AWS, Microsoft Azure and other public cloud platforms offer a massive choice of services—along with massive complexity. But surely somebody must have created some simplified, one-size-fits-most templates or frameworks that SMBs can use to securely deploy and manage their public cloud applications?
To talk about cloud application security best practices, a recent episode of The Virtual CISO Podcast features Jeff Schlauder, Founder at Catalina Worldwide LLC. John Verry, Pivot Point Security CISO and Managing Partner, hosts the show.
Yes, we have no simple frameworks
For SMBs looking to shake out a straightforward, scalable process for secure application deployment, Jeff flatly admits that shortcuts and Easy Buttons don’t exist.
“There are multiple ways to deploy applications securely to the cloud,” Jeff explains. “Specifically in AWS, when you are designing a solution there’s not a lot of out-of-the-box, where you just follow these two or three steps and you’re going to be all set. That’s typically not what we see, and it certainly wasn’t how we got there.”
“‘It depends’ is the answer to 90% of security questions,” jokes John. “If you don’t understand the context, you can’t answer the question.”
Who will manage the infrastructure?
The lack of simple answers to public cloud app security questions stems from the many organization-specific dependencies that come into play. Your business goals, expertise/skills, tool preferences, and budget are but a few salient factors.
Jeff notes that a critical decision point is who will be managing the infrastructure. AWS and other public clouds have terrific tools and capabilities—but they’re not necessarily simple.
“It takes time to build knowledge in each of those areas,” Jeff relates. “At the end of the day, if the team that’s supporting the application and the infrastructure doesn’t have the knowledge necessary to manage it the way it was architected, that’s probably the biggest security risk. We’ve seen it happen where you can design a really great, secure solution. But it’s so complex that a mistake or not understanding how everything interrelates can cause unnecessary risk and ultimately security issues.”
Should you outsource application management along with development?
As John points out, many orgs outsource application development with the expectation that they will then manage the operational infrastructure. But if the entity doing the development isn’t thinking about the client’s ability to manage the production application environment, they could be setting the client up to fail on security.
Even fundamental issues like key management and rotation need to be carefully considered in light of available skills. Likewise, there are specific services that are helpful to leverage from the outset, provided they’re configured so the team can use them correctly.
What about containerization?
Another major contingency with cloud-based applications is whether to containerize them. According to Jeff, “95% of the time, the answer is yes.”
Then the next question becomes: do you need a portable container configuration (e.g., Kubernetes), or can you use a built-in container service like the one AWS provides?
In other words, you should be thinking about the full application lifecycle from the outset.
“When we build an application, we’re looking at it from the actual lines of code to the pipelines that need to be built, the deployment process—just soup to nuts the entire process, and then trying to understand what pieces we’re responsible for and what the customer wants to take responsibility for.”
If your dev team has moved to an agile or DevOps methodology, where does security testing fit in? Here’s a blog post on the topic: Application Security Best Practices in a Continuous Integration Model