Security best practices should be applied throughout the implementation. Security also covers data privacy, an important aspect of platform compliance.
Common compliance frameworks for IT solutions include:
- DoD SRG (Department of Defense Cloud Computing Security Requirements Guide)
- FedRAMP (Federal Risk and Authorization Management Program)
- HIPAA (Health Insurance Portability and Accountability Act)
- GDPR (General Data Protection Regulation)
- PCI-DSS (Payment Card Industry Data Security Standard)
- ISO 9001
At the application layer, these frameworks revolve around restricting information to the right consumers. This requires strong authentication and authorization mechanisms, collectively known as IAM (identity and access management). At the infrastructure layer, the security requirements focus on encrypting data in transit and at rest.
Read more about security:
- Creating self-signed x.509 certificate - In deployment automation, I often had to create self-signed X.509 certificates for testing. This post summarizes the three approaches I've taken. The OpenSSL way: traditionally, this is done in three OpenSSL commands: openssl req -x509 -sha256 -newkey rsa:4096 -keyout ca.key -out ca.crt -days 356 -nodes -subj '/CN=Health Certificate Authority' openssl…
- Secure web application deployment - In Nov 2020, I created the OrthWeb project, a deployment of Orthanc's server. Orthanc is a DICOM viewer and repository shipped in a Docker container. In the deployment project, I use Terraform to provision infrastructure, including a managed PostgreSQL instance, an EC2 instance for the Docker runtime, and the init script to bring…
- Public Key Infrastructure (PKI) - A public-key infrastructure (PKI) is a set of roles, policies, hardware, software and procedures needed to create, manage, distribute, use, store and revoke digital certificates and manage public-key encryption. The algorithms are based on public-key cryptography. The format of the digital certificate is defined in the X.509 standard. Certificate Authority -…
- NTLM and Kerberos protocols - This article explains how the two most common authentication mechanisms (NTLM and Kerberos) work. Both authentication protocols are based on symmetric-key cryptography. The protocols themselves are platform independent. NTLM Authentication: NTLM is the default authentication protocol prior to Windows 2000 and is still prevalent today as a backup to Kerberos. It is…
- OAuth and OpenID Connect - OAuth 2.0 and OpenID Connect 1.0 are different types of protocols and they are often confused. When we talk about IAM (identity and access management), we should distinguish between AuthZ and AuthN: AutheNtication (AuthN, aka Identity Management) is about validating a user's identity by verifying that the user trying to connect…
Contact Digi Hunch for Professional Services.