Strategies for ensuring data security in a cloud-native environment
- shweta1151
- Jun 29, 2023
- 10 min read
Updated: Aug 29, 2024

In this post, we will refer to the three layers of infrastructure that make up cloud-native applications as the data plane, control plane, and management plane. These layers were once part of traditional computer networking but have evolved to become essential components of cloud architectures. The diagram below illustrates how each layer plays a distinct role in the operation of a cloud application.

The data plane is responsible for handling and overseeing all traffic and data within the cloud application. The data can exist in one of the following states:
At rest: When the data is not accessed or used by any application service or resource.
In transit: When the data is being transported from one destination to another.
Processing: When the data is being read, updated, or deleted by an application service.
Within the data plane, application components such as databases, storage buckets, pods, compute instances, and serverless functions operate and are responsible for interacting with one or more data states simultaneously.
For instance, databases and storage buckets are responsible for storing application data, and thus, they handle data at rest. On the other hand, serverless functions in an application may be responsible for handling data in transit. An example of this would be processing a user's credit card information during a transaction workflow.
The control plane is responsible for enforcing rules for the data plane, monitoring and responding to data plane events, and managing infrastructure operations such as resource scheduling and scaling. Components such as Kubernetes controllers and workload schedulers operate within the control plane and perform tasks such as applying new role-based access control (RBAC) to a group of compute instances.
Lastly, management planes abstract resource-level configurations and provide organisations with high-level control over data access and monitoring of data activity. In the context of cloud applications, management planes take the form of interfaces such as the AWS Management Console, APIs, or command line interfaces (CLIs). These interfaces enable organisations to create credentials, permissions, and monitoring workflows for their cloud resources globally.
Significance of securing data for applications in a cloud-native environment
The multi-layered architecture of a cloud application is inherently complex, which can make it challenging for organisations to have complete visibility into how each of their application's resources processes, stores, and controls data. As a result, vulnerabilities can be overlooked, which can lead to data breaches or exposure.
For instance, if a storage bucket is publicly accessible, malicious actors can steal sensitive data from it. Moreover, application services may inadvertently include sensitive data within their activity logs, which is a common misconfiguration that malicious actors can exploit. These vulnerabilities are prime examples of how human error can lead to data breaches.
To mitigate these types of threats, it is necessary to implement measures across a cloud application's data, control, and management planes, though the ownership of these activities may vary.
The shared responsibility model determines who is responsible for managing each abstraction level of cloud infrastructure. Under this model, cloud providers are responsible for protecting the control plane from security threats and ensuring that it functions as expected. In contrast, organisations are responsible for managing the data plane by ensuring that the resources that directly interact with and manipulate application data are appropriately configured. Additionally, in some cases, organisations may also need to create data access controls and implement monitoring solutions within the management plane.
The data and management planes are central to an organisation's data security strategy, and it's important to configure them to handle, access, and monitor data securely. In this article, we will focus on one critical best practice for securing the data plane: data encryption. By encrypting data at rest and in transit, cloud providers can ensure that a cloud application's services and resources, which are the primary operators within the data plane, are transporting, accessing, and storing data securely.
Later in this article, we will explore how the management plane's global configurations can be utilised to improve data security by implementing secrets management and authorisation and access controls, as well as by enabling organisations to monitor data activity effectively.
Encrypt sensitive data at rest & in transit
To ensure the protection of application data, it is crucial for organisations to identify when the data is in one of three states: at rest, in transit, or in use. The first step in accomplishing this is to take inventory of the data that their applications process and group it into relevant categories. This will enable organisations to have better visibility into the types of data that their applications handle, allowing them to track when sensitive information, such as credit card numbers or application tokens, enters a specific state. For instance, data in transit is vulnerable to threats such as eavesdropping attacks, where user data is intercepted or manipulated during transfer over an unsecured network. Additionally, since cloud applications store a large amount of valuable data, data at rest is also a common target for malicious actors.
Encryption is a key method for organisations to protect their data in transit and at rest. Encryption is the process of converting data from its original readable format, such as plain text, into an unreadable format using a special key. There are two primary methods of encryption: symmetric and asymmetric. Symmetric encryption uses algorithms like the Advanced Encryption Standard (AES) to provide a single key for both encrypting and decrypting data. On the other hand, asymmetric encryption uses two different but related keys for encrypting and decrypting data.
Both symmetric and asymmetric encryption have unique benefits that organisations can use for different purposes. Symmetric encryption is well-suited for securing data at rest as it can process large amounts of data quickly. This benefit allows organisations to utilize Full Disk Encryption (FDE) and File Level Encryption (FLE), which provide multiple layers of security for stored data. FDE secures all data on a hard drive, while FLE secures individual files or directories, even those that are in use. Cloud providers offer disk-level encryption for their storage services, such as Amazon Elastic Block Store (Amazon EBS) volumes, Google Cloud Storage, and Azure Storage Service. In these cases, data is encrypted on the server-side after the provider receives data but before it is written to disk. Providers also offer client-side libraries that allow organisations to encrypt data at the file level before uploading it to cloud storage. While client-side encryption gives organisations more control over the encryption process and generated keys, it’s generally recommended to use server-side encryption for increased security.
Symmetric encryption can also be used together with the key pairs that are generated as part of the asymmetric encryption process in order to secure data in transit. These methods enable organizations to leverage the TLS protocol to encrypt data transmitted between clients and servers, which is now a standard practice for protecting web traffic.
In the following section, we will explore how the management plane can be utilized to safeguard application credentials against potential security risks. This includes protecting sensitive information such as API keys, passwords, and encryption keys that are crucial to the security of the application.
Secrets managers for safeguarding passwords, tokens, and keys
To ensure secure access to various parts of their systems in the data plane, organizations use digital authentication credentials such as passwords and encryption keys, also known as secrets. These secrets are utilized with a wide range of application components, including service resources, application-level accounts, and parts of the development infrastructure like CI/CD pipelines. However, the number and scope of secrets can quickly become unmanageable without proper security controls in place.
Data breaches are often caused by leaked secrets, as reported recently. Despite the best efforts of DevOps teams to maintain security, secrets can easily be leaked in cloud environments that rapidly scale and deploy new features. For instance, an engineer might hard-code an API key into their code temporarily to conduct tests but neglect to remove it before pushing their changes to a repository. This scenario creates a risk of anyone with repository access viewing the engineer's API key, enabling them to gain access to the API endpoint.
In order to mitigate the risks posed by these vulnerabilities, it is crucial to implement secrets management controls throughout a cloud application's data plane. This encompasses the resources responsible for storing and transmitting data, as well as the systems that interact with it, including CI/CD pipelines. To ensure effective management of secrets, organizations should establish controls that incorporate the following mechanisms:
Create: securely distribute and store newly generated credentials
Expire: establish expiration dates for credentials associated with application-level accounts
Revoke: revoke credentials that have been compromised or are no longer required
Rotate: change or reset credentials based on a predetermined schedule or their expiration dates
For instance, PCI DSS standards mandate that companies regularly rotate both their symmetric and asymmetric encryption keys, with a minimum frequency of once per year. By following this practice, the likelihood of an attacker using a legitimate key to gain access to systems is decreased.
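The four mechanisms above (create, expire, revoke, rotate) are easiest to reason about as operations on versioned secrets with a clock. The Go program below is an added example for this post, not code from the original article, from Atsky, or from any of the secrets managers named in the next paragraph. It assumes an in-memory store as a stand-in for a real backend, an injected clock so expiry can be tested, and a fixed 24-hour default lifetime; all of these are illustrative choices.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"sort"
	"time"
)

// Secret is one version of a credential. Older versions are kept so a leak
// can be traced to the version that was exposed.
type Secret struct {
	Name      string
	Version   int
	Value     string
	CreatedAt time.Time
	ExpiresAt time.Time
	Revoked   bool
}

// Store is an in-memory stand-in for a secrets manager (assumption: a real
// deployment backs this with Vault or a cloud provider's service).
type Store struct {
	now      func() time.Time // injected clock so expiry can be tested
	ttl      time.Duration    // default lifetime of a new version
	versions map[string][]*Secret
}

func NewStore(now func() time.Time, ttl time.Duration) *Store {
	return &Store{now: now, ttl: ttl, versions: map[string][]*Secret{}}
}

// Create generates a random 256-bit value and stamps it with an expiry date.
func (s *Store) Create(name string) (*Secret, error) {
	raw := make([]byte, 32)
	if _, err := rand.Read(raw); err != nil {
		return nil, err
	}
	now := s.now()
	sec := &Secret{Name: name, Version: len(s.versions[name]) + 1,
		Value: hex.EncodeToString(raw), CreatedAt: now, ExpiresAt: now.Add(s.ttl)}
	s.versions[name] = append(s.versions[name], sec)
	return sec, nil
}

// Current returns the newest version, refusing it if revoked or past expiry,
// so callers can never keep using a credential that should have been retired.
func (s *Store) Current(name string) (*Secret, error) {
	vs := s.versions[name]
	if len(vs) == 0 {
		return nil, errors.New("unknown secret " + name)
	}
	sec := vs[len(vs)-1]
	switch {
	case sec.Revoked:
		return nil, fmt.Errorf("%s v%d is revoked", name, sec.Version)
	case !s.now().Before(sec.ExpiresAt):
		return nil, fmt.Errorf("%s v%d expired at %s", name, sec.Version, sec.ExpiresAt.Format(time.RFC3339))
	}
	return sec, nil
}

// Revoke marks every version unusable, e.g. after a key shows up in a repository.
func (s *Store) Revoke(name string) error {
	if len(s.versions[name]) == 0 {
		return errors.New("unknown secret " + name)
	}
	for _, v := range s.versions[name] {
		v.Revoked = true
	}
	return nil
}

// Rotate issues a new version and revokes the older ones.
func (s *Store) Rotate(name string) (*Secret, error) {
	if err := s.Revoke(name); err != nil {
		return nil, err
	}
	return s.Create(name)
}

// DueForRotation lists secrets whose current version expires within window,
// the input to a scheduled rotation job.
func (s *Store) DueForRotation(window time.Duration) []string {
	var due []string
	deadline := s.now().Add(window)
	for name, vs := range s.versions {
		if cur := vs[len(vs)-1]; !cur.Revoked && cur.ExpiresAt.Before(deadline) {
			due = append(due, name)
		}
	}
	sort.Strings(due)
	return due
}

func main() {
	s := NewStore(time.Now, 24*time.Hour)
	v1, _ := s.Create("db-password")
	v2, _ := s.Rotate("db-password")
	fmt.Printf("v%d -> v%d, due within 48h: %v\n", v1.Version, v2.Version, s.DueForRotation(48*time.Hour))
}
```

The important design point is that expiry and revocation are enforced at read time in Current, not left to the caller's memory: a service that fetches its credential through the store cannot keep using a version that has been rotated out, and a scheduled job can drive rotation from DueForRotation rather than from a calendar reminder.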
There are various tools available for secret management that can assist organizations in establishing controls around the creation, expiration, revocation, or rotation of secrets. Dedicated cloud environments such as AWS Secrets Manager, Google Cloud Secrets Manager, and Azure Key Vault offer the ability to manage secrets within their respective platforms. HashiCorp Vault is another tool that enables organizations to securely create, store, and distribute secrets across their multi-cloud environments. For containerized environments, popular options include the External Secrets Operator and Secrets Store CSI Driver, which can integrate with cloud-based secret management systems. Through these tools, organizations can centralize secrets management for all their services, resources, and application-level accounts that operate within the data plane.
Up to this point, we have reviewed the most effective methods for safeguarding critical application elements responsible for the storage and transmission of confidential data in the data plane. Moving forward, we will explore how to utilize the management plane to establish comprehensive authorization and access controls on a global scale.
Implement the principle of least privilege to regulate data access
As stated earlier, the management plane simplifies the process of configuring individual resources by offering controls at a global level. This feature also streamlines the task of restricting access to an application's data and the resources that interact with it, guaranteeing that only authorized users and services are permitted to access confidential information such as secrets.
To start, organisations should establish tiers of access that adhere to the principle of least privilege. This approach grants users or services access solely to the data or resources required to carry out specific duties. To further reinforce this approach, organisations can implement just-in-time access to guarantee that users are only authorised to utilize specific permissions or resources for a limited period. Temporary access can be employed for high-risk permission sets and resources, such as elevated privileges that enable users to modify configurations for a sensitive data repository.
To implement these principles for cloud applications, organisations can follow these steps:
By default, create accounts with the minimum level of privileges and add more only when necessary.
Follow the separation of duties principle by dividing permissions by operation, role, and group.
Restrict the number of accounts with elevated privileges to minimize the risk of unauthorised access.
Conduct regular audits to verify that accounts are assigned the appropriate level of privileges.
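The steps above come down to a deny-by-default authorization check, role-scoped permissions, time-boxed elevated access, and an audit that compares what is granted with what is actually used. The Go program below is an added example written for this post, not code from the original article or from any cloud provider's IAM; the roles, accounts, action names and the "used" map (standing in for what an audit log would show) are all constructed for illustration.

```go
package main

import (
	"fmt"
	"sort"
	"time"
)

// Permission is an action on a resource; "*" matches any resource.
type Permission struct{ Action, Resource string }

// Role groups permissions by operation so duties stay separated; Elevated marks
// roles that can alter configuration of sensitive data stores.
type Role struct {
	Name     string
	Perms    []Permission
	Elevated bool
}

// Grant binds a role to an account. A zero Expires means standing access;
// a set Expires is just-in-time access that lapses on its own.
type Grant struct {
	Role    *Role
	Expires time.Time
}

type Account struct {
	Name   string
	Grants []Grant
}

func (g Grant) active(now time.Time) bool {
	return g.Expires.IsZero() || now.Before(g.Expires)
}

// Authorize is deny-by-default: only an active grant with a matching
// permission allows the request.
func Authorize(acct Account, action, resource string, now time.Time) bool {
	for _, g := range acct.Grants {
		if !g.active(now) {
			continue
		}
		for _, p := range g.Role.Perms {
			if p.Action == action && (p.Resource == "*" || p.Resource == resource) {
				return true
			}
		}
	}
	return false
}

// GrantJIT adds a time-boxed grant and returns when it lapses.
func GrantJIT(acct *Account, role *Role, now time.Time, ttl time.Duration) time.Time {
	exp := now.Add(ttl)
	acct.Grants = append(acct.Grants, Grant{Role: role, Expires: exp})
	return exp
}

// AuditElevated returns accounts with standing (non-expiring) elevated roles,
// the first thing a periodic access review should question.
func AuditElevated(accts []Account) []string {
	var out []string
	for _, a := range accts {
		for _, g := range a.Grants {
			if g.Role.Elevated && g.Expires.IsZero() {
				out = append(out, a.Name)
				break
			}
		}
	}
	sort.Strings(out)
	return out
}

// AuditUnused returns "account:action" pairs that are granted but absent from
// the observed activity (used[account][action]); candidates for removal.
func AuditUnused(accts []Account, used map[string]map[string]bool, now time.Time) []string {
	var out []string
	for _, a := range accts {
		for _, g := range a.Grants {
			if !g.active(now) {
				continue
			}
			for _, p := range g.Role.Perms {
				if !used[a.Name][p.Action] {
					out = append(out, a.Name+":"+p.Action)
				}
			}
		}
	}
	sort.Strings(out)
	return out
}

func main() {
	// Constructed roles and accounts for illustration.
	reader := &Role{Name: "reader", Perms: []Permission{{"GetObject", "customer-records"}}}
	admin := &Role{Name: "admin", Perms: []Permission{{"PutBucketPolicy", "*"}}, Elevated: true}
	alice := Account{Name: "alice", Grants: []Grant{{Role: reader}}}
	now := time.Now()
	fmt.Println("alice GetObject:", Authorize(alice, "GetObject", "customer-records", now))
	fmt.Println("alice PutBucketPolicy:", Authorize(alice, "PutBucketPolicy", "customer-records", now))
	exp := GrantJIT(&alice, admin, now, time.Hour)
	fmt.Println("alice PutBucketPolicy (JIT):", Authorize(alice, "PutBucketPolicy", "customer-records", now), "until", exp.Format(time.Kitchen))
}
```

Two details carry the security weight: Authorize never has an "allow" fallthrough, so a permission that was never granted cannot be exercised by accident, and the just-in-time grant expires by itself, so an elevated role held for a maintenance window does not become standing access that the next audit has to discover.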
Implementing these steps ensures that no user or service account has access to more permissions than required. This practice makes it more challenging for malicious actors to exploit excessively permissive accounts. In addition, controlling data access with multi-layered permissions enhances visibility into who is accessing the data, which will be discussed next.
Activate audit logs for tracking data-related activities
Data encryption, secrets managers, and access controls are all essential elements of data security, but they do not always provide sufficient protection against data leaks or exposure of sensitive information. Monitoring an application's data activity, such as any resource, service, or user that accesses sensitive data, is also critical. To monitor data-related events, organizations can utilize logging, which is considered vital in reducing an application's vulnerability to security threats.
One of the key functions of the management plane is to furnish organizations with centralized user interfaces and CLIs that facilitate not only the control of data access but also the monitoring of data activity. Organizations can utilize their management plane tools, such as AWS Management Console, Azure Portal, and Google Cloud Console, to activate logging for the critical sources that interact with their data. In this section, we will concentrate on audit logs.
Audit logs offer organizations insight into who accessed their data, how it was accessed, and when it was accessed. These inquiries are essential for detecting suspicious activity within their cloud environment and identifying leaks. Each cloud provider offers various forms of audit logs for monitoring activity, as illustrated in the table below:
| Cloud Provider | Type of Audit Logs |
| --- | --- |
| AWS | Management events, data events, Insight events |
| Azure | Azure Active Directory reports, activity logs, resource logs |
| GCP | Admin activity, system event, data access |
Irrespective of their origin, there are certain crucial logs that organizations can monitor to identify suspicious activity or potential data leaks. For instance, monitoring activities such as failed login attempts can help detect malicious actors who are attempting to compromise a service or user account to gain further access to cloud resources. This activity may appear as a series of unsuccessful login attempts followed by a successful attempt, indicating that the actor has successfully gained access.
Audit logs offer critical insight into the data activity of a cloud application, but organizations can bolster their monitoring and security capabilities by forwarding logs to a dedicated monitoring solution like Datadog.
Improve insight into data activities using SIEM tools such as Datadog

Datadog complements an organization's existing data monitoring and security strategy by collecting audit logs from various cloud providers and automatically removing sensitive data from them using tools like Datadog Sensitive Data Scanner. These capabilities provide organizations with a centralized location to track and analyze data activity, as well as create an additional layer of security for the data flowing in their cloud environments. By leveraging Datadog, organizations can gain enhanced visibility into their cloud application's data activity, detect and respond to security threats quickly, and ensure compliance with industry standards and regulations.
Datadog Cloud SIEM goes beyond visibility and offers automated monitoring of incoming logs, generating security signals for identified threats. It comes equipped with out-of-the-box rules for detecting common threats to application data, such as the following events:
A user received multiple AccessDenied errors
Anomalous amount of access denied events for AWS EC2 Instance
Compromised AWS IAM User Access Key
Encrypted administrator password retrieved for Windows EC2 instance
Access denied for GCP Service Account
In the following signal example, Datadog found a compromised AWS IAM User Access Key by analyzing data within Amazon CloudTrail audit logs with a built-in algorithm that detects impossible travel:

The occurrence described here involved the use of a particular key within a brief timeframe, but across two geographically distant locations that could not have been traveled to within that duration. This pattern of activity strongly suggests that an unauthorised actor had gained access to a cloud account and was exploiting it to infiltrate other parts of the system.
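Both patterns described in this section, a burst of failed logins followed by a success (above, under audit logs) and a single key used from two places too far apart for the elapsed time (the impossible-travel signal just described), can be expressed as small rules over the audit events. The Go program below is an added example written for this post; it is not Datadog's detection logic, nor code from the original article or from Atsky. The record layout is an assumption loosely modelled on CloudTrail fields, the latitude/longitude values are assumed to come from a geo-IP enrichment step, and the sample log itself is constructed (documentation IP ranges, fake principals).

```go
package main

import (
	"encoding/json"
	"fmt"
	"math"
	"sort"
	"strings"
	"time"
)

// Event is the subset of an audit record the rules need. Field names are an
// assumption loosely modelled on CloudTrail; lat/lon are assumed to have been
// added by a geo-IP enrichment step.
type Event struct {
	Time      time.Time `json:"eventTime"`
	Name      string    `json:"eventName"`
	Principal string    `json:"principal"`
	SourceIP  string    `json:"sourceIPAddress"`
	Error     string    `json:"errorMessage"`
	Lat       float64   `json:"lat"`
	Lon       float64   `json:"lon"`
}

// sampleLog is a constructed JSON-lines audit log (documentation IP ranges, fake principals).
const sampleLog = `
{"eventTime":"2024-03-01T10:00:00Z","eventName":"ConsoleLogin","principal":"alice","sourceIPAddress":"203.0.113.10","errorMessage":"Failed authentication","lat":51.5,"lon":-0.12}
{"eventTime":"2024-03-01T10:00:15Z","eventName":"ConsoleLogin","principal":"alice","sourceIPAddress":"203.0.113.10","errorMessage":"Failed authentication","lat":51.5,"lon":-0.12}
{"eventTime":"2024-03-01T10:00:30Z","eventName":"ConsoleLogin","principal":"alice","sourceIPAddress":"203.0.113.10","errorMessage":"Failed authentication","lat":51.5,"lon":-0.12}
{"eventTime":"2024-03-01T10:00:45Z","eventName":"ConsoleLogin","principal":"alice","sourceIPAddress":"203.0.113.10","lat":51.5,"lon":-0.12}
{"eventTime":"2024-03-01T10:02:00Z","eventName":"ConsoleLogin","principal":"bob","sourceIPAddress":"203.0.113.20","errorMessage":"Failed authentication","lat":51.5,"lon":-0.12}
{"eventTime":"2024-03-01T10:02:30Z","eventName":"ConsoleLogin","principal":"bob","sourceIPAddress":"203.0.113.20","lat":51.5,"lon":-0.12}
{"eventTime":"2024-03-01T10:05:00Z","eventName":"ListBuckets","principal":"AKIA-EXAMPLE-KEY","sourceIPAddress":"198.51.100.5","lat":40.7128,"lon":-74.0060}
{"eventTime":"2024-03-01T10:35:00Z","eventName":"GetObject","principal":"AKIA-EXAMPLE-KEY","sourceIPAddress":"192.0.2.77","lat":48.8566,"lon":2.3522}
`

// ParseEvents reads JSON lines and returns the events in time order.
func ParseEvents(raw string) ([]Event, error) {
	var out []Event
	for _, line := range strings.Split(strings.TrimSpace(raw), "\n") {
		var e Event
		if err := json.Unmarshal([]byte(line), &e); err != nil {
			return nil, err
		}
		out = append(out, e)
	}
	sort.Slice(out, func(i, j int) bool { return out[i].Time.Before(out[j].Time) })
	return out, nil
}

// FailedThenSuccess flags a principal with at least threshold failed console
// logins inside window followed by a successful one.
func FailedThenSuccess(events []Event, threshold int, window time.Duration) []string {
	var findings []string
	failures := map[string][]time.Time{}
	for _, e := range events {
		if e.Name != "ConsoleLogin" {
			continue
		}
		if e.Error != "" {
			failures[e.Principal] = append(failures[e.Principal], e.Time)
			continue
		}
		recent := 0
		for _, t := range failures[e.Principal] {
			if e.Time.Sub(t) <= window {
				recent++
			}
		}
		if recent >= threshold {
			findings = append(findings, fmt.Sprintf("%s: %d failed logins then success from %s", e.Principal, recent, e.SourceIP))
		}
		delete(failures, e.Principal)
	}
	return findings
}

// haversineKm is the great-circle distance between two coordinates.
func haversineKm(lat1, lon1, lat2, lon2 float64) float64 {
	rad := math.Pi / 180
	dLat, dLon := (lat2-lat1)*rad, (lon2-lon1)*rad
	a := math.Sin(dLat/2)*math.Sin(dLat/2) + math.Cos(lat1*rad)*math.Cos(lat2*rad)*math.Sin(dLon/2)*math.Sin(dLon/2)
	return 2 * 6371 * math.Asin(math.Sqrt(a))
}

// ImpossibleTravel flags a principal whose consecutive events from different
// addresses imply a speed above maxKmh; minKm filters out geo-IP jitter.
func ImpossibleTravel(events []Event, maxKmh, minKm float64) []string {
	var findings []string
	last := map[string]Event{}
	for _, e := range events {
		if prev, ok := last[e.Principal]; ok && prev.SourceIP != e.SourceIP {
			km := haversineKm(prev.Lat, prev.Lon, e.Lat, e.Lon)
			hours := e.Time.Sub(prev.Time).Hours()
			if km >= minKm && (hours <= 0 || km/hours > maxKmh) {
				findings = append(findings, fmt.Sprintf("%s: %.0f km in %.2f h (%s -> %s)", e.Principal, km, hours, prev.SourceIP, e.SourceIP))
			}
		}
		last[e.Principal] = e
	}
	return findings
}

func main() {
	events, err := ParseEvents(sampleLog)
	if err != nil {
		panic(err)
	}
	fmt.Println(FailedThenSuccess(events, 3, 5*time.Minute))
	fmt.Println(ImpossibleTravel(events, 1000, 100))
}
```

On the constructed log, the first rule fires for alice (three failures within a minute, then a success) and stays quiet for bob, whose single failure is ordinary typing error noise; the second fires for the access key, which appears in New York and then in Paris thirty minutes later. The thresholds (3 failures in 5 minutes, 1000 km/h, 100 km minimum distance) are tuning parameters, and a SIEM rule would expose them rather than hard-code them.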
Efficient strategies for securing data in cloud-native applications
In summary, this post covered the best practices for securing the data and management planes for cloud applications. These include encrypting data at rest and in transit, deploying secrets managers, and creating global access and authorisation controls for resources. Organisations can enhance their monitoring and security capabilities by leveraging audit logs, and using solutions like Datadog's cloud SIEM to automatically monitor incoming logs and generate security signals for identified threats. With these best practices in place, organizations can build an effective data security strategy to protect their cloud applications.
To delve deeper into these strategies and discover how they can be specifically tailored to your cloud-native applications, we invite you to explore our services. Atsky provides comprehensive consulting and professional services, designed to fortify your data security practices. We look forward to guiding you on this crucial journey towards robust data security.