Are you using PaaS for your applications but not sure how to secure them?

A Platform-as-a-Service (PaaS) is a cloud computing model that provides a platform where customers can develop, secure, run, and manage web applications. It provides an optimized environment where teams can develop and deploy applications without buying and managing the underlying IT infrastructure and associated services.

Generally, the platform provides the necessary resources and infrastructure to support the full life cycle of software development and deployment while allowing developers and users access from anywhere over the internet. Benefits of the PaaS include, but not limited to, simplicity, convenience, lower costs, flexibility, and scalability.

Usually, securing a PaaS differs from the traditional on-premise data center as we are going to see.

A PaaS environment relies on a shared security model. The provider secures the infrastructure while the PaaS customers have the responsibility to protect their accounts, apps, and data hosted on the platform. Ideally, the security shifts from the on-premise to the identity perimeter security model.

This means that the PaaS customer has to focus more on the identity as the primary security perimeter. Issues to focus on include protection, testing, code, data, and configurations, employees, users, authentication, operations, monitoring, and logs.

That’s a lot to do. Isn’t it?

Don’t worry; let me guide you step-by-step.

Protect applications from common and unexpected attacks

One of the best approaches is to deploy a real-time automatic protection solution with the ability to quickly and automatically detect and block any attack. The PaaS subscribers can use the security tools provided on the platform or look for third party options that address their requirements.

An ideal tool should provide real-time protection while automatically detecting and blocking unauthorized access, attacks, or breaches.

Source: comodo.com

It should have the ability to check for unusual activities, malicious users, suspicious logins, bad bots, account takeovers, and any other anomaly that may lead to a compromise. In addition to using tools, there is a need to build security into the application so that it has its protection.

Protect user accounts and app resources

Each point of interaction is usually a potential attack surface. The best way to prevent attacks is to reduce or limit the exposure of the application vulnerabilities and resources that untrusted users can access. It is also important to regularly and automatically patch and update the security systems to reduce the weaknesses.

Although the service provider secures the platform, the customer has a more significant responsibility to protect the account and applications. This means using a set of security strategies such as a combination of inbuilt platform security features, add-ons, and third-party tools, enhances the protection of the accounts, apps, and data. Also, it ensures that only authorized users or employees can access the system.

Another measure is to keep the number of employees with admin rights to the minimum while establishing an audit mechanism to identify risky activities by the internal teams and authorized external users.

Admins should also enforce the least user privileges. With this approach, users should only have the least privileges that enable them to run applications or perform other roles properly. This reduces the attack surface, misuse of the access rights, and the exposure of privileged resources.

Scan application for security vulnerabilities

Perform a risk assessment to identify if there are any security threats or vulnerabilities in the apps and its libraries. Use the findings to improve the protection of all the components. Ideally, establish a regular scanning and schedule this to run daily automatically or any other interval depending on the sensitivity of the app and potential security threats.

If possible, use a solution that can integrate with other tools such as communication software or has an inbuilt feature to alert relevant people whenever it identifies a security threat or attack.

Test and fix security issues in the dependencies

Usually, apps will depend on both direct and indirect dependencies, which are mostly open source. Any flaws in these components have the potential to introduce security vulnerabilities in the app if not addressed.

A good practice is to analyze all the internal and external components of the apps, perform API penetration tests, check third-party networks, and more. Some of the effective means to fix the vulnerabilities include upgrading or replacing the dependency with a secure version, patching, etc.

Snyk would be worth trying to monitor security flaws in the dependencies.

Perform penetration testing and threat modeling

Penetration testing helps to identify and address security holes or vulnerabilities before the attackers can find and exploit them. Because penetration tests are usually aggressive, they may appear as DDoS attacks, and it is essential to coordinate with other security teams to avoid creating false alarms.

Threat modeling involves simulating possible attacks that would come from trusted boundaries. This helps to verify if there are design flaws that attackers can exploit. The modeling equips the IT teams with threat intelligence, which they can use to enhance security and develop countermeasures to address any identified weakness or threat.

Monitor activities & file access

Monitoring the privileged accounts allows the security teams to gain visibility and understand how the users are using the platform. It enables the security teams to determine if the activities by privileged users have potential security risks or compliance issues.

Monitor and log what the users are doing with their rights as well as activities on the files. This looks for issues such as suspicious access, modifications, unusual downloads or uploads, etc. A file activity monitoring should also provide a list of all the users that have accessed a file in case there is a need to investigate a breach.

