Case Example of Security levels within an AWS-Hybrid Architecture

Example Cloud Security Architecture

Hybrid Cloud Architecture, supporting 1000s of users, using AWS with legacy DB integration

User application access:

  • Users access the application portal using browsers via HTTPS.
  • Users are authenticated by usernames and passwords. It is important for users to use strong passwords.
  • Password complexity and expiry policy is enforced within AWS and the application's DAO layer.

Network security

Port filters:

  • Only specific IP ports are allowed for external access from the public Internet, namely SSH (22), HTTPS (443) and HTTP (80).
  • SSH is a secure, encrypted protocol that is used only for system administrator access.
  • HTTPS is a secure, encrypted protocol that is used for user application communication.
  • HTTP is an insecure, unencrypted protocol; any request arriving over HTTP is immediately redirected to HTTPS as soon as the user's browser reaches it. HTTP is open only for user convenience.
  • FTP (20, 21, 47304) is open only for access from the Corporate IP 216.aa.bbb.55.
  • All other ports are closed, including ICMP (ping, traceroute).
  • There are two levels of port filtering:
      • AWS network policies
      • System firewall

Application Server certificate and traffic encryption:

  • The domain name yyyy.com is secured by a certificate issued by a trusted certificate authority.
  • All browsers have certificate verification capabilities. A site with a correct certificate shows a "Green Lock" icon near the URL, indicating that the site is verified and trusted.
  • All user traffic goes via HTTPS only and is encrypted.
  • Browsers use HTTPS. When they try to enter via HTTP, they are automatically redirected to HTTPS by the web application.
  • The application uses HTTPS and certificate verification as well.
  • It is safe to access the web application from public networks.

FTP application access:

  • Users synchronize the required data from the legacy non-AWS database to the application database via file transfers.
  • The legacy databases are limited in their ability to use contemporary encrypted protocols (such as SSH).
  • Files are transferred via the FTP protocol, which is not encrypted.
  • To mitigate this vulnerability, access to FTP is allowed only from the Corporate IP 216.aa.bbb.55. This is set by the AWS IP filter policy and the system firewall.

System administration access:

  • System administrators access systems only via SSH using RSA keys and strong passwords.

Attack detection and prevention

System attack detection:

  • Perimeter system software monitors unsuccessful SSH login attempts and blocks the attacker's IP for a couple of hours after several unsuccessful attempts.

Application attack detection:

  • Special software monitors unsuccessful login attempts to the application and blocks the attacker's IP for a couple of hours after several unsuccessful attempts.
  • The Corporate IP is never blocked, because doing so would block all other users working from within the VPN.
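The SSH and application blocking rules above share one logic: count recent failures per source IP, block for a couple of hours once a threshold is crossed, and exempt the corporate address. The following added example (not code from the original page) runs that logic over constructed log lines; the threshold of 5 failures within 10 minutes, the 2-hour block, and 192.0.2.55 standing in for the corporate VPN address are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed parameters: "several attempts" = 5 within 10 minutes; "couple of hours" = 2 hours.
THRESHOLD = 5
WINDOW = timedelta(minutes=10)
BLOCK_FOR = timedelta(hours=2)
# 192.0.2.55 is a constructed stand-in for the corporate VPN egress address (never blocked).
ALLOWLIST = {"192.0.2.55"}

# One pattern covers both the sshd-style and the application-style failure lines used below.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>sshd|app): .*(?:Failed password|login failed).* from (?P<ip>[\d.]+)$"
)

# Constructed sample log (not from the page's systems): 5 sshd failures from 203.0.113.7,
# 3 application failures from 198.51.100.9, and 6 application failures from the corporate IP.
SAMPLE_LOG = "\n".join(
    [f"2024-05-01T10:00:{i:02d} sshd: Failed password for root from 203.0.113.7" for i in range(5)]
    + [f"2024-05-01T10:01:{i:02d} app: login failed user=alice from 198.51.100.9" for i in range(3)]
    + [f"2024-05-01T10:02:{i:02d} app: login failed user=bob from 192.0.2.55" for i in range(6)]
)

def parse_failures(log_text):
    """Yield (timestamp, source, ip) for every failed-login line; other lines are ignored."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.fromisoformat(m["ts"]), m["src"], m["ip"]

def is_blocked(blocked, ip, now):
    """True while a block for ip is still in force at time now."""
    return ip in blocked and now < blocked[ip]

def compute_blocks(log_text):
    """Return {ip: block_expiry} for IPs that crossed the threshold; allowlisted IPs are never blocked."""
    recent = defaultdict(deque)   # ip -> timestamps of failures inside the sliding window
    blocked = {}
    for ts, _src, ip in parse_failures(log_text):
        if ip in ALLOWLIST or is_blocked(blocked, ip, ts):
            continue              # corporate IP is exempt; an already-blocked IP needs no new block
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > WINDOW:
            q.popleft()           # forget failures older than the window
        if len(q) >= THRESHOLD:
            blocked[ip] = ts + BLOCK_FOR
            q.clear()
    return blocked
```

In production the returned map would feed the firewall rule that drops the address until the expiry passes, and both the block and its release should be logged for the administrators.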

Rootkit/virus detection:

  • Special system software monitors for possible rootkit or virus installations and alerts the system administrators if one is detected.

The above categories and solutions are a minimum for an AWS-hosted distributed application used by many thousands of users with legacy system integration. They conform to NIST and CSBP. Importantly, security is centralized, documented and constantly monitored.