Application Security, Access Control, & Network Security

Application Security

If you are developing a web application that will require internet users to create credentials for your application, consider instead using an authentication service known as federated identity management. Federated identity management allows internet users to authenticate to your application using federated identity servers at Google, Facebook, Twitter, and other sites where they may already have an account.

To clarify federated identity management, consider the example of a user named Bob who wishes to log on to your web application. Bob visits your web application and notices that he can log on using his Google ID. When Bob clicks the Google authentication button, his browser is temporarily redirected to Google, where he is prompted to log in with his Google credentials. After Google confirms Bob's identity through a successful password exchange, Google's federated identity service sends your server a special token that uniquely identifies Bob but does not disclose any of Bob's private information. If Bob logs on again, Google will send you the same token value. This means that, instead of requiring Bob to create a unique username and password within your application, your application can rely on the value of the federated identity token to uniquely identify Bob when he logs on again in the future. Federated identity management relieves you of the security risk and liability of hosting a database of usernames and passwords, and it frees Bob from the burden of memorizing yet another username and password.
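The flow above, as an added example that is not part of the original text and does not model any particular provider's API: the provider (simulated in-process) issues a signed token whose subject claim is a stable, opaque identifier for Bob, and the relying party verifies the signature, issuer, audience and expiry before mapping that identifier to a local account that stores no password. The provider key, issuer URL and client identifier are constructed placeholders; a real provider signs with an asymmetric key and publishes the public half, and the shared-secret HMAC here stands in for that so the example runs offline.

```python
import base64
import hashlib
import hmac
import json

# Constructed stand-in for the identity provider's signing key. A real provider
# signs tokens with a private key and publishes the public half; the shared-secret
# HMAC here only lets provider and relying party run in one process offline.
PROVIDER_SECRET = b"constructed-provider-signing-key"
EXPECTED_ISSUER = "https://idp.example.test"   # hypothetical identity provider
OUR_CLIENT_ID = "my-web-app"                   # hypothetical identifier of our application


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def provider_issue_token(subject: str, audience: str, now: int, lifetime: int = 300) -> str:
    """Provider side (simulated): a signed token carrying only a stable, opaque
    subject identifier for the user, not the user's name, e-mail or password."""
    claims = {"iss": EXPECTED_ISSUER, "sub": subject, "aud": audience,
              "iat": now, "exp": now + lifetime}
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    sig = hmac.new(PROVIDER_SECRET, body.encode(), hashlib.sha256).digest()
    return f"{body}.{_b64(sig)}"


def verify_token(token: str, now: int) -> dict:
    """Relying-party side: accept the token only if it is signed by the provider,
    issued by the expected issuer, addressed to this application and not expired."""
    parts = token.split(".")
    if len(parts) != 2:
        raise ValueError("malformed token")
    body, sig = parts
    expected = hmac.new(PROVIDER_SECRET, body.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(sig)):
        raise ValueError("bad signature")          # checked before trusting any claim
    claims = json.loads(_unb64(body))
    if claims.get("iss") != EXPECTED_ISSUER:
        raise ValueError("unexpected issuer")
    if claims.get("aud") != OUR_CLIENT_ID:
        raise ValueError("token was issued for a different application")
    if now >= claims.get("exp", 0):
        raise ValueError("token expired")
    return claims


class RelyingParty:
    """Our application's account store: keyed by (issuer, subject) and holding
    no passwords, because authentication happens at the provider."""

    def __init__(self):
        self.accounts = {}   # (iss, sub) -> local account record

    def login(self, token: str, now: int) -> dict:
        claims = verify_token(token, now)
        key = (claims["iss"], claims["sub"])
        account = self.accounts.get(key)
        if account is None:                       # first visit: create a local account
            account = {"local_id": len(self.accounts) + 1, "logins": 0}
            self.accounts[key] = account
        account["logins"] += 1                    # later visits: same identifier, same account
        return account


if __name__ == "__main__":
    rp = RelyingParty()
    now = 1_700_000_000
    first = rp.login(provider_issue_token("bob-opaque-subject-1234", OUR_CLIENT_ID, now), now + 5)
    second = rp.login(provider_issue_token("bob-opaque-subject-1234", OUR_CLIENT_ID, now + 600), now + 605)
    print(first is second, second)
```

The order of checks in `verify_token` is the design point: the signature is verified before any claim is read, so an attacker-modified body is never parsed as trusted data, and the audience check stops a token issued for some other application from being replayed against this one.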

Access Control

Once you have classified your data, determine who requires access to it and to what degree. For instance, you may have data that everyone, even anonymous internet users, should be able to read but not change. Whether the data lives in a public or a private cloud, always assign users the least amount of access required, and whenever possible assign permissions to groups rather than to individual user accounts.

In private clouds, you can assign permissions to data using internal security authorization controls, such as Windows or Linux file server permissions assigned to users or groups in your Microsoft Active Directory. In public clouds, you may or may not be able to assign users and groups to the cloud storage locations; this depends on the cloud provider and on how you have integrated your authentication and authorization systems with the provider's identity and access management (IAM) services.

When working in hybrid cloud environments, you should first configure the public and private cloud providers to use the same IAM configuration. This standardizes the user and group names across the clouds before assigning permissions to the data, which in turn helps avoid accidentally assigning extra (or insufficient) permissions due to user or group naming similarities and inconsistencies.
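The three practices just described (deny by default, grant to groups rather than individuals, and reconcile group names across clouds before assigning permissions) as an added example, not code from the original text or from any IAM product. The directory, group names, users and resources are constructed sample data; `iam_consistency_report` is a hypothetical helper that flags group names which differ only in case or punctuation between the private and public cloud, the kind of inconsistency the paragraph above warns about.

```python
from dataclasses import dataclass, field

ANONYMOUS = "anonymous"   # stands for unauthenticated internet users


@dataclass
class Directory:
    """Group memberships as an identity service (AD or a cloud IAM) exposes them."""
    groups: dict = field(default_factory=dict)   # group name -> set of user names

    def groups_of(self, user: str) -> set:
        return {g for g, members in self.groups.items() if user in members}


@dataclass
class Resource:
    name: str
    classification: str
    grants: dict = field(default_factory=dict)   # principal (group, user or ANONYMOUS) -> set of actions


def is_allowed(directory: Directory, resource: Resource, user, action: str) -> bool:
    """Least privilege: nothing is allowed unless a grant explicitly covers it.
    Anonymous grants apply to everyone; group grants apply only to members."""
    allowed = set(resource.grants.get(ANONYMOUS, ()))
    if user is not None:
        allowed |= resource.grants.get(user, set())          # direct grant to the account
        for group in directory.groups_of(user):
            allowed |= resource.grants.get(group, set())     # grants via group membership
    return action in allowed


def grants_to_individuals(directory: Directory, resource: Resource) -> list:
    """Flag grants made to individual accounts instead of groups."""
    return sorted(p for p in resource.grants
                  if p != ANONYMOUS and p not in directory.groups)


def _normalize(name: str) -> str:
    return "".join(ch for ch in name.lower() if ch.isalnum())


def iam_consistency_report(private_groups, public_groups) -> dict:
    """Compare group names across the private and public cloud before assigning
    permissions: report pairs that are probably the same group under different
    spellings, and groups that exist on only one side."""
    private_by_norm = {_normalize(g): g for g in private_groups}
    public_by_norm = {_normalize(g): g for g in public_groups}
    lookalikes, only_private = [], []
    for norm, private_name in private_by_norm.items():
        public_name = public_by_norm.get(norm)
        if public_name is None:
            only_private.append(private_name)
        elif public_name != private_name:
            lookalikes.append((private_name, public_name))
    only_public = [g for n, g in public_by_norm.items() if n not in private_by_norm]
    return {"lookalikes": sorted(lookalikes),
            "only_private": sorted(only_private),
            "only_public": sorted(only_public)}


# Constructed sample data: one directory and two resources of different classification.
SAMPLE_DIRECTORY = Directory({
    "Finance-Admins": {"alice"},
    "Finance-Readers": {"bob", "carol"},
    "HR": {"dan"},
})
PRICE_LIST = Resource("public-price-list", "public",
                      {ANONYMOUS: {"read"}, "Finance-Admins": {"read", "write"}})
PAYROLL = Resource("payroll", "confidential",
                   {"Finance-Admins": {"read", "write"}, "Finance-Readers": {"read"},
                    "dan": {"read"}})   # a grant to an individual, which the audit should flag


if __name__ == "__main__":
    print(is_allowed(SAMPLE_DIRECTORY, PRICE_LIST, None, "read"))
    print(grants_to_individuals(SAMPLE_DIRECTORY, PAYROLL))
    print(iam_consistency_report(SAMPLE_DIRECTORY.groups, ["finance_admins", "Finance-Readers", "Legal"]))
```

Running the report before any grant is made is the point: a grant to `Finance-Admins` in the private cloud and to `finance_admins` in the public cloud may look like one policy to an administrator while being two different principals to each IAM service.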

Network Security

Publicly accessible servers on the internet are constantly exposed to attack and, once compromised, give an attacker a foothold from which to launch additional attacks inside your network. The best plan is to isolate these public-facing servers whenever possible, to limit the damage an attack can do to your network. For example, consider hosting the server in a public cloud or within an extranet in your private cloud. An extranet is a secured region of your private network where firewalls carefully inspect traffic entering and leaving it, and where intrusion prevention systems (IPS) are sometimes deployed to mitigate server-to-server attacks within the extranet.

Though you probably have a firewall facing the internet in your private cloud, you may or may not have a dedicated firewall at the public cloud provider. In either case, remember that security is a process of adding layers or barriers: enable and carefully configure the operating system firewall on all your servers, even those not directly exposed to the internet. This extra layer protects you against an attacker who has already breached one layer of your defenses.

At some point, you will need to manage your cloud-based servers. In a private cloud, you can likely perform the administration using a private network. However, unless you are operating in a hybrid cloud environment, your public servers should be behind a firewall and not directly reachable. Instead of opening remote administrative ports or services to the internet, consider establishing a virtual private network (VPN) or a dedicated wide area network (WAN) connection to your public cloud provider to allow you to manage the servers as you would in a private cloud environment.
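The rules in the three paragraphs above, written as an audit over a server inventory; this is an added example, not code from the original text or from any firewall or cloud product. It checks that every host has its OS firewall enabled and a default-deny inbound policy, that public-facing hosts expose only their intended service ports to the internet, and that remote administration ports are reachable only from the management VPN. The admin port list, the VPN address range `10.250.0.0/24` and the sample hosts are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass, field

# Assumed remote-administration services and the hypothetical VPN range
# that is the only source allowed to reach them.
ADMIN_PORTS = {22: "ssh", 3389: "rdp", 5985: "winrm", 5986: "winrm-https"}
MANAGEMENT_VPN = ipaddress.ip_network("10.250.0.0/24")


@dataclass
class Rule:
    port: int
    source: str               # CIDR the rule accepts traffic from
    action: str = "allow"
    proto: str = "tcp"


@dataclass
class Host:
    name: str
    public_facing: bool
    service_ports: set = field(default_factory=set)   # ports the host is meant to serve
    default_action: str = "deny"
    rules: list = field(default_factory=list)
    os_firewall_enabled: bool = True


def _is_internet(net) -> bool:
    return net.prefixlen == 0            # 0.0.0.0/0 or ::/0


def _within_management_vpn(net) -> bool:
    return net.version == MANAGEMENT_VPN.version and net.subnet_of(MANAGEMENT_VPN)


def audit_host(host: Host) -> list:
    """Return findings for one host against the layering rules described above."""
    findings = []
    if not host.os_firewall_enabled:
        findings.append(f"{host.name}: OS firewall disabled (required on every server, not only public ones)")
    if host.default_action != "deny":
        findings.append(f"{host.name}: default inbound action is '{host.default_action}', expected deny")
    for rule in host.rules:
        if rule.action != "allow":
            continue
        src = ipaddress.ip_network(rule.source, strict=False)
        if rule.port in ADMIN_PORTS:
            # Administration only over the VPN, never from the internet or arbitrary subnets
            if not _within_management_vpn(src):
                findings.append(f"{host.name}: {ADMIN_PORTS[rule.port]} port {rule.port} reachable from {src}, "
                                f"expected only from management VPN {MANAGEMENT_VPN}")
        elif _is_internet(src):
            if not host.public_facing:
                findings.append(f"{host.name}: internal host exposes port {rule.port} to the internet")
            elif rule.port not in host.service_ports:
                findings.append(f"{host.name}: non-service port {rule.port} exposed to the internet")
    return findings


def audit(hosts) -> dict:
    return {h.name: audit_host(h) for h in hosts}


# Constructed sample inventory: a well-configured web server, a badly configured one,
# and an internal database server whose host firewall has been switched off.
SAMPLE_HOSTS = [
    Host("web-good", True, {443}, rules=[Rule(443, "0.0.0.0/0"), Rule(22, "10.250.0.0/24")]),
    Host("web-bad", True, {443}, default_action="allow",
         rules=[Rule(443, "0.0.0.0/0"), Rule(22, "0.0.0.0/0"), Rule(8080, "0.0.0.0/0")]),
    Host("db-internal", False, {5432}, rules=[Rule(5432, "10.20.0.0/16"), Rule(3389, "10.20.0.0/16")],
         os_firewall_enabled=False),
]


if __name__ == "__main__":
    for name, findings in audit(SAMPLE_HOSTS).items():
        print(name, "OK" if not findings else "")
        for f in findings:
            print("  -", f)
```

The database host illustrates the layering argument: it is not internet-facing, yet it still gets findings, because a disabled host firewall and RDP open to a whole internal /16 are exactly what an attacker who has already compromised a public-facing server would look for next.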