Cloud Infrastructure Complexities
Avoid a dependency and vulnerability nightmare
Anoop Jaishankar (AJ)
11/8/2023 · 3 min read
Traditionally, enterprise software was set up in the software provider’s on-prem infrastructure with a large rack of servers. In this environment, the software provider controlled the end-to-end software installation, management and maintenance. However, over the past couple of decades, cloud computing has evolved into a viable alternative, and legacy applications are being retrofitted to work in this new cloud model. This approach is fraught with pitfalls. In this short write-up, I provide my perspective, describe the complexities of this software stack, and explain why a new and innovative approach is needed to secure the application’s entire software lifecycle.
Cloud computing has been advancing at breakneck speed and has brought with it ease of application deployment and usage. Users can deploy pre-built applications from a cloud marketplace, or create bespoke applications and launch them with the necessary resources, in just a few clicks. Public cloud providers offer APIs/SDKs or cloud consoles for managing these deployments. To make things more complex, each cloud provider has its own way of setting up these environments. End users are largely unaware of all the libraries and open source code linked within this environment. As a result, insecure or malicious code is inadvertently making its way into products and services that are widely used.
The end-to-end application and infrastructure stack is built upon multiple software layers. These layers are interconnected through a large number of APIs or libraries that are statically or dynamically linked.
Interprocess communication uses IOCTL/pipe/socket/signal mechanisms, which makes it complex to validate the myriad interactions that occur between the connected entities. Privilege escalations have been used to gain access to critical system resources. Malicious actors have bypassed user/kernel protections or memory paging isolations.
A simple misconfiguration, a missed variable initialization, or a failure to perform sanity checks on memory isolation can wreak havoc on the entire system. Hence it is extremely important to scan the components listed in the SBOM (software bill of materials) and confirm that they are free of bugs or malicious code. Always use the latest patched version of libraries or open source components. This does not, however, protect users from zero-day vulnerabilities, which have their own specific challenges. There is a plethora of cybersecurity issues not covered in this blog (we will address them soon, in another post).
To summarize, a customer’s open source stack needs to be scanned and sanitized to be secure. We need to guarantee that the application has not been tampered with after compilation. The entire lifecycle of the application, right from the beginning of coding to configuring, deploying and running, needs a revisit in this modern cloud era. With the advent of AI/ML, the trusted compute base and the trusted actors need to be governed.
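As an added illustration of the two checks named above (scanning the SBOM and confirming the build has not been tampered with after compilation), and not code from the original post or from Pervaziv AI: the example reads a constructed CycloneDX-style SBOM, flags components older than a fixed-version list, and compares the artifact's SHA-256 with the digest recorded in the SBOM. The package names, versions, artifact bytes and the `FIXED_IN` feed are all assumptions made for the example.

```python
import hashlib
import hmac
import json

# Constructed CycloneDX-style SBOM; names, versions and artifact bytes are made up.
ARTIFACT = b"constructed release binary contents"
SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "metadata": {"component": {
        "name": "demo-app", "version": "1.0.0",
        "hashes": [{"alg": "SHA-256", "content": hashlib.sha256(ARTIFACT).hexdigest()}],
    }},
    "components": [
        {"name": "examplelib", "version": "2.3.1"},
        {"name": "sampleparser", "version": "1.10.0"},
        {"name": "unpinned-dep"},  # no version: cannot be checked at all
    ],
})

# Hypothetical advisory feed: first version of each package that contains the fix.
FIXED_IN = {"examplelib": "2.4.0", "sampleparser": "1.9.2"}

def vkey(version):
    """Numeric key for plain dotted versions, so '1.10.0' sorts above '1.9.2'."""
    return tuple(int(p) for p in version.split("."))

def scan_components(sbom_text, fixed_in):
    """Return (name, finding) for components that are unpatched or unverifiable."""
    findings = []
    for comp in json.loads(sbom_text).get("components", []):
        name, version = comp.get("name"), comp.get("version")
        if not version:
            findings.append((name, "no version recorded"))
        elif name in fixed_in and vkey(version) < vkey(fixed_in[name]):
            findings.append((name, f"{version} < fixed {fixed_in[name]}"))
    return findings

def artifact_untampered(sbom_text, artifact_bytes):
    """True only if the artifact's SHA-256 matches a digest recorded at build time."""
    meta = json.loads(sbom_text).get("metadata", {}).get("component", {})
    recorded = [h["content"] for h in meta.get("hashes", []) if h.get("alg") == "SHA-256"]
    actual = hashlib.sha256(artifact_bytes).hexdigest()
    # Fails closed: an SBOM with no recorded digest never verifies.
    return any(hmac.compare_digest(actual, r.lower()) for r in recorded)
```

The digest comparison only proves integrity if the SBOM itself is signed or stored where the artifact's publisher path cannot rewrite it; otherwise both can be altered together.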
At Pervaziv AI, we are building upon these principles to thwart many of the issues mentioned above. In addition, we are enhancing these capabilities with custom AI/ML training models. With these added benefits, we would like to secure the entire lifecycle of the application in a cloud-native infrastructure. Follow the company page or the author on LinkedIn or check back on this website to learn more!
One webcomic I have come across, from XKCD, shows how delicately balanced this environment is and why the utmost care is needed to keep it secure.
Source: https://xkcd.com/2347/. (No offense meant to anyone from Nebraska :))