Cloud SaaS Security Patterns & How AWS Services Can Address Them

Top-Level Cloud Security Requirements

  • R1: Must provide protection to system’s components. This requirement concerns the protection of system’s components both the software (e.g., piece of code) and hardware (e.g., sensor devices) that are parts of system.

  • R2: Must be able to prevent unauthorized access and intrusion to system and resources. This requirement is about assuring that only genius user or application can access to application or system’s resources.

  • R3: Must be able to monitor network requests. The main goal is to monitor network requests in order to prevent potential attacks to system and its resources.

  • R4: Must have auditing option and be able to recover from a breach. This requirement concerns the auditing of system and resources usage to find out the anomaly.

  • R5: Must ensure data protection at rest and in transit. This requirement concentrates on how to protect data both in transit and at rest, especially when they are in public Cloud platform.

  • R6: Must ensure privacy protection and regulatory compliance. This requirement is about how to ensure privacy protection and regulatory compliance of data processed in the Cloud infrastructure.

  • R7: Must provide secure communication between modules. A system may be made of different modules deployed in the same or different Cloud platforms. Thus, it is important to ensure a secure communication between those modules.

  • R8: Must provide protection to system’s resources. The system’s resources here refer to the Cloud resources required to run Cloud application. How to protect Cloud’s resources from excessive and unnecessary use in order to ensure economic durability and durable availability of application running on the Cloud platform.

 

AWS Services To Rescue

Category

Pattern

Description

Required

Approach

Compliance and Regulatory

Data Citizenship

How can a Cloud-based solution achieve regulatory compliance with respect to data storage locality.

Yes

AWS Tags (Location Tags for the resources)

Cryptographic Erasure

How can a dataset be reliably and securely erased after it was stored in the Cloud. If we replicate the data in multiple regions, then this needs to be addressed

No

AWS KMS (Ensure data is encrypted in rest and KMS manage the key for it)

Shared Responsibility Model

How can a Cloud services consumer effectively manage their Cloud application legal and regulatory compliance

Yes

Usage of AWS managed services

Compliant Data Transfer

How can data be transferred for processing to other parties in potentially different jurisdictions while staying in compliance with legal and regulatory requirements

Yes

AWS Tags (Location Tags for the resources)

When we use third-party functionalities which is often exposed through an APIs, we need to adhere to data transfer guidelines

Data Retention

How long is personal information retained

Yes

Lambda function to automate the data clearing process

Data Lifecycle

How to efficiently and securely manage data lifecycle in the Cloud

Yes

AWS Data Lifecycle Manager

Intentional Data Remanence

How can data in the Cloud be protected from accidental or malicious deletion

Yes

RDS data replication/redundancy

Identification, Authentication and Authorization

Multi-Factor Authentication

How to simply, yet securely authenticate physical users of Cloud-based applications

Yes

AWS Cognito with MAF

Federation (Single Sign-On)

How to authenticate with customer provided user identities

Yes

AWS Cognito with AWS SSO

Access Token

How to control human or machine user access to Cloud APIs

Yes

AWS Security Token Service with Cognito

Mutual Authentication

How to establish identity of parties in a Cloud communication channel. Without proper authentication between communicating parties, man-in-the-middle attacks are possible

Yes

AWS Client VPN, AWS TLS/SSL certificates via Certificate Manager

Secure User Onboarding

How to securely perform initial registration of Cloud application users

Yes

Define a secure onboarding process / AWS Customer on boarding process

Identity and Access Manager

How to securely and effectively manage a user database and provide authentication and authorization functionality in a Cloud application

Yes

AWS IAM & Cognito

Per-request Authentication

How to continuously prove the identity of the user when they perform sensitive operations

Yes

Cloud Watch with events and notifications. Tools monitoring the usage activities of user from the start till the end of usage session. JWT token validation throughout the request life cycle and log user activities. Detect any abnormal activities via log analysis

Access Control Clearance

How to enforce access and usage control policies for different types of authentication

Yes

Implement a central Authorization module and validate the access in FE and BE. (Role base access)

Secure Development, Operation and Administration

Bastion Server

How to access Cloud resources without exposing them directly to the Internet

Yes

Bastion Host outside the Firewall

Automated Threat Detection

How to detect network attacks on Cloud internet endpoints

Yes

AWS Guard Duty

Economic Durability

How to establish and maintain availability of the Cloud services in the face of distributed denial-of-service attacks

Yes

AWS WAF & Cloud Watch

Vulnerability Management

How to detect and respond to found vulnerabilities

Yes

Use external tools

Privacy and Confidentiality

End-to-End Security

How to communicate a message between two parties so that its confidentiality is protected across all components in the Cloud communication channel

Yes

AWS KMS and Certificate Manager (security guarantees are needed for data in transit and at rest)

Computation on Encrypted Data

How to outsource data for computation to a Cloud service without disclosing it in the process

No

Cloud provider maintains the keys, we need to fully trust the cloud provider

Data Anonymization

How to remove personal identifiers from datasets to protect privacy, while keeping the datasets still valuable for processing

Yes

AWS Athena, Cloud Watch and Lambda to automate a scan

Processing Purpose Control

How to ensure data is used or processed in accordance with its original intended purpose

No

Automated tool to trace and audit the usage of it.

