
Changing Landscape of Information Security

The traditional product security model is challenged by the advent of SaaS offerings in the cloud


With the advent of digital transformation and the increased proliferation of SaaS offerings from enterprises, the security landscape has shifted from traditional product-level security to end-to-end operational security. This is a paradigm shift for many organisations, and just as with DevOps, SecOps skills are in big demand, creating a new role often referred to as DevSecOps. Traditionally, product security looked at vulnerabilities within the software product itself; offering software as a service creates a more complex and challenging environment with end-to-end security requirements, hence the ever-growing importance of operational security.


According to the World Economic Forum Global Risks Landscape 2019, data fraud or theft is among the top 10 risks in terms of likelihood, while cyber-attacks are among the top 10 risks in terms of both likelihood and impact.


Protection of digital assets is therefore a critical aspect of any service offering. The aim is to create a collection of easy-to-use security tools, compliance processes and documentation that establishes digital trust in your application and service offering.


Threat Modelling


An overall threat model of your application and its deployment environment, produced during the architecture and design phase, helps you understand and identify threats and the mitigations needed to protect your assets. Do this activity early in the development phase (once the architecture is relatively mature) to understand the complexity of the security needs. The person responsible for security collaborates with the engineering team to develop the threat model and maintains it as a living document, since future architectural changes will affect the model.


Protecting Personal Data


Protection of personal data is paramount within the overall security landscape. It involves methods, rules and processes for the classification, storage, management and retention of personal data. As part of threat modelling, a privacy impact analysis needs to be carried out to identify threats and the related risks.


If you don’t need it, don’t store it

Some of the most frequently used compliance standards and regulations, among others, are –


  • GDPR: The EU General Data Protection Regulation is regarded as the most important change (2018) in the history of data privacy regulation

  • ISO/IEC 27001:2013: It is important to look at the requirements set out in ISO/IEC 27001:2013, which are generic and intended to be applicable to all organisations, regardless of type, size or nature

  • PCI-DSS: If your application or service stores, processes and transmits payment card information, then you will have to comply with the Payment Card Industry Data Security Standard

  • HIPAA: The Health Insurance Portability and Accountability Act of 1996 is United States legislation that provides data privacy and security provisions for safeguarding medical information


Development and Pipeline


Most modern software development is DevOps driven and happens in an Agile environment where new features (mostly micro-services deployed in containers) are dropped to production as soon as they are ready and verified (the more frequently the better, to stay ahead). This is facilitated by a well-defined continuous integration (CI) and continuous delivery (CD) pipeline that connects the development environment to the deployment environment. Too often, the increase in production deployment frequency comes at the expense of security requirements, which are overlooked in the pipeline process and leave new features vulnerable.


It is imperative to build a continuous and automated security validation process into the CI/CD pipeline, so that manual security intervention and approval are not required for every feature delivery to production, of which there may be several per day. The key types of security checks that can be performed are static code analysis, penetration tests, SSL/TLS scans, etc.
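As an added example (not code from the original post), this is the kind of automated gate a pipeline stage can run over the static analysis step's report: it fails the build when findings reach an agreed severity, unless the rule has been formally risk-accepted. It assumes the scanner writes a SARIF 2.1.0 file; the tool name and report contents below are constructed.

```python
"""Automated security gate for a CI/CD stage: read the static analysis report
and fail the build when findings exceed the agreed severity threshold."""
import json
import sys

# Constructed sample SARIF report for this example, not output from a real scan.
SAMPLE_SARIF = json.dumps({"version": "2.1.0", "runs": [{
    "tool": {"driver": {"name": "example-sast"}},  # hypothetical scanner
    "results": [
        {"ruleId": "hardcoded-secret", "level": "error",
         "message": {"text": "API key assigned to a constant"},
         "locations": [{"physicalLocation": {
             "artifactLocation": {"uri": "app/config.py"},
             "region": {"startLine": 12}}}]},
        {"ruleId": "weak-hash", "level": "warning",
         "message": {"text": "MD5 used for password hashing"},
         "locations": [{"physicalLocation": {
             "artifactLocation": {"uri": "app/auth.py"},
             "region": {"startLine": 40}}}]},
        {"ruleId": "debug-enabled",  # no "level": SARIF defaults it to warning
         "message": {"text": "DEBUG=True in settings"},
         "locations": [{"physicalLocation": {
             "artifactLocation": {"uri": "app/settings.py"},
             "region": {"startLine": 3}}}]},
    ]}]})

SEVERITY = {"note": 1, "warning": 2, "error": 3}

def findings(sarif_text):
    """Flatten SARIF runs into (ruleId, level, file, line) tuples."""
    out = []
    for run in json.loads(sarif_text).get("runs", []):
        for r in run.get("results", []):
            loc = (r.get("locations") or [{}])[0].get("physicalLocation", {})
            out.append((r.get("ruleId", "?"), r.get("level", "warning"),
                        loc.get("artifactLocation", {}).get("uri", "?"),
                        loc.get("region", {}).get("startLine", 0)))
    return out

def gate(sarif_text, fail_on="warning", accepted_rules=()):
    """Return (passed, blocking): blocking lists findings at or above the
    fail_on level whose rule has not been formally risk-accepted."""
    threshold = SEVERITY[fail_on]
    blocking = [f for f in findings(sarif_text)
                if SEVERITY.get(f[1], 2) >= threshold and f[0] not in accepted_rules]
    return not blocking, blocking

if __name__ == "__main__":
    sys.exit(0 if gate(SAMPLE_SARIF)[0] else 1)  # non-zero exit stops the stage
```

The accepted-rules list is where a documented, time-boxed risk acceptance lives, so exceptions are visible in version control rather than granted by hand per deployment.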


Deployment


Security within the deployment environment protects your digital assets from external attacks. Protection must be configured at several levels, from the network perimeter to the internal data store. Some of the key security aspects to consider here are –


  • Traditional Firewall settings

  • Web Application Firewall (WAF) settings

  • Application logging – audit and alerting capabilities

  • Network Security Groups – subnet isolation and protection

  • VM level protection – system updates, vulnerabilities, patches, hardening, encryption

  • Data Security (Database) – data access, data encryption methods, retention rules

  • Third party libraries – security compliance and regular updates

  • Digital Certificates – secure communication


User & API Access Management


To prevent unauthorised changes to your system, user access management (also known as Identity and Access Management, IAM) is as important as protecting your assets. Role-based access control (RBAC) becomes vitally important for giving users access to digital assets and the capability to view and/or modify them.


With organisations increasingly favouring a mobile workforce, logging into the corporate network is no longer restricted to on-site laptops and computers. People increasingly use mobiles, tablets and other devices to reach protected digital assets over the public internet. This poses a serious threat to data security, and hence sophisticated access control mechanisms need to be in place. These include Single Sign-On (SSO), Multi-Factor Authentication (MFA), end-to-end encryption using IPSec tunnels, etc.


Equally important is protecting the system's API access. Public APIs meant for enterprise integration (such as REST) need to be secured in transit (e.g. over HTTPS) and protected with appropriate technologies (such as tokens, keys and roles).


Access should be based on the “deny all” principle

Keys and Password Management


Passwords and keys are a prime target of cyber-attacks, and hence storing such secrets securely (covering creation, transit, encryption, expiry, etc.) is as important as the access control strategy. Automated jobs (such as version control and the CI/CD pipeline) often need access to these credentials to execute. A comprehensive secret management solution needs to be in place to centrally control and protect these credentials.


We have thus seen some of the key areas of operational security where organisations need to focus to protect their digital assets. A comprehensive business continuity programme also needs to be defined for when a breach is detected. Information security is a culture that needs to be developed across the organisation, and we need to move away from the mind-set that it can be retrofitted later for the sake of compliance. Security is one of the key non-functional requirements of a software architecture and should be treated with respect.


© 2020 by Sidero Technology Solutions