Tutorial: Apply End-to-End Security to Cloud Applications
By Henrik Loeser and Vidyasagar Machupalli
IBM Cloud services working together to provide security
Have you ever wondered how to secure your cloud application? In a new solution tutorial, we show howdifferent IBM Cloud services work together to apply end-to-end security to your applications. You will learn to capture and review security-related events, encrypt cloud storage using your own keys (i.e., bring your own key—BYOK), plug user authentication directly into Kubernetes Ingress, and safely manage your Docker image in a private registry and scan it for vulnerabilities.
In our new IBM Cloud solution tutorial, we walk you through all the steps to create a cloud app that incorporates several security-related services and features. We have chosen a secure file storage app as a sample scenario (see screenshot below). After authenticating, users upload files into their workspace. Those files can be shared with others via generated access links. The links expire automatically. Security-related events for the IBM Cloud account are logged and are reviewed as part of the tutorial. The app is written in Node.js and deployed as Docker container on a Kubernetes cluster.
Secure File Storage App
Cloud services and architecture
In the tutorial, we use the following IBM Cloud services:
IBM Cloud Activity Tracker to log all security-related events. This includes logging into the account, provisioning or deleting services, working with encryption keys, and more.
IBM Cloud Key Protect to manage encryption keys. For the tutorial, we generate a root key for envelopeencryption of stored files. You could also import your own root key (i.e., bring your own key—BYOK). We use the root key to create encrypted buckets in the IBM Cloud Object Storage service.
IBM Cloud Object Storage (COS) service to produce expiring links to individual files. The links can be shared with others and expire after the set amount of time so that the file cannot be accessed thereafter.
IBM Cloud App ID as a wrapper around Identity Providers to manage authentication and authorization through a single interface. It supports both social logins (e.g., Facebook, Google) as well as enterprise directories (SAML). The App ID service can be directly integrated with Kubernetes Ingress.
IBM Cloud Container Registry as a private image registry from which we deploy the application as a container into a Kubernetes cluster (IBM Cloud Kubernetes Service). The container registry includes a Vulnerability Advisors that scans for and assesses container vulnerability and then recommends fixes.
Solution Architecture: Secure File Storage App
To learn more about how to apply end-to-end security to your new app on IBM Cloud, head over to the IBM Cloud solution tutorials in the documentation. Best of all, the code for the security tutorial is shared on GitHub in this repository. If you are in a hurry, it even allows you to deploy the full Node.js in Docker application and its services with the press of a button via toolchain.