Security is one of the most important aspects in cloud architecture design and implementation. Security concerns data privacy, an important aspect of platform compliance.
With regard to security, we mostly look at the following aspects:
Identity and Access Management
Authentication (Identity Management) and Authorization (Access Management) is a foundational design aspects. We need to consider issues such as identity store, integration, SSO, attributes at all layers such as application (business traffic), container platform (e.g. Kubernetes admin traffic), and cloud platform (e.g. cloud admin traffic).
Encryption and Certificate Management
All security standards mandates the encryption of data in transit and at rest. Data in transit are encrypted by standards at different network layers. Transport Layer Security (TLS) is the most important standard in this regard and it operates on X.509 certificates, which is managed by the Public Key Infrastructure (PKI) of the organization.
Most of the enterprise cloud deployment should target certain compliance programs as part of the security initiative. Common compliance frameworks and programs include:
- DoD SRG (Department of Defense Cloud Computing Security Requirements Guide)
- FedRAMP (Federal Risk and Authorization Management Program)
- HIPPA (Health Insurance Portability and Accountability Act)
- GDPR (General Data Protection Regulation)
- PCI-DSS (Payment Card Industry Data Security Standard)
- CIS (Center for Internet Security) Benchmarks
The main cloud service providers provides tools to help client assess the compliance status of their cloud deployment.
More on security
- WordPress Security - Background In 2019, I moved this site to WordPress hosted on an Amazon Lightsail instance. There were few visits at that time so I lived with the single-server architecture. The website traffic has since been in steady growth but I have been too busy to catch up with the WordPress… ... Read moreWordPress Security
- Creating X.509 TLS certificate in Kubernetes - In deployment automation, I often had to create self-signed X.509 certificate for testing TLS traffic into Kubernetes. Sometimes self-signed, sometimes signed by a CA. This post summarized the approaches I've taken. Create self-signed certificate with OpenSSL Traditionally, this is done in three OpenSSL commands: openssl req -x509 -sha256 -newkey rsa:4096… ... Read moreCreating X.509 TLS certificate in Kubernetes
- Secure web application deployment - In Nov 2020, I created OrthWeb project, a deployment of Orthanc's server. Orthanc is a DICOM viewer and repo shipped in Docker container. In the deployment project, I use Terraform to provision infrastructure, including a managed PostgreSQL instance, an EC2 instance for docker runtime, and the init script to bring… ... Read moreSecure web application deployment
- Public Key Infrastructure (PKI) - A public-key infrastructure (PKI) is a set of roles, policies, hardware, software and procedures needed to create, manage, distribute, use, store and revoke digital certificates and manage public-key encryption. The algorithms are based on Publick-key cryptography. The format of the digital certificate is defined in X.509 standard. Certificate Authority -… ... Read morePublic Key Infrastructure (PKI)
- NTLM and Kerberos protocols - This article explains how two most common authentication mechanisms (NTLM and Kerberos) work. Both authentication protocols are based on symmetric key cryptography. The protocols themselves are platform independent. NTLM Authentication NTLM is the default authentication protocol prior to Windows 2000 and still prevalent today as backup to Kerberos. It is… ... Read moreNTLM and Kerberos protocols
Contact Digi Hunch for Professional Services.