Security Design Patterns Overview

Some key security patterns that can be implemented within cloud platforms are listed below, covering keys, encryption and data protection. Patterns are simply a method of solving a common problem. They are reusable templates that you adjust to the project's demands, and they are fundamental to IT deployment. A pattern book (security, applications, infrastructure, integration, testing, compound patterns, etc.) is a reusable, scalable IP artefact that every IT professional working in cloud needs to develop. A good set of templates can be found at: http://cloudpatterns.org/design_patterns. The pattern books by Thomas Erl are worth buying and referencing. There are dozens of security patterns that we can use; some common ones are listed below.

Cloud Key Management
Pattern Name: PAT-CKM
Description: Managing Private/Public Encryption Keys
Solving Issues: While encryption is foundational to cloud security, the management of encryption keys is one of the most difficult challenges in cloud computing. Failure to adequately manage encryption keys can lead to a range of administrative and security problems.
Explanation of pattern / Resolution in the cloud: A cloud key management system is employed, available either as a physical or virtual network-attached device. This pattern can be combined with the Cryptographic Key Management System and Hardware Security Module patterns to create a compound pattern.
Implementation: A cryptographic key management system (CKMS), optionally using a hardware security module (HSM) for key protection, consisting of systems, personnel and policies, is implemented to manage keys for encryption of all required data for both on-premise and cloud resources.
Structure: (diagram omitted)
Benefits: Azure is IaaS and PaaS, not SaaS; note the ideal model if you only want to consume the data. Stable, HA, console-based management.
Notes: It is recommended that firms mandate no Shadow IT and force end users to migrate their own Access DBs or other Shadow IT into SharePoint.
Cryptographic Key Management
Pattern Name: PAT-CKM
Description: Key management compliance with regulatory audits
Solving Issues: Service components within a cloud system need to have keys to render secure access. The problem is managing the keys in compliance with regulatory policies.
Explanation of pattern / Resolution in the cloud: The cryptographic key management system (CKMS) consists of the policies, procedures, components and devices that are used to protect, manage and distribute cryptographic keys and certain specific information, called metadata. A CKMS includes all devices or sub-systems that can access an unencrypted key or its metadata. Encrypted keys and their cryptographically protected metadata can be handled by computers, transmitted through communications systems and stored in media that are not considered to be part of the CKMS.
Implementation: A cryptographic key management system (CKMS), optionally using a hardware security module (HSM) for key protection, consisting of systems, personnel and policies, is implemented to manage keys for encryption of all required data for both on-premise and cloud resources.
Structure:

The CKMS managing the organization's keys. Many industry regulations require organizations to control their own keys, which can be done on-premise or from a trusted third-party service. The diagram shows the requirement for multiple administrators to accomplish management tasks, requiring multiple split keys to perform a cryptographic operation.

Benefits: Keys are locked down.
Notes: HSM is an AWS implementation (third-party products are available as well).
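The split-key, multiple-administrator requirement described under Structure above, worked as an added example (not from the pattern catalogue): the CKMS master key is divided among n key custodians with Shamir's threshold scheme, an assumed instantiation of "split keys", so that any k of them form a quorum and fewer than k learn nothing about the key. The key, share counts and field prime are constructed choices.

```python
import secrets

# Mersenne prime field; every key of up to 64 bytes is a valid field element.
P = 2**521 - 1

def _eval_poly(coeffs, x):
    """Evaluate coeffs[0] + coeffs[1]*x + ... + coeffs[k-1]*x^(k-1) mod P (Horner's rule)."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc

def split_key(key: bytes, k: int, n: int):
    """Issue n custodian shares (x, y) of the key; any k reconstruct it, fewer reveal nothing."""
    if not 1 < k <= n or len(key) > 64:
        raise ValueError("need 2 <= k <= n and a key of at most 64 bytes")
    # Constant term is the key; the other k-1 coefficients are secret random field elements.
    coeffs = [int.from_bytes(key, "big")] + [secrets.randbelow(P) for _ in range(k - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, n + 1)]

def combine_shares(shares, key_len: int) -> bytes:
    """Recover the key by Lagrange interpolation at x = 0; the caller enforces the k-share quorum."""
    secret = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        secret = (secret + yi * num * pow(den, -1, P)) % P
    return secret.to_bytes(key_len, "big")

if __name__ == "__main__":
    master_key = secrets.token_bytes(32)             # constructed CKMS master key
    custodian_shares = split_key(master_key, 3, 5)   # 5 custodians, any 3 form a quorum
    quorum = [custodian_shares[0], custodian_shares[3], custodian_shares[4]]
    assert combine_shares(quorum, 32) == master_key
    print("3-of-5 quorum reconstructed the master key")
```

In a production CKMS the reconstruction step runs inside the HSM boundary rather than in application memory, and the quorum check is a policy the CKMS enforces before any cryptographic operation is allowed.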


Federated Cloud Authentication
Pattern Name: PAT-FCA
Description: Federated certificate implementation to avoid CRL failure
Solving Issues: If the certificate revocation list (CRL) corresponding to a cloud consumer's certificate is unavailable, whether because of a communication failure or a public key infrastructure (PKI) failure, cloud service providers are unable to authenticate submitted certificate credentials.
Explanation of pattern / Resolution in the cloud: Federated authentication allows cloud services to authenticate cloud consumers by incorporating a certificate status checking responder on the local area network (LAN), which supports authentication independently when the CRL for a given organization is unavailable due to failure.
Implementation: A local certificate validation service (CVS) is implemented to check the revocation status of submitted certificates from multiple organizations.
Structure:

The component, as a cloud service consumer, sends the required certificate to an authentication service to be authenticated (1). The authentication service sends a request to the CVS that includes the issuer and serial number of the certificate (2). The CVS compares the serial number with the associated issuer's CRL to determine whether the certificate is revoked (3). The CVS signs a response indicating whether the certificate is good, revoked or unknown (4). The CVS also checks whether the CRL is still valid. If the CRL is stale and the CVS cannot retrieve a current one, the CVS can be configured to send an alert to a cloud resource administrator (5).

Benefits: With the implementation of a CVS, the availability problems associated with an expired CRL are mitigated.
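Steps (2) to (5) of the CVS flow above, as an added example that is not part of the pattern catalogue: the service looks the serial number up in the cached CRL for the issuer, refreshes a stale CRL or alerts the resource administrator when it cannot, and signs the good/revoked/unknown answer. The CRL store, the HMAC signing key (standing in for the CVS signing certificate) and the alert list are constructed placeholders.

```python
import hashlib, hmac, time
from dataclasses import dataclass, field

@dataclass
class Crl:
    issuer: str
    revoked_serials: set            # serial numbers the issuer has revoked
    next_update: float              # epoch seconds; the CRL is stale after this

@dataclass
class CertValidationService:
    signing_key: bytes                              # constructed HMAC key standing in for the CVS signing key
    crls: dict = field(default_factory=dict)        # issuer name -> cached Crl
    alerts: list = field(default_factory=list)      # alerts raised to the cloud resource administrator

    def fetch_fresh_crl(self, issuer):
        """Stand-in for a CRL download; returns None when the CA cannot be reached."""
        return None

    def check(self, issuer, serial, now=None):
        """Steps (3)-(5): decide good/revoked/unknown, refresh or alert on a stale CRL, then sign."""
        now = time.time() if now is None else now
        crl = self.crls.get(issuer)
        stale = crl is not None and now > crl.next_update
        if stale:
            fresh = self.fetch_fresh_crl(issuer)
            if fresh is None:
                self.alerts.append(f"stale CRL for {issuer}; refresh failed")   # step (5)
            else:
                crl, stale = fresh, False
                self.crls[issuer] = fresh
        if crl is None:
            status = "unknown"      # no CRL held for this issuer at all
        elif serial in crl.revoked_serials:
            status = "revoked"
        else:
            status = "good"
        # Signed response (step 4); the stale flag lets the relying party apply its own policy.
        body = f"{issuer}|{serial}|{status}|stale={int(stale)}|{int(now)}"
        sig = hmac.new(self.signing_key, body.encode(), hashlib.sha256).hexdigest()
        return {"status": status, "stale": stale, "body": body, "signature": sig}

def verify_response(signing_key, response):
    """Authentication-service side: accept the CVS answer only if its signature checks out."""
    expected = hmac.new(signing_key, response["body"].encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, response["signature"])
```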


Secure Cloud Interfaces and APIs
Pattern Name: PAT-SCI-API
Description: Securing APIs against unauthorised access
Solving Issues: On-premise and cloud-based resource interfaces and APIs are, by default, vulnerable to attacks through a number of vectors and methods.
Explanation of pattern / Resolution in the cloud: A cloud identity and access management (IAM) system is instituted to differentiate intruders from legitimate consumers.

Application: An authentication gateway service (AGS) and an IAM system are implemented to identify and authenticate legitimate consumers and grant them access, while denying access to intruders.

Implementation Mechanisms: Authentication Gateway Service, Identity and Access Management
Structure: (diagram omitted)
Benefits: The AGS authenticates cloud consumers for access to APIs.
Notes:


Encryption of Data at Rest
Pattern Name: PAT-EDR
Description: Encrypting Data at Rest
Solving Issues: Data stored in a cloud environment requires security against access to the physical hard disks forming the cloud storage device.
Explanation of pattern / Resolution in the cloud: Secure data on the physical hard disks in order to prevent unauthorized access.
Implementation: An encryption mechanism supported by the physical storage arrays can be used to automatically encrypt data stored on the disks and decrypt data leaving the disks.
Structure:

Data can be secured on physical disks by encrypting the data as it enters the physical storage array and decrypting data as it leaves the physical hard disks.

Benefits: NIST compliant
Notes: EBS volumes need to be encrypted by default.


Data Breach
Pattern Name: PAT-EDB
Description: Protecting Enterprise Data from a breach
Solving Issues: Unprotected data is vulnerable to a wide variety of breaches by attackers that can have significant consequences for the security of the cloud architecture and/or the organization's business itself.
Explanation of pattern / Resolution in the cloud: A system is established that provides encryption of sensitive data so that if it is lost, it is not readable by an attacker. Encryption, governance and policies are merged.
Implementation: Using validated encryption and governance that meets enterprise security assurance levels, data at rest is encrypted. This covers key management, encryption, asset configuration inventory and data inventory automation.
Structure:

The use of enterprise encryption for sensitive data.

Benefits: Enterprise protection
Notes: Would use IAM, volume encryption, HTTPS and TLS.

Related to Encryption