Developing Secure Applications for the Cloud

By Scott Fitzpatrick

When it comes to utilizing a cloud platform for your application, security is of the utmost importance. Security starts with developers who should tailor their application security practices and strategies to the type of environment their application will be deployed in. Secure development practices can mean the difference between resting easily each night knowing your application protects the consumer data with which you've been entrusted, or dealing with the constant threat of a data breach that would keep any good developer on edge.

One of the greatest responsibilities a developer has when dealing with sensitive consumer data is protecting that data from unauthorized modifications or outright theft. Security concerns are heightened when the application is both deployed to and run on a cloud platform. The act of securing this data includes both protecting data at rest, where it resides in a database, and as the data is transmitted from one server to another. A valuable and necessary protection strategy is encryption.

Encrypting data for an application that is deployed to a cloud platform provides new challenges for the development team, as the situation differs greatly from data encryption scenarios they may be accustomed to. When an application does not utilize a public cloud environment (i.e., when it runs on-premises or in a private cloud), the data being encrypted is stored on a server to which the DevOps organization typically has full access and control. This is not the scenario that plays out when an application uses a cloud platform. Therefore, it is important for the development team to take some precautions to assure that the sensitive data employed by the application is adequately protected.

● Each time data is uploaded, a public key is used to encrypt the data prior to the data being transmitted to the remote server.

● The encrypted data is then stored on the cloud platform with no reference to the plain-text data.

● When downloading an object, the encrypted data is downloaded, and a private key is utilized to decrypt the encrypted object so that the plain-text data can again be viewed in its original form.

As you can see, this secure development practice provides several benefits. First, the cloud platform maintains no reference to the plain-text data. Thus, the development team can rest assured that the platform's servers (over which they maintain no real control) are not a concern in terms of security from a data loss standpoint as the data rests on the remote server. The other main benefit is the protection of data in transit. At no point is plain-text data being transmitted to the cloud platform, eliminating the concern over data leakage.

Ensuring that you are properly using the APIs provided by your cloud platform can also serve to assist in developing secure applications. This may sound like an obvious practice, but it deserves a mention. Improper use of an API, in some of the worst cases, can result in unauthorized access to data or unauthorized access to application functionality that can put data integrity at risk. It is therefore imperative that the developers applying the API write code with a mindset that puts security first, while providing the API methods with all the necessary information to determine if the user should have access to perform that functionality—and if so, also ensure that the proper action is being taken as per the API documentation.

As an example of the types of services available for securing cloud applications, consider the solutions offered by Alibaba Cloud:

These services provide the protections that organizations need to mitigate security threats against applications deployed in the cloud.

While developing for a cloud platform can provide certain challenges that are not always present when developing outside the cloud, a few simple practices can go a long way toward securing your application.

In today's climate, where the importance of data security is at an all-time high, simply utilizing an encryption strategy such as client-side encryption can make all the difference in ensuring that a data breach doesn't occur on your watch. Combine this with careful development to establish proper usage of the API provided by the cloud platform you are using, and you are well on your way to secure development in the cloud.