When using cloud, it’s essential to be aware of the risks and vulnerabilities your website faces. In today’s world, it’s likely that your website is the first contact with customers. One security breach could easily lead to a disaster that affects your revenue and reputation. The latest Cloud Threat Report from Unit 42 shows that organisations continue to struggle with securing public cloud platforms, 13 years after the launch of cloud computing services. Organisations need to understand that cloud security is a shared responsibility. Cloud vendors such as AWS and Azure are responsible for the security of the cloud, while organisations are responsible for security in the cloud. Simply put, cloud vendors manage the security of the global infrastructure, and the services and software that runs in it while organisations manage the security of the customer data, applications, access management, operating systems and firewall configuration to name a few.
The ways in which applications are hosted in the cloud is continually evolving. In the early days of cloud computing, computer power was offered in the form of virtual machines. Fast forward to today, there are a plethora of serverless options aside from virtual machines, such as Web Apps, Functions, SQL DB, Cosmos DB, Event Grid and others. This article focuses on security in the cloud for Azure serverless. While it covers Azure specifically, these steps can be applied to many of the cloud platforms.
Security models depend on the risks for a particular application. Having said that, the following steps could improve the security posture of an application hosted in Azure serverless.
1. The Basics
- Secure coding practice. Application security starts at the code level. By following secure coding practices, the application is protected against known vulnerabilities as well as probably the yet to be discovered vulnerabilities. This can be achieved by regularly conducting penetration tests to reveal such exploits.
- Dependencies. Ensure that the libraries the application depends on follow secure coding practice as well. Check for online documentation and security reports for each dependency.
- Function keys. Use functions keys to protect functions/APIs from unauthorized calls.
- Monitoring and logging. Leverage Azure Monitor to collect and log security data which can be queried.
- In transit. Enforce HTTPs to encrypt data in transit thereby protecting the integrity and privacy of data while travelling the ether.
- At rest. Encrypt storage facilities including databases to protect the integrity and privacy of data from unauthorized access.
2. Principle of least privilege
A user or service must be able to access only the information and resources that are necessary for its legitimate purpose. The most common approach to manage this is through Role-based access control, also known as RBAC. In Azure, the service that facilitates RBAC is Access Control (IAM).
3. Key Vault and Managed Identities
Combining the key vault and managed identities services enable developers to write credential free codes. It ensures credentials never appear on workstations and are not checking into source control.
4. API Management
Taking the security of APIs a notch further, API management provides a layer of abstraction in securing access to APIs. By using security policies, API management allows services to consume APIs without the client having to passkeys. This further improves the security posture of the implementation as keys are not part of code that is most often than not committed into source control.
5. Firewall / Web Application Firewall
For complex systems, there are various services and moving parts that form the solution. Majority of these services are dependencies of the main service that is exposed to the public. The dependency services are meant for internal consumption hence should be locked down. A way to implement a lockdown is to apply firewall rules to restrict incoming traffic only to authorized IP address ranges and ports. A popular approach in Azure is to implement Application Gateway with WAF features enabled.
6. Security Centre
The Azure Security Centre monitors the security posture of services across subscriptions. It helps detect threats that might get overlooked.
Interested in securing your website?
Everyone should be taking cloud security seriously – you’re putting your brand at risk if you don’t. At Just After Midnight, we take security very seriously. We deploy highly secured environments for our clients, protecting their revenue and reputation. If you would like to find out how we can help improve your organisation’s security feel free to get in touch with us!