A simplified way to prioritize and resolve security vulnerabilities
Clairvoyant understands the importance and value of the security at every stage of the project execution. It is at the heart of our operational model to provide highly secure solutions to our customers. We explore security concepts in-depth and employ security measures at each step of our project.
We have been managing multiple enterprise data infrastructures and enabling companies’ data security policies by leveraging AWS to ensure no intrusions. This blog aims to walk you through prioritizing security vulnerabilities and resolving them with the help of AWS.
With the growth of businesses, organizations start migrating their applications and other assets to cloud infrastructure and services to leverage one or more of high availability, cost reduction, scalability, security, better resource organization, etc. As more and more application(s) assets migrated to the cloud, the need for securing these applications also grows.
It might be helpful to understand and differentiate the responsibilities of the customer and the cloud service provider as sometimes the boundary may blur. Usually, the cloud service provider’s responsibilities include securing the infrastructure itself, patching and upgrading host machines and physical networks. While, the customer’s responsibilities include - a) user and access rights management, b) safeguarding of cloud-managed accounts from unauthorized access, and c) encryption of important application data.
The following section discusses an approach to design secure systems, known as Threat modeling. It is the approach to identify risks in order to mitigate them in different ways.
In a typical web application architecture, multiple risks are involved with different resources — resources like web application, web server, backend database, etc. All of these risks are not of equal importance or intensity. So, it becomes critical to understand the effect of the risk. Based on this assessment only, organizations can prioritize their efforts in addressing such risks. SANS analyst Shaun McCullough provided a way to assess the vulnerabilities associated with web applications and web application firewalls. The process is called Threat Modeling. Threat modeling helps prioritizing the vulnerabilities and setting up security for identified resources.
Shaun suggested that any risk to the application can be addressed in one of four ways:
Mitigate— We mitigate the risk by reducing the probability of risk occurrence. The risk is still there but we take an action to mitigate the risk. Putting a firewall in front of the webserver can be an example of risk mitigation.
Eliminate— Eliminating the risk involves fundamentally changing the way the asset of the resource is used. This might need a change in the application architecture and it can be costly too.
Transfer— Migrating the application infrastructure from on-premise to cloud is an example of transferring the risk. Now, it shall be taken care of by the cloud service provider.
Accept— This can be the last option when an organization is unable to mitigate, eliminate or transfer the risk. The acceptance of a risk can be temporary or permanent. The risk might be assessed in a later stage if it is accepted temporarily.
Risk assessment models
Broadly, there are two categories of risk assessment models that exist:
Qualitative risk assessment— The risks are prioritized based on a pre-defined rating scale in these models. Each risk will be scored based on the probability of its occurrence.
Quantitative risk assessment — In these models, the risks are further given a quantitative rating to perform probabilistic analysis on top of the qualitative risk assessment.
In the following section, we will understand a quantitative risk assessment model, known as DREAD model.
DREAD Risk Assessment Model
The DREAD risk assessment model can be used to prioritize the vulnerabilities. DREAD risk assessment model helps teams identify the impact of the risk attack. The model also helps prepare a risk assessment matrix. The DREAD model works on the following risk-rating categories:
Each vulnerability is rated between 0 to 10 for each resource like application, web server or database, etc. The higher the rating, the higher the impact of the vulnerability is exploited. Once all the vulnerabilities are rated for the risk based on the DREAD model, the average risk rating (called DREAD average) is calculated for each resource. The resource with a higher risk rating shall be the first one to be addressed.
Following are some of the use cases from a web application security perspective:
Securing the application (or 3rd party application) credentials
Securing the application from SQL injection
Securing the application from identity spoofing
Securing the application from attacks like DDoS
AWS services help address these risks:
The Shield is an AWS solution to prevent DDoS attacks. AWS Shield is available in two variants — Standard and Advanced. The standard AWS shield is included with AWS services without any additional costs. To enable expanded protection against DDoS attacks, an organization can choose an advanced AWS shield.
WAF stands for Web Application Firewall. The AWS WAF enables organizations or teams to monitor the HTTP requests that are forwarded to various web application resources deployed on AWS services like CloudFront distribution, Amazon API Gateway REST API, load balancer, AppSync GraphQL API, etc. WAF also features configuration-based access management to resources deployed on AWS infrastructure. AWS WAF works based on the AWS Rules, Rules Groups, and Web ACLs.
AWS Firewall Manager
The AWS firewall manager enables the organizations or teams to perform management and administration tasks in a simplified manner. It can be configured to help protect the resources across multiple accounts of a particular type, resources based on a specific tag, apply access rules to members of specific user groups, etc.
By employing these AWS tools, we can transfer the responsibility of addressing the risks associated with the application resources to the AWS services.
For organizations and teams, it is advisable to have the risk assessment and prioritization model embedded within the development cycle itself once the teams become comfortable with the model. To learn about the best security practices for AWS S3 data, head to this blog.
Looking to cater your cloud based services requirements, reach out to us and experience the best business solutions.