Non-functional Application Requirements: Security

When you’re building modern applications, security is paramount. It’s the invisible architecture that keeps user data safe, systems protected, and your organization’s reputation intact. In an era where cyber threats are not just probable but inevitable, overlooking security can have catastrophic results.

So how do you approach security in a meaningful, sustainable way?

This article dives into securing applications on the cloud, with a focus on leveraging AWS’s rich security toolkit. We’ll address the 5Ws (What, Why, When, Where, and Who) of security, explore the vital aspects of a robust security strategy, and discuss best practices that seasoned engineers employ to keep applications safe and resilient.

---

What: Understanding Security’s Scope in Cloud Applications

Security in the cloud isn’t just about blocking bad actors. It’s about creating a secure, resilient environment that preserves your application's confidentiality, integrity, and availability (CIA). Let’s break down these core components:

1. Confidentiality

Ensuring data is accessible only to authorized users and systems.

Implementation:

• Zero-Trust Architecture: Enforces strict identity verification at every access point.
• Encryption Standards: Protect data with AES-256 encryption at rest and TLS 1.3 during transmission.
• Key Management: Utilize systems like AWS Key Management Service (KMS) for secure encryption key storage and rotation.

In 2024, AT&T experienced a significant data breach affecting approximately 73 million customers, including both current and former users. Sensitive information such as social security numbers, account numbers, and passcodes was compromised. The data, believed to be from 2019 or earlier, surfaced on the dark web in mid-March 2024. This incident underscores the critical importance of robust encryption and stringent access controls to maintain confidentiality.

---

2. Integrity

Assuring the accuracy and completeness of data throughout its lifecycle.

Implementation:

• Cryptographic Hash Functions: Use SHA-256 or SHA-3 to validate data integrity.
• Immutable Audit Logs: Maintain unalterable event logs for forensic investigations.
• Version Control Systems: Employ tools like Git to track and revert unauthorized changes.

In 2024, Snowflake, a prominent data warehousing company, suffered a breach, in which hackers used stolen passwords to access data from companies like Ticketmaster, Santander Bank, and AT&T. This breach resulted in significant data loss and highlighted the necessity for robust data validation mechanisms and stringent access controls to ensure data integrity.

---

3. Availability

Ensuring systems remain operational and accessible during critical times.

Implementation:

• Multi-Region Redundancy: Host systems across multiple regions to ensure resilience.
• DDoS Protection: Utilize services like AWS Shield to mitigate attacks.

In 2024, Chinese hackers, identified as Salt Typhoon, infiltrated U.S. telecommunications networks, enabling them to geolocate millions of Americans and record their phone calls. High-profile victims included President-elect Donald Trump and senior Biden administration officials. This breach, affecting major telecom providers like Verizon and AT&T, underscores the importance of robust security measures to maintain system availability and protect against unauthorized access.

Together, the CIA triad forms the backbone of a secure cloud application and dictates how security should be implemented across various layers.

Security Domains in Cloud Applications

1. Identity and Access Management (IAM)

Securing who can access your systems and what actions they can perform.

Implementation:

• Authentication & Authorization: AWS IAM and Cognito provide robust tools for user authentication.
• Privileged Access Management: Enforce least-privilege principles for sensitive operations.

---

2. Data Security

Safeguarding data through its entire lifecycle is critical for compliance and user trust.

Implementation:

• Encryption Standards: Apply AES-256 and TLS 1.3.
• Data Retention Policies: Regularly dispose of unnecessary data to minimize exposure.

Last year, Meta (formerly Facebook) was fined €1.2 billion ($1.3 billion) for improperly transferring Facebook users’ personal data from the European Union to the U.S., violating GDPR. This significant penalty underscores the necessity for robust data security measures and compliance with international data protection laws.

---

3. Application Security

Securing codebases and runtime environments is key.

Implementation:

• Secure SDLC: Integrate security in development workflows with automated scans.
• Runtime Protection: Use tools like AWS AppRunner for secure application deployments.

