Securing your Cloud Application and API with LoadMaster

Posted on

Securing web applications in the cloud is essential to protect data and users from cyberattacks. Delivering a secure cloud application requires a multi-layered defensive strategy with continuous improvements to adapt to an ever-changing threat landscape. Progress Kemp LoadMaster is ideal for many organizations as it includes built-in features that enable secure cloud application delivery across modern deployment platforms.

What Is Cloud Application Security and Why Is It Important

Cyberattacks targeting organizations of all sizes have increased over recent years. These attacks include a variety of methods, such as ransomware, other malware, data breaches, social engineering, DoS/DDoS attacks, and supply-chain attacks. Indications are that the threat level and number of attacks will not decrease any time soon. 

As the number and sophistication of attacks have increased, cloud and web-based applications have become more common and, in many cases, are the first choice application deployment method. Cybercriminals always focus on where the users and data are, so cloud-based applications are a major target. 

Organizations need to protect their cloud-based applications and any APIs used to access them. Every cloud app must be a secure cloud application, and all cloud applications must be secure collectively. This is vital for protecting cloud applications, their data and all of the their users against cyberattacks and potential damage such as loss of sensitive or personally identifiable information (PII).

How Do I Secure My Web Application in the Cloud?

As mentioned above, delivering a secure cloud application requires a multi-layered approach. There are no magic solutions that you can deploy and forget. Several high-level steps and platform features should be considered and adopted for secure cloud application deployment.

  • Use a secure hosting platform - When selecting a cloud hosting platform, prioritize the ones that provide robust security measures and compliance certifications. Consider options such as Amazon Web Services (AWS), Microsoft Azure or Google Cloud Platform (GCP), as they have robust built-in security features.
  • Have strong user authentication - Use of multi-factor authentication (MFA) systems to guarantee that only authorized users or systems can access an application. MFA can include various factors such as passwords, SMS verification codes or biometric authentication.
  • Encrypt data - To ensure secure data transmission between your secure cloud application and users’ browsers, use TLS-based encryption. It is also advisable to encrypt data at rest when stored in databases or on disk to prevent unauthorized access in the event of a security breach.
  • Apply security updates ASAP - It is important to regularly update your web application and server software with the latest security patches. Be sure to apply these updates as soon as they become available to address any potential vulnerabilities, as attackers will target and exploit new vulnerabilities within hours of patches getting released.
  • Implement strong access control - Use role-based access controls (RBAC) and Privileged Access Management (PAM) to restrict access to and monitor activities within sensitive areas of your application. Restrict administrative access and regularly review and remove unnecessary privileges.
  • Conduct regular security testing - Security teams should commission regular security testing of cloud applications. It should include penetration testing and vulnerability scanning. If the security testers identify any vulnerabilities, IT teams should address them promptly via an agreed to and deliverable plan that addresses the most serious issues first.
  • Use a web application firewall (WAF) - Implement a WAF to filter and monitor incoming traffic to your secure cloud application. A WAF can help protect against common web application attacks, such as SQL injections, Cross-Site Scripting (XSS), and many other common attack methods.

Types of Cloud Application Security Solutions

Cloud application security solutions are available from many vendors and in multiple types to suit each organization’s infrastructure deployments and needs. Progress Kemp LoadMaster is ideal for many organizations as it slots into most on-premise, hybrid, and cloud deployments. 

Here are some of the features and solutions built into LoadMaster that enable secure cloud application delivery across modern deployment methods.

1. Web Application Firewall - A web application firewall complements and enhances traditional firewall security protection. A web application firewall operates between standard firewalls and web servers at Layer 7 of the network stack. It can decrypt HTTPS traffic and inspect the data contained. Using lists of known attack methods, plus anomaly detection, a WAF can deny access to web servers when malicious activity is detected. Read more about how LoadMaster WAF can help with secure cloud application delivery.

