Security is one of the most important aspects in cloud architecture design and implementation. Security concerns data privacy, an important aspect of platform compliance.

Is Confidential Computing the Future of Cloud Security? - IEEE Innovation  at Work

With regard to security, we mostly look at the following aspects:

Identity and Access Management

Authentication (Identity Management) and Authorization (Access Management) is a foundational design aspects. We need to consider issues such as identity store, integration, SSO, attributes at all layers such as application (business traffic), container platform (e.g. Kubernetes admin traffic), and cloud platform (e.g. cloud admin traffic).

Encryption and Certificate Management

All security standards mandates the encryption of data in transit and at rest. Data in transit are encrypted by standards at different network layers. Transport Layer Security (TLS) is the most important standard in this regard and it operates on X.509 certificates, which is managed by the Public Key Infrastructure (PKI) of the organization.


Most of the enterprise cloud deployment should target certain compliance programs as part of the security initiative. Common compliance frameworks and programs include:

  • DoD SRG (Department of Defense Cloud Computing Security Requirements Guide)
  • FedRAMP (Federal Risk and Authorization Management Program)
  • HIPPA (Health Insurance Portability and Accountability Act)
  • GDPR (General Data Protection Regulation)
  • PCI-DSS (Payment Card Industry Data Security Standard)
  • CIS (Center for Internet Security) Benchmarks

The main cloud service providers provides tools to help client assess the compliance status of their cloud deployment.

More on security

  • Public Key Infrastructure 3 of 3 – PKI Implementation - After the last two post, now we can focus on PKI implementation. The use case is software testing, where we need to create and recycle a lot of short-lived certificates. Typically, we don't have to create public certificates because testing workload is internal. Also, hosting a public CA is much…
  • Public Key Infrastructure 2 of 3 – Certificate Automation - Following the last post on PKI, we'll discuss automation of certificate issuance. Two key activities to automate are: validation of the requestor and issuance of the certificate. Validation Validation isn't always required. For private CAs, the trust boundary does not go beyond the internal engineering team, there is little incentive…
  • Public Key Infrastructure 1 of 3 – Basics - In 2021, I wrote an intro to Public Key Infrastructure (PKI). Now that I have to host my own certificate authority, I decide to dive a little deeper into PKI in this series of posts. In software testing scenario, we need to issue (and recycle) a lot of certificates, and…
  • Workload Identity on Kubernetes 2 of 2 โ€“ EKS - I discussed in my previous post on workload identity and dived into how it works in AKS (Azure Kubernetes Service). In this post I will continue the topic with AWS as the example. From the perspective of CSP, we consider any running process on the cloud resource as workload. Therefore,…
  • Workload Identity on Kubernetes 1 of 2 – AKS - As applications are moved to the cloud, the application workload hosted on virtual machines need to interact with cloud resources. For this, we need an IAM solution with two mechanisms: a (non-human) identity in the cloud service platform (CSP), to represent the application; a way to grant permission to this…

Contact Digi Hunch for Professional Services.