Cloud Application Architecture
It is important that we examine the mechanisms behind the scenes that make application security and software development for the cloud work, as well as the weaknesses and vulnerabilities associated with each.
Readers need to understand how to evaluate and discover these for the customer.
To do so, we will now examine APIs in more detail.
Application programming interfaces (APIs) are the coding components that allow applications to speak to one another, generally through a web interface of some kind.
What Does Cloud Application Programming Interface (Cloud API) Mean?
There are two common types of APIs in use with cloud-based applications today that readers must understand.
The first is RESTful APIs. REST stands for Representational State Transfer.
It is based on guidelines and best practices for creating scalable web applications.
These standards, when followed, allow web applications to access other applications, databases, and so on in order to extend their functionality.
Other characteristics of the REST model include the following:
- It’s lightweight.
- It uses simple URLs.
- It is not reliant on XML.
- It’s scalable.
- It outputs in many formats (CSV, JSON, and so on).
- It’s efficient, which means it uses smaller messages than XML.
Some examples of situations where REST works well are:
- When bandwidth is limited
- When stateless operations are used
- When caching is needed
The other common type of APIs is SOAP APIs.
Simple Object Access Protocol (SOAP) is a protocol specification providing for the exchange of structured information or data in web services.
It also works over other protocols such as SMTP, FTP, and HTTP.
Some of the characteristics of SOAP include the following:
- Reliant on XML
- Highly intolerant of errors
- Built-in error handling
Some examples of situations where SOAP works or fits in better are:
- Asynchronous processing
- Format contracts
- Stateful operations
Neither API format is necessarily better than the other.
They each have their place and work in different ways depending on their use and the needs of the application.
Later we will revisit APIs as they relate to the software development life cycle and supply chain management.
In addition, there may be other APIs in play that a user is not aware of but that are used on the same system.
What is cloud multitenancy? | Multitenant architecture
Multitenancy refers to the notion of hosting multiple cloud tenants on a single host while sharing resources.
A typical host machine can support numerous virtual tenants based on the amount of CPU, RAM, and storage it has.
These tenants, while running on the same host, are maintained separately in their virtual environments.
This is known as tenancy separation.
It is vitally important that configurations be made in such a way as to ensure absolute adherence to this principle.
If not, such issues as data leakage and corruption could occur. Imagine an accounting program computing with someone else’s data. The results could be disastrous.
On the other hand, imagine that another company has gotten access to your personal information because of storage misconfigurations.
The tenant could be exposed to regulatory, legal, or financial damages should such an instance occur. And, as we have stated repeatedly, it is the data owner who is ultimately responsible.
If a misconfiguration were to occur, you might have recourse with your provider, but that does not preclude you from bearing legal responsibility for your users.
Both cloud providers and cloud customers may consider using mainframes in circumstances where tenancy separation is paramount and other solutions aren’t suitable.
What is cryptography in cloud computing?
What Does “Encryption of Data at Rest” mean in cloud computing?
Data at rest, whether it be short-term or long-term storage, should be protected from multitenancy issues and similar problems.
When working in the cloud, you are in a shared environment and must always be aware of possible data leakage.
Therefore, encrypting data at rest is a great way to prevent anyone from seeing data that they are not authorized to see.
Encryption involves the use of keys. Without access to the proper keys, the data is unreadable and unusable, which ensures its safety from prying eyes.
This use of encryption also protects the consumer from what might ultimately be determined to be lawful but unwanted access to their data.
There may be situations where, while your data is logically separated from someone else’s data, both sets of data are physically stored together on a hard drive that is confiscated for legal reasons.
You would not want the police or other prying eyes to have access to your data even though they have a valid warrant for other data on the same drive.
What Does “Encryption of Data in Transit” mean in cloud computing?
Encryption of data in transit is necessary for many of the same reasons, with the added threat that while data is being transmitted, unauthorized eyes might land on it or redirect it, causing data leakage.
Encrypting data in transit also uses encryption keys, typically in the form of SSL certificates.
The proper care of those certificates is paramount. If they are compromised, you have lost the keys to the kingdom. Cloud-based certificate providers spend millions of dollars on securing their operations for this very reason.
What Does “Encryption of Data while in use” mean in cloud computing?
Another use case of encryption that is not anywhere close to widespread adoption is something called homomorphic encryption.
The idea is that if we could keep a dataset encrypted while it is being manipulated in memory or shared with another application, we would never have to decrypt it, making the data transaction safer by orders of magnitude.
Another way to look at this is that homomorphic encryption will produce the same result when operating on ciphertext as would occur using the same data in cleartext.
However, it is not an effective solution today.
The single most effective way to combat multitenancy issues, data leakage and similar problems is by using encryption.
We call the field of dealing with encryption cryptography. It has to do with different types, strengths, and uses of encryption to protect datasets from unauthorized access.
We have mentioned the notion of data at rest, data in transit, and data storage or archiving.
Each of these uses slightly different encryption technology to achieve the same result, which is to keep prying eyes from seeing what they should not be allowed to see and to provide for integrity or nonrepudiation.
How does “Transport Layer Security (TLS)” work in cloud computing?