2. Strong authentication - LoadMaster supports multiple authentication methods to deliver enhanced security and single sign-on across cloud applications. LoadMaster can bridge gaps in built-in app authentication by providing pre-authentication services that control access earlier in the access chain. It supports the following methods:

  • LDAP
  • Radius
  • RSA-SecurID
  • SAML
  • Certificate Authentication
  • OIDC/OAuth
  • Kerberos
  • Multi-Factor Authentication
Integration with Microsoft 365 and Azure AD is also core to LoadMaster. Microsoft has validated this integration, and organizations using AD Federation and Azure AD can use accounts that are in AD via LoadMaster to authenticate users to legacy applications alongside modern ones.

3. Zero Trust Network Access (ZTNA) - Zero Trust treats every network connection as potentially hostile, regardless of its source. This means that a connection originating from a secure desktop PC within a corporate HQ and one from an unfamiliar IP address through a VPN must undergo the same rigorous scrutiny. For access, each connection request must provide precise authentication details and responses. Zero Trust ensures that no connection gets preferential treatment based on its origin.

After clients are authenticated, they gain access based on a policy, which allows them to connect to their resources with just the right amount of authorization. LoadMaster serves as a ZTNA gateway, and using policies defined through an API, makes integration with other security toolsets easy. One major application of ZTNA is managing application-to-application access, particularly when LoadMaster assumes the role of an API gateway.

4. TLS/SSL Policy & Certificate Lifecycle Management - Ensuring security certificates do not expire is vital for secure cloud application defense. LoadMaster supports automatic renewal of certificates issued by Let’s Encrypt, and easy updating of certificates issued by other providers such as Digicert.

5. IP Reputation blocking at the network level - A significant amount of cyberattack traffic comes from known sources and Organizations should block traffic from domains bad actors are known to use. Blocking an IP address or a set of IPs from making a connection is a good way to reduce attacks. 

LoadMaster can block based on IP Reputation lists that auto-update from trusted sources. System administrators can create manual lists to use alongside those from trusted sources. There is also an option to block all traffic from particular countries, but attackers often use VPNs to hide their country of origin. For those that require it, LoadMaster can also block all connections except those specifically allowed and contained in an allowed list.

6. Rate limiting of network traffic - Rate Limiting is useful to prevent services from getting overloaded by a bad actor — e.g., from a denial-of-service attack. This ability can also be useful to slow down attacks that use a high rate of activity, such as repeated login attempts. Rate limiting has settings based on whether you want to limit user or API access.

7. Content rules - LoadMaster can modify the incoming requests for access to apply more stringent security than what is in the original request. For example — force HTTPS use, append close connection commands to the end of successful sessions, remove any requests for Server info to obscure details of the infrastructure, route requests from the root in a web service to specific secure cloud application directories and rewrite URLs to obscure paths.

Loadmaster can also use Content rules for traffic blocking. This is useful in various situations. For instance, if an application has an /admin URL that nobody should access from outside, you can create a rule and block traffic or send an appropriate HTTP response code. It is also useful to have the ability to modify response codes, especially with APIs. For example, the 405 Method Not Allowed response code indicates that the resource exists. However, if you want to hide this resource completely, you can send a 404 Not Found code, which doesn’t provide any information to potential attackers.

What Makes an API Secure?

To make sure that an API used to access a cloud (or web) application is secure requires the combined use of several security factors:

  • Secure authentication
  • Access control and authorization
  • Network traffic encryption
  • Data encryption
  • Input validation and sanitization
  • Rate limiting and throttling
  • Error logging and handling
  • API security testing & updating to address issues
As shown in previous sections, LoadMaster can help deliver all of these except for the last (which is in the realm of external penetration testing and software development). But as stated in the introduction, no single solution will deliver complete cybersecurity and provide your organization with perfect secure cloud application delivery. It requires a multi-layered approach, and LoadMaster can assist in strengthening the security posture at multiple layers. 

We have a recorded webinar on this topic that you can view on demand at https://www.youtube.com/watch?v=O6S-R2t-5Zo.  

If you want to learn more, see https://kemptechnologies.com, where you can find numerous resources and a contact page to reach out to our expert team. 

 

Posted on

Doug Barney

Doug Barney was the founding editor of Redmond Magazine, Redmond Channel Partner, Redmond Developer News and Virtualization Review. Doug has also served as Executive Editor of Network World, Editor in Chief of AmigaWorld and Editor in Chief of Network Computing.