Cloud Security: Encryption and Key Management

Source: elven.works

In the last post in the series on cloud computing for beginners, we analyzed the features of microservices and the resources necessary for their smooth operation. In this post, we will address security and encryption in cloud computing. Let’s start from the beginning. In encryption, a key is a piece of information (a parameter) that determines the function of a cryptographic algorithm. Keys can be of two types, symmetric and asymmetric, and have several properties that depend on the intended function, such as length and cryptographic period.

For encryption algorithms, a key specifies the transformation of plain text into ciphertext, and for decryption algorithms the reverse. A cryptographic algorithm cannot work without these keys, which can be composed of a word, number, or phrase used to encrypt plain text. All possible keys and all protocols that make a cryptographic algorithm work make up what is called a cryptosystem.


Key Management


To manage cryptographic keys, it is important that all keys are stored in a cryptographic vault; a vault is a tool for accessing “secrets” safely. A “secret” in the context of encryption is anything that you want to strictly control access to, such as API keys, passwords or certificates held in a hardware security module (HSM) or an isolated cryptographic service. An HSM is a physical device that provides extra security for confidential data. This type of device is used to provide cryptographic keys for critical functions, such as encryption, decryption, and authentication, for use by applications, identities, and databases. In the financial market, for example, it is common to find HSMs used for transactions involving credit cards.

That’s where key management becomes critical to the security of a cryptosystem. Key management includes handling key generation, exchange, storage, use, and replacement as needed at the user level. A key management system also includes key servers, user procedures, and protocols, including cryptographic protocol design. It is the most challenging side of encryption because it involves aspects of social engineering, such as system policy, user training, organizational and departmental interactions, and, above all, coordination between all these elements, in contrast to pure mathematical practices that can be automated.
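The lifecycle steps above (generation, use, replacement), combined with the key length and cryptographic period mentioned earlier, shown as an added example that is not from the original post. It uses HMAC tags from Python's standard library instead of encryption, and the `Keyring` class and the 256-bit, 90-day and 30-day policy values are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

DAY = 86400
KEY_BYTES = 32            # assumed policy: 256-bit keys
CRYPTOPERIOD = 90 * DAY   # assumed policy: a key signs for at most 90 days
GRACE = 30 * DAY          # assumed policy: old keys verify for 30 more days


@dataclass(frozen=True)
class KeyVersion:
    version: int
    material: bytes
    created: float


class Keyring:
    """In-memory stand-in for a vault or KMS key with versions (hypothetical)."""

    def __init__(self, now):
        self._versions = {}
        self._current = 0
        self.rotate(now)

    def rotate(self, now):
        """Generation and replacement: a fresh random key becomes the signer."""
        self._current += 1
        self._versions[self._current] = KeyVersion(
            self._current, secrets.token_bytes(KEY_BYTES), now)
        return self._current

    def _expire(self, now):
        """Destroy keys past cryptoperiod + grace; rotate a stale signer."""
        for key in list(self._versions.values()):
            if now - key.created >= CRYPTOPERIOD + GRACE:
                del self._versions[key.version]
        current = self._versions.get(self._current)
        if current is None or now - current.created >= CRYPTOPERIOD:
            self.rotate(now)

    def sign(self, message, now):
        """Use: tag the message with the current key and return its version."""
        self._expire(now)
        key = self._versions[self._current]
        tag = hmac.new(key.material, message, hashlib.sha256).digest()
        return key.version, tag

    def verify(self, message, version, tag, now):
        self._expire(now)
        key = self._versions.get(version)
        if key is None:  # unknown version, or material already destroyed
            return False
        expected = hmac.new(key.material, message, hashlib.sha256).digest()
        return hmac.compare_digest(expected, tag)

    def versions(self):
        return sorted(self._versions)
```

Storing the version next to each tag is what lets the signing key be replaced without invalidating data protected under the previous one.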

Key management is important because it ensures strong data encryption. In addition, it ensures regulatory compliance and protects data from risks presented by privileged users. Thus, being able to own and manage the cryptographic keys becomes crucial to meet the network’s regulatory and compliance standards. Google Cloud KMS is a service that allows you to manage cryptographic keys for services both in the cloud and on-premises.

At AWS, the Key Management Service (KMS) facilitates the creation and management of cryptographic keys and the control of their use in a wide variety of AWS services and in your own applications. At Microsoft, Azure Key Vault is a cloud service that protects cryptographic keys and secrets such as certificates, connection strings and passwords. As this data is sensitive and essential for business, the user needs to protect access to their key vaults, allowing only authorized applications and users.

In addition to sophisticated encryption and key management tools, it is important to be aware of some basic errors, such as storing credentials in code repositories. Very often, access keys from cloud providers are stored in public repositories on GitHub, Bitbucket and other Git hosting services.

There are countless bots browsing public code repositories and looking for cloud credentials for misuse. An administrator access key can be used to create dozens of servers in a few minutes; these servers will be used for malicious purposes and will bring heavy infrastructure costs to the company that exposed its credentials.
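One way to catch this mistake before it reaches a repository is a pre-commit check for AWS-style credentials. This is an added example, not code from the original post; the entropy threshold and the sample file are assumptions, and the two credential values in the sample are the placeholder keys published in AWS documentation.

```python
import math
import re
import sys
from collections import Counter

# AWS access key IDs are 20 characters: "AKIA" (long-term) or "ASIA"
# (temporary) followed by 16 uppercase letters or digits.
KEY_ID = re.compile(r"(?<![A-Z0-9])(?:AKIA|ASIA)[A-Z0-9]{16}(?![A-Z0-9])")
# A 40-character base64-style value assigned to a name containing "secret".
SECRET = re.compile(
    r"secret\w*\s*[:=]\s*['\"]?([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])",
    re.IGNORECASE)
MIN_ENTROPY = 3.5  # bits per character; assumed threshold to skip placeholders


def entropy(value):
    """Shannon entropy of the string, in bits per character."""
    counts = Counter(value)
    return -sum(n / len(value) * math.log2(n / len(value))
                for n in counts.values())


def redact(value):
    """Keep only a 4-character prefix so reports never repeat the secret."""
    return value[:4] + "*" * (len(value) - 4)


def scan(text):
    """Return (line number, finding kind, redacted value) for each hit."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in KEY_ID.finditer(line):
            findings.append((lineno, "aws-access-key-id", redact(m.group(0))))
        for m in SECRET.finditer(line):
            if entropy(m.group(1)) >= MIN_ENTROPY:
                findings.append(
                    (lineno, "high-entropy-secret", redact(m.group(1))))
    return findings


# Constructed sample file; the credentials are AWS's documented placeholders.
SAMPLE = "\n".join([
    'region = "us-east-1"',
    'aws_access_key_id = "AKIAIOSFODNN7EXAMPLE"',
    'aws_secret_access_key = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"',
    'placeholder_secret = "' + "A" * 40 + '"',   # low entropy: ignored
    'build_id = "XAKIAIOSFODNN7EXAMPLE1"',       # embedded in a longer token
])


def main(paths):
    """Pre-commit style entry point: a non-zero exit blocks the commit."""
    hits = 0
    for path in paths:
        with open(path, encoding="utf-8", errors="replace") as fh:
            for lineno, kind, shown in scan(fh.read()):
                print(f"{path}:{lineno}: {kind}: {shown}")
                hits += 1
    return 1 if hits else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

A key that has already been pushed should be treated as exposed and replaced at the provider, since removing it from the latest commit leaves it in the repository history.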


VPN Access Management


A Virtual Private Network (VPN), as the name suggests, offers a private network over a public connection to the Internet, so that the user can count on online privacy and anonymity. VPNs basically mask the Internet Protocol (IP) address, in such a way that the actions of their connected users are virtually impossible to track. VPN connection monitoring ensures that the private network remains protected from intruders while the data transferred over the user’s network is encrypted and transmitted quickly.

Monitoring consists of tracking different connections, paths and tunnels, using different performance metrics. A VPN service can monitor or record all Internet activities that take place on the server; for this reason, it is always good to be careful when using free VPNs, as they can sell the data to advertisers and third parties.

A much more recommended practice is to set up VPN services in the cloud accounts that you control. This makes data management much more reliable and secure. For some years now, professionals have accessed the cloud environments in which they work through VPNs with individual accounts. Without access to the VPN, the professional cannot access anything in the corporate environment, making the availability of VPNs a critical success factor. It is recommended to use solutions such as One Platform to monitor these services in real time in each environment accessed by the technology team.

API Gateways

An Application Programming Interface (API) is a computing interface that defines the interactions between several software intermediaries. An API gateway acts as a reverse proxy that accepts all API calls, aggregates the various services necessary to fulfill them, and then returns the appropriate result. In other words, the API gateway is responsible for the management between a client and a collection of backend services.

Source: github.com/AntonFagerberg/rackla


A good example of an API gateway is the Netflix streaming service, available on different types of devices, including televisions, set-top boxes, smartphones, game systems, tablets, etc. Because of the wide variety of devices and their unique needs, Netflix currently uses an API gateway capable of providing a customized API for each device, which in turn executes the device-specific adapter code.

An adapter usually handles each request by invoking an average of six to seven backend services. A great benefit of using an API gateway is that it encapsulates the internal structure of the application: instead of having to call specific services, clients simply communicate with the gateway. The Netflix API Gateway, for example, handles billions of requests per day.

One of the interesting security features of API gateways is limiting the call flow from a given address. The original term for this is throttling, but we can understand it as flow control for each API. This can inhibit several denial-of-service attacks (DDoS), which without flow control would make the accessed API unavailable.
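Throttling per client address is commonly implemented as a token bucket. The following is an added example, not code from the original post or from any particular gateway product; the class names, default rates and the documentation-range IP addresses used to exercise it are assumptions.

```python
import math
import time


class TokenBucket:
    """Holds up to `burst` tokens, refilled at `rate` tokens per second."""

    def __init__(self, rate, burst, now):
        self.rate, self.burst = rate, burst
        self.tokens, self.stamp = float(burst), now

    def take(self, now):
        """Spend one token. Return 0.0 if allowed, else seconds to wait."""
        refill = (now - self.stamp) * self.rate
        self.tokens = min(self.burst, self.tokens + refill)
        self.stamp = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return 0.0
        return (1.0 - self.tokens) / self.rate


class Throttle:
    """Per-address flow control as a gateway would apply it (hypothetical)."""

    def __init__(self, rate=5.0, burst=10, idle_ttl=60.0, clock=time.monotonic):
        # An evicted bucket must already have refilled completely, otherwise
        # eviction would hand a throttled client a fresh burst.
        if idle_ttl < burst / rate:
            raise ValueError("idle_ttl must be at least burst / rate")
        self.rate, self.burst = rate, burst
        self.idle_ttl, self.clock = idle_ttl, clock
        self.buckets = {}
        self.last_sweep = clock()

    def _sweep(self, now):
        """Drop idle buckets so the table itself cannot grow without bound."""
        if now - self.last_sweep >= self.idle_ttl:
            self.buckets = {addr: b for addr, b in self.buckets.items()
                            if now - b.stamp < self.idle_ttl}
            self.last_sweep = now

    def check(self, client_addr):
        """Return (HTTP status, headers) for one request from client_addr."""
        now = self.clock()
        self._sweep(now)
        bucket = self.buckets.setdefault(
            client_addr, TokenBucket(self.rate, self.burst, now))
        wait = bucket.take(now)
        if wait == 0.0:
            return 200, {}
        # 429 Too Many Requests, with a hint for well-behaved clients.
        return 429, {"Retry-After": str(math.ceil(wait))}
```

A per-address limit bounds what any single source can consume; traffic spread across many addresses still has to be absorbed upstream, for example by the DDoS protection of a CDN or WAF.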

CDN/Web Application Firewall


A Web Application Firewall (WAF) is a special type of firewall that applies specifically to web applications. It monitors and filters traffic to and from a particular website, detecting and blocking malicious traffic while legitimate traffic proceeds normally. It also protects web applications from a series of attacks at the application layer, such as cross-site scripting (XSS) and SQL injection, among others. The difference between an application firewall and a network firewall is that a network firewall protects a local network from unauthorized access, while a WAF focuses on application traffic (HTTP) and provides data flow analysis. To provide maximum protection, a WAF needs to be able to analyze HTTPS, and therefore needs to decrypt the SSL/TLS-encrypted traffic.

In the late 1990s, the Content Delivery Network (CDN) was created to provide high availability and performance through a distributed network of proxy servers and their data centers as a means of alleviating Internet performance bottlenecks. Basically, the CDN helps to minimize the delays in loading the content of a web page, reducing the physical distance between the server and the user, which allows viewing the content in high quality and from anywhere in the world without slow loading time.

CDN is actually a term that covers different types of content delivery services: video streaming, software download, web, and mobile content acceleration, licensed/managed CDN, transparent cache, and services to measure performance, load balancing, analytics, and intelligence in the cloud. Thus, CDN providers can cross-check their services with the resources associated with system security, for example, through DDoS protection and web application firewall (WAF) and WAN optimization.

With the strengthening of cloud computing over the past few years, CDNs have become a trend involving all the layers that make up this market, from SaaS services (like Google Drive) to IaaS (like AWS) and PaaS (like Google App Engine). Some of the most popular CDNs include StackPath, Sucuri, Cloudflare, KeyCDN, Rackspace, Google Cloud CDN, CacheFly, and Amazon CloudFront.


DNS service automated by configuration management tools

The Domain Name System (DNS) is a hierarchical system that translates understandable domain names into numeric identifiers (IP addresses). Being a central part of the Internet, DNS provides a way to combine names (a website you are searching for on the web, for example) with numbers (the address of the website itself, called URL).

Anything connected to the Internet, whether laptops, tablets, cell phones or, of course, websites, has an Internet Protocol (IP) address made up of numbers. Domain names are alphabetic; however, the Internet is based on numeric IP addresses, so a DNS server is required for computers to communicate.

So, why is this extremely critical and important in the context of cloud computing? It starts with an organization’s reputation, which can be seriously affected depending on the availability of its applications and websites. This is where attackers can do serious damage – affecting DNS services, for example, and thereby preventing users from accessing applications and websites. A cloud DNS management strategy, in this context, becomes essential.

It is worth remembering that, in a cloud computing ecosystem, each public cloud provider has its own domain management service and DNS records. These cloud management services offer a low latency solution (less than 10 seconds real-time vs. live streaming), high availability, security and savings for users to host their applications and services.

Many DNS management tools are available in the cloud computing market today. Among them, the most popular DNS management tools are: Amazon Route 53, Google Cloud DNS, DNS Made Easy, Dyn and DNSimple. Developers often choose Amazon Route 53 because of its high availability benefits over competitors, while Google Cloud DNS is often chosen for the credibility of the strong “supported by Google” commercial appeal.

In the next post, the 6th in the cloud series for beginners, we will cover the concepts of Continuous Integration, Continuous Delivery and Continuous Deployment in the cloud, from the DevOps point of view.
