How-tos

Tutorial: Apply End-to-End Security to Cloud Applications

Share this post:

IBM Cloud services working together to provide security

Have you ever wondered how to secure your cloud application? In a new solution tutorial, we show how different IBM Cloud services work together to apply end-to-end security to your applications. You will learn to capture and review security-related events, encrypt cloud storage using your own keys (i.e., bring your own key—BYOK), plug user authentication directly into Kubernetes Ingress, and safely manage your Docker image in a private registry and scan it for vulnerabilities.

Overview

In our new IBM Cloud solution tutorial, we walk you through all the steps to create a cloud app that incorporates several security-related services and features. We have chosen a secure file storage app as a sample scenario (see screenshot below). After authenticating, users upload files into their workspace. Those files can be shared with others via generated access links. The links expire automatically. Security-related events for the IBM Cloud account are logged and are reviewed as part of the tutorial. The app is written in Node.js and deployed as Docker container on a Kubernetes cluster.

Secure File Storage app with end to end security

Secure File Storage App

Cloud services and architecture

In the tutorial, we use the following IBM Cloud services:
  • IBM Cloud Activity Tracker to log all security-related events. This includes logging into the account, provisioning or deleting services, working with encryption keys, and more.
  • IBM Cloud Key Protect to manage encryption keys. For the tutorial, we generate a root key for envelopeencryption of stored files. You could also import your own root key (i.e., bring your own key—BYOK). We use the root key to create encrypted buckets in the IBM Cloud Object Storage service.
  • IBM Cloud Object Storage (COS) service to produce expiring links to individual files. The links can be shared with others and expire after the set amount of time so that the file cannot be accessed thereafter.
  • IBM Cloud App ID as a wrapper around Identity Providers to manage authentication and authorization through a single interface. It supports both social logins (e.g., Facebook, Google) as well as enterprise directories (SAML). The App ID service can be directly integrated with Kubernetes Ingress.
  • IBM Cloud Container Registry as a private image registry from which we deploy the application as a container into a Kubernetes cluster (IBM Cloud Kubernetes Service). The container registry includes a Vulnerability Advisors that scans for and assesses container vulnerability and then recommends fixes.
Architecture diagram for the secure file storage app with end-to-end security

Solution Architecture: Secure File Storage App

Summary

To learn more about how to apply end-to-end security to your new app on IBM Cloud, head over to the IBM Cloud solution tutorials in the documentation. Best of all, the code for the security tutorial is shared on GitHub in this repository. If you are in a hurry, it even allows you to deploy the full Node.js in Docker application and its services with the press of a button via toolchain.

Technical Offering Manager / Developer Advocate

Vidyasagar Machupalli

Technical Offering Manager & Polyglot Programmer | IBM Cloud

More How-tos stories
December 12, 2018

Deploying to IBM Cloud Private 3.1 with IBM Cloud Developer Tools CLI

IBM Cloud Developer Tools CLI version 2.1.12 adds deployment support for IBM Cloud Private 3.1.

Continue reading

December 7, 2018

Highly Available Applications with IBM Cloud Foundry

To properly deploy an application in a cloud environment and ensure maximum responsiveness, your app needs to be deployed in a certain (and easy) way that maximizes the chance of an instance always being ready to respond to a user request. This article will explain how to deploy your Cloud Foundry applications in the IBM Cloud such that you reach your target application availability.

Continue reading

December 5, 2018

Cloud Foundry Container-to-Container Networking

If you're like many developers who are deploying applications to Cloud Foundry, you probably don't think about networking too often. After all, as a PaaS, Cloud Foundry takes care of all the routing and connectivity for you. There is one feature, however, you might consider before writing your next app: container-to-container networking.

Continue reading