Security is one of the most important aspects in cloud architecture design and implementation. Security concerns data privacy, an important aspect of platform compliance.
With regard to security, we mostly look at the following aspects:
Identity and Access Management
Authentication (Identity Management) and Authorization (Access Management) is a foundational design aspects. We need to consider issues such as identity store, integration, SSO, attributes at all layers such as application (business traffic), container platform (e.g. Kubernetes admin traffic), and cloud platform (e.g. cloud admin traffic).
Encryption and Certificate Management
All security standards mandates the encryption of data in transit and at rest. Data in transit are encrypted by standards at different network layers. Transport Layer Security (TLS) is the most important standard in this regard and it operates on X.509 certificates, which is managed by the Public Key Infrastructure (PKI) of the organization.
Compliance
Most of the enterprise cloud deployment should target certain compliance programs as part of the security initiative. Common compliance frameworks and programs include:
- DoD SRG (Department of Defense Cloud Computing Security Requirements Guide)
- FedRAMP (Federal Risk and Authorization Management Program)
- HIPPA (Health Insurance Portability and Accountability Act)
- GDPR (General Data Protection Regulation)
- PCI-DSS (Payment Card Industry Data Security Standard)
- CIS (Center for Internet Security) Benchmarks
The main cloud service providers provides tools to help client assess the compliance status of their cloud deployment.
More on security
- Public Key Infrastructure 2 of 3 – Certificate Automation - Following the last post on PKI, we'll discuss automation of certificate issuance. Two key activities to automate are: validation of the requestor and issuance of the certificate. Validation Validation isn't always required. For private CAs, the trust boundary does not go beyond the internal engineering team, there is little incentive… ... Read morePublic Key Infrastructure 2 of 3 – Certificate Automation
- Public Key Infrastructure 1 of 3 – Basics - In 2021, I wrote an intro to Public Key Infrastructure (PKI). Now that I have to host my own certificate authority, I decide to dive a little deeper into PKI in this series of posts. In software testing scenario, we need to issue (and recycle) a lot of certificates, and… ... Read morePublic Key Infrastructure 1 of 3 – Basics
- WordPress Security Basics - Background In 2019, I moved this site to WordPress hosted on an Amazon Lightsail instance. There were few visits at that time so I lived with the single-server architecture. The website traffic has since been in steady growth but I have been too busy to catch up with the WordPress… ... Read moreWordPress Security Basics
- Creating X.509 TLS certificate in Kubernetes - In deployment automation, I often had to create self-signed X.509 certificate for testing TLS traffic into Kubernetes. Sometimes self-signed, sometimes signed by a CA. This post summarized the approaches I've taken. Create self-signed certificate with OpenSSL Traditionally, this is done in three OpenSSL commands: openssl req -x509 -sha256 -newkey rsa:4096… ... Read moreCreating X.509 TLS certificate in Kubernetes
- Secure web application deployment - In Nov 2020, I created OrthWeb project, a deployment of Orthanc's server. Orthanc is a DICOM viewer and repo shipped in Docker container. In the deployment project, I use Terraform to provision infrastructure, including a managed PostgreSQL instance, an EC2 instance for docker runtime, and the init script to bring… ... Read moreSecure web application deployment
Contact Digi Hunch for Professional Services.