"On Wednesday, October 18, 2023, we discovered attacks on our system that we were able to trace back to Okta – threat actors were able to leverage an authentication token compromised at Okta to pivot into Cloudflare’s Okta instance." - Cloudflare
Here’s what Okta said in a public statement about this incident.
This is the second time Cloudflare had been impacted by a breach of Okta’s systems. Earlier in March 2022, a breach of Okta affected Cloudflare.(https://blog.cloudflare.com/cloudflare-investigation-of-the-january-2022-okta-compromise/)
In today's digital landscape, the internet has become an integral part of conducting business. While it offers unprecedented opportunities, it also brings a host of security threats and vulnerabilities.
Security breaches, attacks like Distributed Denial of Service (DDoS), and other malicious activities are inevitable when your application or service endpoints are exposed to the public internet.
The key to preserving business continuity in the face of these threats lies in fortifying your security entry-point.
Allocating a Separate Pipeline for Attack Rejection
To effectively protect your business against DDoS attacks and other security threats, you need a robust security infrastructure that can allocate a separate pipeline with sufficient bandwidth dedicated to rejecting these attacks.
By doing so, you ensure that your primary pipeline remains uninterrupted, safeguarding your critical services and customer experience.
Securing the First Point of Contact
The first point of contact for all incoming requests is where your security measures should be most concentrated. This entry-point must be a single trusted point that is exposed to the public internet and fortified with various security features, including:
a. IP Segregation: Restrict access based on IP addresses to reduce the attack surface and prevent unauthorised access.
b. DNS-Based Backend Mapping: Implement DNS-based routing to direct incoming requests to the appropriate backend resources, enhancing the efficiency and security of your system.
c. Web Application Firewall (WAF): Deploy a WAF solution that enforces the Open Web Application Security Project (OWASP) policies. This protects your applications against common web vulnerabilities and attacks.
d. DDoS Protection: Utilise DDoS protection mechanisms to detect and mitigate malicious traffic before it can disrupt your services.
Leveraging Security Services
You don't have to build this robust infrastructure from scratch. Cloud service providers like Cloudflare and Akamai offer comprehensive solutions that include security features designed to protect your entry-point.
Additionally, they provide Content Delivery Network (CDN) services, which make your application endpoint more flexible and scalable by distributing traffic and static assets to various locations.
Certificate Management
Secure communication is essential in today's internet landscape. To ensure the privacy and integrity of data exchanged between your application and its users, configure a robust certificate management system. This system should handle SSL certificate generation, renewal, and offloading, ensuring that your security certificates are always up to date and valid.
Mutual TLS for Zero Trust Security
In an era where third-party integrations are common, establishing a zero-trust security policy is crucial. Implementing Mutual Transport Layer Security (TLS) allows your application to verify the identity of any third-party application endpoint before establishing a connection. This approach adds an extra layer of security, ensuring that only trusted and authenticated entities can access your services.
Enabling Cloud Endpoint Security:
👉 In conclusion, securing your cloud security endpoint/entrypoint is essential to protect your business from the ever-present threat of cyberattacks.
👉 By allocating a separate pipeline, securing the first point of contact with IP segregation, DNS-based routing, a WAF, and DDoS protection, and utilising cloud security services, you can fortify your defences.
👉 Additionally, certificate management and Mutual TLS add crucial layers of security, ensuring your business remains resilient in the face of security challenges.
👉 It's a proactive approach to safeguarding your digital assets and customer trust in an increasingly connected world.
If you like this article, I am sure you will find 10-Factor Infrastructure even more useful. It compiles all these tried and tested methodologies, design patterns & best practices into a complete framework for building secure, scalable and resilient modern infrastructure.
Don’t let your best-selling product suffer due to an unstable, vulnerable & mutable infrastructure.
Thanks & Regards
Kamalika Majumder
Comments