Security

Running applications and systems that are available to users for consumption is an important consideration for architects of any serious application. However, there is another equally important application feature that is one of the top priorities for architects, and this is the scalability of applications. Imagine situations in which applications are deployed and obtain great performance and availability with a few users, but both availability and performance suffer as users start increasing. Another situation could be when the application is performant and available, with a large number of users, but there is a certain time of the day or week, or there are special events during which the number of users spikes, and you cannot gauge or predict the number of users. Extending the previous situation, you might have provisioned the hardware and bandwidth for handling users during these occasions when there are spikes, but most of the time, the additional hardware is not used and does not provide any return on investment. They are provisioned for use only during peak times. I hope you are realizing the problems architects are trying to solve. All these problems are related to the capacity, sizing, and scalability of an application. The focus of this chapter is on scalability as an architectural concern, and it details the features provided by Azure to address these concerns.

Securing an application means not allowing unknown and unauthorized entities to access it. It also means that communication with the application is secure and not tampered with. This includes the following:

  • Authentication: Authentication refers to establishing the identity of a user and ensuring that the given identity can access the application or service. Authentication is performed in Azure using OpenID Connect
  • Authorization: Authorization refers to allowing and establishing permissions that an identity can perform within the application or service. Authorization is performed in Azure using OAuth.
  • Confidentiality: Confidentiality refers to the communication between the user and the application being secure. The payload exchange between entities is encrypted so that it will make sense only to the sender and receiver, but not otherwise. Confidentiality of messages is performed using symmetric and asymmetric encryption. Certificates are used to implement cryptography; that is, the encryption and decryption of messages.
  • Integrity: Integrity ensures that the payload and message exchange between sender and receiver is not tampered with. The receiver receives the same message that's sent by the sender. Digital signatures and hashes are the implementation mechanisms to check the integrity of incoming messages.

Security is a partnership between the service provider and the service consumer. Both parties have different levels of control over deployment stacks, and each should implement security best practices to ensure that all threats are identified and mitigated. We already know from Chapter 1, Getting Started, that the cloud broadly provides three paradigms—IaaS, PaaS, and SaaS—each having different levels of collaborative control over the deployment stack. Each party should implement security practices for components under its control and within its ambit. Failure to implement security at any layer in the stack or by any party would make the entire deployment and application vulnerable to attack.