An agile approach to application security with Microsoft Defender

  • Securing applications often requires a shift in mindset, tooling and ways of working.
  • Developers should take an agile approach to application security and work with security teams.
  • Microsoft Defender, a cloud-native application protection platform, can help prioritise risks and prevent threats.

Just when you’d thought it was safe to host your enterprise applications in the cloud, your cloud environment changes. Now, you should change how you secure those apps, with an approach every bit as agile as the process your developers used to create them. 

Application security can be easy to overlook, but it is critical to maintain. If your company depends on its apps to generate the lion’s share of revenues, your application security can help protect more than a technology. It can also safeguard the very core of your business.

As you move your apps away from your cloud service provider’s (CSP) infrastructure-as-a-service (IaaS) space to a platform-as-a-service (PaaS) environment, nimbly adjusting how you secure them can be key to your business’s success. Microsoft Defender, a cloud-native application protection platform, can help to detect and prioritise risks while protecting against threats.

The development dilemma

PaaS has become a popular cloud alternative for the convenience it can offer, especially to development teams. But moving to PaaS comes with a caveat. Developing your apps on a cloud platform can make your developers primarily responsible for securing your apps. Are they ready for this responsibility?

Developers, after all, thrive in a fast-paced work environment, driven by the need for speed and agility. Security may take a back seat until the design process is underway, or even later. Then, they may tack security onto the finished app using APIs or code from libraries or containers, which they can obtain from security staff.

Application security isn’t a one-size-fits-all proposition. The plug-and-play approach can be risky if the added code doesn’t quite fit or if it’s improperly placed into the application.

Still, developers trained in agile processes can take an agile approach to application security, in tandem with security teams grounded in a cyber-risk-based approach and equipped with automated tools.

Modern app security: a two-pronged approach

There’s no such thing as perfect security. Trying to achieve it, you’re more likely to restrict your applications’ usefulness. But you can take application security actions that can work well in today’s fast-paced, speed-driven, cloud-based, ever-changing digital environment, be it IaaS, PaaS or SaaS.

We recommend an overlapping approach rooted in risk management and then automated by technologies:

  1. Know and manage your application security risks.
    Understanding your business's application landscape is vital. Do you know all the applications in use, including open-source software and unauthorised apps? Are you aware of the sensitivity of data within third-party applications, where direct database access is limited? What security measures does your cloud service provider offer, and do you know where additional safeguards are needed? Who holds superuser privileges and are their activities monitored? Superusers with excessive privileges can inadvertently or intentionally compromise system integrity, leading to financial losses or data breaches. Are your identity and access management controls robust, and where can they be strengthened?

  2. Select tools that can help you measure, maintain and monitor.
    Cloud-native application protection platforms (CNAPP) are crucial for evolving cloud security, offering efficient risk-to-response and multi-cloud management. Securing applications across IaaS, PaaS, SaaS, or hybrid environments requires a shift to DevSecOps and architectural reconsideration. Previous methods like checking IaaS configurations or relying on traditional agents are inadequate for cloud-native PaaS apps. 

Streamlining security with PwC and Microsoft

Microsoft Defender for Cloud, a CNAPP solution, can help you prioritise your risks, check for misconfigurations and remediate problems quicker. Defender uses data that can help provide context and help you anticipate your threats. It also can automatically check for misconfigurations and controls and help you prevent, detect and respond to threats.

Working with Microsoft, PwC has developed a security control framework that can help your developers and security teams work together more smoothly so you can secure your enterprise applications.

Traditionally, we’ve offered this framework for use with IaaS-based applications, but we’re expanding the service for use with PaaS-hosted, cloud-native apps. We can help guide you as to which Microsoft Azure services you may wish to use and which security controls you can enable at the platform level.

For many of the platform services that you use, Microsoft can help provide a process or solution for visibility into identities and roles, accesses and permission “drift,” or individuals accumulating permissions that they no longer need.

We can also help your security teams create security-as-code or policy-as-code templates for your development teams to use as they stand up a PaaS project within Microsoft Azure. That way, developers can work at their usual fast pace, confident that their work is protected, and Defender can help monitor for suspicious activity or misconfigurations, allowing you to take timely remediation actions and helping reduce the risk of vulnerability exploitation.

This is an abridged version of an article that originally appeared in PwC’s TechEffect. If you would like to learn more, please contact Robert Di Pietro.


Contact the authors

Robert Di Pietro

Partner, Lead of Cyber Security, Melbourne, PwC Australia

+61 418 533 346


Pouya Koushandehfar

Senior Manager, PwC Australia
