Best Practices to Implement Cloud Application and API Security

August 2, 2021

Modern cloud-native applications are more assembled than developed using a combination of VMs, containers and PaaS services, including serverless PaaS. These cloud-based applications and the delivery of their capabilities need protection from attacks.

8 Cloud Application and API Security Best Practices

1. Proactively Scan Code for Vulnerabilities in Development

Enterprise-developed applications (including serverless PaaS) need to be scanned for known and unknown vulnerabilities. The most common mistake in cloud-native applications is the use of known vulnerable OSS components and frameworks, which make up about 80% of the code in cloud-native applications. In addition, all exposed APIs should be scanned as well.

2. Expand Your Definition of Scanning for Application Risk Beyond Just Vulnerable Software

Cloud risk comes in many forms, not just misconfiguration and missing patches, but also things like embedded secrets (API keys, hard-coded passwords, encryption keys and so on). These are placed in cloud scripts, templates and in the developer’s source code. Also, ensure correct configuration of PaaS services in terms of permissions and network connectivity. All of these risks should be scanned proactively and reactively.
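A minimal embedded-secret scanner of the kind this practice calls for, added here as an illustration rather than code from the original post or any vendor tool. It runs over constructed sample files (a deployment script, an IaC template, a source file, a config file and a doc page); the file names and credential values are made up, and the Shannon-entropy threshold of 3.0 bits per character is an assumed tuning value used to drop placeholders such as "changeme".

```python
import math
import re
from collections import Counter

# Constructed sample inputs; the credential values are made up
# (the AWS key is the AWS documentation example key).
SAMPLES = {
    "deploy.sh": 'export AWS_ACCESS_KEY_ID="AKIAIOSFODNN7EXAMPLE"\n',
    "stack.yaml": "DbPassword: 'Hunter2-Prod-Secret!'\nRegion: us-east-1\n",
    "config.py": 'API_TOKEN = "tK9vQ2xR7pL4mW8nZ1cY6bH3jF5dG0sA"\n',
    "settings.ini": 'password = "changeme"\n',
    "README.md": "Set the password in the environment, not in code.\n",
}

# Well-known credential formats plus assignment-style secrets.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC )?PRIVATE KEY-----"),
    "secret_assignment": re.compile(
        r"(?i)(?:password|passwd|secret|token|api[_-]?key)\w*\s*[:=]\s*"
        r"['\"](?P<value>[^'\"]{8,})['\"]"
    ),
}

def shannon_entropy(s: str) -> float:
    """Bits per character: random-looking values score high, words score low."""
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())

def scan_text(name: str, text: str, min_entropy: float = 3.0) -> list:
    """Return (file, line_no, rule) findings for one file's contents."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for rule, pattern in PATTERNS.items():
            m = pattern.search(line)
            if m is None:
                continue
            # Assignment matches are reported only when the value looks
            # random, which drops placeholders such as password = "changeme".
            if rule == "secret_assignment" and shannon_entropy(m["value"]) < min_entropy:
                continue
            findings.append((name, line_no, rule))
    return findings

def scan_files(files: dict) -> list:
    findings = []
    for name, text in files.items():
        findings.extend(scan_text(name, text))
    return findings
```

In a pipeline this would run as a pre-commit or CI step over the repository and the IaC templates, failing the build on any finding.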

3. Architect for Resiliency Using Cloud-native Capabilities

Simply taking an on-premises application and running it in the cloud doesn’t make it scalable or more resilient. Design applications that can scale out using cloud-native load balancers and built-in auto scaling capabilities. Resilience across availability zones should be architected into the application.

4. Use a Cloud-native Web Application Firewall (WAF), But Expect to Use a Third-party Offering

This is an area where the built-in capabilities of the cloud providers have lagged their commercial counterparts. Third-party providers or third-party rulesets may be needed to manage the policies of the built-in IaaS/PaaS provider’s WAF service. Alternatively, WAF services may be automatically inserted as part of a dynamic SASE connection. Within cloud-native applications, WAF filtering of lateral (referred to as east/west) traffic will require some form of embedded WAF or micro-WAF capability. For denial of service protection, using what the cloud provider offers built-in is sufficient.

5. Beyond WAF, Embrace Web Application and API Protection

WAF protection alone is not enough for protecting modern cloud-native applications. WAFs were designed to protect the user interface, but the UI doesn’t reflect the majority of exposed functionality in a modern cloud-native application. Specifically, cloud-native applications should also have API and anti-automation (bot) protection. This is an expanded set of capabilities we refer to as web application and API protection.

6. Use an API Gateway or Event Bus as a Control Point

Access to serverless functions should be enabled only through an API gateway or event broker. The cloud provider’s own API gateway may be used, or a third-party API gateway. Even if the serverless code is only used internally, the API gateway/event broker acts as a critical security visibility and control point.

7. Converge Operational and Security Monitoring

At the application layer, there is no need to have two separate tools (one for security, one for operations) performing detailed monitoring of the service. At a minimum, the data will be shared across teams, but ideally application performance monitoring and security monitoring will merge into a single application monitoring discipline supporting one DevSecOps team. This will become increasingly important as more managed container and serverless code is used and information security won’t have an OS to instrument.

8. Don’t Treat PaaS Security as a Fundamentally Different Problem

PaaS security is not a separate problem or market. It is an emergent discipline that uses the combination of the capabilities described thus far in this research. PaaS security discipline is rooted in strong identity and access management principles, proper infrastructure configuration and hardening, continuous cloud security posture assessment, pervasive monitoring and application-layer scanning and security.


Conclusion

Modern application architecture trends — including mobile access, microservice design patterns and hybrid on-premises/cloud usage — complicate API security since there is rarely a single “gateway” point at which protection can be enforced. Use a distributed enforcement model to protect APIs across your entire architecture, not just at the perimeter.

Gartner recommends engaging certified cloud partners early in your cloud planning process, so that gaps are identified and closed early, before they turn into an incident.
