How to Securely Store Your Configurations on Alibaba Cloud

  1. Sensitive data, such as database connection strings containing passwords, is stored in the configuration file on the production environment’s server.
  2. Sensitive information is packaged into a configuration file in the project and released to various environments.
  3. During Docker orchestration, sensitive information is stored directly in environment variables.

Brief History of Configuration Development

  1. Static Plaintext Configuration: The configuration was initially placed locally in the form of a plaintext file or environment variables.
  2. Configuration Center-Based Plaintext Configuration: With the rise of microservices and configuration center technologies such as Alibaba Cloud’s ACM, configuration began to shift to the configuration center.
  3. Configuration Center-Based Configuration Security Enhancements: The configuration center begins to integrate various security tools for configuration enhancements.

Security Problem Overview

Security Problems with Static Plaintext Configuration

  1. In a multi-environment packaging release, all of the application’s sensitive information is included in the development project, where it is easily accessible to internal employees.
  2. A container orchestration system also holds all of the application’s sensitive information, and most container orchestration systems pass confidential information through environment variables. The values appear as plaintext inside the container and can be read directly from its environment.
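
One way to audit a container for the exposure described in item 2, as an added example that is not part of the original article. It assumes the environment has been exported as `KEY=value` strings, the form `docker inspect` reports under `Config.Env`; the variable names and values in the sample are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Variable or parameter names that usually carry a secret (heuristic, an assumption).
SENSITIVE_NAME = re.compile(r"(PASSWORD|PASSWD|SECRET|TOKEN|ACCESS_KEY)", re.I)

def find_plaintext_secrets(env_entries):
    """Return (variable, reason) pairs for entries that expose a secret."""
    findings = []
    for entry in env_entries:
        name, _, value = entry.partition("=")
        if not value:
            continue
        if SENSITIVE_NAME.search(name):
            findings.append((name, "sensitive variable name with a literal value"))
            continue
        try:
            # JDBC URLs wrap a normal URL in a "jdbc:" prefix; strip it before parsing.
            url = urlsplit(value[5:] if value.startswith("jdbc:") else value)
            password = url.password
        except ValueError:
            continue  # not a parseable URL, nothing to report
        if password:
            findings.append((name, "password embedded in connection URL"))
        elif any(SENSITIVE_NAME.search(k) for k in parse_qs(url.query)):
            findings.append((name, "password passed as URL query parameter"))
    return findings

# Constructed sample environment; the last entry is the safe pattern the
# article recommends: only a configuration identifier, no secret.
SAMPLE_ENV = [
    "PATH=/usr/local/bin:/usr/bin",
    "DB_URL=postgres://app:constructed-pw@db.example.internal:5432/orders",
    "JDBC_URL=jdbc:mysql://db.example.internal/app?user=app&password=constructed-pw",
    "REDIS_PASSWORD=constructed-pw",
    "ACM_DATA_ID=db.connection",
]

if __name__ == "__main__":
    for variable, reason in find_plaintext_secrets(SAMPLE_ENV):
        print(f"{variable}: {reason}")
```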

Security Problems with Configuration Center-Based Plaintext Configuration

  1. The configuration no longer needs to be stored on the server in plaintext. The application side stores only the configuration center connection information, which contains no sensitive data, and all configuration details are stored in the configuration center. On the application side, the configuration can be kept in memory for the whole life of the process and never persisted to the local hard disk, which minimizes leakage of sensitive information.
  2. At the same time, sensitive information is separated out and stored in the configuration center. All configuration information can be hierarchically configured to ensure that different administrators only access the configuration information they need.

ACM’s Configuration Security Enhancement Measures

ACM Security Configuration Management Design Overview

  1. Application Configuration Management (ACM): The primary function of ACM is to store and release the configuration. In the security configuration solution, however, ACM hands most of the security functions over to KMS. KMS encrypts the configuration stored on the ACM server, and the ACM server itself does not directly provide a decryption function; this dramatically improves the security of the configuration. When an encrypted configuration is read, it is finally decrypted by the ACM client calling KMS.
  2. Key Management Service: In security configuration management, it mainly provides users with encryption/decryption services. When configuring encryption/decryption at the ACM based on KMS, users can specify their customized key pair, or use the default KMS key pair provided by ACM to simplify management.
  3. Resource Access Management: In Alibaba Cloud’s product system, service accounts are independent of products. That is to say, the ACM console itself has no way to access the user’s KMS key configuration. However, on the ACM console, to facilitate configuration management, the user needs to encrypt the configuration on the ACM console. Therefore, the ACM console requires specific minimum operation permission for the user’s KMS key pair. Alibaba Cloud’s security system achieves this through RAM’s Role Authorization.

ACM Security Configuration Principles

User Activation Process

  1. Activate ACM; this is required.
  2. Activate KMS; this is also needed.
  3. Assign ACM a minimum permission role in RAM to read the user’s KMS encryption. This step is critical. Otherwise, ACM cannot use the key in the user’s KMS as a separate product.

Writing a Security Configuration on the ACM Console

  1. The user writes a configuration on the ACM console and sets it as a security configuration on the console.
  2. ACM identifies it as a security configuration, which relies on the user’s KMS key. ACM then calls RAM to obtain the role with the minimum permission to read the KMS encryption, which the user previously assigned to ACM.
  3. ACM uses this role to encrypt the configuration stored on the ACM console with the user’s KMS key pair by calling KMS APIs.
  4. The ACM console stores the encrypted configuration in the ACM configuration database.

  1. The configuration stored in ACM is ciphertext, and ACM does not store the key. Even if the configuration information gets leaked, the configuration plaintext is not obtainable.
  2. ACM operates the user’s KMS key through RAM authorization. The authorized role only allows ACM to encrypt/decrypt the configuration, and — to minimize extra security risks — it does not have other permissions (such as key pair deleting operations).

Process for an Application to Read Security Configuration through ACM SDK

  1. The application reads the ACM configuration ID.
  2. The application starts and reads the ACM ciphertext configuration.
  3. If the ACM client identifies the configuration as a ciphertext configuration, then the KMS client transparently decrypts the ciphertext configuration and returns the plaintext configuration.
  4. The application reads the plaintext configuration and connects to the database. The plaintext configuration is not stored on the local disk; this ensures security.

  1. On the application side, the configuration does not contain any sensitive data and only includes one configuration item that the ACM client needs to read.
  2. In practice, the ACM SDK will package ACM client and KMS client calls. The detailed calling process is transparent to the application.
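
The write path and the read path described above, modeled end to end as an added example; it is not ACM SDK code and not from the original article. `StandInKMS`, the role names, the key ID, and the `encrypted` marker on stored items are assumptions made for illustration (the article does not say how the application itself is authorized to KMS), and the XOR keystream is a toy stand-in for the encryption KMS performs.

```python
import hashlib
import os

KEY_ID = "example-key"             # constructed key identifier
CONSOLE_ROLE = "acm-console-role"  # hypothetical role granted to the ACM console
APP_ROLE = "app-role"              # hypothetical role used by the application

class StandInKMS:
    """Local stand-in for KMS. Key material never leaves this object.
    The XOR keystream is a toy cipher for the demo, not for real use."""

    def __init__(self):
        self._keys = {KEY_ID: os.urandom(32)}
        # Role authorization: encrypt/decrypt only, no key deletion.
        self._grants = {CONSOLE_ROLE: {"Encrypt", "Decrypt"}, APP_ROLE: {"Decrypt"}}

    def _check(self, role, action):
        if action not in self._grants.get(role, set()):
            raise PermissionError(f"{role} is not allowed to {action}")

    def _xor(self, key_id, nonce, data):
        stream = hashlib.shake_256(self._keys[key_id] + nonce).digest(len(data))
        return bytes(a ^ b for a, b in zip(data, stream))

    def encrypt(self, role, key_id, plaintext):
        self._check(role, "Encrypt")
        nonce = os.urandom(16)
        return nonce + self._xor(key_id, nonce, plaintext)

    def decrypt(self, role, key_id, blob):
        self._check(role, "Decrypt")
        return self._xor(key_id, blob[:16], blob[16:])

    def delete_key(self, role, key_id):
        self._check(role, "DeleteKey")
        del self._keys[key_id]

def console_write(kms, store, data_id, plaintext):
    """Write path: encrypt through the console role, store ciphertext only."""
    blob = kms.encrypt(CONSOLE_ROLE, KEY_ID, plaintext.encode())
    store[data_id] = {"encrypted": True, "content": blob}

def client_read(kms, store, data_id):
    """Read path: decrypt transparently when the item is marked encrypted.
    The plaintext is returned to the caller and never written to disk."""
    item = store[data_id]
    if item["encrypted"]:
        return kms.decrypt(APP_ROLE, KEY_ID, item["content"]).decode()
    return item["content"]
```

The `store` dictionary plays the role of the ACM configuration database: dumping it yields only ciphertext, and neither role can delete the key.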

Conclusion

  1. Regarding ease of use, configuration read/write is transparent for both the server and client.
  2. Regarding security, the integration of RAM and KMS ensures that the configuration can be encrypted in a sufficiently secure channel and stored as ciphertext. The above measures better satisfy the current compliance and level 3 protection goals and effectively meet the security needs of most enterprise users.

  1. Secure storage of container service configuration.
  2. Secure storage of ECS auto scaling configuration.
  3. Secure storage of various other PaaS service link configurations.
  4. More application security enhancement scenarios are coming soon.