Secure Architecture

Virtual Network

How to connect components of a Cloud application architecture without unnecessarily exposing them to the Internet

Yes

AWS VPC

Web Application Firewall

How to protect web API endpoints from unauthorized access and abuse

Yes

AWS Firewall

Secure Element

How to securely provide and strongly protect identity of IoT devices or external services

Yes

Using a unique identity, PKI should be the foundation of any IoT security strategy / external service

Secure Cold Storage

How to protect the availability of large amounts of data securely and cost-effectively

Yes

AWS Glacier for Cold storage with encryption

Certificate and Key Manager

How to securely and effectively create, provision and revoke certificates and keys for securing data at rest and in transit

Yes

AWS KMS and Certificate Manager

Hardware Security Module

How to best protect the cryptographic secrets owned by Cloud tenants while still enabling Cloud processing infrastructure to compute on the tenant data

No

CloudHSM

Secure Auditing

How to record and report security-related behavior in an operating Cloud system

Yes

AWS security audit check list

https://aws.amazon.com/blogs/security/auditing-security-checklist-for-aws-now-available/

 

Read More

Twelve factors to consider when developing cloud native applications (SaaS)

This is a basic introduction to cloud native application development. First we will get a basic idea about the cloud concept and then move in to the 12-Factors.

 

What is cloud computing environment?

It’s a dynamic environment, which have the capability to allocate resources and release of resources from a virtualized, shared pool. This elastic environment enables more flexible scaling options for a high demand applications.

 

What is cloud native application?

Applications or processes which are run in software containers as isolated units. Applications or services (microservices) are loosely coupled with explicitly described dependencies. There are set of best practices which you need to follow when you’re planning moving to cloud with your application. Those are known as the 12-factors. Let’s investigate on those 12-factors.

 

 

Twelve factors

The 12-factor application methodology was drafted by developers at Heroku. The factors represent a set of guidelines or best practices for portable, resilient applications that will thrive in cloud environments (specifically software as a service applications). Let’s move in to each factor and get a high level idea on how we can achieve / implement this in our application.

  1. There should be a one-to-one association between a versioned codebase: Main idea is not to have different codebases for your application versions. You can have branches for different versions as a solution to avoid repository complexity.

 

  1. Services should explicitly declare all dependencies, and should not rely on the presence of system-level tools or libraries: Main recommendation here is that avoid in pre-installed software in the system level which has a dependency with your application. As a solution we should try our level best to put application dependencies in our application manifest. Tools like Apache Maven can be used to maintain these dependencies in your application.

 

  1. Configuration that varies between deployment environments should be stored in the environment: In this scenario the recommendation is to avoid having environment (Development, Staging and Production) specific configuration with in your application code. If you have any environment specific configurations those need to be stored in the environment not in the application. To have the configuration files in a centralized location we can use the spring config server

 

  1. All backing services are treated as attached resources, which are managed (attached and detached) by the execution environment: Firstly backing service is any service that your application integrate with to perform its normal operations. So, examples for backing service would be database, web services, SMTP server or ftp server. Main idea of this practice is to treat those backing services as your own service.

 

  1. The delivery pipeline should have strictly separate stages: Build, release, and run: When we consider the three stages,
    • Build: Takes the source code and bundle to a package which referred as the build
    • Release: Combine the build and the config and create a release for deploy in an environment. Each release will have a unique identifier and related to a release management tool. It will ensure a quick rollback time.
    • Run: Referred as the runtime. Execute the application in the corresponding environment

 

  1. Applications should be deployed as one or more stateless processes: Specifically, transient processes must be stateless and share nothing. Persisted data should be stored in an appropriate backing service.

 

  1. Self-contained services should make themselves available to other services by listening on a specified port: This means each application are self-contained and expose access over a HTTP port that is bound to it. Spring boot framework is a good example for this, which is having a inbuilt server where you can configure the HTTP port easily

 

  1. Concurrency is achieved by scaling individual processes (horizontal scaling): Idea behind this is having multiple processes with distributed load. The application should be able to scale horizontally and handle requests load-balanced to multiple identical running nodes of the application. In addition application should be able to scale out processes or threads for parallel execution of work in an on-demand basis. This feature comes automatically with the JVM with multi-threading.

 

  1. Processes must be disposable: Fast startup and graceful shutdown. If we elaborate more our application should minimize the startup time like using backing services rather than using in-memory caching. Also in shutdown process, when we stop the application it should not accept new work and let existing work to finish. We can use a queue to push the work and then shutdown if required.

 

  1. All environments, from local development to production, should be as similar as possible: Development environment to production environment should be identical. It will ensure unexpected behavior in the application due to environment inconsistencies. Containerized environment like Dockers is a good solution for this.

 

  1. Applications should produce logs as event streams (for example, writing to stdout and stderr), and trust the execution environment to aggregate streams: Application should not attempt to write to or manage logfiles. This stream output should mainly managed by the execution environment. This stream can be shipped to a log indexing systems such as Splunk, ELK stack which facilitate as a centralized logging system.

 

  1. Run admin/management tasks as one-off process: If admin tasks are needed, they should be kept in source control and packaged alongside the application to ensure that it is run with the same environment as the application

References

Read More