TLS is a protocol designed to ensure privacy when communicating between applications.
This can occur between two servers such as two SMTP servers passing mail, or between a client and a web server as in the case of an application that passes confidential or protected information of some type.
In years gone by, this type of encryption put a burden on both the server and the client, but today’s advanced application-specific integrated circuits (ASICs) solve that problem.
These chips are designed specifically to handle cryptographic functions and are therefore much faster and more efficient than having the main CPU in a machine handle the encryption.
This is known as crypto offloading, but that term is not included in the actual Cloud application architecture.
How does “Secure Sockets Layer (SSL)” work in cloud computing?
Invented and first adopted by Netscape back in the mid-1990s, SSL was originally meant to encrypt data transmissions between servers, much like its replacement TLS.
SSL was deprecated in 2015 but is still used in many enterprises since it was ubiquitous and upgrading or transitioning can be costly and time-consuming.
What are “Virtual Private Networks (VPNs)” in cloud computing?
Virtual private networks were developed as we began to acquire more and more bandwidth to satisfy the needs of remote workers to securely access data on their company’s internal networks.
There are two types of VPNs: purely virtual and virtual with security.
The first is what you still see in Multiprotocol Label Switching (MPLS) networks (somewhat similar to the older frame relay circuits used in the 1990s) whereby a shim is attached to each packet traversing the MPLS network.
This is much like a Layer 2 VLAN shim, but it moves the data across a WAN. However, while the packet, in theory, cannot be seen by any other packets because of its distinguishing shim, it is not encrypted.
It is a VPN but without the benefit of encryption.
An encrypted VPN should technically be referred to as an IPSec VPN, meaning it is a VPN of the IPSec (IP security) type.
This then accomplishes the idea of having a worker remotely connect from their workstation or laptop to the corporate VPN or IPSec gateway.
What is “Whole-Instance Encryption” in cloud computing?
Better known as whole-disk encryption (WDE), this is the idea of encrypting all of a system’s data at rest in one instance.
Rather than having special folders, the entire storage medium is encrypted.
In today’s world of lightweight and super-fast smart devices and laptops, it is a good idea to encrypt your entire data storage.
Again, consider the issue of the criminal who is sharing space with you in a cloud multitenant environment who gets arrested, and the police seize all the cloud hard drives, including the one with your data, even if you are not part of the problem.
Without some form of encryption, your entire dataset is at risk of being exposed.
In addition, in a virtualized environment such as cloud computing, snapshots are made of the virtual machines for recovery purposes.
These, too, can be seized or accessed if not properly encrypted.
And lastly, as mentioned previously, in years past this type of encryption would generally destroy the performance of anything but the most powerful machines.
But with the advent of stronger and faster processors, even a small smart device can be totally encrypted without harming performance.
What is “Volume Encryption” in cloud computing?
Much like encrypting an entire device, volume encryption refers to only encrypting a partition on a hard drive as opposed to the entire disk.
This is useful when the entire disk does not need to be encrypted as only the protected sections have data of any value.
You may have a cloud-based accounting application that stores and manipulates financial data.
You certainly want the data of your finances encrypted to protect them, but it may not be necessary to also have the part of the volume or disk with the software encrypted since it contains no data of any value.
Sometimes customers or users will add an additional layer of protection by encrypting files or folders.
This way, they hold the keys to unencrypt the data, should the disk or volume be breached in some manner.
Keep in mind that the key (no pun intended) to securing any encryption scheme is the safe storage and management of the keys used to encrypt and decrypt.
What does “Sandboxing” mean in cloud computing?
Sandboxing can mean many things today, but in the realm of cloud computing, sandboxing refers to the concept of a protected area being utilized for testing untested or untrusted code or to better understand if an application is working the way it was intended to work.
These sandboxes are usually protected areas in memory that will not allow processes of any kind to run outside the environment or allow access inside from any other application or process.
Many developers today will rent such cloud platforms specifically for testing.
Because the model is based on metered usage, the developer only has to pay for it as long as they are using it.
Once the application development has been completed, they can turn the service down and stop paying for it.
What is “Application Virtualization” in cloud computing?
Application virtualization is a somewhat misunderstood term. The idea of application virtualization has to do with running applications in a trusted virtual environment.
It is a little like sandboxing, but instead of sandboxing a process, application virtualization allows you to run full applications in a protected space.
In addition, because you are doing this virtually, you can run applications that would otherwise not run on the host system.
The best example of this is the Linux application WINE.
WINE is itself an application virtualization platform that then provides a Linux machine with the ability to run Windows-based applications.
This also provides for a space where new apps can be tested, for instance with Windows, without allowing the app to touch what would normally be the external Windows machine.
Microsoft App-V and XenApp also allow users to perform application virtualization.
All of these mechanisms are designed to allow testing applications for such things as whether they will work appropriately in the cloud.
However, there are other considerations as well that need to be accounted for.
These include processes to define and assert some type of software assurance and validation.
We must be able to articulate the processes involved in ensuring that our applications function as needed and required, while also mitigating the risks of any vulnerabilities, defects, and malicious code.