February 20, 2020 | By Henrik Loeser and Dimitri Prosper | 3 min read

With the general acceptance of the benefits from cloud computing, enterprises are looking into how to leverage public cloud for more critical workloads.

Protecting sensitive data is a must, not just for legal and compliance reasons, but also to safeguard company assets. 

In this blog post and the related code repository, we describe how security for popular web application frameworks can be adapted for enterprise solutions that require the highest degree of data protection. Using the Hyper Protect services on IBM Cloud, we transform a solution based on a common app framework for full authority over data. Using services on FIPS 140-2 Level 4 certified hardware, we are able to protect highly sensitive corporate data.

Overview: Hyper Protect Virtual Server

Hyper Protect Virtual Server (HP-VS) is the most recent addition to the Hyper Protect family of services, built on the high security and reliability of the IBM LinuxONE on IBM Z hardware. It allows for very fast deployment of a virtual server running the Ubuntu operating system, where you can deploy your application/code. 

HP-VS offers the ability to lock down access to your instances and data, with no one except you or your designated proxy having access to these instances. The service is currently available in the multi-zone regions (MZRs) of Dallas, Frankfurt, and Sydney.

Sample scenario

You may already have seen or even deployed our tutorial on how to apply end-to-end security to a cloud application. We are reusing that scenario of a file sharing application and replacing a few of the services with Hyper Protect services. You can find the updated code in this GitHub repository.

The application is built with Vue.js (frontend) and Node.js (backend) and the deployment environment utilizes the following: 

Deployment scenarios

The repository walks you through the process of creating Hyper Protect Virtual Server instances in a single availability zone, while all the other services are provided across multiple availability zones.

Single-zone deployment of HP-VS

With the solution deployed in a single zone, data flows through the application as described in the following steps and as shown in the architecture diagram:

  1. A user opens the application and triggers a login request in the app. This kicks off the authentication process.
  2. App ID begins the authentication process by displaying the Login Widget.
  3. The user provides a username or email and password. Once identity is confirmed, the user is redirected to the application.
  4. The application reads/writes to a Cloud Object Storage (COS) bucket.
  5. The application reads/writes a table in the Hyper Protect DBaaS for PostgreSQL for metadata information on files stored in the COS bucket.
  6. Hyper Protect Crypto Services is responsible for encrypting the data stored in the COS bucket and the PostgreSQL database. Identity and Access Management is used to allow for the Virtual Server to access the encryption key for read/write access to the data.

Multi-zone deployment of HP-VS

With the solution deployed across multiple zones, data flows through the application as described in the following steps and as shown in the architecture diagram:

In this scenario, three (3) virtual servers are deployed across three (3) availability zones within the region. Cloud Internet Services is also deployed as a load balancer for the application traffic and as an additional security layer (SSL/TLS, DDoS protection, caching).

Getting started

Log in to your IBM Cloud account and get started with our sample code on GitHub. The repository includes a complete guide to creating the environment required, along with step-by-step instructions on deploying and configuring the application.

Conclusions and feedback

With more enterprise solutions deployed in the public cloud, protecting sensitive data is a must, not just for legal and compliance reasons, but also to safeguard company assets. With this blog and the related code, we have shown how to leverage Hyper Protect services to increase existing security even more and benefit from additional protection of FIPS 140-2 Level 4 certified systems.

Want to read more?

If you have feedback, suggestions, or questions about this post, please reach out to us on Twitter (@data_henrik) or LinkedIn (Dimitri, Henrik). You can also open GitHub issues on the related code samples for clarifications.
