Security is one of the most important aspects of cloud architecture design and implementation. It also covers data privacy, an important aspect of platform compliance.
We perform security reviews with threat-model assessments of the infrastructure stack, looking mostly at the following aspects:
Identity and Access Management
Authentication (Identity Management) and Authorization (Access Management) are foundational design aspects. We need to consider issues such as the identity store, integration, SSO and identity attributes at every layer: application (business traffic), container platform (e.g. Kubernetes admin traffic) and cloud platform (e.g. cloud admin traffic).
Encryption and Certificate Management
All security standards mandate the encryption of data in transit and at rest. Data in transit is encrypted by standards at different network layers. Transport Layer Security (TLS) is the most important standard in this regard; it relies on X.509 certificates, which are managed by the organization's Public Key Infrastructure (PKI).
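As an added example (not part of the original page), the following Go program builds a constructed internal PKI of the shape just described, a root CA issuing an X.509 server certificate, and runs the validation a TLS client performs against it: chain to a trusted root, validity period, hostname match and key usage. The names api.example.internal and Example Internal Root CA are constructed placeholders, not taken from any real deployment.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// issue signs tmpl under parent with the signer's key and returns the parsed certificate.
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err) // an unissuable template is a programming error, not a runtime condition
	}
	cert, _ := x509.ParseCertificate(der)
	return cert
}

// buildPKI constructs a root CA and a 90-day server certificate for api.example.internal
// (constructed names for this example, not taken from any real deployment).
func buildPKI(now time.Time) (leaf, ca *x509.Certificate) {
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Internal Root CA"},
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
		NotBefore: now.Add(-time.Hour), NotAfter: now.AddDate(10, 0, 0)}
	ca = issue(caTmpl, caTmpl, &caKey.PublicKey, caKey) // self-signed root
	leafKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	leafTmpl := &x509.Certificate{SerialNumber: big.NewInt(2), DNSNames: []string{"api.example.internal"},
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		NotBefore: now.Add(-time.Hour), NotAfter: now.AddDate(0, 0, 90)}
	leaf = issue(leafTmpl, ca, &leafKey.PublicKey, caKey) // issued and signed by the CA
	return leaf, ca
}

// verifyServerCert applies the checks a TLS client makes before trusting a server certificate:
// chain to a trusted root, validity at time at, hostname match and the serverAuth extended key usage.
// It returns nil when the certificate is acceptable and the specific x509 error otherwise.
func verifyServerCert(leaf, ca *x509.Certificate, dnsName string, at time.Time) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: dnsName, CurrentTime: at,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}})
	return err
}
```

Exercise it from a test or a main that calls buildPKI and verifyServerCert with a wrong hostname, a time past day 90, or a second unrelated CA; the returned errors (hostname mismatch, expiry, unknown authority) are exactly what clients report when certificate management or the PKI trust store is out of step.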
Compliance
Most enterprise cloud deployments should target certain compliance programs as part of the security initiative. Common compliance frameworks and programs include:
- DoD SRG (Department of Defense Cloud Computing Security Requirements Guide)
- FedRAMP (Federal Risk and Authorization Management Program)
- HIPAA (Health Insurance Portability and Accountability Act)
- GDPR (General Data Protection Regulation)
- PCI-DSS (Payment Card Industry Data Security Standard)
- CIS (Center for Internet Security) Benchmarks
The main cloud service providers provide tools to help clients assess the compliance status of their cloud deployments.
More on security
- IAM Roles for any workload - Background A few months back a client of mine wanted to use GitLab pipeline to deploy infrastructure on AWS with Terraform. The key question is how to authenticate the Terraform process running in the pipeline to AWS with temporary credentials. Having worked it out on GitHub, my proposal at time…
- Managing EC2 instances across accounts with Ansible - I regard AWS Systems Manager as omnipotent. Nonetheless, there are a few reasons that make Ansible still a prevalent VM (EC2) management tool over Systems Manager (SSM). First, organizations already vested in their custom Ansible roles and playbooks want to reuse and expand their assets in Ansible. The benefit is…
- WordPress Security Basics - Background In 2019, I moved this site to WordPress hosted on an Amazon Lightsail instance. There were few visits at that time so I lived with the single-server architecture. The website traffic has since been in steady growth but I have been too busy to catch up with the WordPress…
- EKS impression - I've worked on a few AKS projects previously. Since I joined AWS I wanted to put aside some time to check out EKS (Elastic Kubernetes Service). Here in this post, I put down my first impression on EKS, and also share my Terraform template in cloudkube project to create an…
- Istio Operation Gotchas - In this post I discuss a few aspects of putting Istio in operation. Installation Istio installation can be confusing, due to architectural and guideline changes as well as renaming of operator CRDs since its release, and especially since 2020. This left lots of information outdated on the web, adding to…
Contact Digi Hunch for Professional Services.