Cloud Application Architecture


Cryptography

  • key element of data security in the cloud
  • take into account where cryptography will be used throughout the data lifecycle

Encryption of Data at Rest

  • all data at rest should be encrypted
    • to protect against the shared use of infrastructure
  • add extra layer of security by encrypting specific files and folders
  • primary requirement of any encryption scheme is the storage and management of keys

Whole-Instance Encryption and Full Disk Encryption

  • whole-instance encryption involves encrypting a complete system’s disk or storage
    • aka FDE
  • protects data on the device in the event the device itself is lost or stolen
    • including a shut-down instance or a snapshot

Volume Encryption

  • Volume encryption refers to encrypting only a partition on a hard drive or cloud storage that is presented as a volume
  • useful when the entire disk does not need to be encrypted
    • doesn’t contain sensitive data

Encryption of Data in Transit

  • protects data between systems or users
  • most common method is TLS

Sandboxing

Sandboxing places systems or code into an isolated, secured environment where testing can be performed.

  • CSPs like Zscaler provide dedicated sandboxing capabilities designed to contain and analyze malware
  • others are used for application development

Application Virtualization and Orchestration

Application virtualization allows applications to be run without being directly linked to the underlying operating system.

  • does not virtualize the entire system
  • app virtualization tools insert themselves between applications and the operating system and virtualize that interface
    • allows for greater portability and segmentation
    • consumes fewer resources
  • E.g.,
    • Amazon AppStream
    • Citrix XenApp
    • Microsoft App-V
    • VMware ThinApp

Containers bundle applications with the OS components needed to run.

  • this bundle is called a container
  • highly portable
  • consumes fewer resources than a VM
  • easily deployed using automated processes
  • help isolate problems to the container
    • not the underlying system

Application Programming Interfaces (APIs)

Multitenancy

  • make configurations in such a way that ensures logical isolation of tenants
  • design with the understanding that breaches, outages, and exposure of underlying infra can occur

Supplemental Security Components

Web Application Firewalls (WAF)

  • used to protect web apps from attacks by monitoring both HTTP and HTTPS traffic
  • rely on policies to analyze traffic
  • typically act as a reverse proxy
    • protect application server from systems sending requests
  • able to filter based on:
    • users
    • session information and data
    • application-specific context and content
  • have a default set of rules that stop common attacks
    • e.g., SQL injection, DoS
  • CSPs often have a WAF capability and third-party WAF virtual appliances in their marketplaces

Database Activity Monitoring

Database activity monitoring (DAM) tools combine network data and database audit information in real time to analyze database activity for unwanted, anomalous, or unexpected behavior.

  • used to:
    • monitor application activity and privileged uses
    • detect attacks using behavioral analysis techniques
  • cloud database services typically have a form of DAM tool available or a service to support them

XML Firewalls

XML firewalls are used to protect services that rely on XML-based interfaces, including many forms of web applications.

  • provide validation and filtering capabilities
  • ability to rate-limit and manage traffic flow

API Gateways

API gateways are used to manage, monitor, and aggregate APIs to produce results for requesting systems.

  • used for:
    • authorization and access control
    • traffic flow control
    • throttling
  • provide filtering capabilities
    • additional layer of security for API
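
The gateway functions listed above (authorization and access control, filtering, throttling) can be sketched as a single decision step that runs before a request is forwarded. This is an added example, not code from any CSP's gateway product; the API keys, scopes, routes, and the token-bucket throttle are constructed assumptions.

```python
import time
from dataclasses import dataclass, field

# Constructed sample policy (assumption): scopes held by each API key, scope needed per route.
API_KEYS = {"key-reports": {"reports:read"}, "key-admin": {"reports:read", "users:write"}}
ROUTE_SCOPES = {("GET", "/reports"): "reports:read", ("POST", "/users"): "users:write"}

@dataclass
class TokenBucket:
    """Per-client throttle: up to `capacity` tokens, refilled at `rate` tokens per second."""
    capacity: float
    rate: float
    tokens: float = field(init=False)
    updated: float = 0.0

    def __post_init__(self):
        self.tokens = self.capacity  # a new client starts with a full bucket

    def allow(self, now):
        # Refill for the elapsed time (capped at capacity), then spend one token if any is left.
        self.tokens = min(self.capacity, self.tokens + (now - self.updated) * self.rate)
        self.updated = now
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False

class Gateway:
    """Hypothetical gateway front end: decides the HTTP status before forwarding a request."""
    def __init__(self, capacity=3, rate=1.0, clock=time.monotonic):
        self.capacity, self.rate, self.clock = capacity, rate, clock
        self.buckets = {}  # one bucket per API key, so one noisy client cannot starve others

    def decide(self, api_key, method, path):
        """Return 200 to forward, or the status code used to reject the request."""
        scopes = API_KEYS.get(api_key)
        if scopes is None:
            return 401  # access control: unknown caller
        required = ROUTE_SCOPES.get((method, path))
        if required is None:
            return 404  # filtering: routes the gateway does not publish are never forwarded
        if required not in scopes:
            return 403  # authorization: known caller without the scope for this route
        bucket = self.buckets.get(api_key)
        if bucket is None:
            bucket = self.buckets[api_key] = TokenBucket(self.capacity, self.rate)
        return 200 if bucket.allow(self.clock()) else 429  # throttling
```

Rejected requests (401, 403, 404) do not consume throttle tokens in this sketch, so only authorized traffic counts against a client's rate.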

Cloud Application Security Broker (CASB)

CASBs are used as enforcement points between consumers and service providers to ensure that use of cloud services matches organizational intentions and policies.

  • features:
    • control use of service
    • data protection capabilities
    • threat management and monitoring
  • can be deployed in on-premises, hybrid, or cloud-hosted models
  • more heavily used in orgs that require high levels of control and assurance regarding cloud usage