Secure Cloud App

Secure Cloud App Presentation Transcript

  • Secure Cloud App
    Build and host a cloud system with highly sensitive data for a start-up. Full blog is here.
  • Solution Overview
  • Introduction
    The objective was to deliver a service-oriented architecture for an online system to store and search through highly sensitive data using a budget-effective approach.
    Captivated by the benefits of cloud computing, we decided to take the plunge into the new world.
    Objectives: high security of the data at all times, the ability to move between cloud providers and around the world, minimal downtime due to outage, disaster or even a court shutdown order.
  • Challenges and Decisions
    Technology selection: Microsoft stack, primarily due to higher productivity using well-supported software/tools and the amount of information available from the community.
    Cloud Provider Selection: Azure, Amazon, Rackspace, etc. Decided to try a few of the above, with the objective of being able to move between cloud providers and shared hosting providers with no source code changes.
    Multi-Level Security: username/password for authentication, end-user identity token through all layers of the application, data-in-transit encryption, data-at-rest encryption, backup encryption.
  • Software Architecture
    Front-End: HTML5 and JavaScript over HTTPS with emphasis on streamlined and lean user interfaces with fast response whether on desktop, on Internet tablets, or on smartphone. Web Server: IIS 7.5, the latest available at the time of development. Coding: C# MVC3 with Razor syntax as the latest flavour for web application development.
    Service Layer: WCF over HTTPS on IIS 7.5. Entity Framework with C# POCO objects for WCF serialization in an N-tier environment. Connection to the DB is TCP/IP over SSL.
    Back-End: SQL Server 2008 R2 Enterprise Edition with Transparent Data Encryption for data protection at rest.
  • Security Architecture
    Front-End: User authentication at first used Verisign OpenID, and later switched to username/password with the password hashed and stored in SQL Server; users did not like the intermediate step during sign-in. All traffic is over HTTPS.
    Service Layer: An end-user time-sensitive token is issued upon authentication and is used to validate user identity and permission on each service operation request. All traffic is over HTTPS.
    Back-End: Application account with permission to execute a few stored procedures to validate user credentials and user token. Secondary application account with full access using a 15 min time-to-live password, encrypted for each user token. All connections are encrypted using SSL. Data at rest is protected by SQL Server TDE; ISP administrative account(s) disabled.
  • Hosting Architecture
    Front-End: Windows Azure Web Role with two instances for load-balancing and fault-tolerance purposes. Since there are no credentials stored here, the web application can be deployed anywhere, including shared hosting.
    Service Layer: Two Amazon EC2 Windows Server 2008 R2 instances with load balancing enabled. Holds encrypted credentials for the limited-access database account, so it is not the end of the world even if hacked.
    Back-End: a few were tried: virtual on Amazon EC2 Windows Server R2 (robust but not cheap), virtual on Go-Daddy VPS (cheap but slow), and an iHost physical server for the best combination of cost and performance. The hosting company must have no login credentials to the box.
    Backup: a few were tried and rejected due to lousy security practices (the confirmation email sent contained the password). One that supported in-transit and at-rest data encryption was selected; additionally, the SQL backup file was also encrypted by TDE itself, so there is no unencrypted data anywhere.
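
The Security Architecture slide describes a time-sensitive end-user token issued at authentication and checked on every service operation. The C# sketch below is an added example, not code from the presentation: it assumes a stateless HMAC-signed token (the deck validates tokens through stored procedures and gives no format), and the names UserToken, Issue, Validate, the sample user "alice" and the 15-minute lifetime are hypothetical.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added illustration: a stateless HMAC-signed token is an assumption. The deck does not
// give a token format and validates tokens through stored procedures.
public static class UserToken
{
    // Layout: base64("userId|expiryTicks") + "." + base64(HMAC-SHA256 over the payload bytes)
    public static string Issue(string userId, TimeSpan lifetime, byte[] key, DateTime nowUtc)
    {
        byte[] body = Encoding.UTF8.GetBytes(userId + "|" + nowUtc.Add(lifetime).Ticks);
        return Convert.ToBase64String(body) + "." + Convert.ToBase64String(Sign(body, key));
    }
    // Returns the user id for a genuine, unexpired token; null otherwise.
    public static string Validate(string token, byte[] key, DateTime nowUtc)
    {
        string[] parts = (token ?? "").Split('.');
        if (parts.Length != 2) return null;
        byte[] body, mac;
        try { body = Convert.FromBase64String(parts[0]); mac = Convert.FromBase64String(parts[1]); }
        catch (FormatException) { return null; }
        if (!FixedTimeEquals(mac, Sign(body, key))) return null; // check the MAC before parsing
        string[] fields = Encoding.UTF8.GetString(body).Split('|');
        long ticks;
        if (fields.Length != 2 || !long.TryParse(fields[1], out ticks)) return null;
        return nowUtc.Ticks < ticks ? fields[0] : null;
    }
    static byte[] Sign(byte[] body, byte[] key) { using (var h = new HMACSHA256(key)) return h.ComputeHash(body); }
    // Constant-time comparison so timing does not reveal how many MAC bytes matched.
    static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
    public static void Main()
    {
        var key = new byte[32];                                   // constructed random key
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(key);
        DateTime t0 = DateTime.UtcNow;
        string tok = Issue("alice", TimeSpan.FromMinutes(15), key, t0);          // constructed user
        Console.WriteLine(Validate(tok, key, t0.AddMinutes(5)) ?? "rejected");   // inside lifetime
        Console.WriteLine(Validate(tok, key, t0.AddMinutes(16)) ?? "rejected");  // past expiry
        Console.WriteLine(Validate("x" + tok, key, t0) ?? "rejected");           // altered token
    }
}
```

Validation here covers identity and expiry only; the per-operation permission check the slide mentions would follow once the user id is returned. User ids containing '|' do not validate in this layout.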