Cyber Security and Network Security

Provisioned in the VPC, the API Gateway facilitates the use of REST API to congregate data requested from the web application and provides public endpoints for further future expansion of the client side architecture.

In our proposed architecture, we are using Amazon Simple Storage Service (Amazon S3) which provides secure, high-scalable, and durable object storage. Simply log in and seamlessly move and share data stored in S3 across any storage resources employing a unified, intuitive interface. Here, we are storing the data like large files and databases, which is being shared among themselves. In our proposed model, we have stored the static data or data in rest (i.e., object) in Amazon S3.

AWS Lambda is a compute service which gets activated on demand. In our proposed model, we have used AWS Lambda for size reduction of files by compressing them as much as possible before getting stored in a storage bucket. Whenever an object is sent to a storage bucket from the server, lambda is called. It takes the object from the storage bucket and reduces the size by compressing them and stores them in another storage bucket, data being encrypted at rest.

Load unbalancing is a serious problem that inhibits the performance and efficiency of compute resources. In our proposed model, the load balancer distributes the incoming traffic or load among the compute instances equally to maintain the balance of the server. Problems like server overload or under-load can be avoided using load balancer. Load balancer improves the real-time necessary constraint parameters like response time, execution time, and system stability [12].

In our proposed model, the Internet Gateway links the Virtual Private Cloud (VPC) with the public internet.

Security groups are instance level firewalls. Security groups can be configured to stop incoming and outgoing traffic in instances. In our proposed model, an advantage of using security groups is that it is a straight full service which means any rule applied to incoming rules will also be applied in outgoing rules.

Autoscaling feature helps in cost saving and efficient use of resources without human intervention. In our proposed model, autoscaling determines performance metrics which acts as good indicators for conveying the load on a resource. Autoscaling performs operations on CPU utilization, bandwidth usage, and memory utilization. Here, the user need not overprovision a server to meet the needs during high usage. During peak demands, autoscaling automatically increases computing services and other necessary resources and decreases during low usage periods, thus saving cost and optimum utilization of services and resources [13].

Amazon QLDB is a ledger database that provides an immutable, verifiable, transparent, and cryptographically transaction log centrally. It can be used to track and any application data change over time.

However, relational databases are not immutable and changes are hard to track and verify. Alternatively, blockchain frameworks can be used as a ledger but it adds complexity as an entire blockchain network needs to be set up and the nodes are required to validate each transaction before it can be added to the ledger.

With Amazon QLDB, effort of building your own ledger-like applications is eliminated. QLDB is immutable; it cannot be altered or deleted and can be easily verifiable if any unintended modifications are made. QLDB provides SQL-like API, a flexible document data model, and full support for transactions. With QLDB data can be replicated to other AWS services to support advanced analytical processing. QLDB is serverless so it is scalable according to my needs so I pay for what I use. In our proposed model, all the records of data and various other files are stored and maintained in QLDB.

In our proposed model, we have chosen NoSQL databases as it is perfect for our applications requiring flexibility, high-performance, scalability, and highly functional databases since it does not have any schema. The document type/JSON type files are stored in this database.

Sensitive data are secured using encryption algorithms mentioned in our architecture. The JSON files are being encrypted before getting stored inside the database.

Instances widely provided by the public cloud provider services can be used or virtualized compute instances can be provisioned for hosting the application on private servers. In this project, we have used an AWS EC2 instance to set up the server side application on the instance for the client devices to communicate and transmit the messages. EC2 also provides additional security, and moreover, the compute capacity is easily resizable according to the demand.

Private servers can also be spun up if not going through with public cloud providers. The instances need to be spun up with updated hypervisors keeping scalability and durability in mind. Networking needs to be managed internally in that case and NAT gateways need to be set up to facilitate communication of the virtual instances through a public facing IP.

A specific virtual private network is required to be configured for the application spanning two or more availability zones for higher availability and application reliability. One public subnet and two private subnets need to be launched for each of the availability zone that we have accounted for. Private subnets would contain the user access and data, and the storage services and only the web application instances that are launched into the public subnet would be allowed to access. The application instances would be able to access the services provisioned into the private subnets through the private endpoints which are not exposed to the public internet. Thus, all the user/application data residing in the system cannot be accessed without prior authentication and authorization through the public endpoint.

In our proposed architecture, every incoming and outgoing data coming inside or going outside the cloud needs to be passed through the network firewall or VPC. Network firewall prevents several attacking problems like data exfiltration, insider attack, and many more. Here, we have created policies which are suitable for the organization. Every incoming and outgoing package can be blocked, filtered, and monitored. In addition, if any malicious activity is detected, then that can be blocked easily without affecting the entire system.

The cloud or private server can receive data only from its client application. That data is always encrypted by the client application and never executes in the cloud without proper authentication, authorization, and validation of data. Inside the cloud, only specific actions can be done according to the privileges of the client which has been assigned by the organization. Apart from these, it can be prevented also from the VPC.

Client application encrypts each and every data which it sends to the cloud. In addition, in the cloud after verifying, i.e., whether the client is trusted or not it will decrypt the data and perform the rest operations respectively. Since the data is encrypted by double layer encryption no middle man can tamper the data as a result MITM attack cannot be possible, i.e., no one can tamper the data in between the client and cloud.