From certificates to key vaults: Security in cloud architecture matters

September 10 2019

When I approach cloud projects, I've adopted and continue to perfect a microservices architecture. This means that I use message queues to broker events between different services. I've come to realize that small differences in architecture between different cloud providers often matter more than the underlying technology of the cloud as a whole. While features matter, nailing down a good architecture saves money and prevents headaches down the road in a cloud project. For me, taking a microservices approach, Microsoft Azure stands out because of its support for template deployments and use of key vaults.

Let's take a look at some of the areas where architecture matters most, such as security certificates, authorization and key vaults, and how these might impact a cloud project.

Security standards

All programming languages and platforms support HTTP client libraries. This includes Java, .NET, Python, Ruby, JavaScript, Xamarin and many others. All four major clouds support the OAuth 2 Standard, which provides authentication for HTTP clients. Specifically, they support various types of tokens from the login or claims service. However, the types of tokens, the encryption of the Authorization headers, and the authority vary between each of them. For instance, some may support "bearer" tokens while others support "SAML" tokens.

The Authority is the claims service that authenticates you as a user and authorizes your claim to a resource. In other words, you log into the Authority and it sends back a token. The token you obtain will document which applications, groups and permissions you may use with this login. The tokens are obtained through the directory service on each cloud. You have to maintain the directories in each cloud separately, although you can federate and synchronize all of the clouds through your Active Directory service.
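As an added example (not code from the original post), here is how a service would check a bearer token from the Authority before trusting the applications and groups it lists: the signature, issuer, audience and expiry are verified first, and only then are the group claims used for authorization. The issuer URL, audience id and shared HS256 secret are constructed assumptions.

```python
import base64, hashlib, hmac, json, time

# Constructed values: in production the Authority signs with a private key (e.g. RS256) and the
# service verifies with its published public key; a shared HS256 secret is used here so it runs offline.
AUTHORITY_SECRET = b"example-shared-secret-do-not-reuse"
EXPECTED_ISSUER = "https://login.example.test/"  # hypothetical Authority (claims service)
EXPECTED_AUDIENCE = "api://orders-service"        # hypothetical application id the token must name

def b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def issue_token(claims):
    """Mint an HS256 JWT the way a test Authority would (demo helper only)."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(AUTHORITY_SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"

def validate_bearer(authorization_header, now=None):
    """Return the verified claims, or raise ValueError saying why the token is rejected."""
    now = time.time() if now is None else now
    scheme, _, token = authorization_header.partition(" ")
    parts = token.split(".")
    if scheme != "Bearer" or len(parts) != 3:
        raise ValueError("not a well-formed bearer JWT")
    header_b64, payload_b64, sig_b64 = parts
    # Pin the algorithm: never let the token choose it (blocks alg=none / key confusion).
    if json.loads(b64url_decode(header_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(AUTHORITY_SECRET, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload_b64))
    if claims.get("iss") != EXPECTED_ISSUER:
        raise ValueError("token not issued by the trusted authority")
    if claims.get("aud") != EXPECTED_AUDIENCE:
        raise ValueError("token not issued for this application")
    if now >= claims.get("exp", 0):
        raise ValueError("token expired")
    return claims

def allowed(claims, group):
    """Authorization decision: the token lists the groups this login may act as."""
    return group in claims.get("groups", [])
```

The same checks apply with an RS256 token from a real directory service; only the signature step changes to a public-key verification against the Authority's published keys.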

Key vaults: The magic bullet for security

About Tracy Rooks

Tracy Rooks was born in Florida and is a graduate of the University of Central Florida in Orlando. He passed the Uniform Certified Public Accountant examination and worked for such prestigious firms as Price Waterhouse in Jacksonville, Florida and Coopers and Lybrand in Ft. Lauderdale, Florida. Tracy has owned several successful IT solutions startups including T Squared Software, which he merged into 11Binary in 2014. Tracy currently holds the position of Chief Cloud Architect with this organization.

Tracy has built software for some of the largest and smallest companies in the world including Northrop Grumman, Winter Haven Hospital, Home Shopping Network, Jabil Circuit, Petco, Promis Solutions, TKE and MGM Resorts. In the past several years Tracy has championed and programmed a Microservices Lightweight Messaging Architecture including a Universal Data Storage component capable of handling petabytes of data, a Universal Logic Layer capable of designing business rules and algorithms for big data situations and finally a Universal Analytics and AI platform for predictive analytics. These tools do not require software engineers and may be used by trained business analysts.

Tracy likes to fish in the St. Johns River near his home in the historic district of Sanford, Florida near Orlando. He often travels to visit his son and grandchildren in Las Vegas and Nashville.
