How-tos

Tutorial: Apply End-to-End Security to Cloud Applications

Share this post:

IBM Cloud services working together to provide security

Have you ever wondered how to secure your cloud application? In a new solution tutorial, we show how different IBM Cloud services work together to apply end-to-end security to your applications. You will learn to capture and review security-related events, encrypt cloud storage using your own keys (i.e., bring your own key—BYOK), plug user authentication directly into Kubernetes Ingress, and safely manage your Docker image in a private registry and scan it for vulnerabilities.

Overview

In our new IBM Cloud solution tutorial, we walk you through all the steps to create a cloud app that incorporates several security-related services and features. We have chosen a secure file storage app as a sample scenario (see screenshot below). After authenticating, users upload files into their workspace. Those files can be shared with others via generated access links. The links expire automatically. Security-related events for the IBM Cloud account are logged and are reviewed as part of the tutorial. The app is written in Node.js and deployed as Docker container on a Kubernetes cluster.

Secure File Storage app with end to end security

Secure File Storage App

Cloud services and architecture

In the tutorial, we use the following IBM Cloud services:
  • IBM Cloud Activity Tracker to log all security-related events. This includes logging into the account, provisioning or deleting services, working with encryption keys, and more.
  • IBM Cloud Key Protect to manage encryption keys. For the tutorial, we generate a root key for envelopeencryption of stored files. You could also import your own root key (i.e., bring your own key—BYOK). We use the root key to create encrypted buckets in the IBM Cloud Object Storage service.
  • IBM Cloud Object Storage (COS) service to produce expiring links to individual files. The links can be shared with others and expire after the set amount of time so that the file cannot be accessed thereafter.
  • IBM Cloud App ID as a wrapper around Identity Providers to manage authentication and authorization through a single interface. It supports both social logins (e.g., Facebook, Google) as well as enterprise directories (SAML). The App ID service can be directly integrated with Kubernetes Ingress.
  • IBM Cloud Container Registry as a private image registry from which we deploy the application as a container into a Kubernetes cluster (IBM Cloud Kubernetes Service). The container registry includes a Vulnerability Advisors that scans for and assesses container vulnerability and then recommends fixes.
Architecture diagram for the secure file storage app with end-to-end security

Solution Architecture: Secure File Storage App

Summary

To learn more about how to apply end-to-end security to your new app on IBM Cloud, head over to the IBM Cloud solution tutorials in the documentation. Best of all, the code for the security tutorial is shared on GitHub in this repository. If you are in a hurry, it even allows you to deploy the full Node.js in Docker application and its services with the press of a button via toolchain.

Technical Offering Manager

Vidyasagar Machupalli

Technical Offering Manager & Polyglot Programmer | IBM Cloud

More How-tos stories
October 19, 2018

Part 1: Build Messaging Solutions with Apache Kafka or Event Streams for IBM Cloud

As part of the iterative approach described in the main introduction blog of this series, the first step is to building messaging solutions is to identify the use case requirements and quantify these requirements as much as possible in terms of Apache Kafka and Event Streams.

Continue reading

October 18, 2018

Mount iSCSI Block Storage on VMware ESXi 6.5U2

It seems like pretty much everyone is using VMware ESXi virtualization nowadays. In this article, I'll cover how to mount IBM Cloud Block Storages onto this popular hypervisor using the iSCSI protocol.

Continue reading

October 18, 2018

Journey to Cloud – Moving On-Premise Mobile Foundation Apps to IBM Cloud

IBM MobileFirst Platform Foundation powers many on-premise customers in more than 50 countries, delivering the best-of-the-best apps and serving a large number of users. IBM Cloud Mobile Foundation Service offers all the same capabilities available in on-premise MobileFirst Foundation, with the additional benefits of fully managed service with instant deployment and scale-out option.

Continue reading