For the application security team at Adobe, responsibilities have changed over the course of our transition to the cloud. The proliferation of technology stacks and infrastructure flavors across different business units and product teams makes for an interesting challenge. Some teams use a built-from-the-ground-up, internally hosted bespoke data center, while others prefer using an IaaS public cloud hosting approach. Still others have used a private cloud, or even a hybrid public/private cloud. As an app security team, we have distilled our approach down to three main areas of focus to deal with these disparate configurations.
1. First and foremost, ensuring good hygiene on machine images is key. Images used for server instances are constantly updated, and new instances are deployed with the latest patches. In the cloud, vulnerable instances can be terminated quickly and without any concern for downtime. We’ve adopted an efficient patching process for software that is required to deploy our applications. We developed an automated dependency tracking tool internally to notify relevant product owners of security vulnerabilities — whatever their choice of hosting services or software stacks might be.
2. Anomaly detection is the next focal point. Given the plethora of servers that can be spun up at any time, we rely on host intrusion detection agents deployed on every instance, whether it be in the cloud or in a data center, on Linux or Windows. These keep track of changes to server configurations and monitor the system for indicators of a breach. In order to filter incoming traffic, we look to web-application firewalls as a complement to our monitoring strategy.
3. The final key area is on the response side. Keying off our monitoring process, we look for rapid response, containment, and cleanup in the event of a security problem, with an eye toward maintaining the always-important uptime. Developing an incident response process might be slightly different depending on the product team’s approach, but the goals remain the same – and being prepared to spring into action at any given moment requires a robust and mature process.
The security problem is different now that platforms can scale in minutes, but its influence on the integrity of our software remains the same, and we believe focusing on three key fundamentals can simplify the sometimes daunting task of securing hosted services. We’ve made an effort to standardize our security practices across products and to use these as a benchmark for new acquisitions to align themselves with. Our goal is to develop a framework for security in the cloud that’s compliant with our customers’ needs. Some of the challenges we face are unique given the size of the company and the varied range of products we support. Cutting-edge tools in the industry will remain a part of our security model, given their ability to provide specialized solutions reliably. In the coming months, it will also be essential for us to continue to support knowledge-sharing opportunities within the company and in the industry.