Amazon Web Services provides a great foundation architecture to secure and support its shared platform and resources. The cloud platform that is highly available, scalable and efficient is proving very valuable and advantageous for organisations and developers to layer their applications on top of and the multiple tools, provided by AWS, ensuring the development process is extremely smooth and simple.
AWS maintain a Shared Responsibility Model, regarding security, with their users. For security realisation, when responsibility is shared between provider and customer (as it is here), an in-depth understanding is important.
Amazon Web Services are responsible for securing the underlying global infrastructure and foundation services that support the cloud, and the customer is responsible for everything else positioned on top of the cloud or attaching to the cloud and this includes securing the application layer appropriately.
Some customers forget that the Shared Responsibility Security Model exists for a reason. This is notable when customers choose to deploy applications utilising default AWS services and realise that very limited application security controls are present with this. The security for the application layer is not comprehensive by default, the user should ensure that the application layer is properly protected, not leaving any security gaps by taking care of their security responsibilities.
Software is becoming more complex with many areas for vulnerabilities to persist and with services like AWS, the development cycle is a lot faster. The combination of these attributes makes targeting the application layer more appealing and the necessity to secure this layer is now more important than ever.
The application layer comprises:
- Load Balancing Tier (to evenly distribute traffic to the next tier and is the entry point to your app)
- Web Tier (to send static files to users, and often to route traffic to the right endpoint in the App Tier)
- App Tier (runs your applications main process)
- Cache Tier (to store temporary data like user session information or common request)
- Database Tier (where persistent data is managed)
- Ancillary Tier (Further Instances supplementary to your application)
Reasons to consider further securing your web apps
With the data moving to the AWS cloud it is fundamental to understand the division of responsibilities. By utilising AWS, you acquire good server and infrastructure capabilities. The user can also be reassured that AWS will take the necessary measures to secure the primary elements and resources. Regardless, as a user of the AWS service you do not relinquish the responsibility for your applications and data and you must meet the security and compliance requirements expressed by law and for your business as well as your customer’s security, privacy and well being.
Most Organisations have become adept with hardening the core, now directing attackers to the application layer as an alternate entrance point.
Some areas to consider include:
Majority of organisations applications running on AWS hold or process some form of sensitive information. Information could include banking details and other personal customer data. It is a legal and regulatory requirement to ensure that any personal data remains secure and private at all times. It is also a prerequisite for many organisations in order to maintain compliance.
Vulnerabilities often present in web apps
Web apps are an area of innovation for organisations and attackers are aware of the ever-present and likely vulnerabilities that potentially exist and can be manipulated for their malicious cause. Code utilised is often an amalgamation from various sources and libraries and is being continuously updated. Businesses are often under pressure to get apps up and running speedily leaving little time for thorough vetting and secure coding practice tends to take the back seat unfortunately. These all attribute to vulnerabilities being present.
App layer is Targeted for attack
Attackers are aware of the high value information that the majority of organisations apps process and this is a growing target for attack. It seems to be the path of least resistance and thus easily targeted and mostly successful.
Attack types are varied, vast and continually evolving
Attacks on apps vary and continue to advance as the means to attack are relatively simple to develop. Multiple attack options exist and are used for malicious reasons and will have nasty repercussions when successful.
Technical and business impacts
Repercussions of a successful attack can include downtime, fines, legal ramifications and loss of customer trust and loss of customers. This can significantly damage or even destroy the business. The amount of damage caused is highly dependant on the type of data compromised.
Successful attacks can incur vast technical impacts some of which may include defacement of the site, access to internal networks and data bases, compromise and/or loss of sensitive information, malware, blacklisting and web availability issues.
Security is good way to uphold your business reputation
It is good business practice to ensure the application layer is as secure as possible. To avoid unwanted concerns and improve your overall security posture.
What can the company do to better secure apps in AWS
With the necessary precautions in place to secure the application layer your risk exposure will be greatly reduced.
Many solutions exist that aim to support the AWS platform and to support the user in realising his share of security responsibilities too. These should assist in achieving a cohesive web, database and compliance strategy through better securing app security with better detection, defences and visibility, that is centralised, improving control and management through having all your information visible in one central location.
It is likely that a multiple vendor approach to addressing all the security gaps may be necessary, this is ok, it is important to make sure that the solutions you procure are the best and some vendors accomplish certain solutions better than others. The solutions must also integrate seamlessly with the AWS platform.
The following areas need to be addressed by the user to ensure that the maximum combined security can be achieved for the application layer.
- Threat detection (rapid detection before and after deployment using multiple techniques as different vulnerabilities require different detection approaches-manual, automated, static, dynamic and behavioural)
- Monitoring, alerting, reporting and blocking capabilities are essential
- Firewall (analyse traffic) and logging
- Threat Prevention (real time threat intelligence is important to detect and block malicious activity)
- Denial of service mitigation
- Vulnerability and Event Management
- Identity and Access Management control
- Data loss prevention
- Policy enforcement must be ensured and must be consistent
- Remediation frameworks and processes are necessary
Build security into applications
It is also important to ensure that the application build is as secure as possible. Proper best practices should be followed and although time consuming, vetting of applications is important and should be undertaken. Developers must be knowledgeable of good coding practices and aware of how to highlight and remediate vulnerabilities. Staying abreast of the latest attacks and knowing the vulnerabilities that your apps may be susceptible to will assist with securing them appropriately. It is important that developers understand the security controls, these will differ from one language to the next and each has its own security issues or vulnerabilities that should be properly managed. Security controls must be consistent and applied throughout the development process, throughout the software development lifecycle, which will be unique for each organisation.
Web application vulnerabilities can be manipulated at the application layer and the detection or prevention of these types of attacks can be challenging to detect without the right security solutions and controls.
A combination of the AWS secure foundation and the solutions the organisation deploys to further secure the application layer (log management, monitoring, threat detection, web application firewalls and scanning tools) will ensure the application security is comprehensive and secure from foundation and throughout the application layer.
The organisation must heighten detection, intensify defences and be able to manage it all centrally with clarity.