A virtual private cloud is a cloud service that offers an infrastructure in which various services (VPC users), of the platform offering it, share resources available in this cloud while isolated from each other. This isolation is usually achieved through having a private local network and subnetting it (could be through VLANs), assigning a subnet to each user, or group of users that need to be directly connected, for other connections a local DNS server can be used.
VPC services usually also encrypt and mask the communication between its users and the shared resources through a VPN, adding as well a layer of authentication. A VPC implements layered security and provides it As-A-Service at the cost that it is highly complicated to set up, but using it correctly can yield a system with powerful defense.
This is a technology that I’ve yet to learn, but will do so, hopefully, this summer. If there are some project ideas that you, the reader, have that may help in my learning of this technology, I’ll appreciate it if you shared them in the comments.
In this post I’ll talk about containers, how they are used, and talk a little about their implication with security.
First, what is a container? A container is a lightweight packaging of a piece of software, including everything needed to execute it: code, runtime, system tools, system libraries, settings, etc.. A container is isolated, it will run the same every time, anywhere it’s executed. When run in a single machine, they share its operating system kernel, start instantly, and use less computing power and RAM.
Isn’t that a virtual machine?
A virtual machine consists of the following:
Abstraction of physical hardware.
Each VM consists of a full copy of the Guest OS, some apps and necessary binaries and libraries.
The hypervisor allows several VM’s to run on a single machine, turning one computer into many.
Usually in the GBs.
While a container is:
Abstraction of the application layer.
Contains code and its dependencies.
Multiple containers run on the same machine sharing the Host OS kernel with other containers.
Usually in the MBs.
So yeah, it’s virtual-machine-esque but not quite. By using a container, things like environment variables, that may contain sensible data, are not exposed to the main machine, instead they are cozily packaged along with the software and running inside the container, you can couple this with a reverse proxy like NGINX, setup SSL, and you’re all set for a slightly more secure application.
A technology that’s currently leading the market is Docker, providing a hub on which to upload your own images for the world to see and download common images from which to extend your own.
This post will deal with the topic or security practice of security by layers, and a little suggestion of a technology that may serve for this purpose in a not so deep-in-configuration manner.
In Information Security, security by layers refers to the practice of combining various security control points across the pipeline of an application. That is multiple mitigating security controls to protect the application’s resources and data. There are various ways of going about this layers, there is no silver bullet in security by layers, as every system is different, but some examples may be:
Consumer Layered Security Strategy
Extended validation (EV) SSL certificates.
Single sign-on (SSO).
Fraud detection and risk-based authentication.
Transaction signing and encryption.
Secure Web and e-mail.
Open fraud intelligence network.
Enterprise Layered Security Strategy
Workstation application whitelisting.
Workstation system restore solution.
Workstation and network authentication.
File, disk and removable media encryption.
Remote access authentication.
Network folder encryption.
Secure boundary and end-to-end messaging.
Content control and policy-based encryption.
These are the common can-be-found-in-any-page-you-check strategies, in the next blog I’ll cover another topic related, in some way, to security by layers, that is using containers to deploy code.
This week me and Miguel worked with internationalization of the game, Miguel worked on the different string for the levels, a general way of handling them, and I did the selecting of the language from a querystring in the URL, and loading the strings that would be shown in the menu. With this features done, we’re just going to be designing and testing new levels.
The brief description provided by Coursera‘s Cyptography Icourse by the University of Stanford paints cryptography as a tool for protecting information in computer systems. What I’ll attempt to cover in this post is cryptography’s real-world application, why it is needed.
First let’s deal with some basic stuff regarding cryptography, starting with the classic Alice, Bob and that bastard Eve who’s always meddling, she’s more of a Lilith if you asked me. Let’s say Alice has the sudden urge to communicate some secret message to Bob, perhaps she’s going to confess her love, but Eve also likes Bob, and Alice knows this. She can’t met Bob in person, Eve would find out, she lives close by and would get in the way. THANK GODfor the cryptography course Bob and Alice took years ago, where they learned about symmetric and asymmetric cryptography . . .
Sidenote to Explain Asymmetric and Symmetric Cryptography
Based on this post on Synopsys. Encryption uses an algorithm and a key to turn plaintext, the message, into ciphertext, the encrypted message that you can then send. Symmetric Encryption uses the same key for both encryption and decryption of a message, its fast and can be used for large amounts of data, like encrypting a hard drive, the hard part is keeping that key secured. Asymmetric encryption keeps a pair of keys, a private one and a public one, that can be distributed anywhere to interact with your messages. Plaintext encrypted with a private key can only be decrypted by its corresponding public counterpart, and vice versa. A message can also be signed using your private key, so that others may decrypt the signature with your public key and verify it was sent by you. This type of encryption, though, is slow and can only be used to encrypt data smaller than the key.
Back to the gossip
Alice decided to use Bob‘s public key to encrypt her confession, Eve had a man-in-the-middle software running in Bob‘s network, and caught the message, she didn’t understood it, however, and decided to let it through, ignorant to the fact that she was about to lose Bob, her Bob, to Alice‘s encrypted message. Bob received the message and recognized the gibberish as an encrypted message, like the ones he had worked with. Bob got a hold of his private key and decrypted the message, the surprising confession got to him, and to Eve‘s dismay, reciprocated.
That’s not reality! Well, Alice is the everyday user, Bob is the destination of every operation Alice does online, and Eve is third-parties, like government agencies, interfering in these interactions. This everyday interaction is why encryption is important, to keep your privacy. These third-parties’ goal is to break these encryption algorithms, by cracking it themselves or demanding a backdoor from the developers, which was the case in the FBI-Apple encryption dispute or the whole Snowden situation, of which there’s a cool John Oliver video.