Three key best practices in cloud application security protection

Source: Internet
Author: User
Keywords Security
Tags access application applications backup backup system based cloud cloud application

  

Cloud based applications are now widely used and are growing at an alarming rate. Because cloud-based applications can be accessed over the Internet and accessible to anyone anywhere, the security of the application becomes particularly important. This is why businesses that create and manage cloud-based applications must ensure that every layer of the application infrastructure that customers trust is secure.

Imagine what the consequences would be if Google's Gmail were hacked and hackers could read the contents of a user's email. Not only will Google's reputation be compromised, but Google's customers will soon start looking for alternatives to other e-mails. Inevitably, customers and funds will be greatly lost. If it turns out that the Gmail security vulnerabilities that hackers exploit can easily be blocked if a security breach is checked, how will the public react? Although this is a dramatic example, this happens every day. It is important that enterprises take appropriate measures to prevent security vulnerabilities as soon as possible, and not wait until it is too late.

In this article, I'll discuss three different strategies that organizations can use to maximize the security of cloud-based applications and prevent scary security vulnerabilities.

Discover and fix security vulnerabilities

The first way to ensure the security of cloud-based applications is to find as much as possible and deal with all possible vulnerabilities. Many techniques can be used to discover security vulnerabilities in applications, such as manual or automated source code review, stain analysis, network scanning, blur testing, fault injection, or symbolic execution. However, not all of these technologies apply to finding software vulnerabilities in Web applications. For cloud-based applications, such as the operating system or hypervisor, consider the application itself and the vulnerabilities in the lower layers. Therefore, it is advisable to use penetration testing services to check applications and to make a security report for all vulnerabilities identified.

Keep in mind that a 0 attack vulnerability may still exist even after a security review. However, the review process can eliminate the most critical vulnerabilities.

Avoid security vulnerabilities being exploited successfully

To maximize the security of your cloud application, the second strategy is to prevent existing vulnerabilities from being exploited, rather than dealing with newly discovered application vulnerabilities. There are a variety of technologies and tools that can prevent vulnerabilities from being exploited successfully, including:

• Firewalls-firewalls can be used to block ports that access certain DMZ boundaries and successfully prevent attackers from accessing vulnerable applications through the network or the DMZ.

• Intrusion Detection (IDS)/intrusion Prevention (IPS) systems-by using IPs, organizations can find known attack patterns and block attacks before they have an opportunity to reach the target application.

Web application Firewall (WAF)-waf can be used to find malicious patterns in the application layer. Vulnerabilities can be detected, such as SQL injection, cross-site scripting, and path traversal. There are two types of WAF software solutions to choose from: blacklist or whitelist. Blacklist WAF can only intercept known malicious requests, while the whitelist WAF the default to intercept all suspicious requests. When using a blacklist, it is easy to re-establish the request, so the request will never bypass the whitelist even if it is not present in the blacklist. Although it is safer to use a whitelist, more time is required to complete the setup because all valid requests must be manually compiled into the whitelist. If the organization is willing to spend time building WAF, the security of the enterprise may improve. Businesses running Nginx Web servers should consider open source Naxsi Web application firewalls, using whitelist to protect applications.

• Content distribution Network (CDN)--CDN uses domain Name System (DNS) to distribute content to multiple data centers across the Internet, making Web pages load faster. When a user sends a DNS request, the CDN returns an IP that is closest to the user's location. This not only makes the Web page load faster, but it also protects the system from denial of service attacks. Typically, CDN can also open other protection mechanisms such as WAF, email protection, monitoring uptime and performance, Google Analytics (Analytics).

• Authentication-two-factor authentication mechanisms should be used whenever possible. Using a username/password combination to log in to a cloud application is a huge loophole for attackers because information such as user name/password can be collected through social engineering attacks. In addition, attackers can crack passwords by guessing or brute force. Single sign-on can not only improve efficiency, but also ensure that all users have access to the cloud applications, while ensuring security.

Damage caused by the successful use of the control vulnerability

To improve the security of cloud applications, the last one includes the following: The attacker discovers a security vulnerability, bypassing the protection mechanism, and then using the vulnerability access system to control the resulting loss. There are several CSP scenarios, including:

• Virtualization. Applications are compromised, and their accompanying infrastructure may be compromised, although security can be increased by controlling this loss, but running applications in virtualized environments means that each application runs an operating system-a waste of resources. That's why containers are becoming more and more popular. A container is a software component in which applications are separated from the rest of the system, eliminating the need for a fully fledged virtualization layer. The more popular containers include Linux containers (LXC) or Docker.

• Sand box. Even if the hacker has access to the backend system, any attacks applied will be limited to the sandbox environment. As a result, an attacker can access the operating system only by bypassing the sandbox. There are several different available sandbox environments, including LXC and Docker.

Encryption。 Some important information, such as social Security number or credit card number, must be stored in the database for proper encryption. If the application is supported, the enterprise should send the data to the encrypted cloud.

• Log monitoring/security information and event monitoring (SIEM). When an attack occurs, it is best to have a log system/SIEM to quickly identify the source of the attack, identify the attacker behind it, and how to mitigate the problem.

Backup。 If any problems arise, it is best to have an appropriate backup system. Because creating a working backup system is difficult-and may take a long time, many companies opt to outsource the backup process.

Conclusion

Saving data in the cloud poses some new security challenges-fortunately, there are many ways to solve these problems. It is also important to identify and fix application vulnerabilities, as opposed to the successful exploitation of vulnerabilities, and it is critical to have appropriate defense mechanisms to prevent malicious attacks.

This paper presents a number of ways to protect cloud-based applications, but setting takes time and effort. Because of these constraints, enterprises do not get the return they want in time, so enterprises often ignore the importance of security. In practice, security becomes important when the infrastructure is compromised. First, take the appropriate steps to ensure the security of the application and to prevent vulnerabilities--Secondly, the plan of action taken to exploit the vulnerability is critical to the success and security of the cloud application environment, as well as to the overall viability of the Organization.

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.