Over the last few months I have been writing a series of posts on some advantages of cloud software and why it is now our recommendation.
The previous posts were:
- The Big Fluffy Cloud
- Development: How You Want It, When You Want It
- Software That Grows As Your Company Grows
Today, I want to look at something that has been a problem since I started to program around the turn of the millennium and now has a very neat solution ala Microsoft’s Azure cloud: the problem of how to secure your passwords and other sensitive information for a web system.
Losing Your Keys
Imagine with me, for a minute, a large mansion of a house, one in where a family lives: a father, a mother and three teenage kids. Within the house there are many valuable items and heirlooms that require protection, so all windows and doors have locks on them to protect from unauthorised entry. However, as everyone who lives in the house must enter and exit at will, everyone carries a key. This works well for the father and the mother as they are responsible with their keys. However, the kids don’t show the same aptitude to keeping hold of and not losing keys.
As a result, two things have happened. Firstly, there are now keys out in the wild and no one knows where they are or who has them. Secondly, the family now store a key under the third stone on the right in the wall leading up to the back door. In short, although they have put thought and effort into protecting the house from unwelcome guests the security is now only as good as the lost and hidden keys.
Protecting Your Passwords
A similar situation exists with software. We spend a lot of time securing the software and only allowing access to authorised personnel. However, as the system itself needs access to certain usernames/passwords we have to store these somewhere that can be accessed by the system without someone entering a password. This, traditionally, has been a difficult egg to crack and the solutions have changed over the years.
In the early days when hacking was not something that we spent time thinking about (in the pre XP Service Pack 2 era) passwords were stored in a single file. This file was protected because it was only stored in one place on the live server and accessed by the system. This progressed to a point where we stored only a single password that then gave the system read–only access to a data store that held the rest of the passwords.
In more recent times we have started to look at encrypting the config file storing the passwords. However, all these systems have a couple of weak points. Firstly, if someone discovers the entry point, they then have access to the keys to the kingdom, and secondly there was no good system to backing up these passwords. In essence, this storage of system credentials was the security weak point – the key under the stone.
Smart Lock Security
In comes a service called Azure Key Vault. This service, when setup the correct way, allows us to hide all of our sensitive data away with enterprise–level encryption. We can then, as if by magic, allow individual apps access to these vaults without storing a username or password anywhere. This vault is also backed up and a change history recorded. This allows a project admin, not necessarily the developer, to set up access credentials that are then consumed by the application itself without anyone in between sharing a password or seeing a password. And all of this for pennies a month.
To finish our example above, this is like the family investing in a smart lock system. A system whereby the door recognised the person entering by checking their unique biometric signature and then, when it recognises the person as authorised, opening the door itself and allowing entry before closing itself behind the user. No more lost keys. No more hidden keys. No more weak points in the security.
This is just another reason, among many, as to why we recommend using the cloud as a hosting platform of choice.