In this article, we look at “in transit” security; getting your data from the desktop or device to a web application server without having it read or changed by others, and being assured that the exchange is only between the two. We will show that Alpha Cloud automatically configures a server to make secure connections the default.
Publicly available web applications and services are under constant attack from hackers all over the world! Security is not just a nice thing to have, but a fundamental necessity to ensure continuity of business and to meet regulatory requirements.
There are several areas that we look at when assessing the security of an application.
- Is the information being kept private, or can it be read by others?
- Is access to information limited to only those who “should” have that access?
- Is it possible to tamper with the information?
- Can we tell who had access to the information and who made changes?
When implementing a software system, we must consider the points where data might be accessed:
- While being sent from the client to the server or the server to a database; referred to as “in transit”.
- While being processed by the application code; “in use”.
- While stored by the database or other storage server; referred to as “at rest”.
In Transit Security
In transit security is generally handled by using the TLS (Transport Layer Security) protocol. You may have heard the acronym SSL (Secure Sockets Layer). This older protocol has been superseded by TLS; but the term is often used today to mean TLS.
You can think of TLS as both an encryption and an authentication process for the server. We use TLS to provide a certificate of authenticity that the web server you are contacting is the one you asked for. Once that step is out of the way, the TLS client and server negotiate a key to use to encrypt all traffic between them. As you might guess, this is a complex exchange of information and it depends on a combination of technology and a process - that of vetting and certifying that a web site is “who” it claims to be.
Secure connections between a desktop browser or a mobile device and a web application can be compromised if you don’t configure your server properly. You have to be careful to remove obsolete ciphers, hashes, and protocols. If you aren’t sure what these are, there is a good chance you haven’t got a secure server connection using TLS (also called SSL). The default Windows™ Server installation is not “hardened” in this respect.
Alpha Cloud TLS Support
Every deployed web site on Alpha Cloud is bound to a certificate authenticating that you are communicating with Alpha Cloud. In addition, you can (and should) purchase and install a certificate that renames the web site (creates a unique URL) that your users can know is you.
Every Alpha Cloud server is automatically configured, by default, to include only secure ciphers, hashes, and protocols on a Windows™ Server.
Don’t take our word for it! Below is a screen shot of the analysis of an Alpha Cloud test site done by Qualys SSL Labs.
See for yourself!
- Open your browser and navigate to https://www.ssllabs.com/ssltest/analyze.htm
- Enter the host name alphasoftware-helloworld.cloud.alphasoftware.com.
- Qualys Labs will probe the site extensively to see what protocols, ciphers and hashes are available.
Note: The probe is done on three different addresses. This is because Alpha Cloud runs deployed application a minimum of two different data centers; so failover is automatic.
Data “At Rest”
Services like Amazon RDS (Relational Database Services) and S3 (Simple Storage Service) are highly recommended in a cloud deployment. These services can provide encryption of your data when stored on physical media. You should always take advantage of these options by selecting them when you create database server instances or data storage buckets!
You can also control access to the database and storage, and you want to limit access to both by selecting the proper settings on each service.
Data “In Use”
While “In Transit” and “At Rest” are important parts of securing your application, you must also be sure that your application code itself does not compromise data in the way it behaves.
Alpha Cloud creates a sandbox for your deployed web site isolating it from the Windows Server using the principal of “least permissions”. Even in public tenancy (where your application and others may share the same virtual machine), the other applications can’t access your data and processes, and you can’t access theirs.
Alpha Cloud and Alpha Anywhere can be used to build a secure application. But, with all of the tools and features available to you, you must still take responsibility for verifying that the web application you build does not undermine what Alpha Cloud and Alpha Anywhere Application Server provide.
Other things you should consider in building a secure application:
- Do you pass data on to other services? Is that connection secure? Is the service itself secure?
- When you connect to your database from Alpha Anywhere Application Server, do you set your connection string to use TLS? If your database is hosted on Amazon RDS or Microsoft Azure, this is simply a matter of checking a box on the TLS page of the connection string dialog.
- Do you store information on a storage server such as S3? Is your connection secure? If you use Alpha Anywhere storage connection strings, data transfer is secure by default.
Security is hard! We provide you with an environment that is automatically configured using Amazon, Microsoft and Google technology and using best practices; to save you from having to become an expert in every security technology to deploy applications.
Security is never “done”. The bad guys are always trying to come up with new ways to break into other people’s applications. Keep your servers up to date, watch for new releases of Alpha Anywhere. We update Alpha Cloud whenever a new security patch is made available by Amazon. We do so without the need to interrupt your running application.
Security is a team sport. The major vendors are constantly tightening up security. By working together to keep current on features and facilities we can all protect your application and its data better.
Considering the move to Alpha Cloud for your Alpha Anywhere applications?