
Technological Architectures

Microservices and Service-Oriented Architecture (SOA)

Service-Oriented Architecture (SOA) is all about creating distinct, user-accessible services that operate in a black-box fashion. However, you might not hear much about it these days. Its relevance has faded somewhat as it's been largely replaced by a newer concept: microservices. Let's take a real-world example: constructing a building. SOA would be akin to building separate rooms (services) in a house (the application). Each room has a specific function but doesn't need to know the specifics of the others; it operates in a 'black-box' fashion.

Microservices are essentially more refined services that perform specific functions. They represent a modern twist on the traditional SOA model, but they're better suited for cloud computing environments. For instance, they're designed to perform optimally on containerized platforms such as Docker or Kubernetes. Continuing with our example, as times change, though, we find ourselves preferring an open-floor concept (microservices). This newer approach still has discrete areas serving different purposes, but they're more integrated, flexible, and cloud-oriented, like a modern home designed for the digital age.

At the coding level, it's crucial to spot potential vulnerabilities early in the development lifecycle. This task can be accomplished using tools such as static code analysis and dynamic testing. These should be integrated early in the Continuous Integration/Continuous Delivery (CI/CD) process. The goal is to pinpoint and correct deficiencies before the product is released, enhancing its security and reliability.

Identifying vulnerabilities in this 'construction' process is like hiring a building inspector to identify flaws in your house's design or construction. Static code analysis (SAST) is like the pre-construction blueprint examination, ensuring everything seems solid before building commences. Dynamic testing (DAST), on the other hand, is akin to checking the house's stability and function after it's been built. These are vital steps to make sure your building, or in our case, your application, is secure and functioning as expected.

Finally, think of static code analysis like a routine health check-up, except for your code. It's also known as Static Application Security Testing (SAST), which we'll dive into more in domain 8. Similarly, dynamic testing is another method of ensuring your code's health. It's also referred to as Dynamic Application Security Testing (DAST), and we'll explore it further as well.

Containerization

Containerization is a flexible, efficient way to package applications for multiple platforms, distinct from virtualization. It's akin to packing only necessary items in a suitcase, as opposed to taking your entire house on a trip.

Containers don't carry a full operating system, making them lighter and quicker than virtual machines. They share the host system's OS kernel, enhancing resource usage efficiency.

Containerization excels in software development, offering consistent functioning across various environments. It reduces discrepancies between local and production environments, improving the development lifecycle's efficiency.

In terms of security, containerization's focus spans two main areas: DevOps and application-level security. For DevOps, it offers isolation at the container level, safeguarding against potential vulnerabilities in one container affecting others. This is a key aspect of DevOps security, ensuring a contained environment for each service or microservice, reducing the risk of system-wide failures or breaches.

Regarding application-level security, containerization emphasizes authentication (AuthN) and authorization (AuthZ). Authentication verifies the identity of a user, device, or system. Authorization, on the other hand, determines what permissions an authenticated entity has, dictating what it can and cannot do. These security measures further bolster the application's protection within the container, contributing to a safer deployment and operational environment.

Hypervisors

At its core, a hypervisor, sometimes known as a virtual machine monitor (VMM), is responsible for creating, managing, and operating virtual machines (VMs).

  • Type I Hypervisor: installed directly on the system hardware, so it doesn't require a host operating system. It's sometimes referred to as a "bare-metal hypervisor." Well-known examples include QubesOS, Proxmox, and VMware ESXi.
  • Type II Hypervisor: a "hosted" hypervisor. It sits atop a conventional operating system, acting as an additional software layer, and relies on the underlying OS for its operations.

APIs (SOAP or REST)

APIs, or Application Programming Interfaces, are sets of exposed interfaces that enable programmatic interaction between services. Essentially, they're like a menu in a restaurant, offering predefined ways to interact with a service.

In the past, SOAP (Simple Object Access Protocol) was the predominant standard. However, REST (Representational State Transfer) is now the more commonly adopted standard due to its simplicity and compatibility with web technologies.

A classic example of API usage can be found in Amazon's early days. Jeff Bezos instituted a policy stating that any service created should be made available for other teams or businesses through APIs. Similarly, many modern digital platforms, such as Twitter, Google, and Facebook, provide APIs for developers to interact with their services, fostering an ecosystem of interconnected apps and services.

RESTful APIs operate over the HTTP/HTTPS protocol, offering API endpoints for different services. They're stateless, meaning each request from a client to a server must contain all the information needed to understand and process the request.

When it comes to security, all communications between the client and server should be encrypted, typically using SSL/TLS for HTTPS connections. Access to APIs should be limited and controlled using API keys, acting as unique identifiers for users or services. These keys should be stored, distributed, and transmitted securely to prevent unauthorized access. Remember, the handling of API keys is as important as the protection of passwords or any other sensitive data.
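As an added illustration of the authentication/authorization distinction above and of stateless API-key handling (this is example code written for these notes, not code from any product or project mentioned here), the Python below mints keys, stores only a hash of each key, and checks every request on its own with no session state. The in-memory key store, the route table and the `orders:read` / `orders:write` scope names are constructed for the example.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional, Tuple

# Constructed in-memory key store (a stand-in for a database). Only a hash of
# each key's secret part is kept, so a leaked store does not leak usable keys.
@dataclass
class ApiKeyRecord:
    key_hash: str              # SHA-256 of the secret part, hex-encoded
    owner: str                 # user or service the key identifies (AuthN)
    scopes: FrozenSet[str]     # what the key is allowed to do (AuthZ)
    revoked: bool = False

KEY_STORE: Dict[str, ApiKeyRecord] = {}

# Constructed route table: the scope each endpoint requires.
ROUTE_SCOPES: Dict[Tuple[str, str], str] = {
    ("GET", "/orders"): "orders:read",
    ("POST", "/orders"): "orders:write",
}

# Dummy hash so an unknown key id still costs one comparison; this avoids a
# timing difference between "no such key" and "wrong secret".
_DUMMY_HASH = hashlib.sha256(b"dummy").hexdigest()

def _hash_secret(secret: str) -> str:
    return hashlib.sha256(secret.encode("utf-8")).hexdigest()

def issue_api_key(owner: str, scopes) -> str:
    """Mint a key of the form '<key id>.<secret>'. The plaintext is handed to
    the caller exactly once; the store keeps only its hash."""
    kid = secrets.token_hex(8)
    secret = secrets.token_urlsafe(32)      # URL-safe alphabet, never contains '.'
    KEY_STORE[kid] = ApiKeyRecord(_hash_secret(secret), owner, frozenset(scopes))
    return f"{kid}.{secret}"

def revoke_api_key(kid: str) -> None:
    if kid in KEY_STORE:
        KEY_STORE[kid].revoked = True

def authenticate(headers: Dict[str, str]) -> Optional[ApiKeyRecord]:
    """AuthN: establish which key (and so which owner) sent this request.
    Each request is judged on its own; nothing is remembered between calls."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return None
    kid, sep, secret = auth[len("Bearer "):].partition(".")
    if not sep:
        return None
    record = KEY_STORE.get(kid)
    expected = record.key_hash if record is not None else _DUMMY_HASH
    match = hmac.compare_digest(_hash_secret(secret), expected)   # constant-time
    if record is None or record.revoked or not match:
        return None
    return record

def handle_request(method: str, path: str, headers: Dict[str, str]) -> Tuple[int, str]:
    """Stateless handler: AuthN first, then AuthZ against the route's scope."""
    required = ROUTE_SCOPES.get((method, path))
    if required is None:
        return 404, "no such endpoint"
    record = authenticate(headers)
    if record is None:
        return 401, "missing or invalid API key"            # who are you?
    if required not in record.scopes:
        return 403, f"key for {record.owner} lacks scope {required}"   # known, not allowed
    return 200, f"{method} {path} ok for {record.owner}"

if __name__ == "__main__":
    key = issue_api_key("billing-service", ["orders:read"])
    hdrs = {"Authorization": f"Bearer {key}"}
    print(handle_request("GET", "/orders", hdrs))      # (200, ...)
    print(handle_request("POST", "/orders", hdrs))     # (403, ...)
    print(handle_request("GET", "/orders", {}))        # (401, ...)
```

The key still travels in the `Authorization` header of every request, which is exactly why the notes insist on HTTPS: the example does nothing about transport encryption, so without TLS the stored hash protects the server-side store but not the key in flight. Revoking a key is a one-line flag flip because the server never relies on remembered sessions.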

Embedded Systems

Embedded systems are compact computer systems embedded within larger devices, crucial for Internet of Things (IoT) devices. Examples include printers, GPS drones, and semi-autonomous vehicles.

In a printer, the embedded system processes printing commands and manages resources. GPS drones use them to process geolocation data and control flight. In semi-autonomous vehicles, they handle tasks from obstacle detection to internal systems management.

Enforce solid, lightweight, and robust authentication practices, moving beyond 'implied trust'. Examples include two-factor authentication, digital signatures, and certificate-based authentication.

High Performance Computing

Distributed computing encompasses a wide range of systems where tasks are spread across multiple machines to enhance performance, provide redundancy, or both.

  • Examples of Distributed Systems:
    • SETI Project:
      • Aim: Combing the cosmos for signs of extraterrestrial life.
      • Process: Analyzing vast amounts of data.
      • Unique Aspect: Individuals can volunteer their computing resources.
    • Cryptocurrency Blockchains:
      • Aim: Securely recording and verifying transactions.
      • Process: Decentralized nodes collaborate to validate and chronicle transactions on a communal ledger.
      • Unique Aspect: Strengthens security and consensus by jointly processing extensive transactional data.

Mobile Device and Mobile App Security

  1. Mobile Device Security Features:
    • Full Device Encryption: Encrypts all data on the device, making it unreadable without the decryption key.
    • Remote Wiping: Allows administrators or users to erase data remotely, either on the entire device or specific sections.
    • Lockout: Disables the device after a certain number of failed login attempts.
    • Screen Locks: Requires a PIN, password, pattern, or biometric data to unlock the device.
    • GPS Tracking: Can help locate lost or stolen devices or verify the location of a user for authentication purposes.
    • Application Control: Ensures only approved apps are installed and prevents malicious or unauthorized apps.
  2. Mobile Application Security:
    • Key Management: Handles the generation, distribution, and storage of cryptographic keys.
    • Credential Management: Safeguards user credentials and ensures secure access.
    • Authentication: Validates the identity of users accessing apps.
    • Geotagging: Adds geographical metadata (like location) to apps or functions. Be cautious, as it may pose privacy risks.
    • Encryption: Scrambles data within the app so it cannot be easily read without decryption.
    • Application Whitelisting: Only allows specified applications to run, blocking all others.
    • Transitive Trust/Authentication: Trust established based on another trusted entity (e.g., if A trusts B and B trusts C, then A might trust C).
  3. Bring Your Own Device (BYOD):
    • Definition: A policy where employees use their personal mobile devices for work-related tasks, accessing company data and resources.
    • Improved employee morale and job satisfaction.
    • Lower upfront costs for the organization in terms of hardware procurement.
    • Increased security risks, as personal devices might not be as secure as company-issued ones.
    • Hidden costs related to managing and securing a diverse range of personal devices.
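Screen locks and lockout (from the device-feature list above) work together: the PIN check decides whether an attempt succeeds, and the lockout counter decides whether an attempt is even allowed. The Python below is an added example written for these notes, not code from any mobile platform; the `LockoutPolicy` class, the per-device counters, the thresholds and the PBKDF2 parameters are assumptions chosen for illustration. It shows the two edge cases a practitioner cares about: a correct PIN is still refused while the device is locked, and the lock clears itself once the lockout period has elapsed.

```python
import hashlib
import hmac
import secrets
import time
from typing import Callable, Dict, Tuple

def enroll_pin(pin: str) -> Tuple[bytes, bytes]:
    """Store a screen-lock PIN as (salt, PBKDF2 hash), never as plaintext.
    Iteration count is an assumption for the example."""
    salt = secrets.token_bytes(16)
    return salt, hashlib.pbkdf2_hmac("sha256", pin.encode("utf-8"), salt, 50_000)

def pin_matches(pin: str, stored: Tuple[bytes, bytes]) -> bool:
    salt, expected = stored
    candidate = hashlib.pbkdf2_hmac("sha256", pin.encode("utf-8"), salt, 50_000)
    return hmac.compare_digest(candidate, expected)      # constant-time compare

class LockoutPolicy:
    """Counts failed unlock attempts per device and locks the device once the
    threshold is hit. The clock is injectable so the policy can be exercised
    without waiting for a real lockout period to expire."""

    def __init__(self, max_attempts: int = 5, lockout_seconds: float = 300.0,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self.max_attempts = max_attempts
        self.lockout_seconds = lockout_seconds
        self.clock = clock
        self._failures: Dict[str, int] = {}
        self._locked_until: Dict[str, float] = {}

    def is_locked(self, device_id: str) -> bool:
        until = self._locked_until.get(device_id)
        if until is None:
            return False
        if self.clock() >= until:
            # Lockout period elapsed: clear the lock and the failure counter.
            del self._locked_until[device_id]
            self._failures.pop(device_id, None)
            return False
        return True

    def record(self, device_id: str, success: bool) -> str:
        """Returns 'ok', 'denied' (wrong PIN, not yet locked) or 'locked'."""
        if self.is_locked(device_id):
            return "locked"          # even a correct PIN is refused while locked
        if success:
            self._failures.pop(device_id, None)   # a success resets the counter
            return "ok"
        failures = self._failures.get(device_id, 0) + 1
        self._failures[device_id] = failures
        if failures >= self.max_attempts:
            self._locked_until[device_id] = self.clock() + self.lockout_seconds
            return "locked"
        return "denied"

def attempt_unlock(policy: LockoutPolicy, device_id: str,
                   pin_entered: str, stored: Tuple[bytes, bytes]) -> str:
    """One unlock attempt: consult the lock state before doing the (slow) PIN check."""
    if policy.is_locked(device_id):
        return "locked"
    return policy.record(device_id, pin_matches(pin_entered, stored))

if __name__ == "__main__":
    policy = LockoutPolicy(max_attempts=3, lockout_seconds=60)
    stored = enroll_pin("2468")                      # constructed sample PIN
    for guess in ("0000", "1111", "2222", "2468"):
        print(guess, attempt_unlock(policy, "phone-1", guess, stored))
```

Checking the lock state before running PBKDF2 matters on a real device: once locked, the expensive hash is skipped entirely, so a lockout also caps the CPU an attacker's guesses can consume. Real platforms usually add escalating lockout periods or a wipe after many failures (the "Remote Wiping" feature above); the fixed period here keeps the example short.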