A right solution should have the ability to identify internal threats and high-risk users by looking for issues such as concurrent logins, suspicious activities, and many failed login attempts. Other indicators include logging in at strange hours, suspicious file and data downloads or uploads, etc. When possible, automatic mitigation measures will block any suspicious activity and alert the security teams to investigate the breach as well as address any security vulnerabilities.

Secure data at rest and in-transit

The best practice is to encrypt the data during storage and when in transit. Securing the communication channels prevents possible man-in-the-middle attacks as the data travels over the Internet.

If not already, implement HTTPS by enabling the TLS certificate to encrypt and secure the communication channel and, consequently, the data in transit.

Always validate data

This ensures that the input data is in the correct format, valid and secure.

All data, whether from internal users or external trusted and untrusted sources security teams, need to treat data as high-risk components. Ideally, perform validation at client-side and security checks before data upload will ensure that only clean data pass through while blocking compromised or virus-infected files.

Code security

Analyze the code for vulnerabilities during development life-cycle. This starts from the initial stages, and developers should only deploy the application to the production after confirming that the code is secure.

Enforce multi-factor authentication

Enabling a multi-factor authentication adds an extra protection layer that improves the security and ensures that only authorized users have access to the apps, data, and systems. This can be a combination of password, OTP, SMS, mobile apps, etc.

Enforce a strong password policy

Most people use weak passwords that are easy to remember and may never change them unless forced. This is a security risk that admins can minimize by enforcing strong password policies.

This should demand strong passwords that expire after a set period. Another related security measure is to stop storing and sending plain text credentials. Ideally, encrypt the authentication tokens, credentials, and passwords.

Use standard authentication and authorization

The best practice is to use the standard, reliable, and tested authentication and authorization mechanisms and protocols such as OAuth2 and Kerberos. Although you can develop custom authentication codes, these are prone to errors and vulnerabilities, hence likely to expose systems to attackers.

Key management processes

Use strong cryptographic keys and avoid short or weak keys that attackers can predict. Also, use secure key distribution mechanisms, rotate the keys regularly, always renew them on time, revoke them when necessary, and avoid hard coding them into the applications.

Using an automatic and regular key rotation improves security and compliance while limiting the amount of encrypted data at risk.

Manage access to apps and data

Develop and enforce a manageable and auditable security policy with strict access rules. The best approach is to grant the authorized employees and users just the necessary access rights and no more.

This means assigning the right levels of access to only the apps and data they require to perform their duties. Also, there should be regular monitoring of how people use the assigned rights and revoking those they are either misusing or do not require.

On-going operation

There are several things to do.

  • Performing continuous testing, regular maintenance, patching, and updating the apps to identify and fix emerging security vulnerabilities and compliance issues.
  • Establishing an audit mechanism for assets, users, and privileges. The security teams should then review these regularly to identify and address any issues in addition to revoking access rights that users are misusing or do not require.
  • Develop and deploy an incident response plan that shows how to address threats and vulnerabilities. Ideally, the plan should include technologies, processes, and people.

Collect and analyze logs automatically

The applications, APIs, and systems logs provide a lot of information. Deploying an automatic tool to collect and analyze the logs provides useful insights into what is happening. Most often, the logging services, available as either inbuilt features or third-party add-ons, are great in verifying compliance with security policies and other regulations as well as for audits.

Use a log analyzer that integrates with the alerting system, supports your application tech stacks, and provides a dashboard, etc.

Keep and review an audit trail

It is best practice to store an audit trail of user and developer activities such as successful and failed login attempts, password changes, and other account-related events. An automatic feature can use counters to protect against suspicious and insecure activities.

The audit trail can be beneficial to investigate when there is a breach or suspect an attack.

Conclusion

A PaaS model removes the complexity and cost of purchasing, managing and maintaining hardware and software, but puts the responsibility of securing the accounts, apps, and data to the customer or subscriber. This requires an identity-centric security approach that differs from the strategies that companies use in traditional on-premise data centers.

Effective measures include building security into the apps, providing adequate internal and external protection as well as monitoring and auditing the activities. Evaluating the logs helps to identify security vulnerabilities as well as improvement opportunities. Ideally, the security teams must aim at addressing any threat or vulnerability early before the attackers see and exploit them.