All applications go through a lifecycle, which means that organisations must undertake Application Modernisation at some point. This can be for a range of reasons, such as the application going out of support, no longer meeting the organisation’s needs, not being scalable, or being insecure. Application Modernisation comes in many forms, and organisations may choose to either upgrade their existing applications, create or host a new application on a private or public Cloud, or opt for a Software-as-a-Service approach. Regardless of the route taken, security should be one of the highest priorities.

This article explores some of the most important security areas that should be considered when modernising an application in the Cloud.

Cost of Security

Before implementing any security controls, a risk assessment on the application should be carried out. This will determine the risk to the organisation and any costs that may occur in the event of a security incident. The total cost of implementing security controls on the application must be less than the potential cost of loss incurred by a security incident.

Application Platform

As more applications are being migrated to the Cloud, some of the responsibility of security will lie with Cloud providers for managing the underlying platform. This is referred to as the shared responsibility model. The allocation of responsibility largely depends on the Cloud services that are used.

The Cloud Security Alliance’s Cloud Controls Matrix (CCM), a security framework based on industry standards, can assist organisations in selecting their Cloud provider by assessing security risks.

The use of technology such as host-based intrusion detection, high availability, content delivery networks, and load balancing can help the application to scale when a security incident is occurring. Using these tools is easier when using a microservices design pattern for the application.

Development

An organisation can adopt a development, security, and operations (DevSecOps) culture. DevSecOps takes security into consideration during every step of the application development process. Access-controlled automation of the development process, along with the automation of testing, can help secure the application. Automation also provides the advantage of being able to react quickly when an exploit has been discovered.

The Open Web Application Security Project (OWASP) is an international community that provides numerous frameworks and tools that can help secure web applications. They maintain a top 10 list of the most critical risks that an organisation can face with their applications. The list should be reviewed against any application that is being developed and deployed.

The current OWASP Top 10 (2017) critical risks are:

1. Injection
2. Broken Authentication
3. Sensitive Data Exposure
4. XML External Entities (XXE)
5. Broken Access Control
6. Security Misconfiguration
7. Cross-Site Scripting (XSS)
8. Insecure Deserialization
9. Using Components with Known Vulnerabilities
10. Insufficient Logging & Monitoring

Making use of a secrets manager to manage application keys will improve security. These tools provide a centralised location for application service credentials and eliminate the need for hardcoding of credentials within an application. Benefits include key encryption, credential rotation and implementation of lifecycle rules.

Testing

Static testing is the review of an application’s code and its associated documentation. It does not check the application while in its running state. This can be done manually or it can be automated.

Dynamic testing checks the functional behaviour of the application while it is being executed.

Penetration tests are simulated attacks against a system or application and can help discover any vulnerabilities that an application may have. Making use of static, dynamic and penetration testing will help to identify security issues prior to deployment. Integrating the testing into the DevSecOps pipeline can automate the testing and reporting.

Authentication, Authorisation, and Accounting

Authentication refers to validating user credentials such as username and password. Implementation of a password policy (e.g. complexity and reuse) should be mandatory.

Multi-factor authentication (MFA) is a method that requires the user to provide a second piece of information when authenticating to an application. This is typically implemented by the use of a code on a user’s mobile device. MFA can significantly increase security by introducing an additional layer of defence.

Implementing single sign-on (SSO) allows users to only have to sign in once to gain access to many applications and resources. It also provides organisations with centralised management of user accounts.

Authorisation occurs after authentication and determines access to resources inside the application. The Principle of Least Privilege should be implemented. This principle states that access should be limited to the minimum set of resources for a task to be carried out. Regular privilege reviews should be conducted to ensure that all users have the correct access.

Accounting is the auditing of user access and actions. This will provide information when malicious activity occurs and can alert for unauthorised authentication and actions.
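A sketch of how the privilege review and the accounting alerts described above can be driven from the same audit trail. This is an added example, not code from the original article; the grant table, log format, thresholds and function name are all assumptions, and the sample data is constructed.

```python
from datetime import datetime, timedelta

# Constructed sample data: current grants and an audit trail of access events.
GRANTS = {
    "alice": {"orders:read", "orders:write", "users:admin"},
    "bob": {"orders:read"},
}
AUDIT_LOG = [
    ("2024-05-01T09:00:00", "alice", "orders:read", "allow"),
    ("2024-05-02T10:30:00", "alice", "orders:write", "allow"),
    ("2024-01-10T08:00:00", "alice", "users:admin", "allow"),  # before window
    ("2024-05-03T11:00:00", "bob", "orders:read", "allow"),
    ("2024-05-03T11:05:00", "bob", "orders:write", "deny"),
    ("2024-05-03T11:06:00", "bob", "orders:write", "deny"),
    ("2024-05-03T11:07:00", "mallory", "users:admin", "deny"),
]


def review_privileges(grants, audit_log, now, window_days=90, deny_threshold=2):
    """Return (unused_grants, alerts) for the review window.

    unused_grants: permissions a user holds but did not exercise in the
    window, i.e. candidates for removal under least privilege.
    alerts: (user, permission) pairs denied repeatedly, or denied for an
    account that holds no grants at all.
    """
    cutoff = now - timedelta(days=window_days)
    used, denied = {}, {}
    for timestamp, user, permission, outcome in audit_log:
        if datetime.fromisoformat(timestamp) < cutoff:
            continue
        if outcome == "allow":
            used.setdefault(user, set()).add(permission)
        else:
            key = (user, permission)
            denied[key] = denied.get(key, 0) + 1
    unused = {}
    for user, permissions in grants.items():
        stale = sorted(permissions - used.get(user, set()))
        if stale:
            unused[user] = stale
    alerts = sorted(key for key, count in denied.items()
                    if count >= deny_threshold or key[0] not in grants)
    return unused, alerts


if __name__ == "__main__":
    print(review_privileges(GRANTS, AUDIT_LOG, datetime(2024, 5, 10)))
```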

Organisations may prefer using an Identity as a Service (IDaaS) offering which manages identities on behalf of the organisation and comes with a range of security benefits such as managed MFA and reduced maintenance.

Data Protection

Data protection is one of the most important aspects of securing applications. There will be a requirement to secure data at rest and in transit. If the application is storing any sensitive data, it should be encrypted. The keys that are used to encrypt data should be rotated regularly. If data is either being received or sent by the application, secure protocols such as SSL should be used, along with a VPN.

The location of the data used by the application will be important. There may be a legal or regulatory requirement to ensure the data resides in a specific location. This would also apply to the location of any data backups.

Data should not be kept longer than is required or mandated by law. A backup archiving and deletion mechanism should be in place to purge any data that is no longer required.

Response

Organisations should expect a security incident to occur. A security policy, business continuity plan and disaster recovery plan should be created, reviewed and maintained. Simulations of security incidents should be carried out regularly to practise the actions required in the event of an incident.

Application metrics should be monitored to understand normal behaviour. Deviations from the baseline can indicate that a security incident is occurring. Implementing alerts based on unexpected behaviour of the application allows the operations team to respond and investigate.
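One way to turn a metric baseline into alerts, as an added example that is not part of the original article. The metric (failed logins per minute), window size and threshold are assumptions, and the sample series is constructed.

```python
from collections import deque
from statistics import mean, pstdev

# Constructed sample: failed logins per minute, with a burst at minutes 12-13.
FAILED_LOGINS = [4, 5, 6, 5, 4, 6, 5, 5, 4, 6, 5, 6, 48, 52, 5, 4]


def detect_anomalies(samples, window=10, threshold=3.0, min_std=1.0):
    """Flag samples that deviate from a trailing baseline.

    The baseline is the mean and standard deviation of the last `window`
    normal samples. `min_std` stops a perfectly flat baseline from turning
    tiny changes into alerts (and avoids division by zero). Flagged samples
    are not added to the baseline, so a sustained attack cannot gradually
    redefine what counts as normal.
    """
    baseline = deque(maxlen=window)
    alerts = []
    for index, value in enumerate(samples):
        if len(baseline) == window:
            mu = mean(baseline)
            sigma = max(pstdev(baseline), min_std)
            z_score = (value - mu) / sigma
            if abs(z_score) > threshold:
                alerts.append((index, value, round(z_score, 1)))
                continue
        baseline.append(value)
    return alerts


if __name__ == "__main__":
    for minute, value, z in detect_anomalies(FAILED_LOGINS):
        print(f"minute {minute}: {value} failed logins (z={z})")
```

No alert is raised until the first `window` samples have been collected, so the baseline should be seeded from a period known to be normal.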

Summary

All applications will need to be modernised at some point in their life. When undertaking the modernisation, security should be made a priority. Making use of services and tools made available in the cloud can greatly improve application security. Having a DevSecOps approach will ensure security is implemented at every step of the journey. Application attacks are becoming more advanced, and implementing a single security mechanism is insufficient. Organisations should be prepared for an application breach by having business continuity and disaster recovery plans in place and by simulating security incidents. It should always be a question of “when” and not “if” a security breach will occur, and therefore being primed is of vital importance.

About the Author

Sat Gainda is a Cloud Solutions Architect at Version 1, working on enterprise-level engagements that utilise innovative Cloud systems.