Key Areas of Security Focus

With the transition to cloud-native architectures, applications now require a multi-layered approach that spans various domains:

1. Identity and Access Management (IAM):

   • This domain centers on authenticating who can access your systems (authentication) and determining what actions they can perform (authorization).
   • Key tools include AWS Identity and Access Management (IAM), privileged access management, and single sign-on (SSO) integration.
   • Best Practices: Implement strict least privilege policies, use multi-factor authentication (MFA), and enforce short-lived access tokens for sensitive operations.

2. Data Security:

   • Protecting data, whether at rest or in transit, is crucial for compliance and user trust.
   • Key strategies include encryption standards and protocols (such as AES-256 for at-rest data and TLS 1.3 for in-transit), regular key rotation policies, and data retention and disposal practices.
   • Privacy Compliance: Adhere to regulations like GDPR and CCPA by incorporating privacy-by-design principles into data storage and processing.

3. Network Security:

   • Establishing a secure network perimeter is vital for preventing unauthorized access and segmentation of sensitive resources.
   • Core tools include microsegmentation, Web Application Firewalls (WAF), API gateways, and Virtual Private Cloud (VPC) design with network isolation.
   • Best Practices: Limit access through security groups, use VPC endpoints for private connections, and implement network monitoring for anomaly detection.

4. Application Security:

   • Application security focuses on securing the codebase and runtime environment.
   • Techniques include secure software development lifecycle (SDLC) practices, dependency scanning for vulnerabilities, container security, and runtime protection.
   • Best Practices: Emphasize secure coding standards, use automated vulnerability scanning, and implement role-based access control within your development pipeline.

5. Operational Security:

   • Operational security is about maintaining security in day-to-day operations, including monitoring, incident response, and threat modeling.
   • Key elements include continuous monitoring, incident response planning, threat modeling, and security automation.
   • Best Practices: Integrate monitoring tools like AWS GuardDuty and AWS CloudTrail for real-time insights, conduct regular security drills, and automate incident response with predefined playbooks.

The key to a comprehensive security strategy is a multi-layered approach—one that addresses each of these areas, embedding security into the application's entire lifecycle.

---

Why: The Critical Importance of Security

Security isn’t just a “nice-to-have” feature. It’s essential. Let’s consider why a robust security strategy is non-negotiable:

1. Financial Impact: The average cost of a data breach is estimated to be over $4.88 million globally—a 10% increase over last year and the highest total ever, according to IBM’s 2024 Cost of a Data Breach Report. This cost includes data recovery, legal fees, loss of business, and more. These costs can be even higher for companies that handle sensitive information, like healthcare or financial data.

2. Trust and Reputation: A single data breach can erode user trust for years. The reputational damage can lead to customer churn, media fallout, and loss of market standing—consequences that can be difficult, if not impossible, to recover from.

3. Compliance Requirements: With the rise of global data privacy regulations like GDPR, CCPA, and HIPAA, companies face strict standards around data handling, storage, and access. Non-compliance can result in heavy fines and sanctions, making security an essential part of business continuity.

4. Operational Stability: Insecure applications are more vulnerable to cyber attacks, which can lead to downtime, data loss, and operational disruption. Security ensures your application remains stable, even in the face of unforeseen events.

When security is compromised, it’s not just a technical issue—it’s a business crisis. Prioritizing security helps safeguard your organization’s financial health, reputation, and operational resilience.

---

When: Embedding Security from Day One

In today’s rapid development environments, security needs to be a part of the design and development process from the outset. The earlier security is embedded, the less costly it is to manage and mitigate threats later on. This shift-left approach to security focuses on integrating security practices throughout the entire development lifecycle.

Key Stages to Integrate Security

• Design Phase: Consider security requirements and outline data flow models to anticipate potential vulnerabilities.
• Development Phase: Emphasize secure coding practices, such as avoiding hard-coded secrets, using secure libraries, and adopting code review processes.
• Testing and QA Phase: Use penetration testing and automated vulnerability scanning to identify weaknesses before deployment.
• Deployment and Operations Phase: Implement real-time monitoring, automated patching, and incident response plans for continuous security.

