During the past few years, I’ve helped many Apprenda customers design and deliver a Platform as a Service (PaaS) solution unique to each of their data center workflows, policies, and configurations. But our requirements to enable security and compliance always seem to be on the rise. While Apprenda integrates with many data center resources, our client services team also has the obligation to make sure developers consume those resources and services securely.
Fortunately, Apprenda gives us the tools for wrapping security around guest applications by acting as a “Hub” for workload management and policy enablement. Apprenda was designed to stitch together OS instances, infrastructure, and other data-center components into a single “data center OS.” A positive consequence of collapsing the data center to a single layer via Apprenda is that there is now a central place to control security upstream and downstream from the PaaS.
There are a number of real-world, security-enabling use cases I’d like to share that could help any enterprise secure its applications through Apprenda without hampering innovation.
Even before a developer is authorized to deploy their application to production environments, they often have to run their application through a static and/or dynamic code analyzer such as Black Duck, Veracode, or HP Fortify to identify known vulnerabilities or possible attack vectors.
Apprenda has the necessary extension “hook points” to call a vulnerability scanning service during the normal deployment workflow and either receive authorization or deny the deployment before any binaries are executed on an app server. As an additional preventative measure, application bootstrap policies (BSPs) on Apprenda let enterprise security control any portion of the application payload, ensuring at deployment time that developers are always using libraries that are up to date and free of known vulnerabilities. Not only does this provide a more hardened production environment, but it also helps developers eliminate “deployment blockers” more readily, because they no longer have to wait for anyone other than themselves to get a compliant app up and running on the PaaS.
One item enterprises are still trying to figure out is how to let developers Bring Your Own Authentication (BYOA). If you want developers to be able to add enterprise Single Sign-On mechanisms such as CA SSO (formerly SiteMinder) to their apps, but also want to control how and when they use SSO services, the CA SSO web agent for the Apache Tomcat Servlet container is an excellent choice. When the app is running in a Tomcat container, the agent can intercept HTTP requests and determine protection status, user authentication, and resource authorization.
But how do you control how developers use this service? Again, that’s where BSPs come in. Security architects and enterprise IT define BSPs through the Apprenda SOC, and those BSPs are exposed to developers when they’re ready to configure and deploy their apps. If a developer chooses CA SSO as the authentication and authorization mechanism to attach to their app, the BSP injects the CA SSO web agent into the Tomcat classloader at deploy time.
The same BSP workflow could be used for rotating application credentials, or even for granting an application certain permissions on the OS it runs on, in an authorized way. Both use cases can be supported by packaging the CyberArk Application Identity Manager agent into the application at deploy time through a BSP.
Enterprises rarely, if ever, grant developers access to production OS instances, yet the app may need to run as a specific OS user based on enterprise policies. Rather than manually configuring each application and target server, a BSP that injects the CyberArk agent lets developers from across the enterprise deploy an application that runs as the authorized OS user. Security architects configure one agent once, and the security policy is instantly in effect for all apps.
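To make the bootstrap-policy idea from the two passages above concrete (the deploy-time library check and the deploy-time agent injection), here is an added example that is not Apprenda’s code and does not use its BSP API: a small deployment gate that inspects a constructed payload manifest, denies deployment when a library is below the approved minimum or on a known-vulnerable list, and otherwise records which agent to inject for the integration the developer selected. All library names, versions and agent file names are constructed placeholders.

```python
"""Deploy-time payload gate modelled on a bootstrap policy (hypothetical,
not Apprenda's BSP API). All policy values below are constructed."""
from dataclasses import dataclass, field

# Constructed policy: minimum approved version per library, plus versions
# enterprise security has flagged as vulnerable (placeholder values).
MIN_APPROVED = {"log-lib": "2.17.1", "json-lib": "1.4.0"}
KNOWN_VULNERABLE = {("log-lib", "2.14.1"), ("json-lib", "1.2.0")}
# Agents the policy may inject, keyed by the option the developer selected.
INJECTABLE_AGENTS = {"sso": "sso-web-agent.jar", "cred-mgr": "cred-agent.jar"}


def parse_version(v: str) -> tuple:
    """'2.17.1' -> (2, 17, 1); non-numeric components compare as 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in v.split("."))


@dataclass
class Decision:
    allowed: bool
    reasons: list = field(default_factory=list)   # why deployment was denied
    injected: list = field(default_factory=list)  # agents added to the payload


def evaluate_payload(libraries: dict, requested: list) -> Decision:
    """libraries: {name: version} taken from the app payload manifest.
    requested: integration options the developer chose at deploy time.
    Deny if any library is known-vulnerable or below its approved minimum,
    or if an unknown option is requested; otherwise list agents to inject."""
    d = Decision(allowed=True)
    for name, ver in libraries.items():
        if (name, ver) in KNOWN_VULNERABLE:
            d.reasons.append(f"{name} {ver} is a known-vulnerable version")
        elif name in MIN_APPROVED and parse_version(ver) < parse_version(MIN_APPROVED[name]):
            d.reasons.append(f"{name} {ver} is below approved minimum {MIN_APPROVED[name]}")
    for opt in requested:
        if opt not in INJECTABLE_AGENTS:
            d.reasons.append(f"unknown integration option {opt!r}")
    d.allowed = not d.reasons
    if d.allowed:
        d.injected = [INJECTABLE_AGENTS[o] for o in requested]
    return d


if __name__ == "__main__":
    # Constructed payload manifests: one denied, one allowed with SSO agent.
    print(evaluate_payload({"log-lib": "2.14.1", "json-lib": "1.4.0"}, ["sso"]))
    print(evaluate_payload({"log-lib": "2.17.1", "json-lib": "1.5.2"}, ["sso"]))
```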
Running applications on Apprenda opens up numerous use cases for automatically injecting functionality into them. As security restrictions and regulations become more prevalent in the enterprise each year, Apprenda can help you harden apps without limiting innovation.
Your PaaS should integrate and coordinate technology resources throughout the data center no matter the vendor, especially when it comes to security. Most enterprises invest in a variety of identity and access management (I&AM) solutions, and Apprenda has integrations with Microsoft, CA, Ping, and others running in our customers’ data centers. By integrating with so much technology, Apprenda effectively centralizes and catalogs the usage of off-platform investments across the enterprise app portfolio. When it comes to managing security products and workflows, Apprenda can be the central place to control application security upstream and downstream from the PaaS.