Leveraging Cloud Security: Controls to Achieve ISO27001 Compliance

HOSTING PRODUCTION WORKLOADS on the cloud and adopting industry-wide security best practices provides a secure, resilient, and highly available software as a service (SaaS) environment for customers.

Infrastructure Security

The entry point of applications should be secured with Web Application Firewall (WAF) enabled gateways to provide centralized protection from common exploits and vulnerabilities while simultaneously preventing common attacks like SQL Injection and cross-site scripting. In addition, meaningful content security policy (CSP) headers are adopted to avoid disclosing server-side information, disabling iframes, limiting cross origin calls to selective vendors and more.

We add pod security policies, which is a cluster-level resource to control multiple security sensitive aspects of the pod specifications, like having a low privileged, non-root user with read-only permissions on the image file system.

The nodes in our Kubernetes cluster are private and not accessible from the public internet, therefore considerably reducing the surface of attack. To remediate vulnerabilities, security updates are automatically applied to the nodes. These updates include OS security fixes or kernel updates, some of these updates require a node reboot to complete the process. We leverage Kubernetes reboot daemon, a Kubernetes DaemonSet that performs safe, automatic node reboots when the need to do so is indicated by the package management system of the underlying OS. Any sensitive information like connection strings, keys and certificates are secured as well.

We use a managed cloud database service with strict firewall rules added to restrict server access to select sources. We also use advanced threat protection to detect anomalous activities indicating unusual and potentially harmful attempts to access or exploit databases. Vulnerability assessment is leveraged to provide visibility into the security state of the databases and includes actionable steps to resolve security issues and enhance database security.

Application Security

Cloud developers can integrate with the customer-preferred identity provider to authenticate the users. Enabling SSO helps customers using multiple products to seamlessly login to all of them, as well as their corporate applications. Industry standard OIDC/SAML and OAuth2.0 protocols are used for authentication and authorization. User and password management is best delegated to the customer’s IAM solution, as it completely avoids bringing over PII to the developer side.

Logging is essential for debugging, incident response, and collecting outage evidence. We ensure that logs do not include any sensitive information like passwords, secrets, and connection strings.

Data Security

Cloud developers can enforce multiple data security practices to safeguard digital information throughout its entire life cycle to protect it from corruption, theft, or unauthorized access. By using cloud providers with capabilities like data discovery, classification, and dynamic data masking for seamlessly discovering, classifying, labeling, reporting, and hiding the sensitive data in our databases, we meet standards for data privacy and requirements for regulatory compliance. We believe in data isolation in our multi-tenant architecture, and we ensure the data stays separate across tenants. The production data is not synchronized with the lower environments without a scrubbing process. Data encryption at rest, which is applicable for data and log files, allows developers to follow laws, regulations, and guidelines established in various industries by encrypting data using AES and 3DES encryption algorithms, completely transparent to the applications.

DevOps & SecOps

Cloud developers can leverage a plethora of DevOps processes and principles to build and deploy workloads through a continuous integration and continuous deployment approach. There are certain vulnerabilities protection that are enforced at different layers of application build and deployment through DevOps.

We use WhiteSource for continuous monitoring and alerting of open-source software security issues and license/compliance oversights. WhiteSource integrates into the build process, irrespective of your programming languages, build tools, or development environments. It works automatically, continuously, and silently in the background, checking the security, licensing, and quality of your open-source components against standard database of open-source repositories.

We leverage the functionalities of Aqua Security’s offering, Trivy, for vulnerability, misconfiguration, and secret scanner for containers images. We have integrated Trivy as part of our build process to scan our docker images, before pushing to a container registry or deploying the application. We have integrated SonarCloud so that the pull requests are annotated based on automated rule-based reviews, so that code quality is checked as part of the build process itself. This ensures the code passes different quality gates with strict benchmarks, before merging with the main branch.

We practice continuous development, build and deployment of our infrastructure using Terraform based Infrastructure as Code. Having an automation model to deploy infrastructure guarantees standardized security controls and best practices while designing infrastructure in terms of resiliency and high availability embedded in the resource provisioning process. We use Aqua Security’s offering tfsec as a static analysis security scanner for our Terraform code. Integrated as part of our build process, to help us with detection and remediation for various infrastructure vulnerabilities.

Conclusion

We ensure that we always maintain a Microsoft Secure Score of 99% for our subscriptions to have a strong security posture by establishing all resources to comply with all the security recommendations within security control. We conduct annual security audits, vulnerability assessments and penetration tests of the web apps and mobile apps to validate and evaluate the security measures we have taken.

We try to educate our software engineering team about good security practices, to inculcate security awareness amongst the Development Team through training sessions and shift the security aspect as early as possible in our development lifecycle, making security an integral part and major feature of our cloud-based products.