
Secure online products and services with security best practices

Published by Ben on 18 January 2017
Categories: Ideas
Security firm Fallible created an online tool that reverse engineers any Android app and searches it for secrets, including access keys for AWS accounts. Depending on the permissions attached to them, leaked keys and secrets can give an attacker full and uncontrolled access: enough to extract or delete entire customer data sets, along with the machines that run your application and site.

Fallible built the tool for their own use: the company were constantly reverse engineering apps for their customers in order to examine them from a security standpoint.

The company have now reverse engineered over 16,000 apps. Most of them contained no key or secret at all, but Fallible reported that “some 2,500 apps contained either secrets or third party keys”. That is a serious security risk to those apps and, ultimately, to their users.

Fallible’s findings show that lots of developers are indeed “fallible” and are not so good at setting up secure infrastructure or at enforcing security, separation and best practices.

How to secure online products and services

So what lessons can you learn from this to make sure your products and services are secure?

The key for developers is to follow security best practices. The honest answer, though, is that unless you are a professional systems administrator you are unlikely to know what those practices are.

Here are some of the common methods that developers can use to secure their products and services:

1. Separation of concerns: Run servers and services on isolated or separate virtual machines or containers. Understand where your critical data is stored, and use firewalls and access control lists to limit traffic to and from those network segments.

2. Password policies: Clearly set out the requirements for strong passwords so that the guidance you give your users is unambiguous. Make sure employment contracts and SLAs contain sections that define these security requirements, and check that your team are actually using strong passwords.

3. Limit permissions granted: Allow each tool or user only the bare minimum they need. By creating specific controls for every user, you limit their access to only the tools and systems they need to do their job or perform a task. The AWS keys Fallible found are a case in point: a key that can only write to one storage bucket does far less damage when leaked than one attached to an administrator account.

4. Encryption: Encrypt everywhere possible: in transit, at rest, and for any secrets that must live in code or in your version control system. Encryption is essential to protecting sensitive data and helps prevent data loss through theft or loss of equipment.

5. Implement user activity monitoring: This lets you see what users are doing on your systems and gives you an audit trail. If a malicious user gains access to an employee’s account, or an insider chooses to abuse their access, you will be alerted to the suspicious activity.

6. Patch known vulnerabilities: Despite the hype around novel attacks, most attackers exploit known vulnerabilities for which fixes already exist. Invest time in patching your systems and keep up to date with developments in the security world.

7. Automate: Your attackers use automated tools to scan ports and identify misconfigured devices, so automate your own security checks as well. Automation not only reduces human error but frees up developer time for more strategic work.

8. Educate your users: Have a well-organised, well-understood, well-maintained and well-monitored security policy for both employees and the third parties that access your systems, and make sure they undergo periodic training so their understanding of the policy stays current.

9. Avoid hard coding: Never hard-code plain-text secrets or keys into your source code! Load them from the environment, from configuration kept outside the repository, or from a secrets store at run time, and remember that anything compiled into a mobile app can be recovered by anyone who downloads it.
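The Fallible findings above and point 9 describe the same problem from two sides: a key that a developer hard-coded, and a scanner that pulls it back out. The script below is an added example written for this post (it is not Fallible’s tool) showing the check in its simplest form: open an APK, which is just a zip archive, and search the code and resource files for the well-known AWS access key ID format, then look nearby for a 40-character string that is probably the matching secret. The sample APK is constructed in memory so the script runs offline; the package name is made up and the key pair is AWS’s own documented placeholder credentials.

```python
"""Scan an Android APK (a zip archive) for embedded AWS credentials.

Added example for this post; it is not Fallible's tool. It searches the
files inside an APK for the well-known AWS access key ID format and, near
each hit, for a 40-character string that is probably the matching secret
access key. The sample APK is constructed in memory so the script runs
offline; the package name is made up and the credentials are AWS's
documented placeholder values.
"""
import io
import re
import zipfile

# Long-term user keys start with AKIA, temporary STS keys with ASIA; both are
# followed by 16 upper-case alphanumerics.
ACCESS_KEY_RE = re.compile(rb"\b(?:AKIA|ASIA)[A-Z0-9]{16}\b")
# Secret access keys are 40 characters from the base64 alphabet. That is too
# generic to report on its own, so it is only reported next to a key ID.
SECRET_KEY_RE = re.compile(rb"(?<![A-Za-z0-9/+=])[A-Za-z0-9/+]{40}(?![A-Za-z0-9/+=])")
SECRET_WINDOW = 200  # bytes on either side of a key ID to search for a secret

# Members that normally carry code or configuration; images and fonts are noise.
INTERESTING = (".dex", ".xml", ".properties", ".json", ".js", ".txt", ".so")


def find_aws_credentials(apk_bytes):
    """Return sorted (member, access_key_id, probable_secret_or_None) tuples."""
    findings = set()
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for info in apk.infolist():
            if info.is_dir() or not info.filename.endswith(INTERESTING):
                continue
            data = apk.read(info.filename)
            for hit in ACCESS_KEY_RE.finditer(data):
                lo = max(0, hit.start() - SECRET_WINDOW)
                hi = min(len(data), hit.end() + SECRET_WINDOW)
                secret = SECRET_KEY_RE.search(data[lo:hi])
                findings.add((
                    info.filename,
                    hit.group(0).decode("ascii"),
                    secret.group(0).decode("ascii") if secret else None,
                ))
    # Sort by member then key ID; None secrets sort as empty strings.
    return sorted(findings, key=lambda f: (f[0], f[1], f[2] or ""))


def build_sample_apk():
    """Construct a fake APK in memory (test data for this example, not a real app)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as apk:
        apk.writestr("AndroidManifest.xml", "<manifest package='com.example.demo'/>")
        # A resources file with a hard-coded key pair: exactly what point 9 warns
        # against. The values are AWS's documented placeholder credentials.
        apk.writestr(
            "res/values/strings.xml",
            '<resources>\n'
            '  <string name="aws_key">AKIAIOSFODNN7EXAMPLE</string>\n'
            '  <string name="aws_secret">wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY</string>\n'
            '</resources>\n',
        )
        # The same key ID compiled into the app code; reported once per member,
        # with no secret because none sits nearby.
        apk.writestr("classes.dex", b'dex\n035\x00 ... new S3Client("AKIAIOSFODNN7EXAMPLE") ...')
        # A binary asset is skipped by the extension filter even though it matches.
        apk.writestr("assets/logo.png", b"\x89PNG AKIAIOSFODNN7EXAMPLE")
    return buf.getvalue()


if __name__ == "__main__":
    for member, key_id, secret in find_aws_credentials(build_sample_apk()):
        status = "secret found nearby" if secret else "no secret nearby"
        print(f"{member}: access key {key_id} ({status})")
```

Run this against your own release APK before every store upload; a hit in `classes.dex` means the key was compiled into your code, a hit in `res/` means it came from a resource file, and either one means the key should be rotated as well as removed.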

You can read more about security best practices on ObserveIT, Dark Reading and ZDNet.

How to secure cloud services like AWS and Azure

To add more complexity into the mix, each cloud provider also publishes its own security best practices guide, potentially one for each service it offers.

For example, the Amazon Web Services (AWS) security best practices guide helps you define your Information Security Management System (ISMS) and build a set of security policies and processes for your organisation, so that you can protect your data and assets in the AWS cloud.

The guide also covers topics such as identifying, categorising and protecting your assets on AWS; managing access to AWS resources using accounts, users and groups; and ways to secure your data, operating systems, applications and overall infrastructure in the cloud.

Likewise, Microsoft Azure publishes a security best practices and patterns guide, derived from its experience with Azure networking and from the experiences of managed cloud specialists such as Digital Craftsmen.
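The access management topic ties back to point 3 above. Whether a leaked key means “full and uncontrolled access” is decided by the IAM policy attached to it, so a useful habit is to check every policy for wildcard grants before it goes live. The script below is an added example written for this post (it is not from the AWS guide) that puts an over-broad policy next to a scoped one and flags the two patterns that cause the damage: an Action of `*` and a Resource of `*`. Both policies are constructed for the example and the bucket name is made up.

```python
"""Flag IAM policy statements that hand out more than a task needs.

Added example for this post; it is not from the AWS guide the post cites.
It checks for the two mistakes that turn a leaked access key into "full
and uncontrolled access": a wildcard Action and a wildcard Resource. Both
policies below are constructed for the example; the bucket name is made up.
"""
import json

# Weak: the kind of policy commonly attached to the user whose key ends up
# inside an app. Whoever holds the key can call any API on any resource.
OVERLY_BROAD_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
})

# Scoped: the app only needs to upload files into one prefix of one bucket,
# so that is all the key is allowed to do. A leak now costs one prefix, not
# the account.
LEAST_PRIVILEGE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:PutObject"],
        "Resource": "arn:aws:s3:::example-app-uploads/incoming/*",
    }],
})


def _as_list(value):
    """IAM accepts a single string or a list for Statement/Action/Resource."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def audit_policy(policy_json):
    """Return human-readable findings for over-broad Allow statements.

    An empty list means no statement grants a wildcard action or resource.
    """
    policy = json.loads(policy_json)
    findings = []
    for index, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements can only narrow access
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        if "*" in actions:
            findings.append(f"statement {index}: Action '*' permits every API call")
        else:
            service_wide = [a for a in actions if a.endswith(":*")]
            if service_wide:
                findings.append(f"statement {index}: service-wide actions {service_wide}")
        if "*" in resources:
            findings.append(f"statement {index}: Resource '*' applies to every resource")
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append(f"statement {index}: NotAction/NotResource allows everything "
                            "except the listed items; review by hand")
    return findings


if __name__ == "__main__":
    for name, policy in (("overly broad", OVERLY_BROAD_POLICY),
                         ("least privilege", LEAST_PRIVILEGE_POLICY)):
        print(f"{name}: {audit_policy(policy) or ['no wildcard grants']}")
```

The check is deliberately blunt: it will not catch a long list of individually named but still excessive actions, and a `Condition` block can legitimately narrow a wildcard. Treat a finding as a prompt to justify the statement, not as a verdict.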

How to make sure your system is secure

The main point to keep in mind is that security is an ongoing concern.

The security landscape changes rapidly, which means you need to allocate resources to managing security and implementing best practice. If you do not have the expertise or resources to devote to IT security or system planning, consider transferring this risk to a specialist managed cloud provider such as Digital Craftsmen.

Although computing is now on-demand and developers revel in the flexibility to provision machines, they may not have the skill set or time to manage your production systems or the ongoing operation of your new system.

If you want to discuss the security of your cloud products and services, Digital Craftsmen are the right people to speak to. We are managed cloud specialists and have been securing clients’ online products and services with security best practices for a long time, so we have the skills and experience to make your cloud setup secure.

Call Digital Craftsmen now on 020 3745 7706 or email info@digitalcraftsmen.com for more information on our cloud security services.

