform services like SQL databases have a backup service included but you have to enable it, so you have copies of the data.

Important to remember that not all services include backup services, such as web services or web apps. in That matter the software repository hosting the code for the web server is the crucial piece to have backup of. For instance products like BackHub can be used to backup Github repositories –> https://backhub.co/ and also VSTS has its own built-in backup service to backup specific repositories.

2: Ensure encrypted and secure use of API’s
When working with the different PaaS services, always ensure that you are using secure API access to the different services. most PaaS  services are encrypted by default using TLS/SSL but many of the PaaS services sometimes used an API key or authentication key to access to the service so make sure that this key is not directly available, or using some form of product which can be used to manage secrets such as Vault from Hashicorp –> https://www.vaultproject.io/ or Azure Key Vault or Amazon Key Management Service for instance.

3: Verify application security
Now when it comes to hosting PaaS services such as web applications, more of the responsibility of the service is left up too us. The vendor has the physical security and the guest OS security, but it is our job to ensure that the are not application exploits in our web application which would allow hackers to access for instance the SQL backend database. We could for instance be hosting an eCommerece website and in that case our entire customer base could be stored on a database backend, in that case if someone where to gain access to that database, the damage could be unrepairable.

Now many of the cloud providers provide security tools which can assist in uncovering security exploits such as Microsoft Security Center and most of the vendors also provide Application Level firewalls which can help a great deal on blocking/detecting OWASP top 10 attacks. Make sure to check what the vendors providers in terms of these services.

4: Role based access within the platform services
Having a clear role based access control within the platform is crucial, both to ensure that job responbilities are kept in place but also to ensure that no one has access to something they should not have. Most platform vendors such as Microsoft, Google and AWS have done a great deal tn esure that we can define granular roles based access to different services. For instance we can define a particular user to only have read rights to certain services but again have full rights to a particular service such as database services.

In regards to that, identity lifecycle is important aspect of it to ensure that when a employee leaves the company his/her rights are automatically revoked. This makes sure that they cannot go to a rivaling company and login and fetch information.

5: identity policies and monitoring
If someone gets access to your account which could be a global admin users which has access to all your services in Amazon, Azure or GCP that person could destroy an entire business. Always ensure that you use MFA or some form of two-factor authentication on your cloud users, set a strict password policy. And also monitor your user activity. Many of the providers have tools so monitor user login / actions and so on. You can also often resitrct login access to a certain IP address range to ensure that only known IP addresses are allowed to login.

Screenshot which shows user activity on a single VM in Azure where events are gathered and logged for analytics purposes.

So this sums up some of the different security aspects one should consider when start to use PaaS services at a cloud provider.

Leave a Reply

Your email address will not be published. Required fields are marked *