The Doppler Quarterly Summer 2016 | Page 22

The application level. Since applications are authorized to read and write to a database, you need to focus on security there as well. This means setting up identity-based access to the application itself and monitoring activity to ensure that the user does not display hacker patterns, such as coming in from an unknown IP address, missed log-ins, and so on.
2. It’s all about identity.
Use identity and access management (IAM) technology to initiate, capture, record, and manage user identities and related access permissions. IAM ensures that access privileges are granted according to policy set by both the developers and security administrators. Moreover, IAM verifies that all individuals and services are properly authenticated, authorized, and audited.
Cloud application developers must understand IAM. Don’t just attach it to resources such as data and services, but build it right into your applications. IAM systems include APIs that you can use for such things as rechecking that the user is authorized to access the application, the platform, the services, and the data. Any of these can be de-authorized at any time, and so it’s never an all-or-nothing approach.
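One way to build that per-request re-check into application code, as an added example that is not from the original article. `InMemoryIAM`, `requires`, and the `orders-db` grants are hypothetical stand-ins for a real IAM service's authorization API and policy data.

```python
import functools

class InMemoryIAM:
    """Hypothetical stand-in for an IAM service's authorization API."""
    def __init__(self, grants):
        self._grants = set(grants)  # (principal, resource, action) tuples
        self.audit_log = []         # every decision is recorded

    def revoke(self, principal, resource, action):
        self._grants.discard((principal, resource, action))

    def is_authorized(self, principal, resource, action):
        allowed = (principal, resource, action) in self._grants
        self.audit_log.append((principal, resource, action, allowed))
        return allowed

def requires(iam, resource, action):
    """Re-check authorization with IAM on every call, not only at log-in."""
    def decorator(func):
        @functools.wraps(func)
        def wrapper(principal, *args, **kwargs):
            if not iam.is_authorized(principal, resource, action):
                raise PermissionError(f"{principal} may not {action} {resource}")
            return func(principal, *args, **kwargs)
        return wrapper
    return decorator

def demo():
    iam = InMemoryIAM({("alice", "orders-db", "read"),
                       ("alice", "orders-db", "write")})  # constructed grants

    @requires(iam, "orders-db", "read")
    def read_orders(principal):
        return ["order-1001"]  # constructed sample data

    @requires(iam, "orders-db", "write")
    def add_order(principal, order_id):
        return f"{order_id} stored"

    results = [read_orders("alice"), add_order("alice", "order-1002")]
    iam.revoke("alice", "orders-db", "write")  # de-authorized mid-session
    results.append(read_orders("alice"))       # read access is unaffected
    try:
        add_order("alice", "order-1003")
    except PermissionError as exc:
        results.append(str(exc))               # write is now refused
    return results, iam.audit_log
```

Because the decision is made per call and per permission, revoking write access takes effect on the next request without ending the session or touching read access, and the denied attempt still lands in the audit log.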
IAM systems should automate the initiation, capturing, recording, and management of user identities that use a centralized directory service. This central directory prevents credentials from ending up recorded haphazardly in files and sticky notes, which is the way humans respond to security systems that are too intrusive and complex. It’s your job as the developer to ensure that your cloud application is easy to use as well as secure.
3. Move from DevOps to DevSecOps.
The rise of DevOps, and the use of public clouds as the target platform for applications, creates a lot of additional exposure to security breaches, but it also presents opportunities to improve security. You need to focus more on DevSecOps, or development security operations, where security testing is built into the DevOps processes. DevSecOps means that when you do continuous testing, you include continuous security testing as well. You must constantly check applications for the proper use of IAM services, encryption, and other security processes that should