Cobra Kai's Plan to The Cloud
Considerations For Proposal
- Availability: Customers have access to the services
- Resiliency: if one server goes down, the entire website doesn't go down
  - Requires Redundancy
- Secure: no one will successfully DDOS or get access to sensitive information
- Speed: Customers can access information quickly
Proposed Architecture
Proposed Architecture - On AWS
- Front End And Application Server: EC2 Instances
- Load Balancers: Elastic Load Balancers
- Hard Disk Array: S3 Buckets
- Database: RDS or Aurora
Proposed Architecture - Key Features
- Everything is separated by load balancers
  - DDOS Protection/Speed
- Front-end and Application Service have Auto-Scaling Groups
  - DDOS Protection, Speed, and Cost Savings
- Database and hard-disk array have read-only backups
  - Downtime protection
User Accounts/Privileges
- Four different groups
  - Administrator - Full Privileges - system admin
  - Developer - Has administrator access to services he needs (the cloud infrastructure)
  - Technical Executive - Has view access to cloud services
    - Primarily to ensure everything is on track
  - Non-Technical Executive - Limited access, only has access to services to perform their job
Patching and Backup Strategy
- Patch At Least Monthly
  - Most major updates come out monthly (Windows)
  - Balance between being up-to-date and serving customers
  - Patch critical infrastructure more frequently
- Tier-based backup strategy
  - Front-End/Application Service - Backup live service monthly, version control source code (GitHub)
  - Hard Disk Array - backup weekly (updated frequently, but not as often as the database)
  - Database - backup at least daily - Constantly changing with customer data
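
As an added example (not part of the original slides), a short Python check that flags resources whose newest backup is older than the tier schedule above allows. The resource names and timestamps are constructed, and treating "monthly" as 31 days is an assumption.

```python
from datetime import datetime, timedelta, timezone

# Maximum age of the newest backup per tier, from the schedule above.
# Assumption: "monthly" is treated as 31 days.
MAX_AGE = {
    "frontend": timedelta(days=31),    # front-end / application service
    "disk_array": timedelta(days=7),   # hard disk array (S3)
    "database": timedelta(days=1),     # customer database
}

def overdue_backups(inventory, now):
    """Return (name, tier, age) for each resource whose newest backup is older
    than its tier allows. age is None when no backup exists at all."""
    findings = []
    for name, tier, last_backup in inventory:
        if tier not in MAX_AGE:
            # Fail loudly: an unclassified resource would otherwise go unchecked.
            raise ValueError(f"{name}: unknown tier {tier!r}")
        age = None if last_backup is None else now - last_backup
        if age is None or age > MAX_AGE[tier]:
            findings.append((name, tier, age))

    def severity(finding):
        _, tier, age = finding
        # Missing backups sort first, then by how far past the limit they are.
        return (0, 0.0) if age is None else (1, -(age / MAX_AGE[tier]))

    return sorted(findings, key=severity)

# Constructed sample inventory: (resource name, tier, time of newest backup).
NOW = datetime(2024, 3, 15, 12, 0, tzinfo=timezone.utc)
SAMPLE = [
    ("web-frontend", "frontend", NOW - timedelta(days=20)),
    ("app-server", "frontend", NOW - timedelta(days=40)),
    ("media-store", "disk_array", NOW - timedelta(days=10)),
    ("orders-db", "database", NOW - timedelta(hours=72)),
    ("customer-db", "database", None),
]

if __name__ == "__main__":
    for name, tier, age in overdue_backups(SAMPLE, NOW):
        status = "no backup found" if age is None else f"newest backup is {age.days}d old"
        print(f"{name} ({tier}): {status}, limit {MAX_AGE[tier].days}d")
```
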
Additional Architectural Measures
- Encrypt user data at rest - especially sensitive PII
  - Easy Options on most cloud providers
- Add network and host-based firewalls
  - Can help protect against DDOS and application-based attacks like SQL injection
- Add logs to both the application components and cloud dashboard/API
  - Security breaches can occur both in the application and via the cloud platform
  - Know if breached and how it occurred
Example of Architecture with Firewall
Other Policies - DevSecOps
How is this helpful?
- Adding processes through Development and Operations
- Improves processes for releasing new applications while ensuring the product is operational and compliant
- Adding DevSecOps will help to ensure PCI Compliance
- Necessary Components to Implement
  - Threat Modeling
  - Code Review/Auditing
  - Testing
  - Monitoring
  - Recovery
- Log activity
  - Both on the server and on the cloud
  - Check for suspicious activity in the application and in the infrastructure
Summary
- Cloud infrastructure will help in three major areas
  - Availability of Services
  - Increased Security
  - Cost Savings
- Policy changes will ensure procedures for updating, patching, and code/infrastructure improvements are standardized
- Combination of architectural and policy changes will ensure compliance (e.g. PCI Compliance)
Cobra Kai
By Ragnar Security