What about ‘Security’? is perhaps the most frequent question I get around cloud migrations. I like to break up the ask into two components – Infrastructure Security and Application Security. Unlike with traditional datacenter-hosted apps, a developer needs to be intimately familiar with networking security in their chosen public cloud.

Infrastructure Security

While this list isn’t exhaustive, it contains some of the more common aspects of securing cloud resources using a combination of cloud networking constructs and on-premises constructs (VPN software, customer gateways, etc.).

  1. VPCs and Subnets
  2. Security Groups
  3. VPN
  4. Bastion Hosts
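The four constructs above work together: subnets carve the VPC into tiers, security groups decide which tier may talk to which, and the VPN plus bastion host are the only sanctioned paths for administrative access. The following is an added example (not the author's code) that audits a constructed set of security-group ingress rules for the mistakes that undo that design: admin ports open to the internet, admin ports allowed from a broad CIDR instead of the bastion's security group, and an all-traffic rule. The group ids, the corporate VPN range and the rule set are assumptions for illustration.

```python
"""Audit security-group ingress rules for exposures that the VPC / bastion /
VPN design is meant to prevent. Added example; rules are constructed
sample data, not from a real account."""
import ipaddress
from dataclasses import dataclass

ADMIN_PORTS = {22, 3389}  # SSH and RDP: should only be reachable via the bastion


@dataclass(frozen=True)
class Rule:
    group: str       # security group the rule belongs to (assumed ids)
    proto: str       # "tcp", "udp" or "-1" meaning all protocols
    from_port: int
    to_port: int
    source: str      # CIDR, or another security-group id ("sg-...")


def covers(rule, port):
    """True if the rule admits TCP traffic to the given port."""
    return rule.proto == "-1" or (
        rule.proto == "tcp" and rule.from_port <= port <= rule.to_port
    )


def is_world(source):
    """True for 0.0.0.0/0 or ::/0; a security-group source is never 'world'."""
    if source.startswith("sg-"):
        return False
    return ipaddress.ip_network(source, strict=False).prefixlen == 0


def audit(rules, bastion_sg="sg-bastion", corporate_cidr="203.0.113.0/24"):
    """Return (group, port, reason) findings for rules that bypass the bastion."""
    findings = []
    for r in rules:
        if r.proto == "-1" and is_world(r.source):
            findings.append((r.group, "all", "every port open to the internet"))
            continue
        for port in sorted(ADMIN_PORTS):
            if not covers(r, port):
                continue
            if is_world(r.source):
                findings.append((r.group, port, "admin port reachable from the internet"))
            elif r.group == bastion_sg:
                # The bastion itself should only accept admin traffic from the VPN range.
                if r.source != corporate_cidr:
                    findings.append((r.group, port, "bastion admin port not limited to the corporate/VPN range"))
            elif r.source != bastion_sg:
                findings.append((r.group, port, "admin port not restricted to the bastion security group"))
    return findings


# Constructed sample rule set (203.0.113.0/24 is an RFC 5737 documentation range).
SAMPLE_RULES = [
    Rule("sg-bastion", "tcp", 22, 22, "203.0.113.0/24"),  # SSH to bastion from corporate VPN: fine
    Rule("sg-web", "tcp", 443, 443, "0.0.0.0/0"),         # public web tier on HTTPS: fine
    Rule("sg-web", "tcp", 22, 22, "sg-bastion"),          # SSH to web tier only via bastion: fine
    Rule("sg-db", "tcp", 1433, 1433, "sg-web"),           # SQL only from the web tier: fine
    Rule("sg-db", "tcp", 3389, 3389, "0.0.0.0/0"),        # RDP to the db tier from anywhere: finding
    Rule("sg-legacy", "-1", 0, 65535, "0.0.0.0/0"),       # all traffic from anywhere: finding
    Rule("sg-app", "tcp", 22, 22, "10.0.0.0/16"),         # SSH from the whole VPC, not the bastion: finding
]

if __name__ == "__main__":
    for group, port, reason in audit(SAMPLE_RULES):
        print(f"{group:10} port {port!s:5} {reason}")
```

Running the script against the sample prints three findings (sg-db, sg-legacy, sg-app) and none for the bastion, web and db rules that follow the intended tiering. The same check can be pointed at rules exported from a real account once they are mapped into `Rule` objects.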

Application Security (including Data Security)

Securing applications is, of course, radically different from securing a network. While static and dynamic code analysis is still necessary to catch OWASP-class vulnerabilities, there are aspects beyond code analysis that factor into a public-cloud-hosted app.

  1. User Authentication – e.g. using Azure AD
  2. Line to Line Security for a web app (Data Transit Encryption) – e.g. web tier to Redis, web tier to SQL Azure, web tier to CDN. Each of these entails a different set of networking constructs and, possibly, encryption.
  3. Data encryption at rest
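Item 2 is easy to get wrong one hop at a time: the web tier may speak TLS to the browser yet reach its cache, database or CDN origin in the clear. The following is an added example (not the author's code) that takes the connection settings a web tier uses for each backing service and flags any hop without transport encryption. It assumes the `rediss://` scheme for TLS-protected Redis and the ADO.NET-style `Encrypt` and `TrustServerCertificate` keywords for SQL Azure; the endpoints themselves are constructed samples.

```python
"""Flag web-tier connections to Redis, SQL Azure and a CDN that would carry
data unencrypted in transit. Added example; endpoints are constructed."""
from urllib.parse import urlparse

# URL schemes that provide transport encryption for each service kind.
SECURE_SCHEMES = {"redis": {"rediss"}, "cdn": {"https"}}


def check_url(tier, kind, url):
    """Return a finding string if the URL scheme is plaintext, else None."""
    scheme = urlparse(url).scheme.lower()
    if scheme in SECURE_SCHEMES[kind]:
        return None
    return f"{tier}: {kind} endpoint {url!r} uses plaintext scheme {scheme!r}"


def check_sql_connection_string(tier, conn):
    """Parse a 'Key=Value;...' SQL connection string and check its TLS settings."""
    kv = {}
    for part in conn.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            kv[key.strip().lower()] = value.strip().lower()
    problems = []
    if kv.get("encrypt") not in ("true", "yes"):
        problems.append(f"{tier}: SQL connection does not set Encrypt=True")
    if kv.get("trustservercertificate") in ("true", "yes"):
        # Encryption without certificate validation still allows an on-path
        # attacker to terminate the TLS session.
        problems.append(f"{tier}: TrustServerCertificate=True disables certificate validation")
    return problems


def audit_links(links):
    """links: {label: (kind, setting)} -> list of finding strings."""
    findings = []
    for tier, (kind, setting) in links.items():
        if kind == "sql":
            findings.extend(check_sql_connection_string(tier, setting))
        else:
            finding = check_url(tier, kind, setting)
            if finding:
                findings.append(finding)
    return findings


# Constructed sample: one good hop and two that need attention.
SAMPLE_LINKS = {
    "web->redis": ("redis", "redis://cache.example.internal:6379"),
    "web->cdn": ("cdn", "https://cdn.example.net/assets"),
    "web->sql": (
        "sql",
        "Server=tcp:db.example.invalid,1433;Database=app;"
        "Encrypt=False;TrustServerCertificate=True",
    ),
}

if __name__ == "__main__":
    for line in audit_links(SAMPLE_LINKS):
        print(line)
```

On the sample this reports the plaintext Redis hop and two SQL problems (no `Encrypt=True`, and certificate validation switched off); the CDN hop passes. Item 3, encryption at rest, is a separate control and is not covered by this transit check.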

Summary

The key takeaway is that prior to creating any of these networking artifacts, one needs to understand their entire application portfolio. Which applications are public facing, which are internal facing and which are both? Which applications require access to on-premises datastores, Token Providers (STSes), Authentication providers (AD) etc.? Unless these questions are answered upfront, you will spend an unnecessary amount of time tearing down and rebuilding your networking components. In a lot of cases, you would end up with ‘network sprawl’ – tons of redundant VPCs, Subnets and Security Groups.

Anuj holds professional certifications in Google Cloud, AWS as well as certifications in Docker and App Performance Tools such as New Relic. He specializes in Cloud Security, Data Encryption and Container Technologies.

Anuj Varma – who has written posts on Anuj Varma, Hands-On Technology Architect, Clean Air Activist.