With the general acceptance of the benefits from cloud computing, enterprises are looking into how to leverage public cloud for more critical workloads.
Protecting sensitive data is a must, not just for legal and compliance reasons, but also to safeguard company assets.
In this blog post and the related code repository, we describe how security for popular web application frameworks can be adapted for enterprise solutions that require the highest degree of data protection. Using the Hyper Protect services on IBM Cloud, we transform a solution based on a common app framework for full authority over data. Using services on FIPS 140-2 Level 4 certified hardware, we are able to protect highly sensitive corporate data.
Overview: Hyper Protect Virtual Server
Hyper Protect Virtual Server (HP-VS) is the most recent addition to the Hyper Protect family of services, built on the high security and reliability of the IBM LinuxONE on IBM Z hardware. It allows for very fast deployment of a virtual server running the Ubuntu operating system, where you can deploy your application/code.
HP-VS offers the ability to lock down access to your instances and data, with no one except you or your designated proxy having access to these instances. The service is currently available in the multi-zone regions (MZRs) of Dallas, Frankfurt, and Sydney.
You may already have seen or even deployed our tutorial on how to apply end-to-end security to a cloud application. We are reusing that scenario of a file sharing application and replacing a few of the services with Hyper Protect services. You can find the updated code in this Github repository.
- Hyper Protect Crypto Services for key management service (KMS) and hardware security module (HSM).
- Hyper Protect DBaaS for PostgreSQL for metadata around uploaded files, encrypted via HP-CS.
- Hyper Protect Virtual Server for hosting the application.
- Cloud Object Storage for object storage encrypted via HP-CS.
- App ID for user registration and authentication.
The repository walks you through the process of creating instances for Hyper Protect Virtual Server in a single availability zone, even though all the other services are provided for across multiple availability zones.
Single-zone deployment of HP-VS
With the solution deployed in a single zone, data flows through the application as described in the following steps and as shown in the architecture diagram:
- A user opens the application and triggers a login request in the app. This kicks off the authentication process.
- App ID begins the authentication process by displaying the Login Widget.
- The user provides a username or email and password. Once identity is confirmed, the user is redirected to the application.
- The application reads/writes to a Cloud Object Storage (COS) bucket.
- The application reads/writes a table in the Hyper Protect DBaaS for PostgreSQL for metadata information on files stored in the COS bucket.
- Hyper Protect Crypto Services is responsible for encrypting the data stored in the COS bucket and the PostgreSQL database. Identity and Access Management is used to allow for the Virtual Server to access the encryption key for read/write access to the data.
Multi-zone deployment of HP-VS
With the solution deployed in a multi-zone, data flows through the application as described in the following steps and as shown in the architecture diagram:
In this scenario, three (3) virtual servers are deployed across three (3) availability zones within the region. The Cloud Internet Service is also deployed as load balancer for the application traffic and as additional security feature (SSL/TLS, DDoS protection, caching).
Log in to your IBM Cloud account and get started with our sample code on GitHub. The repository includes a complete guide to creating the environment required, along with step-by-step instructions on deploying and configuring the application.
Conclusions and feedback
With more enterprise solutions deployed in the public cloud, protecting sensitive data is a must, not just for legal and compliance reasons, but also to safeguard company assets. With this blog and the related code, we have shown how to leverage Hyper Protect services to increase existing security even more and benefit from additional protection of FIPS 140-2 Level 4 certified systems.
Want to read more?
- Tutorial: How to apply end-to-end security to a cloud application.
- Blog: Cloud App Security - What Makes a Secure App?
- Overview: IBM Cloud Hyper Protect Services
If you have feedback, suggestions, or questions about this post, please reach out to us on Twitter (@data_henrik) or LinkedIn (Dimitri, Henrik) . You can also open GitHub issues on related code samples for clarifications.