Security best practices should be applied throughout the implementation, not bolted on at the end. Security also underpins data privacy, which is an important aspect of platform compliance.
Common compliance frameworks for IT solutions include:
- DoD SRG (Department of Defense Cloud Computing Security Requirements Guide)
- FedRAMP (Federal Risk and Authorization Management Program)
- HIPAA (Health Insurance Portability and Accountability Act)
- GDPR (General Data Protection Regulation)
- PCI-DSS (Payment Card Industry Data Security Standard)
- ISO 9001 (a quality-management standard; the information-security counterpart auditors usually ask for is ISO/IEC 27001)
At the application layer, these frameworks revolve around delivering information only to the consumers entitled to it. This requires strong authentication and authorization mechanisms, collectively known as IAM (identity and access management). At the infrastructure layer, the security requirements focus on encrypting data in transit and at rest.
Read more about security:
- Creating X.509 TLS certificate in Kubernetes - In deployment automation, I often had to create X.509 certificates for testing TLS traffic into Kubernetes, sometimes self-signed, sometimes signed by a CA. This post summarizes the approaches I've taken. Create self-signed certificate with OpenSSL: traditionally, this is done in three OpenSSL commands: openssl req -x509 -sha256 -newkey rsa:4096…
- Secure web application deployment - In Nov 2020, I created the OrthWeb project, a deployment of Orthanc's server. Orthanc is a DICOM viewer and repository shipped in a Docker container. In the deployment project, I use Terraform to provision infrastructure, including a managed PostgreSQL instance, an EC2 instance for the Docker runtime, and the init script to bring…
- Public Key Infrastructure (PKI) - A public-key infrastructure (PKI) is a set of roles, policies, hardware, software and procedures needed to create, manage, distribute, use, store and revoke digital certificates and manage public-key encryption. The algorithms are based on public-key cryptography. The format of the digital certificate is defined in the X.509 standard. Certificate Authority -…
- NTLM and Kerberos protocols - This article explains how the two most common authentication mechanisms (NTLM and Kerberos) work. Both authentication protocols are based on symmetric-key cryptography. The protocols themselves are platform independent. NTLM Authentication: NTLM is the default authentication protocol prior to Windows 2000 and is still prevalent today as a fallback to Kerberos. It is…
- OAuth and OpenID Connect - OAuth 2.0 and OpenID Connect (OIDC 1.0) are different but highly related protocols, and they are often confused. When we talk about IAM (identity and access management), we should first distinguish between Authentication (AuthN) and Authorization (AuthZ): AutheNtication (AuthN, aka identity management) is about validating a user's identity by verifying that…
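The certificate post above is summarized down to the first OpenSSL command. The script below is an added example, not code from the original post or from the OrthWeb project: it mints a private CA, issues a server certificate with a subjectAltName (clients match on the SAN, not the CN), checks that the leaf chains to the CA and that key and certificate belong together, and writes the result as a kubernetes.io/tls Secret manifest. The hostname app.example.test, the Secret name app-tls, the default namespace and the ./tls-demo working directory are illustrative assumptions; only openssl, base64 and standard POSIX tools are required.

```shell
#!/usr/bin/env sh
# Added example (not from the original post): private CA -> server cert with SAN
# -> Kubernetes TLS Secret. Hostnames, names and paths are assumptions.
set -eu

# make_tls_material WORKDIR HOSTNAME
# Creates ca.key/ca.crt, tls.key/tls.csr and the CA-signed tls.crt in WORKDIR.
make_tls_material() {
  workdir="$1"; host="$2"
  mkdir -p "$workdir"
  # 1. Self-signed root for the test CA. -nodes leaves the key unencrypted,
  #    acceptable only for throwaway test material.
  openssl req -x509 -newkey rsa:4096 -sha256 -nodes -days 365 \
    -subj "/CN=example-test-ca" \
    -keyout "$workdir/ca.key" -out "$workdir/ca.crt" 2>/dev/null
  # 2. Server key and CSR. The CN alone is not enough: modern TLS clients
  #    match the hostname against subjectAltName, added in step 3.
  openssl req -new -newkey rsa:2048 -sha256 -nodes \
    -subj "/CN=$host" \
    -keyout "$workdir/tls.key" -out "$workdir/tls.csr" 2>/dev/null
  # 3. Leaf extensions: not a CA, server-auth only, external and in-cluster names.
  cat > "$workdir/server.ext" <<EOF
basicConstraints=CA:FALSE
keyUsage=digitalSignature,keyEncipherment
extendedKeyUsage=serverAuth
subjectAltName=DNS:$host,DNS:$host.default.svc.cluster.local
EOF
  #    Sign the CSR with the CA; short lifetime for a test certificate.
  openssl x509 -req -in "$workdir/tls.csr" \
    -CA "$workdir/ca.crt" -CAkey "$workdir/ca.key" -CAcreateserial \
    -days 90 -sha256 -extfile "$workdir/server.ext" \
    -out "$workdir/tls.crt" 2>/dev/null
}

# verify_tls_material WORKDIR HOSTNAME
# Returns 0 only if tls.crt chains to ca.crt, carries HOSTNAME as a SAN,
# and its public key matches tls.key (the classic "wrong key in the Secret" bug).
verify_tls_material() {
  workdir="$1"; host="$2"
  openssl verify -CAfile "$workdir/ca.crt" "$workdir/tls.crt" >/dev/null 2>&1 || return 1
  openssl x509 -in "$workdir/tls.crt" -noout -text | grep -q "DNS:$host" || return 1
  cert_pub=$(openssl x509 -in "$workdir/tls.crt" -noout -pubkey)
  key_pub=$(openssl pkey -in "$workdir/tls.key" -pubout)
  [ "$cert_pub" = "$key_pub" ]
}

# write_tls_secret WORKDIR NAME NAMESPACE
# Emits NAME.yaml, equivalent to: kubectl create secret tls NAME --cert --key.
# Returns 0 when the base64 payload in the manifest decodes back to tls.crt.
write_tls_secret() {
  workdir="$1"; name="$2"; ns="$3"
  crt_b64=$(base64 < "$workdir/tls.crt" | tr -d '\n')   # Secret data is single-line base64
  key_b64=$(base64 < "$workdir/tls.key" | tr -d '\n')
  cat > "$workdir/$name.yaml" <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: $name
  namespace: $ns
type: kubernetes.io/tls
data:
  tls.crt: $crt_b64
  tls.key: $key_b64
EOF
  sed -n 's/^  tls.crt: //p' "$workdir/$name.yaml" | base64 -d | cmp -s - "$workdir/tls.crt"
}

# Stand-alone run: material for app.example.test under ./tls-demo (assumed names).
WORKDIR="${WORKDIR:-./tls-demo}"
HOST="app.example.test"
make_tls_material "$WORKDIR" "$HOST"
verify_tls_material "$WORKDIR" "$HOST"
write_tls_secret "$WORKDIR" app-tls default
echo "minted $WORKDIR/tls.crt for $HOST; Secret manifest at $WORKDIR/app-tls.yaml"
```

Apply the manifest with kubectl and reference the Secret from the Ingress or Gateway TLS block; distribute ca.crt (never ca.key) to the clients that need to trust the test CA. The verification step is worth keeping in a pipeline: a Secret whose tls.key does not match tls.crt is accepted by the API server and only fails at handshake time.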
Contact Digi Hunch for Professional Services.