By shifting security left, you address potential issues early, reducing the risk of costly fixes and rework down the road.

---

Where: Leveraging AWS Security Services

AWS offers a broad array of services that cover different aspects of application security. Let’s explore some of the key tools and how they align with specific security needs:

1. AWS Identity and Access Management (IAM): Centralized access control that enables granular permissions and the principle of least privilege.
2. AWS Cognito: Provides secure, scalable user authentication and authorization, which is ideal for applications with user sign-ups and logins.
3. AWS Key Management Service (KMS): Facilitates data encryption at rest and ensures sensitive information is only accessible to authorized users.
4. AWS Shield and AWS Web Application Firewall (WAF): Protects against DDoS attacks and filters incoming traffic to block malicious activity.
5. Amazon GuardDuty and AWS CloudTrail: Enables threat detection and continuous monitoring, providing insights into suspicious activity.
6. AWS Config and AWS Inspector: Ensures compliance by auditing configurations and automatically scanning for vulnerabilities.

AWS makes it possible to implement a multi-layered security approach tailored to your specific needs, whether you’re building a simple application or a complex, distributed architecture.

---

Who: The Roles and Responsibilities in Security

Security is a shared responsibility, not just within your organization but also with your cloud provider. In AWS’s Shared Responsibility Model, AWS manages the security of the cloud infrastructure, while you are responsible for securing what you deploy on it.

Roles Within Your Organization

1. Developers: Responsible for secure coding, dependency management, and building secure APIs. Developers ensure that code meets security standards before it reaches production.
2. Cloud Architects and DevOps Engineers: Focused on infrastructure security, automation of security tasks, and managing access and identity controls.
3. Security Analysts: Monitor security alerts, conduct risk assessments, and respond to incidents. They implement and oversee security policies across the application lifecycle.
4. Compliance and Legal Teams: Ensure the application meets regulatory and data protection standards, working closely with technical teams to interpret compliance requirements.

By fostering a security-minded culture and involving each role, you create a more resilient, secure application environment.

---

Security Best Practices: Building a Resilient Application

1. Embrace the Principle of Least Privilege: Only grant access permissions that are absolutely necessary, and regularly audit permissions to prevent “scope creep.”
2. Encrypt Everything: Use AWS KMS to encrypt data at rest and HTTPS for data in transit. Encrypting sensitive data helps prevent unauthorized access, even in the event of a data breach.
3. Regularly Patch and Update: Outdated software and libraries can be security vulnerabilities. Automate patching to keep your stack up to date and minimize security risks.
4. Implement Multi-Factor Authentication (MFA): Enforce MFA for both root and user accounts, adding an additional layer of protection against unauthorized access.
5. Continuously Monitor and Respond: Use AWS CloudTrail and GuardDuty to detect unusual behavior, and implement automated alerts for faster incident response.
6. Audit for Compliance: Regularly assess your application against regulatory requirements. AWS Config and AWS Artifact can simplify auditing and reporting processes, making it easier to stay compliant.
7. Conduct Regular Security Reviews: Schedule periodic penetration testing and security assessments to identify vulnerabilities that automated tools might miss.

A security-first approach isn’t just about prevention; it’s about preparation. The best security strategies ensure that if an incident occurs, it’s managed swiftly and effectively.

---

A Security-First Mindset

In today’s world, security is a differentiator. Applications that prioritize security not only protect data and maintain compliance, but they also build trust. Users are more likely to stay loyal to a product they trust with their information.

Adopting a security-first mindset involves viewing security as an enabler rather than an obstacle. By following best practices, leveraging AWS’s rich suite of security tools, and embedding security at every stage of development, you can create applications that are as secure as they are functional.

Building applications in the cloud has made it easier to scale and innovate, but it has also introduced new security challenges. With AWS’s powerful security tools and a clear, robust security strategy, you can meet these challenges head-on.

Remember: A secure application isn’t just a technical asset; it’s a valuable part of your brand. Make security a priority, and build trust one secure interaction at a time.

---

Cover Image: AWS re:Invent 2023 - Keynote with Dr. Werner Vogels