Build secure cloud-native applications by avoiding the top five security pitfalls we lay out in our Secure Cloud-native Development Series. This blog is the fourth part of the series, and it will teach you why and how to easily enable encryption and save yourself headaches down the road.
Here's a new motto: encrypt everything! When securely moving to cloud-native technologies, building encryption in from the start will save us a lot of headaches later. And it's actually anything but a headache to enable encryption while setting up your cloud-native development workflows. Here I’ll explain why enabling encryption will come in so handy, and what tools will help you do this with the greatest ease.
A Scenario on Why You Need to Enable Encryption
Imagine the following scenario: you have been tasked with a quick and dirty POC for an upcoming service release. You design it and build something that works, but for reasons we don’t need to go into, the release has been pushed up, and now we need to make our POC into a production service.
When it was initially built, you created it quickly with minimal requirements. Now it’s in production and the compliance folks are asking why our object storage isn’t encrypted, why the database contains sensitive information and isn’t encrypted, and why the logs are also not stored on encrypted volumes. Going back and enabling this may not seem like too big a task. But in the case of object storage, enabling encryption on the storage only encrypts new objects. The existing unencrypted objects, as well as the log files, will also need to be encrypted, which will require extra effort.
This use case is common, but one of the many benefits of cloud-native technologies is that we can enable encryption very easily as we are setting things up with little to no extra effort. In some cases, it may be turned on by default, but in others we just need to check the box or turn it on in our Infrastructure as Code.
We won’t get specifically into the different types of encryption that can be used. Our compliance or security folks can give us the requirements for each dataset that we are working with. Cloud providers now offer industry standards like AES-256 for data at rest, as well as other options for the key management part.
Both Azure and AWS DO NOT charge for encryption on object storage, which also includes where our log files get stored. Additionally, encryption is enabled by default for new services being created, but we may have to ensure our legacy applications and services have it enabled as well.
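To make the backlog from the scenario above concrete, here is an added example (not code from the original post) that finds objects written before encryption was turned on and re-encrypts them in place. It assumes AWS S3 through boto3; the bucket name, the object keys and the FakeS3 stand-in are constructed so it runs offline.

```python
# Added example (not from the original post). Assumes AWS S3 via boto3;
# the bucket name and object keys below are constructed.

def unencrypted_keys(s3, bucket):
    """Yield keys whose HeadObject response has no ServerSideEncryption field."""
    pages = s3.get_paginator("list_objects_v2").paginate(Bucket=bucket)
    for page in pages:
        for obj in page.get("Contents", []):
            head = s3.head_object(Bucket=bucket, Key=obj["Key"])
            if "ServerSideEncryption" not in head:
                yield obj["Key"]

def reencrypt(s3, bucket, dry_run=True):
    """Copy each unencrypted object onto itself requesting SSE; return those keys."""
    keys = list(unencrypted_keys(s3, bucket))
    if not dry_run:
        for key in keys:
            s3.copy_object(Bucket=bucket, Key=key,
                           CopySource={"Bucket": bucket, "Key": key},
                           ServerSideEncryption="AES256")
    return keys

class FakeS3:
    """Constructed stand-in for boto3.client("s3") so the example runs offline."""
    def __init__(self, objects):
        self.objects = objects            # key -> HeadObject-style dict
    def get_paginator(self, name):
        return self
    def paginate(self, Bucket):
        keys = sorted(self.objects)
        for i in range(0, len(keys), 2):  # two keys per page to exercise paging
            yield {"Contents": [{"Key": k} for k in keys[i:i + 2]]}
    def head_object(self, Bucket, Key):
        return dict(self.objects[Key])
    def copy_object(self, Bucket, Key, CopySource, ServerSideEncryption):
        self.objects[Key]["ServerSideEncryption"] = ServerSideEncryption

def sample_bucket():
    """Constructed bucket: two objects from the POC days, two written later."""
    return FakeS3({
        "logs/2021-01.log": {"ContentLength": 512},
        "poc/data.csv": {"ContentLength": 2048},
        "poc/new.csv": {"ContentLength": 100, "ServerSideEncryption": "AES256"},
        "reports/q1.pdf": {"ContentLength": 900, "ServerSideEncryption": "aws:kms"},
    })

if __name__ == "__main__":
    s3 = sample_bucket()                  # swap in boto3.client("s3") for real use
    print("would re-encrypt:", reencrypt(s3, "example-bucket"))
```

In a versioned bucket the copy creates a new version and the older unencrypted versions remain, and a single copy_object call only handles objects up to 5 GB.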
Tools that Help Easily Enable Encryption
The main thing we need to ensure is simple: encryption is turned on. We have a host of cloud tools that will tell us if we missed any endpoints that should have encryption turned on. We can list the “Right Way” to do it, and the “Fun Way”.
The “Right Way”
AWS has Security Hub, which can be enabled and integrated with other AWS services so that it alerts when something is created that should have encryption.
Azure has Microsoft Defender for Cloud. This service is the Azure counterpart to AWS Security Hub. It provides recommendations for securing services, which include identifying places where encryption should be enabled, among many other things.
Why it’s important: Using a cloud-native tool that is integrated into messaging and alerting helps to identify when a resource is out of compliance so it can be addressed. This allows action to be taken immediately, as opposed to when we manually discover that it doesn’t have encryption, which in my experience is usually during an audit...
The “Fun Way”
Terminal tools are always more fun. ScoutSuite by NCC Group is a very helpful tool for auditing cloud environments (AWS, Azure, GCP, Oracle, and Alibaba). It runs on python3.6 – python3.8 and scans all resources it has access to. It returns a nice HTML report that can be acted on. ScoutSuite is easy to run and gets results fast. To run it generically and get all checks, simply run ‘scout <cloud provider>’.
It outputs a report in this format:
We can see our instance is running on a volume that is not encrypted. This may or may not be an issue, but we can see it is flagged to investigate.
Why it's important: One auditing tool that can scan each of our different cloud infrastructures. We might have services running in multiple clouds, but one tool can scan them all. It’s open source! It’s simple and speedy!
Takeaways
Encrypt your data, traffic, logs, and storage volumes. NIST has some good resources at: Cryptographic Standards and Guidelines | CSRC (nist.gov). OWASP is also a good resource and has information on key management.
As you develop in cloud-native tools, you will no doubt make use of these resources:
Next time in part 5, we’ll talk about Secrets Management. See you then!