Developing Secure Applications for the Cloud
By Scott Fitzpatrick
When it comes to utilizing a cloud platform for your application, security is of the utmost importance. Security starts with developers who should tailor their application security practices and strategies to the type of environment their application will be deployed in. Secure development practices can mean the difference between resting easily each night knowing your application protects the consumer data with which you’ve been entrusted, or dealing with the constant threat of a data breach that would keep any good developer on edge.
This article highlights best practices for secure development of applications that will be deployed in a public cloud such as Alibaba Cloud (where you can take advantage of a $300 credit if you’d like to get started with deploying applications to the cloud).
The Art of Protecting Consumer Data
One of the greatest responsibilities a developer has when dealing with sensitive consumer data is protecting that data from unauthorized modifications or outright theft. Security concerns are heightened when the application is both deployed to and run on a cloud platform. The act of securing this data includes both protecting data at rest, where it resides in a database, and as the data is transmitted from one server to another. A valuable and necessary protection strategy is encryption.
Encrypting data for an application that is deployed to a cloud platform provides new challenges for the development team, as the situation differs greatly from data encryption scenarios they may be accustomed to. When an application does not utilize a public cloud environment (i.e., when it runs on-premises or in a private cloud), the data being encrypted is stored on a server to which the DevOps organization typically has full access and control. This is not the scenario that plays out when an application uses a cloud platform. Therefore, it is important for the development team to take some precautions to assure that the sensitive data employed by the application is adequately protected.
One potential solution (that is often considered a best practice) is to ensure that data is protected through the use of client-side encryption when using a cloud platform. Client-side encryption is an extremely effective tactic for ensuring that data is protected as it is transmitted. This encryption practice is a form of asymmetric data encryption, where the data being sent to the remote server is encrypted prior to it being transmitted. The basic tenants of the strategy are as follows:
● Each time data is uploaded, a public key is used to encrypt the data prior to the data being transmitted to the remote server.
● The encrypted data is then stored on the cloud platform with no reference to the plain-text data.
● When downloading an object, the encrypted data is downloaded, and a private key is utilized to decrypt the encrypted object so that the plain-text data can again be viewed in its original form.
As you can see, this secure development practice provides several benefits. First, the cloud platform maintains no reference to the plain-text data. Thus, the development team can rest assured that the platform’s servers (over which they maintain no real control) are not a concern in terms of security from a data loss standpoint as the data rests on the remote server. The other main benefit is the protection of data in transit. At no point is plain-text data being transmitted to the cloud platform, eliminating the concern over data leakage.
Proper Use of APIs
Ensuring that you are properly using the APIs provided by your cloud platform can also serve to assist in developing secure applications. This may sound like an obvious practice, but it deserves a mention. Improper use of an API, in some of the worst cases, can result in unauthorized access to data or unauthorized access to application functionality that can put data integrity at risk. It is therefore imperative that the developers applying the API write code with a mindset that puts security first, while providing the API methods with all the necessary information to determine if the user should have access to perform that functionality — and if so, also ensure that the proper action is being taken as per the API documentation.
Alibaba Cloud’s Security Products
As an example of the types of services available for securing cloud applications, consider the solutions offered by Alibaba Cloud:
● Server Guard: A monitoring service that automatically detects intrusions in applications running on Alibaba Cloud.
● Anti-DDoS: A service for protecting against Distributed-Denial-of-Service (DDoS) attacks, which can make cloud-based applications inaccessible for users.
● Web Application Firewall (WAF): A firewall that cloud admins can use to protect applications and services running in Alibaba Cloud, and automatically disarm attacks based on machine learning.
These services provide the protections that organizations need to mitigate security threats against applications deployed in the cloud.
While developing for a cloud platform can provide certain challenges that are not always present when developing outside the cloud, a few simple practices can go a long way toward securing your application.
In today’s climate, where the importance of data security is at an all-time high, simply utilizing an encryption strategy such as client-side encryption can make all the difference in ensuring that a data breach doesn’t occur on your watch. Combine this with careful development to establish proper usage of the API provided by the cloud platform you are using, and you are well on your way to secure development in the cloud.