Addressing cloud security concerns with a self-hosted strategy
The new year brought new security concerns for DevOps professionals with reports of a security incident at cloud CI provider CircleCI. The company asked users to rotate their secret keys and later confirmed the incident was the result of malware that targeted an employee laptop and used session cookie theft to access internal CircleCI systems.
The CircleCI breach is just the latest of several security incidents involving cloud providers in the past year. News of the incident sparked new debates over how companies can ensure their data – and more importantly, their users’ data – is safe with third-party tools.
CircleCI states that fewer than 5 customers have reported being impacted by unauthorized access, but it is unknown how many users may actually have been affected during the nearly three-week period before the incident was recognized and addressed.
While cloud-based platform and service providers can take steps to improve security, such as completing SOC-2 compliance reports and following industry best practices, some organizations may be looking for other options to take security measures into their own hands.
Bring your own cloud
There are many benefits to using cloud-based services. The cost, personnel, and time required to set up and maintain on-premise infrastructure can be daunting, and for teams that want to focus on their core competencies and scale quickly, leveraging cloud products and services can improve velocity and offload technical responsibility.
For some organizations, using self-hosted or “bring your own cloud” solutions can provide additional security and control over infrastructure while benefiting from increased convenience of third-party tools. Achieving a balance between cloud-based and self-hosted can be an option for teams that are concerned about security.
My cloud vs your cloud
Self-hosted or “bring your own cloud” solutions mean that your code and important data such as secret keys are not hosted on the third party’s cloud infrastructure. Instead, you host them yourself on your own private cloud account. While you are still hosting in the cloud, you retain control over credentials, configuration, and monitoring of everything that happens in your own environment.
You can also run self-hosted services on local or on-premise machines; however, it is increasingly popular to host third-party services in the cloud environments you are already using and paying for.
Some benefits of self-hosting include:
- Control over machine type and build stacks
- Reduced exposure to the internet, especially when using local or VPN-access-only machines
- Increased observability to identify and address security issues
Self-hosted live updates with Appflow
Appflow, Ionic’s mobile DevOps platform, takes security seriously. In addition to achieving SOC-2 Type I compliance, we recently rolled out the option for customers to self-host their own infrastructure for live updates.
Live Updates from Appflow let you push instant updates to mobile devices, bypassing the app store approval processes. This feature helps teams deploy updates to mobile devices quickly, so critical bugs and potential security issues are addressed as soon as possible.
However, some teams were limited by security protocols or other concerns that required self-hosted infrastructure. With Self-Hosted Live Updates, customers use their own infrastructure to host their codebase and complete builds, while leveraging Appflow’s service to deliver to end users. For additional peace of mind, Appflow also uses public/private key pairs to verify that the assets pulled down from customer infrastructure are unaltered before they are delivered to users.
Self-hosted solutions like Live Updates from Appflow give teams flexibility to pick and choose which key portions of functionality and tooling need to be self-hosted without losing the features that help them to develop and deploy quickly.
Security best practices
Regardless of whether you opt for a cloud, self-hosted, or fully on-premise solution, there are safeguards you can take to improve your security processes.
- Practice secret key hygiene by rotating keys on a regular basis
- Complete a SOC-2 audit to review your organization’s security practices and systems, and review your critical third-party service providers for SOC-2 compliance
- Safeguard authentication, access, and credentials by using high-quality authentication tools and by limiting access to systems as appropriate
- Leverage monitoring to identify any potential incidents or issues
To learn more, check out some of our resources on security:
- Get Proactive About Data Security
- How to Address Mobile App Security Risks
- Top Attack Vectors for Mobile Threats
- What is DevSecOps?
You can get started with Self-Hosted Live Updates by contacting your Appflow Customer Success Manager or reaching out to our team.